CVE-2022-48799

In the Linux kernel, the following vulnerability has been resolved: perf: Fix list corruption in perf_cgroup_switch() There's list corruption on cgrp_cpuctx_list. This happens on thefollowing path: perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list)cpu_ctx_sched_inctx_sched_inctx_pinned_sched...

CVE-2022-48850

In the Linux kernel, the following vulnerability has been resolved: net-sysfs: add check for netdevice being present to speed_show When bringing down the netdevice or system shutdown, a panic can betriggered while accessing the sysfs path because the device is alreadyremoved. [ 755.549084] mlx5_cor...

CVE-2022-48910

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ensure we call ipv6_mc_down() at most once There are two reasons for addrconf_notify() to be called with NETDEV_DOWN:either the network device is actually going down, or IPv6 was disabledon the interface. If either of th...

CVE-2022-48990

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free during gpu recovery [Why][ 754.862560] refcount_t: underflow; use-after-free.[ 754.862898] Call Trace:[ 754.862903] [ 754.862913] amdgpu_job_free_cb+0xc2/0xe1 [amdgpu][ 754.863543] drm_sched_main.cold...

CVE-2023-52570

In the Linux kernel, the following vulnerability has been resolved: vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent() Inject fault while probing mdpy.ko, if kstrdup() of create_dir() fails inkobject_add_internal() in kobject_init_and_add() in mdev_type_add()in parent_create_sysfs_fil...

CVE-2023-52805

In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in diAlloc Currently there is not check against the agno of the iag whileallocating new inodes to avoid fragmentation problem. Added the checkwhich is required.

CVE-2023-52812

In the Linux kernel, the following vulnerability has been resolved: drm/amd: check num of link levels when update pcie param In SR-IOV environment, the value of pcie_table->num_of_link_levels willbe 0, and num_of_levels - 1 will cause array index out of bounds

CVE-2023-52856

In the Linux kernel, the following vulnerability has been resolved: drm/bridge: lt8912b: Fix crash on bridge detach The lt8912b driver, in its bridge detach function, callsdrm_connector_unregister() and drm_connector_cleanup(). drm_connector_unregister() should be called only for connectorsexplicit...

CVE-2023-52861

In the Linux kernel, the following vulnerability has been resolved: drm: bridge: it66121: Fix invalid connector dereference Fix the NULL pointer dereference when no monitor is connected, and thesound card is opened from userspace. Instead return an empty buffer (of zeroes) as the EDID information t...

CVE-2023-52898

In the Linux kernel, the following vulnerability has been resolved: xhci: Fix null pointer dereference when host dies Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not raceand cause null pointer dereference when host suddenly dies. Usb core may call xhci_free_dev() which frees the xhci...

CVE-2023-52913

In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential context UAFs gem_context_register() makes the context visible to userspace, and whichpoint a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.So we need to ensure that nothing uses the ctx ptr ...

CVE-2024-26658

In the Linux kernel, the following vulnerability has been resolved: bcachefs: grab s_umount only if snapshotting When I was testing mongodb over bcachefs with compression,there is a lockdep warning when snapshotting mongodb data volume. $ cat test.shprog=bcachefs $prog subvolume create /mnt/data$pr...

CVE-2024-26756

In the Linux kernel, the following vulnerability has been resolved: md: Don't register sync_thread for reshape directly Currently, if reshape is interrupted, then reassemble the array willregister sync_thread directly from pers->run(), in this case'MD_RECOVERY_RUNNING' is set directly, however, ...

CVE-2024-26784

In the Linux kernel, the following vulnerability has been resolved: pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal On unloading of the scmi_perf_domain module got the below splat, when inthe DT provided to the system under test the '#power-domain-cells' propertywas missing. Indeed,...

CVE-2024-26841

In the Linux kernel, the following vulnerability has been resolved: LoongArch: Update cpu_sibling_map when disabling nonboot CPUs Update cpu_sibling_map when disabling nonboot CPUs by defining & callingclear_cpu_sibling_map(), otherwise we get such errors on SMT systems: jump label: negative count!...

