CVE-2021-47549

In the Linux kernel, the following vulnerability has been resolved: sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl When the rmmod sata_fsl.ko command is executed in the PPC64 GNU/Linux,a bug is reported: BUG: Unable to handle kernel data access on read at 0x80000800805b502cOops: Kernel...

CVE-2021-4453

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: fix a potential gpu_metrics_table memory leak Memory is allocated for gpu_metrics_table in renoir_init_smc_tables(),but not freed in int smu_v12_0_fini_smc_tables(). Free it!

CVE-2021-4083

A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges ...

CVE-2021-4002

A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.

CVE-2022-1195

A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.

CVE-2021-45402

The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a "pointer leak."

CVE-2021-47548

In the Linux kernel, the following vulnerability has been resolved: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() The if statement:if (port >= DSAF_GE_NUM)return; limits the value of port less than DSAF_GE_NUM (i.e., 8).However, if the value...

CVE-2021-4135

A memory leak vulnerability was found in the Linux kernel's eBPF for the Simulated networking device driver in the way user uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this flaw to get unauthorized access to some data.

CVE-2021-47101

In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read() asix_read_cmd() may read less than sizeof(smsr) bytes and in this casesmsr will be uninitialized. Fail log:BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:...

CVE-2021-4001

A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. This flaw affects k...

CVE-2021-47094

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Don't advance iterator after restart due to yielding After dropping mmu_lock in the TDP MMU, restart the iterator duringtdp_iter_next() and do not advance the iterator. Advancing the iteratorresults in skipping the to...

CVE-2021-4090

An out-of-bounds (OOB) memory write flaw was found in the NFSD in the Linux kernel. Missing sanity may lead to a write beyond bmval[bmlen-1] in nfsd4_decode_bitmap4 in fs/nfsd/nfs4xdr.c. In this flaw, a local attacker with user privilege may gain access to out-of-bounds memory, leading to a system ...

CVE-2021-47097

In the Linux kernel, the following vulnerability has been resolved: Input: elantech - fix stack out of bound access in elantech_change_report_id() The array param[] in elantech_change_report_id() must be at least 3bytes, because elantech_read_reg_params() is calling ps2_command() withPSMOUSE_CMD_GE...

CVE-2021-47560

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum: Protect driver from buggy firmware When processing port up/down events generated by the device's firmware,the driver protects itself from events reported for non-existent localports, but not the CPU port (local por...

CVE-2021-47103

In the Linux kernel, the following vulnerability has been resolved: inet: fully convert sk->sk_rx_dst to RCU rules syzbot reported various issues around early demux,one being included in this changelog [1] sk->sk_rx_dst is using RCU protection without clearlydocumenting it. And following sequ...

CVE-2021-47098

In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations Commit b50aa49638c7 ("hwmon: (lm90) Prevent integer underflows oftemperature calculations") addressed a number of underflow situationswhen writing temperat...

CVE-2021-47505

In the Linux kernel, the following vulnerability has been resolved: aio: fix use-after-free due to missing POLLFREE handling signalfd_poll() and binder_poll() are special in that they use awaitqueue whose lifetime is the current task, rather than the structfile as is normally the case. This is okay...

CVE-2021-47099

In the Linux kernel, the following vulnerability has been resolved: veth: ensure skb entering GRO are not cloned. After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"),if GRO is enabled on a veth device and TSO is disabled on the peerdevice, TCP skbs will go through the NAPI call...

CVE-2021-47580

In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix type in min_t to avoid stack OOB Change min_t() to use type "u32" instead of type "int" to avoid stack outof bounds. With min_t() type "int" the values get sign extended and thelarger value gets used causing s...

CVE-2021-47609

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Fix string overflow in SCPI genpd driver Without the bound checks for scpi_pd->name, it could result in the bufferoverflow when copying the SCPI device name from the corresponding devicetree node as the name ...

CVE-2021-47592

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix tc flower deletion for VLAN priority Rx steering To replicate the issue:- Add 1 flower filter for VLAN Priority based frame steering:-$ IFDEVNAME=eth0$ tc qdisc add dev $IFDEVNAME ingress$ tc qdisc add dev $IFDEVNA...

CVE-2022-0264

A vulnerability was found in the Linux kernel's eBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some ...

CVE-2021-47501

In the Linux kernel, the following vulnerability has been resolved: i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc When trying to dump VFs VSI RX/TX descriptorsusing debugfs there was a crashdue to NULL pointer dereference in i40e_dbg_dump_desc.Added a check to i40e_dbg_dump_desc that che...

CVE-2021-47107

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix READDIR buffer overflow If a client sends a READDIR count argument that is too small (say,zero), then the buffer size calculation in the new init_dirlisthelper functions results in an underflow, allowing the XDR streamfun...

CVE-2021-47186

In the Linux kernel, the following vulnerability has been resolved: tipc: check for null after calling kmemdup kmemdup can return a null pointer so need to check for it, otherwisethe null key will be dereferenced later in tipc_crypto_key_xmit ascan be seen in the trace [1]. [1] https://syzkaller.ap...

CVE-2021-47606

In the Linux kernel, the following vulnerability has been resolved: net: netlink: af_netlink: Prevent empty skb by adding a check on len. Adding a check on len parameter to avoid empty skb. This prevents adivision error in netem_enqueue function which is caused when skb->len=0and skb->data_le...

CVE-2021-47108

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf In commit 41ca9caaae0b("drm/mediatek: hdmi: Add check for CEA modes only") a checkfor CEA modes was added to function mtk_hdmi_bridge_mode_valid()in order to address ...

