2926 matches found
CVE-2022-49144
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix memory leak of uid in files registration When there are no files for __io_sqe_files_scm() to process in therange, it'll free everything and return. However, it forgets to put uid.
CVE-2022-49151
In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: properly check endpoint type Syzbot reported warning in usb_submit_urb() which is caused by wrongendpoint type. We should check that in endpoint is actually present toprevent this warning. Found pipes are now saved t...
CVE-2022-49193
In the Linux kernel, the following vulnerability has been resolved: ice: fix 'scheduling while atomic' on aux critical err interrupt There's a kernel BUG splat on processing aux critical errorinterrupts in ice_misc_intr(): [ 2100.917085] BUG: scheduling while atomic: swapper/15/0/0x00010000...[ 210...
CVE-2022-49286
In the Linux kernel, the following vulnerability has been resolved: tpm: use try_get_ops() in tpm-space.c As part of the series conversion to remove nested TPM operations: https://lore.kernel.org/all/[email protected]/ exposure of the chip->tpm_mutex was remo...
CVE-2022-49292
In the Linux kernel, the following vulnerability has been resolved: ALSA: oss: Fix PCM OSS buffer allocation overflow We've got syzbot reports hitting INT_MAX overflow at vmalloc()allocation that is called from snd_pcm_plug_alloc(). Although weapply the restrictions to input parameters, it's based ...
CVE-2022-49377
In the Linux kernel, the following vulnerability has been resolved: blk-mq: don't touch ->tagset in blk_mq_get_sq_hctx blk_mq_run_hw_queues() could be run when there isn't queued request andafter queue is cleaned up, at that time tagset is freed, because tagsetlifetime is covered by driver, and ...
CVE-2022-49424
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Fix NULL pointer dereference when printing dev_name When larbdev is NULL (in the case I hit, the node is incorrectly setiommus = ), it will cause device_link_add() fail andkernel crashes when we try to print dev_nam...
CVE-2022-49446
In the Linux kernel, the following vulnerability has been resolved: nvdimm: Fix firmware activation deadlock scenarios Lockdep reports the following deadlock scenarios for CXL root devicepower-management, device_prepare(), operations, and device_shutdown()operations for 'nd_region' devices: Chain e...
CVE-2022-49460
In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: rk3399_dmc: Disable edev on remove() Otherwise we hit an unablanced enable-count when unbinding the DFIdevice: [ 1279.659119] ------------[ cut here ]------------[ 1279.659179] WARNING: CPU: 2 PID: 5638 at drivers/dev...
CVE-2022-49501
In the Linux kernel, the following vulnerability has been resolved: usbnet: Run unregister_netdev() before unbind() again Commit 2c9d6c2b871d ("usbnet: run unbind() before unregister_netdev()")sought to fix a use-after-free on disconnect of USB Ethernet adapters. It turns out that a different fix i...
CVE-2022-49523
In the Linux kernel, the following vulnerability has been resolved: ath11k: disable spectral scan during spectral deinit When ath11k modules are removed using rmmod with spectral scan enabled,crash is observed. Different crash trace is observed for each crash. Send spectral scan disable WMI command...
CVE-2022-49570
In the Linux kernel, the following vulnerability has been resolved: gpio: gpio-xilinx: Fix integer overflow Current implementation is not able to configure more than 32 pinsdue to incorrect data type. So type casting with unsigned longto avoid it.
CVE-2022-49652
In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate of_parse_phandle() returns a node pointer with refcountincremented, we should use of_node_put() on it when not needed anymore. Add missing of_node_put() in to fix this...
CVE-2022-49670
In the Linux kernel, the following vulnerability has been resolved: linux/dim: Fix divide by 0 in RDMA DIM Fix a divide 0 error in rdma_dim_stats_compare() when prev->cpe_ratio ==0. CallTrace:Hardware name: H3C R4900 G3/RS33M2C9S, BIOS 2.00.37P21 03/12/2020task: ffff880194b78000 task.stack: ffff...
CVE-2022-49677
In the Linux kernel, the following vulnerability has been resolved: ARM: cns3xxx: Fix refcount leak in cns3xxx_init of_find_compatible_node() returns a node pointer with refcountincremented, we should use of_node_put() on it when done.Add missing of_node_put() to avoid refcount leak.
