Linux Kernel Security Vulnerabilities

CVE-2021-46920

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback Current code blindly writes over the SWERR and the OVERFLOW bits. Writeback the bits actually read instead so the driver avoids clobbering the OVERFLOW bit that come...

5.5 CVSS

5.6 AI Score

0.0004 EPSS

2024-02-27 07:15 AM
398

CVE-2021-46921

In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond...

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
496

CVE-2021-46922

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix TPM reservation for seal/unseal The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") was correct on the mailing list: https://lore.kernel.org/linux-integrity/20210128235621...

5.5 CVSS

6.6 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
422

CVE-2021-46923

In the Linux kernel, the following vulnerability has been resolved: fs/mount_setattr: always cleanup mount_kattr Make sure that finish_mount_kattr() is called after mount_kattr was successfully built in both the success and failure case to prevent leaking any references we took when we built it. We re...

5.5 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
475

CVE-2021-46924

In the Linux kernel, the following vulnerability has been resolved: NFC: st21nfca: Fix memory leak in device probe and remove 'phy->pending_skb' is alloced when device probe, but forgot to free in the error handling path and remove path, this cause memory leak as follows: unreferenced object 0xfff...

5.5 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
418

CVE-2021-46925

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix kernel panic caused by race of smc_sock A crash occurs when smc_cdc_tx_handler() tries to access smc_sock but smc_release() has already freed it. [ 4570.695099] BUG: unable to handle page fault for address: 000000002eae...

4.7 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
570

CVE-2021-46926

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues ...

5.5 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
404

CVE-2021-46927

In the Linux kernel, the following vulnerability has been resolved: nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert After commit 5b78ed24e8ec ("mm/pagemap: add mmap_assert_locked() annotations to find_vma*()"), the call to get_user_pages() will trigger the mmap assert. static...

5.5 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
612

CVE-2021-46928

In the Linux kernel, the following vulnerability has been resolved: parisc: Clear stale IIR value on instruction access rights trap When a trap 7 (Instruction access rights) occurs, this means the CPU couldn't execute an instruction due to missing execute permissions on the memory region. In this cas...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
476

CVE-2021-46929

In the Linux kernel, the following vulnerability has been resolved: sctp: use call_rcu to free endpoint This patch is to delay the endpoint free by calling call_rcu() to fix another use-after-free issue in sctp_sock_dump(): BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20 Call Trace: __lock_...

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
628

CVE-2021-46930

In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix list_head check warning This is caused by uninitialization of list_head. BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4 Call trace: dump_backtrace+0x0/0x298 show_stack+0x24/0x34 dump_stack+0x130/0x1a8 pri...

5.5 CVSS

6.4 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
266

CVE-2021-46931

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Wrap the tx reporter dump callback to extract the sq Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually of type struct mlx5e_tx_...

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
563

CVE-2021-46932

In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev...

5.5 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
412

CVE-2021-46933

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland pr...

5.5 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
479

CVE-2021-46934

In the Linux kernel, the following vulnerability has been resolved: i2c: validate user data in compat ioctl Wrong user data may cause warning in i2c_transfer(), ex: zero msgs. Userspace should not be able to trigger warnings, so this patch adds validation checks for user data in compact ioctl to prev...

3.3 CVSS

6.1 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
409

CVE-2021-46935

In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void ...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
533

CVE-2021-46936

In the Linux kernel, the following vulnerability has been resolved: net: fix use-after-free in tw_timer_handler A real world panic issue was found as follow in Linux 5.4. BUG: unable to handle page fault for address: ffffde49a863de28 PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0...

7.8 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
584

CVE-2021-46937

In the Linux kernel, the following vulnerability has been resolved: mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()' DAMON debugfs interface increases the reference counts of 'struct pid's for targets from the 'target_ids' file write callback ('dbgfs_target_ids_write()'), but decr...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-02-27 10:15 AM
479

CVE-2021-46938

In the Linux kernel, the following vulnerability has been resolved: dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails When loading a device-mapper table for a request-based mapped device, and the allocation/initialization of the blk_mq_tag_set for the device fails, a follo...

7.8 CVSS

6 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
493

CVE-2021-46939

In the Linux kernel, the following vulnerability has been resolved: tracing: Restructure trace_clock_global() to never block It was reported that a fix to the ring buffer recursion detection would cause a hung machine when performing suspend / resume testing. The following backtrace was extracted fro...