CVE-2021-47082

In the Linux kernel, the following vulnerability has been resolved: tun: avoid double free in tun_free_netdev Avoid double free in tun_free_netdev() by moving thedev->tstats and tun->security allocs to a new ndo_init routine(tun_net_init()) that will be called by register_netdevice().ndo_init...

CVE-2021-47087

In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix incorrect page free bug Pointer to the allocated pages (struct page *page) has alreadyprogressed towards the end of allocation. It is incorrect to perform__free_pages(page, order) using this pointer as we would free...

CVE-2021-47104

In the Linux kernel, the following vulnerability has been resolved: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() The wrong goto label was used for the error case and missed cleanup of thepkt allocation. Addresses-Coverity-ID: 1493352 ("Resource leak")

CVE-2021-47105

In the Linux kernel, the following vulnerability has been resolved: ice: xsk: return xsk buffers back to pool when cleaning the ring Currently we only NULL the xdp_buff pointer in the internal SW ring butwe never give it back to the xsk buffer pool. This means that bufferscan be leaked out of the b...

CVE-2021-47090

In the Linux kernel, the following vulnerability has been resolved: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() Hulk Robot reported a panic in put_page_testzero() when testingmadvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retryingget_any_page(). This is becau...

CVE-2021-47086

In the Linux kernel, the following vulnerability has been resolved: phonet/pep: refuse to enable an unbound pipe This ioctl() implicitly assumed that the socket was already bound toa valid local socket name, i.e. Phonet object. If the socket was notbound, two separate problems would occur: We'd sen...

CVE-2021-47095

In the Linux kernel, the following vulnerability has been resolved: ipmi: ssif: initialize ssif_info->client early During probe ssif_info->client is dereferenced in error path. However,it is set when some of the error checking has already been done. Thiscauses following kernel crash if an err...

CVE-2021-47563

In the Linux kernel, the following vulnerability has been resolved: ice: avoid bpf_prog refcount underflow Ice driver has the routines for managing XDP resources that are sharedbetween ndo_bpf op and VSI rebuild flow. The latter takes place forexample when user changes queue count on an interface v...

CVE-2021-47102

In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix incorrect structure access In line:upper = info->upper_dev;We access upper_dev field, which is related only for particular events(e.g. event == NETDEV_CHANGEUPPER). So, this line cause invalid memorya...

CVE-2021-47517

In the Linux kernel, the following vulnerability has been resolved: ethtool: do not perform operations on net devices being unregistered There is a short period between a net device starts to be unregisteredand when it is actually gone. In that time frame ethtool operationscould still be performed,...

CVE-2021-47212

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error,which indicates that the driver started the destroy process.In this case, when a destroy command is being executed,...

CVE-2021-47217

In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails Check for a valid hv_vp_index array prior to derefencing hv_vp_index whensetting Hyper-V's TSC change callback. If Hyper-V setup failed inhyperv_init(), the...

CVE-2021-47188

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65cCall trace:ufshcd_queuecommand+0x468/0x65cscsi_...

CVE-2021-47201

In the Linux kernel, the following vulnerability has been resolved: iavf: free q_vectors before queues in iavf_disable_vf iavf_free_queues() clears adapter->num_active_queues, whichiavf_free_q_vectors() relies on, so swap the order of these two functioncalls in iavf_disable_vf(). This resolves a...

CVE-2021-47106

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy() We need to use list_for_each_entry_safe() iteratorbecause we can not access @catchall after kfree_rcu() call. syzbot reported: BUG: KASAN: use-after-free in nft...

CVE-2021-47551

In the Linux kernel, the following vulnerability has been resolved: drm/amd/amdkfd: Fix kernel panic when reset failed and been triggered again In SRIOV configuration, the reset may failed to bring asic back to normal but stop cpschalready been called, the start_cpsch will not be called since there...

CVE-2021-47602

In the Linux kernel, the following vulnerability has been resolved: mac80211: track only QoS data frames for admission control For admission control, obviously all of that only works forQoS data frames, otherwise we cannot even access the QoSfield in the header. Syzbot reported (see below) an unini...

CVE-2021-47603

In the Linux kernel, the following vulnerability has been resolved: audit: improve robustness of the audit queue handling If the audit daemon were ever to get stuck in a stopped state thekernel's kauditd_thread() could get blocked attempting to send auditrecords to the userspace audit daemon. With ...

CVE-2021-47091

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix locking in ieee80211_start_ap error path We need to hold the local->mtx to release the channel context,as even encoded by the lockdep_assert_held() there. Fix it.

CVE-2021-47100

In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module Hi, When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,the system crashed. The log as follows:[ 141.087026] BUG: unable to handle kernel paging re...

CVE-2021-47214

In the Linux kernel, the following vulnerability has been resolved: hugetlb, userfaultfd: fix reservation restore on userfaultfd error Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if webail out using "goto out_release_unlock;" in the cases where idx >=size, or !huge_pte_none(...

CVE-2021-47218

In the Linux kernel, the following vulnerability has been resolved: selinux: fix NULL-pointer dereference when hashtab allocation fails When the hash table slot array allocation fails in hashtab_init(),h->size is left initialized with a non-zero value, but the h->htablepointer is NULL. This m...

CVE-2021-47534

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: kms: Add missing drm_crtc_commit_put Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before acommit") introduced a global state for the HVS, with each FIFO storingthe current CRTC commit so that we can prop...