Lucene search

4367 matches found

CVE
added 2024/02/27 7:4 p.m., 666 views

CVE-2021-46941

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Do core softreset when switch mode According to the programming guide, to switch mode for DRD controller, the driver needs to do the following. To switch from device to host: Reset controller with GCTL.CoreSoftReset...

CVSS 5.5 | AI score 6 | EPSS 0.00018
CVE
added 2024/02/20 9:15 p.m., 663 views

CVE-2023-52439

In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) ui...

CVSS 7.8 | AI score 7.8 | EPSS 0.00011
CVE
added 2024/02/27 10:15 a.m., 661 views

CVE-2021-46929

In the Linux kernel, the following vulnerability has been resolved: sctp: use call_rcu to free endpoint This patch is to delay the endpoint free by calling call_rcu() to fix another use-after-free issue in sctp_sock_dump(): BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20 Call Trace: __lock_...

CVSS 5.5 | AI score 6.2 | EPSS 0.00007
CVE
added 2024/02/21 3:15 p.m., 659 views

CVE-2024-26582

In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx...

CVSS 7.8 | AI score 6.6 | EPSS 0.00012
CVE
added 2024/02/20 6:15 p.m., 653 views

CVE-2023-52434

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential OOBs in smb2_parse_contexts() Validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts(). This fixes following oops when accessing invalid create contexts from server: BUG: u...

CVSS 8 | AI score 7.7 | EPSS 0.00021
CVE
added 2024/02/27 7:4 p.m., 651 views

CVE-2021-46940

In the Linux kernel, the following vulnerability has been resolved: tools/power turbostat: Fix offset overflow issue in index converting The idx_to_offset() function returns type int (32-bit signed), but MSR_PKG_ENERGY_STAT is u32 and would be interpreted as a negative number. The end result is that ...

CVSS 5.5 | AI score 5.2 | EPSS 0.00035
CVE
added 2024/02/27 10:15 a.m., 645 views

CVE-2021-46927

In the Linux kernel, the following vulnerability has been resolved: nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert After commit 5b78ed24e8ec ("mm/pagemap: add mmap_assert_locked() annotations to find_vma*()"), the call to get_user_pages() will trigger the mmap assert. static...

CVSS 5.5 | AI score 5.9 | EPSS 0.00007
CVE
added 2024/02/21 3:15 p.m., 640 views

CVE-2024-26585

In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling...

CVSS 4.7 | AI score 6.6 | EPSS 0.0004
CVE
added 2024/02/27 7:4 p.m., 634 views

CVE-2020-36776

In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/cpufreq_cooling: Fix slab OOB issue Slab OOB issue is scanned by KASAN in cpu_power_to_freq(). If power is limited below the power of OPP0 in EM table, it will cause slab out-of-bound issue with negative array index. R...

CVSS 5.5 | AI score 5.9 | EPSS 0.00035
CVE
added 2024/02/27 7:15 a.m., 632 views

CVE-2021-46915

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: avoid possible divide error in nft_limit_init div_u64() divides u64 by u32. nft_limit_init() wants to divide u64 by u64, use the appropriate math function (div64_u64) divide error: 0000 [#1] PREEMPT SMP KASAN CP...

CVSS 5.5 | AI score 6.1 | EPSS 0.00007
CVE
added 2024/02/27 10:15 a.m., 627 views

CVE-2021-46936

In the Linux kernel, the following vulnerability has been resolved: net: fix use-after-free in tw_timer_handler A real world panic issue was found as follow in Linux 5.4. BUG: unable to handle page fault for address: ffffde49a863de28 PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0...

CVSS 7.8 | AI score 7.4 | EPSS 0.00012
CVE
added 2024/02/27 7:15 a.m., 621 views

CVE-2021-46909

In the Linux kernel, the following vulnerability has been resolved: ARM: footbridge: fix PCI interrupt mapping Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()"), the PCI code will call the IRQ mapping function whenever a PCI driver is probed. If these are marked ...

CVSS 5.5 | AI score 6.9 | EPSS 0.00007
CVE
added 2024/02/27 7:4 p.m., 620 views

CVE-2020-36777

In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: Fix memory leak in dvb_media_device_free() dvb_media_device_free() is leaking memory. Free dvbdev->adapter->conn before setting it to NULL, as documented in include/media/media-device.h: "The media_entity instanc...