5.5 CVSS

6.7 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
579

CVE-2021-46940

In the Linux kernel, the following vulnerability has been resolved: tools/power turbostat: Fix offset overflow issue in index converting The idx_to_offset() function returns type int (32-bit signed), but MSR_PKG_ENERGY_STAT is u32 and would be interpreted as a negative number. The end result is that ...

5.5 CVSS

6.6 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
630

CVE-2021-46941

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Do core softreset when switch mode According to the programming guide, to switch mode for DRD controller, the driver needs to do the following. To switch from device to host: Reset controller with GCTL.CoreSoftReset...

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
633

CVE-2021-46942

In the Linux kernel, the following vulnerability has been resolved: io_uring: fix shared sqpoll cancellation hangs [ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds. [ 736.982897] Call Trace: [ 736.982901] schedule+0x68/0xe0 [ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110 [ 7...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
511

CVE-2021-46943

In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix set_fmt error handling If there is an error during a set_fmt, do not overwrite the previous sizes with the invalid config. Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and causing ...

7.8 CVSS

6.7 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
412

CVE-2021-46944

In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix memory leak in imu_fmt We are losing the reference to an allocated memory if try. Change the order of the check to avoid that.

5.5 CVSS

6.4 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
276

CVE-2021-46945

In the Linux kernel, the following vulnerability has been resolved: ext4: always panic when errors=panic is specified Before commit 014c9caa29d3 ("ext4: make ext4_abort() use __ext4_error()"), the following series of commands would trigger a panic: mount /dev/sda -o ro,errors=panic test mount /dev/sd...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
548

CVE-2021-46947

In the Linux kernel, the following vulnerability has been resolved: sfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues efx->xdp_tx_queue_count is initially initialized to num_possible_cpus() and is later used to allocate and traverse efx->xdp_tx_queues lookup arr...

5.5 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
488

CVE-2021-46948

In the Linux kernel, the following vulnerability has been resolved: sfc: farch: fix TX queue lookup in TX event handling We're starting from a TXQ label, not a TXQ type, so efx_channel_get_tx_queue() is inappropriate (and could return NULL, leading to panics).

5.5 CVSS

6.4 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
597

CVE-2021-46949

In the Linux kernel, the following vulnerability has been resolved: sfc: farch: fix TX queue lookup in TX flush done handling We're starting from a TXQ instance number ('qid'), not a TXQ type, so efx_get_tx_queue() is inappropriate (and could return NULL, leading to panics).

5.5 CVSS

6.4 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
554

CVE-2021-46950

In the Linux kernel, the following vulnerability has been resolved: md/raid1: properly indicate failure when ending a failed write request This patch addresses a data corruption bug in raid1 arrays using bitmaps. Without this fix, the bitmap bits for the failed I/O end up being cleared. Since we are...

7.8 CVSS

6.5 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
530

CVE-2021-46951

In the Linux kernel, the following vulnerability has been resolved: tpm: efi: Use local variable for calculating final log size When tpm_read_log_efi is called multiple times, which happens when one loads and unloads a TPM2 driver multiple times, then the global variable efi_tpm_final_log_size will a...

5.5 CVSS

6.1 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
358

CVE-2021-46952

In the Linux kernel, the following vulnerability has been resolved: NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds Fix shift out-of-bounds in xprt_calc_majortimeo(). This is caused by a garbage timeout (retrans) mount option being passed to nfs mount, in this case from syzkaller...

7.1 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
543

CVE-2021-46953

In the Linux kernel, the following vulnerability has been resolved: ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure When failing the driver probe because of invalid firmware properties, the GTDT driver unmaps the interrupt that it mapped earlier. However, it never checks wheth...

6.7 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
531

CVE-2021-46954

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets when 'act_mirred' tries to fragment IPv4 packets that had been previously re-assembled using 'act_ct', splats like the following can be observed on kernels built ...

7.1 CVSS

6.4 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
508

CVE-2021-46955

In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4 packets running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets: BUG: KASAN: stack-out-of-bounds in...

6.1 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2560

CVE-2021-46956

In the Linux kernel, the following vulnerability has been resolved: virtiofs: fix memory leak in virtio_fs_probe() When accidentally passing twice the same tag to qemu, kmemleak ended up reporting a memory leak in virtiofs. Also, looking at the log I saw the following error (that's when I realised th...

