Race condition

In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix race condition of overwrite vs truncate posfsstress testcase complains a panic as belew: ------------ cut here ------------ kernel BUG at fs/f2fs/compress.c:1082! invalid opcode: 0000 1 SMP PTI CPU: 4 PID:...

Null pointer dereference

In the Linux kernel, the following vulnerability has been resolved: nvmet-rdma: Fix NULL deref when SEND is completed with error When running some traffic and taking down the link on peer, a retry counter exceeded error is received. This leads to nvmetrdmaerrorcomp which tried accessing the...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: ACPI: scan: Fix a memory leak in an error handling path If 'acpidevicesetname' fails, we must free 'acpidevicebusid-busid' or there is a potential memory leak...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: userfaultfd: release page in error path to avoid BUGON Consider the following sequence of events: 1. Userspace issues a UFFD ioctl, which ends up calling into shmemmfillatomicpte. We successfully account the blocks, we...

Null pointer dereference

In the Linux kernel, the following vulnerability has been resolved: nbd: Fix NULL pointer in flushworkqueue Open /dev/nbdX first, the configrefs will be 1 and the pointers in nbddevice are still null. Disconnect /dev/nbdX, then reference a null recvworkq. The protection by configrefs in...

Race condition

In the Linux kernel, the following vulnerability has been resolved: hfsplus: prevent corruption in shrinking truncate I believe there are some issues introduced by commit 31651c607151 "hfsplus: avoid deadlock on file truncation" HFS+ has extent records which always contains 8 extents. In case the...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: Free gadget structure only after freeing endpoints As part of commit e81a7018d93a "usb: dwc3: allocate gadget structure dynamically" the dwc3gadgetrelease was added which will free the dwc-gadget structure upon...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock when cloning inline extents and using qgroups There are a few exceptional cases where cloning an inline extent needs to copy the inline extent data into a page of the destination inode. When this happens, we e...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix crashes when toggling entry flush barrier The entry flush mitigation can be enabled/disabled at runtime via a debugfs file entryflush, which causes the kernel to patch itself to enable/disable the relevant...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: i40e: Fix use-after-free in i40eclientsubtask Currently the call to i40eclientdelinstance frees the object pf-cinst, however pf-cinst-laninfo is being accessed after the free. Fix this by adding the missing return...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: avoid overflows in nfthashbuckets Number of buckets being stored in 32bit variables, we have to ensure that no overflows occur in nfthashbuckets syzbot injected a size == 0x40000000 and reported: UBSAN:...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: ethernet:enic: Fix a use after free bug in enichardstartxmit In enichardstartxmit, it calls enicqueuewqskb. Inside enicqueuewqskb, if some error happens, the skb will be freed by devkfreeskbskb. But the freed skb is still used in...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: sched: Fix out-of-bound access in uclamp Util-clamp places tasks in different buckets based on their clamp values for performance reasons. However, the size of buckets is currently computed using a rounding division, which can le...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: arm64: entry: always set GICPRIOPSRISET during entry Zenghui reports that booting a kernel with "irqchip.gicv3pseudonmi=1" on the command line hits a warning during kernel entry, due to the way we manipulate the PMR. Early in the...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix resume from sleep before interface was brought up Since 8ce8c0abcba3 the driver queues work via priv-restartwork when resuming after suspend, even when the interface was not previously enabled. This causes a nul...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: sctp: do asoc update earlier in sctpsfdodupcooka There's a panic that occurs in a few of envs, the call trace is as below: general protection fault, ... 0x29acd70f1000a: 0000 1 SMP PTI RIP:...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: kyber: fix out of bounds access when preempted blkmqschedbiomerge gets the ctx and hctx for the current CPU and passes the hctx to -biomerge. kyberbiomerge then gets the ctx for the current CPU again and uses that to get the...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: can: mcp251xfd: mcp251xfdprobe: fix an error pointer dereference in probe When we converted this code to use deverrprobe we accidentally removed a return. It means that if devmclkget it will lead to an Oops when we call clkgetrat...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: ceph: fix inode leak on getattr error in fhtodentry...

Null pointer dereference

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix null pointer dereference in svcrqstfree When allocpagesnode returns null in svcrqstalloc, the null rqscratchpage pointer will be dereferenced when calling putpage in svcrqstfree. Fix it by adding a null check...

Null pointer dereference

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix potential null dereference on pointer status There are calls to idxdcmdexec that pass a null status pointer however a recent commit has added an assignment to status that can end up with a null pointer...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Fix cwnd update ordering After a reconnect, the reply handler is opening the cwnd and thus enabling more RPC Calls to be sent /before/ rpcrdmapostrecvs can post enough Receive WRs to receive their replies. This causes a...

