CVE-2022-49361

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check for inline inode Yanming reported a kernel bug in Bugzilla kernel [1], which can bereproduced. The bug message is: The kernel message is shown below: kernel BUG at fs/inode.c:611!Call Trace:evict+0x282/...

CVE-2022-49391

In the Linux kernel, the following vulnerability has been resolved: remoteproc: mtk_scp: Fix a potential double free 'scp->rproc' is allocated using devm_rproc_alloc(), so there is no needto free it explicitly in the remove function.

CVE-2022-49452

In the Linux kernel, the following vulnerability has been resolved: dpaa2-eth: retrieve the virtual address before dma_unmap The TSO header was DMA unmapped before the virtual address was retrievedand then used to free the buffer. This meant that we were actuallyremoving the DMA map and then trying...

CVE-2022-49554

In the Linux kernel, the following vulnerability has been resolved: zsmalloc: fix races between asynchronous zspage free and page migration The asynchronous zspage free worker tries to lock a zspage's entire pagelist without defending against page migration. Since pages which haven'tyet been locked...

CVE-2022-49755

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait While performing fast composition switch, there is a possibility that theprocess of ffs_ep0_write/ffs_ep0_read get into a race conditiondue to ep0req being freed up from fun...

CVE-2022-49794

In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger() If iio_trigger_register() returns error, it should call iio_trigger_free()to give up the reference that hold in iio_trigger_alloc(), so that it cancall iio...

CVE-2022-49909

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() When l2cap_recv_frame() is invoked to receive data, and the cid isL2CAP_CID_A2MP, if the channel does not exist, it will create a channel.However, after a channel is created,...

CVE-2022-49921

In the Linux kernel, the following vulnerability has been resolved: net: sched: Fix use after free in red_enqueue() We can't use "skb" again after passing it to qdisc_enqueue(). This isbasically identical to commit 2f09707d0c97 ("sch_sfb: Also store skblen before calling child enqueue").

CVE-2023-52655

In the Linux kernel, the following vulnerability has been resolved: usb: aqc111: check packet for fixup for true limit If a device sends a packet that is inbetween 0and sizeof(u64) the value passed to skb_trim()as length will wrap around ending up as some verylarge value. The driver will then proce...

CVE-2023-52671

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix hang/underflow when transitioning to ODM4:1 [Why]Under some circumstances, disabling an OPTC and attempting to reclaimits OPP(s) for a different OPTC could cause a hang/underflow due to OPPsnot being properly d...

CVE-2023-52695

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check writeback connectors in create_validate_stream_for_sink [WHY & HOW]This is to check connector type to avoidunhandled null pointer for writeback connectors.

CVE-2023-52744

In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix potential NULL-ptr-dereference in_dev_get() can return NULL which will cause a failure once idev isdereferenced in in_dev_for_each_ifa_rtnl(). This patch adds acheck for NULL value in idev beforehand. Found by Linux...

CVE-2023-52930

In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential bit_17 double-free A userspace with multiple threads racing I915_GEM_SET_TILING to set thetiling to I915_TILING_NONE could trigger a double free of the bit_17bitmask. (Or conversely leak memory on the transi...

CVE-2023-53032

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value ofan arithmetic expression 2 <

CVE-2023-53057

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HCI: Fix global-out-of-bounds To loop a variable-length array, hci_init_stage_sync(stage) considersthat stage[i] is valid as long as stage[i-1].func is valid.Thus, the last element of stage[].func should be intentionally...

CVE-2023-53087

In the Linux kernel, the following vulnerability has been resolved: drm/i915/active: Fix misuse of non-idle barriers as fence trackers Users reported oopses on list corruptions when using i915 perf with anumber of concurrently running graphics applications. Root cause analysispointed at an issue in...

CVE-2024-27060

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Fix NULL pointer dereference in tb_port_update_credits() Olliver reported that his system crashes when plugging in Thunderbolt 1device: BUG: kernel NULL pointer dereference, address: 0000000000000020#PF: supervisor rea...