CVE-2024-27411

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: keep DMA buffers required for suspend/resume Nouveau deallocates a few buffers post GPU init which are required for GPU suspend/resume to function correctly.This is likely not as big an issue on systems where the NVGPU...

CVE-2024-27418

In the Linux kernel, the following vulnerability has been resolved: net: mctp: take ownership of skb in mctp_local_output Currently, mctp_local_output only takes ownership of skb on success, andwe may leak an skb if mctp_local_output fails in specific states; theskb ownership isn't transferred unti...

CVE-2024-35799

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Prevent crash when disable stream [Why]Disabling stream encoder invokes a function that no longer exists. [How]Check if the function declaration is NULL in disable stream encoder.

CVE-2024-35882

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix a slow server-side memory leak with RPC-over-TCP Jan Schunk reports that his small NFS servers suffer from memoryexhaustion after just a few days. A bisect shows that commite18e157bb5c8 ("SUNRPC: Send RPC message on TCP...

CVE-2024-35994

In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: uefisecapp: Fix memory related IO errors and crashes It turns out that while the QSEECOM APP_SEND command has specific fieldsfor request and response buffers, uefisecapp expects them both to be ina single memory reg...

CVE-2024-36009

In the Linux kernel, the following vulnerability has been resolved: ax25: Fix netdev refcount issue The dev_tracker is added to ax25_cb in ax25_bind(). When theax25 device is detaching, the dev_tracker of ax25_cb should bedeallocated in ax25_kill_by_device() instead of the dev_trackerof ax25_dev. T...

CVE-2024-36032

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: fix info leak when fetching fw build id Add the missing sanity checks and move the 255-byte build-id buffer offthe stack to avoid leaking stack data through debugfs in case thebuild-info reply is malformed.

CVE-2024-36244

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: extend minimum interval restriction to entire cycle too It is possible for syzbot to side-step the restriction imposed by theblamed commit in the Fixes: tag, because the taprio UAPI permits acycle-time different ...

CVE-2024-36892

In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid zeroing outside-object freepointer for single free Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeingseparately") splits single and bulk object freeing in two functionsslab_free() and slab_free_bulk...

CVE-2024-36906

In the Linux kernel, the following vulnerability has been resolved: ARM: 9381/1: kasan: clear stale stack poison We found below OOB crash: [ 33.452494] ==================================================================[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+...

CVE-2024-36947

In the Linux kernel, the following vulnerability has been resolved: qibfs: fix dentry leak simple_recursive_removal() drops the pinning references to all positivesin subtree. For the cases when its argument has been kept alive bythe pinning alone that's exactly the right thing to do, but herethe ar...

CVE-2024-36948

In the Linux kernel, the following vulnerability has been resolved: drm/xe/xe_migrate: Cast to output precision before multiplying operands Addressing potential overflow in result of multiplication of two lowerprecision (u32) operands before widening it to higher precision(u64). -v2Fix commit messa...

CVE-2024-38562

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: Avoid address calculations via out of bounds array indexing Before request->channels[] can be used, request->n_channels must be set.Additionally, address calculations for memory after the "channels" arrayneed t...

CVE-2024-38576

In the Linux kernel, the following vulnerability has been resolved: rcu: Fix buffer overflow in print_cpu_stall_info() The rcuc-starvation output from print_cpu_stall_info() might overflow thebuffer if there is a huge difference in jiffies difference. The situationmight seem improbable, but compute...

CVE-2024-38613

In the Linux kernel, the following vulnerability has been resolved: m68k: Fix spinlock race in kernel thread creation Context switching does take care to retain the correct lock owner acrossthe switch from 'prev' to 'next' tasks. This does rely on interruptsremaining disabled for the entire duratio...

CVE-2024-39467

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() syzbot reports a kernel bug as below: F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4 BUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:29...

CVE-2024-40968

In the Linux kernel, the following vulnerability has been resolved: MIPS: Octeon: Add PCIe link status check The standard PCIe configuration read-write interface is used toaccess the configuration space of the peripheral PCIe devicesof the mips processor after the PCIe link surprise down, it cangen...