Null pointer dereference

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix NULL pointer dereference for -getfeatures getfeatures ops of pciepcops may return NULL, causing NULL pointer dereference in pciepftestallocspace function. Let us add a check for pciepcfeature pointer in...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid touching checkpointed data in getvictim In CP disabling mode, there are two issues when using LFS or SSR | ATSSR mode to select victim: 1. LFS is set to find source section during GC, the victim should have no...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix a use after free in siwallocmr Our code analyzer reported a UAF. In siwallocmr, it calls siwmraddmemmr,... In the implementation of siwmraddmem, mem is assigned to mr-mem and then mem is freed via kfreemem if...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: mm: memcontrol: slab: fix obtain a reference to a freeing memcg Patch series "Use objcgroup APIs to charge kmem pages", v5. Since Roman's series "The new cgroup slab memory controller" applied. All slab objects are charged with t...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak on object td Two error return paths are neglecting to free allocated object td, causing a memory leak. Fix this by returning via the error return path that securely kfree's td. Fixes clang scan-buil...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: net:emac/emac-mac: Fix a use after free in emacmactxbufsend In emacmactxbufsend, it calls emactxfilltpd..,skb,... If some error happens in emactxfilltpd, the skb will be freed via devkfreeskbskb in error branch of emactxfilltpd...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: net: Only allow init netns to set default tcp cong to a restricted algo tcpsetdefaultcongestioncontrol is netns-safe in that it writes to &net-ipv4.tcpcongestioncontrol, but it also sets ca-flags |= TCPCONGNONRESTRICTED which is...

Null pointer dereference

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Make sure GHCB is mapped before updating Access to the GHCB is mainly in the VMGEXIT path and it is known that the GHCB will be mapped. But there are two paths where it is possible the GHCB might not be mapped. The...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix panic during f2fsresizefs f2fsresizefs hangs in below callstack with testcase: - mkfs 16GB image & mount image - dd 8GB fileA - dd 8GB fileB - sync - rm fileA - sync - resize filesystem to 8GB kernel BUG at...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: bnxten: Fix RX consumer index logic in the error path. In bnxtrxpkt, the RX buffers are expected to complete in order. If the RX consumer index indicates an out of order buffer completion, it means we are hitting a hardware bug a...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: powerpc/64: Fix the definition of the fixmap area At the time being, the fixmap area is defined at the top of the address space or just below KASAN. This definition is not valid for PPC64. For PPC64, use the top of the I/O space...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix memleak when mt7915unregisterdevice mt7915txtokenput should get call before mt76freependingtxwi...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix memleak when mt7615unregisterdevice mt7615txtokenput should get call before mt76freependingtxwi...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix possible invalid register access Disable the interrupt and synchronze for the pending irq handlers to ensure the irq tasklet is not being scheduled after the suspend to avoid the possible invalid register access...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: ath10k: Fix a use after free in ath10khtcsendbundle In ath10khtcsendbundle, the bundleskb could be freed by devkfreeskbanybundleskb. But the bundleskb is used later by bundleskb-len. As skblen = bundleskb-len, my patch replaces...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: ARM: 9064/1: hwbreakpoint: Do not directly check the event's overflowhandler hook The commit 1879445dfa7b "perf/core: Set event's default ::overflowhandler" set a default event-overflowhandler in perfeventalloc, and replace the...

Design/Logic Flaw

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: free queued packets when closing socket As reported by syzbot 1, there is a memory leak while closing the socket. We partially solved this issue with commit ac03046ece2b "vsock/virtio: free packets during the socket...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-clt: destroy sysfs after removing session from active list A session can be removed dynamically by sysfs interface "removepath" that eventually calls rtrscltremovepathfromsysfs function. The current...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix kernel crash when the firmware fails to download Fix kernel crash when the firmware is missing or fails to download. 9.444758 kernel BUG at drivers/pci/msi.c:375! 9.449363 Internal error: Oops - BUG: 0 1 PREEMPT...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Always enable the clk on resume In mtkiommuruntimeresume always enable the clk, even if m4udom is null. Otherwise the 'suspend' cb might disable the clk which is already disabled causing the warning: 1.586104...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: mt76: connac: fix kernel warning adding monitor interface Fix the following kernel warning adding a monitor interface in mt76connacmcuuniadddev routine. 507.984882 ------------ cut here ------------ 507.989515 WARNING: CPU: 1 PID...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix txrate reporting Properly check rateinfo to fix unexpected reporting. 1215.161863 Call trace: 1215.164307 cfg80211calculatebitrate+0x124/0x200 cfg80211 1215.170139 ieee80211supdatemetric+0x80/0xc0 mac80211...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: ASoC: q6afe-clocks: fix reprobing of the driver Q6afe-clocks driver can get reprobed. For example if the APR services are restarted after the firmware crash. However currently Q6afe-clocks driver will oops because hw.init will ge...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix tx skb dma unmap The first pointer in the txp needs to be unmapped as well, otherwise it will leak DMA mapping entries...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix tx skb dma unmap The first pointer in the txp needs to be unmapped as well, otherwise it will leak DMA mapping entries...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: udp: skip L4 aggregation for UDP tunnel packets If NETIFFGROFRAGLIST or NETIFFGROUDPFWD are enabled, and there are UDP tunnels available in the system, udpgroreceive could end-up doing L4 aggregation either SKBGSOUDPL4 or...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Remove WO permissions on second-level paging entries When the first level page table is used for IOVA translation, it only supports Read-Only and Read-Write permissions. The Write-Only permission is not supported as t...

Spoofing

In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix pte update for kernel memory on radix When adding a PTE a ptesync is needed to order the update of the PTE with subsequent accesses otherwise a spurious fault may be raised. radixsetpteat does not do this for...