CVE-2024-27406

In the Linux kernel, the following vulnerability has been resolved: lib/Kconfig.debug: TEST_IOV_ITER depends on MMU Trying to run the iov_iter unit test on a nommu system such as the qemukc705-nommu emulation results in a crash. KTAP version 1 # Subtest: iov_iter # module: kunit_iov_iter 1..9 BUG: ...

CVE-2024-36033

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: fix info leak when fetching board id Add the missing sanity check when fetching the board id to avoid leakingslab data when later requesting the firmware.

CVE-2024-38551

In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: Assign dummy when codec not specified for a DAI link MediaTek sound card drivers are checking whether a DAI link is presentand used on a board to assign the correct parameters and this is doneby checking the codec D...

CVE-2024-38636

In the Linux kernel, the following vulnerability has been resolved: f2fs: multidev: fix to recognize valid zero block address As reported by Yi Zhang in mailing list [1], kernel warning was catchedduring zbd/010 test as below: ./check zbd/010zbd/010 (test gap zone support with F2FS) [failed]runtime...

CVE-2024-40933

In the Linux kernel, the following vulnerability has been resolved: iio: temperature: mlx90635: Fix ERR_PTR dereference in mlx90635_probe() When devm_regmap_init_i2c() fails, regmap_ee could be error pointer,instead of checking for IS_ERR(regmap_ee), regmap is checked which lookslike a copy paste e...

CVE-2024-40949

In the Linux kernel, the following vulnerability has been resolved: mm: shmem: fix getting incorrect lruvec when replacing a shmem folio When testing shmem swapin, I encountered the warning below on my machine.The reason is that replacing an old shmem folio with a new one causesmem_cgroup_migrate()...

CVE-2024-40962

In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes Shin'ichiro reported that when he's running fstests' test-casebtrfs/167 on emulated zoned devices, he's seeing the following NULLpointer dereference in 'btrfs_zone_f...

CVE-2024-40964

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind() The cs35l41_hda_unbind() function clears the hda_component entrymatching it's index and then dereferences the codec pointer held in thefirst element of t...

CVE-2024-40986

In the Linux kernel, the following vulnerability has been resolved: dmaengine: xilinx: xdma: Fix data synchronisation in xdma_channel_isr() Requests the vchan lock before using xdma->stop_request.

CVE-2024-41054

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix ufshcd_clear_cmd racing issue When ufshcd_clear_cmd is racing with the completion ISR, the completed tagof the request's mq_hctx pointer will be set to NULL by the ISR. Andufshcd_clear_cmd's call to ufshcd_mcq_...

CVE-2024-41086

In the Linux kernel, the following vulnerability has been resolved: bcachefs: Fix sb_field_downgrade validation bch2_sb_downgrade_validate() wasn't checking for a downgrade entryextending past the end of the superblock section for_each_downgrade_entry() is used in to_text() and needs to work onmalf...

CVE-2024-42100

In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: common: Don't call hw_to_ccu_common on hw without common In order to set the rate range of a hw sunxi_ccu_probe callshw_to_ccu_common() assuming all entries in desc->ccu_clks are containedin a ccu_common struct. T...

CVE-2024-42109

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally flush pending work before notifier syzbot reports: KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:95...

CVE-2024-42118

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not return negative stream id for array [WHY]resource_stream_to_stream_idx returns an array index and it return -1when not found; however, -1 is not a valid array index number. [HOW]When this happens, call ASSER...

CVE-2024-42239

In the Linux kernel, the following vulnerability has been resolved: bpf: Fail bpf_timer_cancel when callback is being cancelled Given a schedule: timer1 cb timer2 cb bpf_timer_cancel(timer2); bpf_timer_cancel(timer1); Both bpf_timer_cancel calls would wait for the other callback to finishexecuting,...