6.4 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2488

CVE-2021-46957

In the Linux kernel, the following vulnerability has been resolved: riscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe The execution of sys_read end up hitting a BUG_ON() in __find_get_block after installing kprobe at sys_read, the BUG message like the following: [ 65.708663] ---...

6.4 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2500

CVE-2021-46958

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between transaction aborts and fsyncs leading to use-after-free There is a race between a task aborting a transaction during a commit, a task doing an fsync and the transaction kthread, which leads to an use-after-fre...

6 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
1149

CVE-2021-46959

In the Linux kernel, the following vulnerability has been resolved: spi: Fix use-after-free with devm_spi_alloc_* We can't rely on the contents of the devres list during spi_unregister_controller(), as the list is already torn down at the time we perform devres_find() for devm_spi_release_controller....

6.6 AI Score

0.0004 EPSS

2024-02-29 11:15 PM
2108

CVE-2021-46960

In the Linux kernel, the following vulnerability has been resolved: cifs: Return correct error code from smb2_get_enc_key Avoid a warning if the error percolates back up: [440700.376476] CIFS VFS: \otters.example.com crypt_message: Could not get encryption key [440700.386947] ------------[ cut here ...

6.5 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2529

CVE-2021-46961

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3: Do not enable irqs when handling spurious interrups We triggered the following error while running our 4.19 kernel with the pseudo-NMI patches backported to it: [ 14.816231] ------------[ cut here ]------------ [ 14.8...

6.2 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2515

CVE-2021-46962

In the Linux kernel, the following vulnerability has been resolved: mmc: uniphier-sd: Fix a resource leak in the remove function A 'tmio_mmc_host_free()' call is missing in the remove function, in order to balance a 'tmio_mmc_host_alloc()' call in the probe. This is done in the error handling path of...

6.4 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2483

CVE-2021-46963

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() RIP: 0010:kmem_cache_free+0xfa/0x1b0 Call Trace: qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx] scsi_queue_rq+0x5e2/0xa40 __blk_mq_try_issue_directly+0x128/0x1d0 blk_mq_request_issue...

6.3 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2564

CVE-2021-46964

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Reserve extra IRQ vectors Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs. That breaks vector allocation assumptions ...

5.8 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2542

CVE-2021-46965

In the Linux kernel, the following vulnerability has been resolved: mtd: physmap: physmap-bt1-rom: Fix unintentional stack access Cast &data to (char *) in order to avoid unintentionally accessing the stack. Notice that data is of type u32, so any increment to &data will be in the order of 4-byte chu...

6.4 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2668

CVE-2021-46966

In the Linux kernel, the following vulnerability has been resolved: ACPI: custom_method: fix potential use-after-free issue In cm_write(), buf is always freed when reaching the end of the function. If the requested count is less than table.length, the allocated buffer will be freed but subsequent cal...

6.5 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2576

CVE-2021-46967

In the Linux kernel, the following vulnerability has been resolved: vhost-vdpa: fix vm_flags for virtqueue doorbell mapping The virtqueue doorbell is usually implemented via registers but we don't provide the necessary vma->flags like VM_PFNMAP. This may cause several issues e.g when userspace tr...

6.5 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2580

CVE-2021-46968

In the Linux kernel, the following vulnerability has been resolved: s390/zcrypt: fix zcard and zqueue hot-unplug memleak Tests with kvm and a kmemdebug kernel showed, that on hot unplug the zcard and zqueue structs for the unplugged card or queue are not properly freed because of a mismatch with get/...

6.4 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2583

CVE-2021-46969

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: core: Fix invalid error returning in mhi_queue mhi_queue returns an error when the doorbell is not accessible in the current state. This can happen when the device is in non M0 state, like M3, and needs to be waken-up prior...

6.5 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2578

CVE-2021-46970

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: pci_generic: Remove WQ_MEM_RECLAIM flag from state workqueue A recent change created a dedicated workqueue for the state-change work with WQ_HIGHPRI (no strong reason for that) and WQ_MEM_RECLAIM flags, but the state-change...

6.7 AI Score

0.0004 EPSS

2024-02-27 07:04 PM
2576
Total number of security vulnerabilities: 5689