CVE-2022-49114

In the Linux kernel, the following vulnerability has been resolved: scsi: libfc: Fix use after free in fc_exch_abts_resp() fc_exch_release(ep) will decrease the ep's reference count. When thereference count reaches zero, it is freed. But ep is still used in thefollowing code, which will lead to a u...

CVE-2022-49273

In the Linux kernel, the following vulnerability has been resolved: rtc: pl031: fix rtc features null pointer dereference When there is no interrupt line, rtc alarm feature is disabled. The clearing of the alarm feature bit was being done prior to allocationsof ldata->rtc device, resulting in a ...

CVE-2022-49636

In the Linux kernel, the following vulnerability has been resolved: vlan: fix memory leak in vlan_newlink() Blamed commit added back a bug I fixed in commit 9bbd917e0bec("vlan: fix memory leak in vlan_dev_set_egress_priority") If a memory allocation fails in vlan_changelink() after other allocation...

CVE-2022-49275

In the Linux kernel, the following vulnerability has been resolved: can: m_can: m_can_tx_handler(): fix use after free of skb can_put_echo_skb() will clone skb then free the skb. Move thecan_put_echo_skb() for the m_can version 3.0.x directly before thestart of the xmit in hardware, similar to the ...

CVE-2022-49116

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use memset avoid memory leaks Use memset to initialize structs to prevent memory leaksin l2cap_ecred_connect

CVE-2022-49111

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use after free in hci_send_acl This fixes the following trace caused by receivingHCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del withoutfirst checking if conn->type is in fact AMP_LINK and in case it...

CVE-2022-49236

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix UAF due to race between btf_try_get_module and load_module While working on code to populate kfunc BTF ID sets for module BTF fromits initcall, I noticed that by the time the initcall is invoked, themodule BTF can already ...

CVE-2022-49290

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix potential double free on mesh join While commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leavingmesh") fixed a memory leak on mesh leave / teardown it introduced apotential memory corruption caused by a double...

CVE-2022-49107

In the Linux kernel, the following vulnerability has been resolved: ceph: fix memory leak in ceph_readdir when note_last_dentry returns error Reset the last_readdir at the same time, and add a comment explainingwhy we don't free last_readdir when dir_emit returns false.

CVE-2022-49207

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix memleak in sk_psock_queue_msg If tcp_bpf_sendmsg is running during a tear down operation we may enqueuedata on the ingress msg queue while tear down is trying to free it. sk1 (redirect sk2) sk2 tcp_bpf_sendmsg()tc...

CVE-2022-49235

In the Linux kernel, the following vulnerability has been resolved: ath9k_htc: fix uninit value bugs Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missingfield initialization. In htc_connect_service() svc_meta_len and pad are not initialized. Basedon code it looks like in current...

CVE-2022-49087

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix a race in rxrpc_exit_net() Current code can lead to the following race: CPU0 CPU1 rxrpc_exit_net()rxrpc_peer_keepalive_worker()if (rxnet->live) rxnet->live = false;del_timer_sync(&rxnet->peer_keepalive_timer); t...

CVE-2022-49130

In the Linux kernel, the following vulnerability has been resolved: ath11k: mhi: use mhi_sync_power_up() If amss.bin was missing ath11k would crash during 'rmmod ath11k_pci'. Thereason for that was that we were using mhi_async_power_up() which does notcheck any errors. But mhi_sync_power_up() on th...

CVE-2022-49136

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag hasbeen set as that means hci_unregister_dev has been called so it willlikely cause a uaf after th...

CVE-2022-49287

In the Linux kernel, the following vulnerability has been resolved: tpm: fix reference counting for struct tpm_chip The following sequence of operations results in a refcount warning: Open device /dev/tpmrm. Remove module tpm_tis_spi. Write a TPM command to the file descriptor opened at step 1. ---...

CVE-2022-49288

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix races among concurrent prealloc proc writes We have no protection against concurrent PCM buffer preallocationchanges via proc files, and it may potentially lead to UAF or someweird problem. This patch applies the PCM...

CVE-2022-49078

In the Linux kernel, the following vulnerability has been resolved: lz4: fix LZ4_decompress_safe_partial read out of bound When partialDecoding, it is EOF if we've either filled the output bufferor can't proceed with reading an offset for following match. In some extreme corner cases when compresse...

CVE-2021-47657

In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Ensure that objs is not NULL in virtio_gpu_array_put_free() If virtio_gpu_object_shmem_init() fails (e.g. due to fault injection, as ithappened in the bug report by syzbot), virtio_gpu_array_put_free() could becalled wi...

CVE-2022-49153

In the Linux kernel, the following vulnerability has been resolved: wireguard: socket: free skb in send6 when ipv6 is disabled I got a memory leak report: unreferenced object 0xffff8881191fc040 (size 232):comm "kworker/u17:0", pid 23193, jiffies 4295238848 (age 3464.870s)hex dump (first 32 bytes):0...

CVE-2022-49179

In the Linux kernel, the following vulnerability has been resolved: block, bfq: don't move oom_bfqq Our test report a UAF: [ 2073.019181] ==================================================================[ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168[ 2073.019191] Writ...

CVE-2022-49129

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix crash when startup fails. If the nic fails to start, it is possible that thereset_work has already been scheduled. Ensure thework item is canceled so we do not have use-after-freecrash in case cleanup is called be...