CVSS 5.5 | AI score 6.1 | EPSS 0.00007
CVE
added 2024/02/27 7:15 a.m., 618 views

CVE-2021-46912

In the Linux kernel, the following vulnerability has been resolved: net: Make tcp_allowed_congestion_control readonly in non-init netns Currently, tcp_allowed_congestion_control is global and writable; writing to it in any net namespace will leak into all other net namespaces. tcp_available_congestio...

CVSS 5.5 | AI score 6 | EPSS 0.00035
CVE
added 2024/02/27 7:4 p.m., 618 views

CVE-2021-46948

In the Linux kernel, the following vulnerability has been resolved: sfc: farch: fix TX queue lookup in TX event handling We're starting from a TXQ label, not a TXQ type, so efx_channel_get_tx_queue() is inappropriate (and could return NULL, leading to panics).

CVSS 5.5 | AI score 5.2 | EPSS 0.00035
CVE
added 2024/02/27 7:15 a.m., 615 views

CVE-2021-46910

In the Linux kernel, the following vulnerability has been resolved: ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled The debugging code for kmap_local() doubles the number of per-CPU fixmap slots allocated for kmap_local(), in order to use half of them as guard regions. T...

CVSS 5.5 | AI score 5.2 | EPSS 0.00035
CVE
added 2024/02/27 10:15 a.m., 606 views

CVE-2021-46925

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix kernel panic caused by race of smc_sock A crash occurs when smc_cdc_tx_handler() tries to access smc_sock but smc_release() has already freed it. [ 4570.695099] BUG: unable to handle page fault for address: 000000002eae...

CVSS 4.7 | AI score 5.6 | EPSS 0.00007
CVE
added 2024/04/17 11:15 a.m., 599 views

CVE-2024-26875

In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix uaf in pvr2_context_set_notify [Syzbot reported] BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 Read of size 4 at addr ffff888113aeb0d8 by tas...

CVSS 6.4 | AI score 6.5 | EPSS 0.0001
CVE
added 2024/02/27 10:15 a.m., 593 views

CVE-2021-46931

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Wrap the tx reporter dump callback to extract the sq Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually of type struct mlx5e_tx_...

CVSS 5.5 | AI score 6.1 | EPSS 0.00011
CVE
added 2024/02/27 7:15 a.m., 589 views

CVE-2021-46908

In the Linux kernel, the following vulnerability has been resolved: bpf: Use correct permission flag for mixed signed bounds arithmetic We forbid adding unknown scalars with mixed signed bounds due to the spectre v1 masking mitigation. Hence this also needs bypass_spec_v1 flag instead of allow_ptr_le...

CVSS 5.5 | AI score 6.1 | EPSS 0.00002
CVE
added 2024/02/27 7:4 p.m., 576 views

CVE-2021-46949

In the Linux kernel, the following vulnerability has been resolved: sfc: farch: fix TX queue lookup in TX flush done handling We're starting from a TXQ instance number ('qid'), not a TXQ type, so efx_get_tx_queue() is inappropriate (and could return NULL, leading to panics).

CVSS 5.5 | AI score 5.2 | EPSS 0.00035
CVE
added 2024/02/27 7:4 p.m., 575 views

CVE-2021-46952

In the Linux kernel, the following vulnerability has been resolved: NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds Fix shift out-of-bounds in xprt_calc_majortimeo(). This is caused by a garbage timeout (retrans) mount option being passed to nfs mount, in this case from syzkaller...

CVSS 7.1 | AI score 6.9 | EPSS 0.00016
CVE
added 2024/02/27 7:4 p.m., 571 views

CVE-2021-46945

In the Linux kernel, the following vulnerability has been resolved: ext4: always panic when errors=panic is specified Before commit 014c9caa29d3 ("ext4: make ext4_abort() use __ext4_error()"), the following series of commands would trigger a panic: mount /dev/sda -o ro,errors=panic test mount /dev/sd...

CVSS 5.5 | AI score 6 | EPSS 0.00011
CVE
added 2024/02/21 8:15 a.m., 570 views

CVE-2023-52440

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() If authblob->SessionKey.Length is bigger than session key size (CIFS_KEY_SIZE), slub overflow can happen in key exchange codes. cifs_arc4_crypt copy to session key array ...