CVE-2022-49701
In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Allocate/free queue resource only during probe/remove Currently, the sub-queues and event pool resources are allocated/freed forevery CRQ connection event such as reset and LPM. This exposes the driverto a couple issu...
CVE-2022-49839
In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_transport_sas: Fix error handling in sas_phy_add() If transport_add_device() fails in sas_phy_add(), the kernel will crashtrying to delete the device in transport_remove_device() called fromsas_remove_host(). Unable to h...
CVE-2023-53052
In the Linux kernel, the following vulnerability has been resolved: cifs: fix use-after-free bug in refresh_cache_worker() The UAF bug occurred because we were putting DFS root sessions incifs_umount() while DFS cache refresher was being executed. Make DFS root sessions have same lifetime as DFS tc...
CVE-2024-56764
In the Linux kernel, the following vulnerability has been resolved: ublk: detach gendisk from ublk device if add_disk() fails Inside ublk_abort_requests(), gendisk is grabbed for aborting allinflight requests. And ublk_abort_requests() is called when exitingthe uring context or handling timeout. If...
CVE-2024-56766
In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fix double free in atmel_pmecc_create_user() The "user" pointer was converted from being allocated with kzalloc() tobeing allocated by devm_kzalloc(). Calling kfree(user) will lead to adouble free.
CVE-2024-57857
In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Remove direct link to net_device Do not manage a per device direct link to net_device. Relyon associated ib_devices net_device management, not doublingthe effort locally. A badly managed local link to net_devicewas causin...
CVE-2024-58034
In the Linux kernel, the following vulnerability has been resolved: memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() As of_find_node_by_name() release the reference of the argument devicenode, tegra_emc_find_node_by_ram_code() releases some device nodes whilest...
CVE-2024-58064
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: tests: Fix potential NULL dereference in test_cfg80211_parse_colocated_ap() kunit_kzalloc() may return NULL, dereferencing it without NULL check maylead to NULL dereference.Add a NULL check for ies.
CVE-2025-21707
In the Linux kernel, the following vulnerability has been resolved: mptcp: consolidate suboption status MPTCP maintains the received sub-options status is the bitmask carryingthe received suboptions and in several bitfields carrying per suboptionadditional info. Zeroing the bitmask before parsing i...
CVE-2025-21795
In the Linux kernel, the following vulnerability has been resolved: NFSD: fix hang in nfsd4_shutdown_callback If nfs4_client is in courtesy state then there is no point to sendthe callback. This causes nfsd4_shutdown_callback to hang sincecl_cb_inflight is not 0. This hang lasts about 15 minutes un...
CVE-2025-21808
In the Linux kernel, the following vulnerability has been resolved: net: xdp: Disallow attaching device-bound programs in generic mode Device-bound programs are used to support RX metadata kfuncs. Thesekfuncs are driver-specific and rely on the driver context to read themetadata. This means they ca...
CVE-2025-21828
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't flush non-uploaded STAs If STA state is pre-moved to AUTHORIZED (such as in IBSSscenarios) and insertion fails, the station is freed.In this case, the driver never knew about the station,so trying to flush it ...
CVE-2025-21860
In the Linux kernel, the following vulnerability has been resolved: mm/zswap: fix inconsistency when zswap_store_page() fails Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()")skips charging any zswap entries when it failed to zswap the entire folio. However, when some base pa...
CVE-2025-21881
In the Linux kernel, the following vulnerability has been resolved: uprobes: Reject the shared zeropage in uprobe_write_opcode() We triggered the following crash in syzkaller tests: BUG: Bad page state in process syz.7.38 pfn:1eff3page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0...
CVE-2025-21950
In the Linux kernel, the following vulnerability has been resolved: drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl In the "pmcmd_ioctl" function, three memory objects allocated bykmalloc are initialized by "hcall_get_cpu_state", which are thencopied to user space. The initi...
CVE-2025-21970
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Bridge, fix the crash caused by LAG state check When removing LAG device from bridge, NETDEV_CHANGEUPPER event istriggered. Driver finds the lower devices (PFs) to flush all theoffloaded entries. And mlx5_lag_is_shared_fd...
CVE-2025-22001
In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user viaqaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure thatthe math doesn't have an integer wrapping bug.