CVE-2024-40976

In the Linux kernel, the following vulnerability has been resolved: drm/lima: mask irqs in timeout path before hard reset There is a race condition in which a rendering job might take just longenough to trigger the drm sched job timeout handler but also stillcomplete before the hard reset is done b...

CVE-2024-41050

In the Linux kernel, the following vulnerability has been resolved: cachefiles: cyclic allocation of msg_id to avoid reuse Reusing the msg_id after a maliciously completed reopen request may causea read request to remain unprocessed and result in a hung, as shown below: t1 | t2 | t3 cachefiles_onde...

CVE-2024-41088

In the Linux kernel, the following vulnerability has been resolved: can: mcp251xfd: fix infinite loop when xmit fails When the mcp251xfd_start_xmit() function fails, the driver stopsprocessing messages, and the interrupt routine does not return,running indefinitely even after killing the running ap...

CVE-2024-42249

In the Linux kernel, the following vulnerability has been resolved: spi: don't unoptimize message in spi_async() Calling spi_maybe_unoptimize_message() in spi_async() is wrong becausethe message is likely to be in the queue and not transferred yet. Thiscan corrupt the message while it is being used...

CVE-2024-42310

In the Linux kernel, the following vulnerability has been resolved: drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()is assigned to mode, which will lead to a NULL pointer dereference onfailure of drm_mode_du...

CVE-2024-43860

In the Linux kernel, the following vulnerability has been resolved: remoteproc: imx_rproc: Skip over memory region when node value is NULL In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just countsnumber of phandles. But phandles may be empty. So of_parse_phandle() inthe parsing loop...

CVE-2024-44961

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Forward soft recovery errors to userspace As we discussed before[1], soft recovery should beforwarded to userspace, or we can get into a reallybad state where apps will keep submitting hangingcommand buffers cascading u...

CVE-2024-44975

In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: fix panic caused by partcmd_update We find a bug as below:BUG: unable to handle page fault for address: 00000003PGD 0 P4D 0Oops: 0000 [#1] PREEMPT SMP NOPTICPU: 3 PID: 358 Comm: bash Tainted: G W I 6.6.0-10893-g60d6H...

CVE-2024-44977

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Validate TA binary size Add TA binary size validation to avoid OOB write. (cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442)

CVE-2024-46681

In the Linux kernel, the following vulnerability has been resolved: pktgen: use cpus_read_lock() in pg_net_init() I have seen the WARN_ON(smp_processor_id() != cpu) firingin pktgen_thread_worker() during tests. We must use cpus_read_lock()/cpus_read_unlock()around the for_each_online_cpu(cpu) loop....

CVE-2024-46812

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration [Why]Coverity reports Memory - illegal accesses. [How]Skip inactive planes.

CVE-2024-46817

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 [Why]Coverity reports OVERRUN warning. Should abort amdgpu_dminitialize. [How]Return failure to amdgpu_dm_init.

CVE-2024-46832

In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU...

CVE-2024-47661

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid overflow from uint32_t to uint8_t [WHAT & HOW]dmub_rb_cmd's ramping_boundary has size of uint8_t and it is assigned0xFFFF. Fix it by changing it to uint8_t with value of 0xFF. This fixes 2 INTEGER_OVERFLOW is...

CVE-2024-49905

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) This commit adds a null check for the 'afb' variable in theamdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' wasassumed to be nul...

CVE-2024-49926

In the Linux kernel, the following vulnerability has been resolved: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() For kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids isdefined as NR_CPUS instead of the number of possible cpus, thiswill cause the followi...

CVE-2024-49992

In the Linux kernel, the following vulnerability has been resolved: drm/stm: Avoid use-after-free issues with crtc and plane ltdc_load() calls functions drm_crtc_init_with_planes(),drm_universal_plane_init() and drm_encoder_init(). These functionsshould not be called with parameters allocated with ...

CVE-2024-50001

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix error path in multi-packet WQE transmit Remove the erroneous unmap in case no DMA mapping was established The multi-packet WQE transmit code attempts to obtain a DMA mapping forthe skb. This could fail, e.g. under mem...