CVSS 7.8 | AI score 7.5 | EPSS 0.00801
CVE
added 2024/02/21 8:15 a.m., 569 views

CVE-2023-52441

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out of bounds in init_smb2_rsp_hdr() If client send smb2 negotiate request and then send smb1 negotiate request, init_smb2_rsp_hdr is called for smb1 negotiate request since need_neg is set to false. This patch ignore smb1...

CVSS 7.8 | AI score 8.4 | EPSS 0.00013
CVE
added 2024/02/27 7:4 p.m., 567 views

CVE-2021-46950

In the Linux kernel, the following vulnerability has been resolved: md/raid1: properly indicate failure when ending a failed write request This patch addresses a data corruption bug in raid1 arrays using bitmaps. Without this fix, the bitmap bits for the failed I/O end up being cleared. Since we are...

CVSS 7.8 | AI score 7.6 | EPSS 0.00013
CVE
added 2024/02/27 10:15 a.m., 559 views

CVE-2021-46935

In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void ...

CVSS 5.5 | AI score 5.2 | EPSS 0.00017
CVE
added 2024/02/20 8:15 p.m., 559 views

CVE-2023-52435

In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able to crash the kernel in skb_segment() [1] GSO_BY_FRAGS is a forbidden value, but unfortunately the following computation in skb_segment() can reach it quite easily ...

CVSS 5.5 | AI score 6.6 | EPSS 0.00009
CVE
added 2024/02/27 7:4 p.m., 556 views

CVE-2021-46953

In the Linux kernel, the following vulnerability has been resolved: ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure When failing the driver probe because of invalid firmware properties, the GTDT driver unmaps the interrupt that it mapped earlier. However, it never checks wheth...

CVSS 6.7 | AI score 6.7 | EPSS 0.00011
CVE
added 2024/02/27 7:15 a.m., 552 views

CVE-2021-46918

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: clear MSIX permission entry on shutdown Add disabling/clearing of MSIX permission entries on device shutdown to mirror the enabling of the MSIX entries on probe. Current code left the MSIX enabled and the pasid entri...

CVSS 5.5 | AI score 6.3 | EPSS 0.00009
CVE
added 2024/02/27 7:15 a.m., 545 views

CVE-2021-46917

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq cleanup of WQCFG registers A pre-release silicon erratum workaround where wq reset does not clear WQCFG registers was leaked into upstream code. Use wq reset command instead of blasting the MMIO region. This a...

CVSS 5.5 | AI score 5.3 | EPSS 0.00015
CVE
added 2024/02/27 7:15 a.m., 541 views

CVE-2021-46919

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq size store permission state WQ size can only be changed when the device is disabled. Current code allows change when device is enabled but wq is disabled. Change the check to detect device state.

CVSS 5.5 | AI score 5.3 | EPSS 0.00017
CVE
added 2024/02/27 7:4 p.m., 534 views

CVE-2021-46942

In the Linux kernel, the following vulnerability has been resolved: io_uring: fix shared sqpoll cancellation hangs [ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds. [ 736.982897] Call Trace: [ 736.982901] schedule+0x68/0xe0 [ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110 [ 7...

CVSS 5.5 | AI score 5.3 | EPSS 0.00035
CVE
added 2024/02/27 7:4 p.m., 530 views

CVE-2021-46954

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets when 'act_mirred' tries to fragment IPv4 packets that had been previously re-assembled using 'act_ct', splats like the following can be observed on kernels built ...

CVSS 7.1 | AI score 6.7 | EPSS 0.00018
CVE
added 2024/02/27 7:4 p.m., 529 views

CVE-2021-46938

In the Linux kernel, the following vulnerability has been resolved: dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails When loading a device-mapper table for a request-based mapped device, and the allocation/initialization of the blk_mq_tag_set for the device fails, a follo...

CVSS 7.8 | AI score 7.2 | EPSS 0.00012
CVE
added 2024/02/27 10:15 a.m., 526 views

CVE-2021-46921

In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond...

CVSS 5.5 | AI score 6 | EPSS 0.00009
CVE
added 2024/02/27 10:15 a.m., 521 views

CVE-2021-46933

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland pr...