CVE-2025-22013
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state There are several problems with the way hyp code lazily saves the host'sFPSIMD/SVE state, including: Host SVE being discarded unexpectedly due to inconsistentconfigur...
CVE-2025-37757
In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit In case the backlog transmit queue for system-importance messages is overloaded,tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads tomemory leak and failure when a s...
CVE-2020-36791
In the Linux kernel, the following vulnerability has been resolved: net_sched: keep alloc_hash updated after hash allocation In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")I moved cp->hash calculation before the firsttcindex_alloc_perfect_hash(), but cp->alloc_hash is l...
CVE-2022-49092
In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix route with nexthop object delete warning FRR folks have hit a kernel warning[1] while deleting routes[2] which iscaused by trying to delete a route pointing to a nexthop id withoutspecifying nhid but matching on an i...
CVE-2022-49095
In the Linux kernel, the following vulnerability has been resolved: scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one() The error handling path of the probe releases a resource that is not freedin the remove function. In some cases, a ioremap() must be undone. Add the missing iounmap() cal...
CVE-2022-49159
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Implement ref count for SRB The timeout handler and the done function are racing. Whenqla2x00_async_iocb_timeout() starts to run it can be preempted by thenormal response path (via the firmware?). qla24xx_async_gpsc_...
CVE-2022-49204
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix more uncharged while msg has more_data In tcp_bpf_send_verdict(), if msg has more data aftertcp_bpf_sendmsg_redir(): tcp_bpf_send_verdict()tosend = msg->sg.size //msg->sg.size = 22220case __SK_REDIRECT:sk_ms...
CVE-2022-49258
In the Linux kernel, the following vulnerability has been resolved: crypto: ccree - Fix use after free in cc_cipher_exit() kfree_sensitive(ctx_p->user.key) will free the ctx_p->user.key. Butctx_p->user.key is still used in the next line, which will lead to ause after free. We can call kfre...
CVE-2022-49337
In the Linux kernel, the following vulnerability has been resolved: ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock When user_dlm_destroy_lock failed, it didn't clean up the flags it setbefore exit. For USER_LOCK_IN_TEARDOWN, if this function fails because oflock is still in used, next ti...
CVE-2022-49382
In the Linux kernel, the following vulnerability has been resolved: soc: rockchip: Fix refcount leak in rockchip_grf_init of_find_matching_node_and_match returns a node pointer with refcountincremented, we should use of_node_put() on it when done.Add missing of_node_put() to avoid refcount leak.
CVE-2022-49392
In the Linux kernel, the following vulnerability has been resolved: serial: 8250_aspeed_vuart: Fix potential NULL dereference in aspeed_vuart_probe platform_get_resource() may fail and return NULL, so we shouldbetter check it's return value to avoid a NULL pointer dereference.
CVE-2022-49427
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Remove clk_disable in mtk_iommu_remove After the commit b34ea31fe013 ("iommu/mediatek: Always enable the clk onresume"), the iommu clock is controlled by the runtime callback.thus remove the clk control in the mtk_i...
CVE-2022-49431
In the Linux kernel, the following vulnerability has been resolved: powerpc/iommu: Add missing of_node_put in iommu_init_early_dart The device_node pointer is returned by of_find_compatible_nodewith refcount incremented. We should use of_node_put() to avoidthe refcount leak.
CVE-2022-49450
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix listen() setting the bar too high for the prealloc rings AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bumpup the sysctl), but whilst the preallocation circular buffers have 32 slotsin them, one o...
CVE-2022-49470
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event We should not access skb buffer data anymore after hci_recv_frame wascalled. [ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0[ 39.634855] Read of...
CVE-2022-49488
In the Linux kernel, the following vulnerability has been resolved: drm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected There is a possibility for mdp5_get_global_state to return-EDEADLK when acquiring the modeset lock, but currently global_state inmdp5_mixer_release doe...
CVE-2022-49494
In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: cadence: fix possible null-ptr-deref in cadence_nand_dt_probe() It will cause null-ptr-deref when using 'res', if platform_get_resource()returns NULL, so move using 'res' after devm_ioremap_resource() thatwill check i...
CVE-2022-49503
In the Linux kernel, the following vulnerability has been resolved: ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need toensure that it is within the bitmap. drivers/net/wireless/ath/ath9k/comm...