CVE-2024-42261

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Validate passed in drm syncobj handles in the timestamp extension If userspace provides an unknown or invalid handle anywhere in the handlearray the rest of the driver will not handle that well. Fix it by checking handle w...

CVE-2024-42300

In the Linux kernel, the following vulnerability has been resolved: erofs: fix race in z_erofs_get_gbuf() In z_erofs_get_gbuf(), the current task may be migrated to anotherCPU between z_erofs_gbuf_id() and spin_lock(&gbuf->lock). Therefore, z_erofs_put_gbuf() will trigger the following issuewhic...

CVE-2024-43838

In the Linux kernel, the following vulnerability has been resolved: bpf: fix overflow check in adjust_jmp_off() adjust_jmp_off() incorrectly used the insn->imm field for all overflow check,which is incorrect as that should only be done or the BPF_JMP32 | BPF_JA case,not the general jump instruct...

CVE-2024-44967

In the Linux kernel, the following vulnerability has been resolved: drm/mgag200: Bind I2C lifetime to DRM device Managed cleanup with devm_add_action_or_reset() will release the I2Cadapter when the underlying Linux device goes away. But the connectorstill refers to it, so this cleanup leaves behind...

CVE-2024-44993

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Fix out-of-bounds read in v3d_csd_job_run() When enabling UBSAN on Raspberry Pi 5, we get the following warning: [ 387.894977] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/v3d/v3d_sched.c:320:3[ 387.903868] index 7 ...

CVE-2024-45004

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: dcp: fix leak of blob encryption key Trusted keys unseal the key blob on load, but keep the sealed payload inthe blob field so that every subsequent read (export) will simplyconvert this field to hex and send it to u...

CVE-2024-45012

In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: use dma non-coherent allocator Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit aBUG() on startup, when the iommu is enabled: kernel BUG at include/linux/scatterlist.h:187!invalid opcode: 0000 ...

CVE-2024-46687

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() [BUG]There is an internal report that KASAN is reporting use-after-free, withthe following backtrace: BUG: KASAN: slab-use-after-free in btrfs_check_read_b...

CVE-2024-46788

In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with theinterface_lock held. This means that the kthread variable could beunexpectedly changed causin...

CVE-2024-46792

In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code alloweduserspace to access any virtual memory address.

CVE-2024-46827

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an associationrequest containing an Extended HE Capabilities InformationElement with an invalid MCS-NSS, it triggers a firmwarecrash. ...

CVE-2024-49970

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Implement bounds check for stream encoder creation in DCN401 'stream_enc_regs' array is an array of dcn10_stream_enc_registersstructures. The array is initialized with four elements, correspondingto the four calls ...

CVE-2024-50175

In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: Remove use_count guard in stop_streaming The use_count check was introduced so that multiple concurrent Raw DataInterfaces RDIs could be driven by different virtual channels VCs on theCSIPHY input driving the vi...

CVE-2024-50177

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a UBSAN warning in DML2.1 When programming phantom pipe, since cursor_width is explicity set to 0,this causes calculation logic to trigger overflow for an unsigned inttriggering the kernel's UBSAN check as belo...

CVE-2024-50276

In the Linux kernel, the following vulnerability has been resolved: net: vertexcom: mse102x: Fix possible double free of TX skb The scope of the TX skb is wider than just mse102x_tx_frame_spi(),so in case the TX skb room needs to be expanded, we should free thethe temporary skb instead of the origi...

CVE-2024-56541

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup() During ath12k module removal, in ath12k_core_deinit(),ath12k_mac_destroy() un-registers ah->hw from mac80211 and freesthe ah->hw as well as all the ar's in it. After ...

CVE-2024-56655

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not defer rule destruction via call_rcu nf_tables_chain_destroy can sleep, it can't be used from call_rcucallbacks. Moreover, nf_tables_rule_release() is only safe for error unwinding,while transaction mute...

CVE-2024-58012

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params Each cpu DAI should associate with a widget. However, the topology mightnot create the right number of DAI widgets for aggregated amps. And itwill cause NULL point...