CVSS 5.5 | AI score 6.1 | EPSS 0.00009
CVE
added 2024/02/27 10:15 a.m., 509 views

CVE-2021-46928

In the Linux kernel, the following vulnerability has been resolved: parisc: Clear stale IIR value on instruction access rights trap When a trap 7 (Instruction access rights) occurs, this means the CPU couldn't execute an instruction due to missing execute permissions on the memory region. In this cas...

CVSS 5.5 | AI score 6.2 | EPSS 0.00008
CVE
added 2024/02/22 5:15 p.m., 507 views

CVE-2024-26590

In the Linux kernel, the following vulnerability has been resolved: erofs: fix inconsistent per-file compression format EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkal...

CVSS 5.5 | AI score 6 | EPSS 0.00013
CVE
added 2024/02/27 7:4 p.m., 506 views

CVE-2021-46947

In the Linux kernel, the following vulnerability has been resolved: sfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues efx->xdp_tx_queue_count is initially initialized to num_possible_cpus() and is later used to allocate and traverse efx->xdp_tx_queues lookup arr...

CVSS 5.5 | AI score 5 | EPSS 0.00035
CVE
added 2024/02/27 10:15 a.m., 503 views

CVE-2021-46937

In the Linux kernel, the following vulnerability has been resolved: mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()' DAMON debugfs interface increases the reference counts of 'struct pid's for targets from the 'target_ids' file write callback ('dbgfs_target_ids_write()'), but decr...

CVSS 5.5 | AI score 6.1 | EPSS 0.00031
CVE
added 2024/02/27 10:15 a.m., 501 views

CVE-2021-46923

In the Linux kernel, the following vulnerability has been resolved: fs/mount_setattr: always cleanup mount_kattr Make sure that finish_mount_kattr() is called after mount_kattr was successfully built in both the success and failure case to prevent leaking any references we took when we built it. We re...

CVSS 5.5 | AI score 6.1 | EPSS 0.00013
CVE
added 2024/02/27 10:15 a.m., 459 views

CVE-2021-46934

In the Linux kernel, the following vulnerability has been resolved: i2c: validate user data in compat ioctl Wrong user data may cause warning in i2c_transfer(), ex: zero msgs. Userspace should not be able to trigger warnings, so this patch adds validation checks for user data in compact ioctl to prev...

CVSS 3.3 | AI score 5.3 | EPSS 0.00015
CVE
added 2024/02/27 7:15 a.m., 450 views

CVE-2021-46913

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: clone set element expression template memcpy() breaks when using connlimit in set elements. Use nft_expr_clone() to initialize the connlimit expression list, otherwise connlimit garbage collector crashes when wal...

CVSS 5.5 | AI score 5.8 | EPSS 0.00035
CVE
added 2024/02/27 10:15 a.m., 449 views

CVE-2021-46922

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix TPM reservation for seal/unseal The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") was correct on the mailing list: https://lore.kernel.org/linux-integrity/20210128235621...

CVSS 5.5 | AI score 5.7 | EPSS 0.00017
CVE
added 2024/02/27 10:15 a.m., 447 views

CVE-2021-46924

In the Linux kernel, the following vulnerability has been resolved: NFC: st21nfca: Fix memory leak in device probe and remove 'phy->pending_skb' is alloced when device probe, but forgot to free in the error handling path and remove path, this cause memory leak as follows: unreferenced object 0xfff...

CVSS 5.5 | AI score 6.1 | EPSS 0.00007
CVE
added 2024/02/27 10:15 a.m., 445 views

CVE-2021-46926

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues ...

CVSS 5.5 | AI score 6.3 | EPSS 0.00008
CVE
added 2024/05/15 6:15 p.m., 442 views

CVE-2024-25743

In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.

CVSS 7.1 | AI score 6.4 | EPSS 0.00071
CVE
added 2024/02/27 10:15 a.m., 440 views

CVE-2021-46932

In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev...

CVSS 5.5 | AI score 6.1 | EPSS 0.00006
CVE
added 2024/02/27 7:4 p.m., 439 views

CVE-2021-46943

In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix set_fmt error handling If there is an error during a set_fmt, do not overwrite the previous sizes with the invalid config. Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and causing ...

CVSS 7.8 | AI score 7.5 | EPSS 0.00031
Total number of security vulnerabilities: 4367