CVE-2022-49215

In the Linux kernel, the following vulnerability has been resolved: xsk: Fix race at socket teardown Fix a race in the xsk socket teardown code that can lead to a NULL pointerdereference splat. The current xsk unbind code in xsk_unbind_dev() starts bysetting xs->state to XSK_UNBOUND, sets xs-&gt...

CVE-2022-49223

In the Linux kernel, the following vulnerability has been resolved: cxl/port: Hold port reference until decoder release KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free incxl_decoder_release() where it goes to reference its parent, a cxl_port,to free its id back to port->decoder_...

CVE-2022-49291

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix races among concurrent hw_params and hw_free calls Currently we have neither proper check nor protection against theconcurrent calls of PCM hw_params and hw_free ioctls, which may resultin a UAF. Since the existing P...

CVE-2021-47639

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Zap all roots when unmapping gfn range in TDP MMU Zap both valid and invalid roots when zapping/unmapping a gfn range, asKVM must ensure it holds no references to the freed page after returningfrom the unmap operation...

CVE-2021-47646

In the Linux kernel, the following vulnerability has been resolved: Revert "Revert "block, bfq: honor already-setup queue merges"" A crash [1] happened to be triggered in conjunction with commit2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). Thelatter was then reverted by commit ebc6...

CVE-2022-49280

In the Linux kernel, the following vulnerability has been resolved: NFSD: prevent underflow in nfssvc_decode_writeargs() Smatch complains: fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs() warn: no lower bound on 'args->len' Change the type to unsigned to prevent this issue.

CVE-2022-49093

In the Linux kernel, the following vulnerability has been resolved: skbuff: fix coalescing for page_pool fragment recycling Fix a use-after-free when using page_pool with page fragments. Weencountered this problem during normal RX in the hns3 driver: (1) Initially we have three descriptors in the R...

CVE-2022-49279

In the Linux kernel, the following vulnerability has been resolved: NFSD: prevent integer overflow on 32 bit systems On a 32 bit system, the "len * sizeof(*p)" operation can have aninteger overflow.

CVE-2022-49135

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix memory leak [why]Resource release is needed on the error handling pathto prevent memory leak. [how]Fix this by adding kfree on the error handling path.

CVE-2022-49238

In the Linux kernel, the following vulnerability has been resolved: ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855 Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of stationfor QCA6390 and WCN6855") is to fix firmware crash by changing the WMIcommand sequen...

CVE-2022-49152

In the Linux kernel, the following vulnerability has been resolved: XArray: Fix xas_create_range() when multi-order entry present If there is already an entry present that is of order >= XA_CHUNK_SHIFTwhen we call xas_create_range(), xas_create_range() will misinterpretthat entry as a node and d...

CVE-2022-49190

In the Linux kernel, the following vulnerability has been resolved: kernel/resource: fix kfree() of bootmem memory again Since commit ebff7d8f270d ("mem hotunplug: fix kfree() of bootmemmemory"), we could get a resource allocated during boot viaalloc_resource(). And it's required to release the res...

CVE-2022-49276

In the Linux kernel, the following vulnerability has been resolved: jffs2: fix memory leak in jffs2_scan_medium If an error is returned in jffs2_scan_eraseblock() and some memoryhas been added to the jffs2_summary *s, we can observe the followingkmemleak report: unreferenced object 0xffff88812b889c...

CVE-2022-49277

In the Linux kernel, the following vulnerability has been resolved: jffs2: fix memory leak in jffs2_do_mount_fs If jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,we can observe the following kmemleak report: unreferenced object 0xffff88811b25a640 (size 64):comm "mount", pid 691, j...

CVE-2022-49155

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair() [ 12.323788] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/1020[ 12.332297] caller is qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx][ 12.338...

CVE-2022-49182

In the Linux kernel, the following vulnerability has been resolved: net: hns3: add vlan list lock to protect vlan list When adding port base VLAN, vf VLAN need to remove from HW and modifythe vlan state in vf VLAN list as false. If the periodicity task isfreeing the same node, it may cause "use aft...

CVE-2022-49334

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: Fix xarray node memory leak If xas_split_alloc() fails to allocate the necessary nodes to complete thexarray entry split, it sets the xa_state to -ENOMEM, which xas_nomem()then interprets as "Please allocate more me...

CVE-2022-49408

In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in parse_apply_sb_mount_options() If processing the on-disk mount options fails after any memory wasallocated in the ext4_fs_context, e.g. s_qf_names, then this memory isleaked. Fix this by calling ext4_fc_fre...

CVE-2021-47644

In the Linux kernel, the following vulnerability has been resolved: media: staging: media: zoran: move videodev alloc Move some code out of zr36057_init() and create new functions for handlingzr->video_dev. This permit to ease code reading and fix a zr->video_devmemory leak.

CVE-2022-49669

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race on unaccepted mptcp sockets When the listener socket owning the relevant request is closed,it frees the unaccepted subflows and that causes later deletionof the paired MPTCP sockets. The mptcp socket's worker can ru...

CVE-2025-21936

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() Add check for the return value of mgmt_alloc_skb() inmgmt_device_connected() to prevent null pointer dereference.

CVE-2022-49076

In the Linux kernel, the following vulnerability has been resolved: RDMA/hfi1: Fix use-after-free bug for mm struct Under certain conditions, such as MPI_Abort, the hfi1 cleanup code mayrepresent the last reference held on the task mm.hfi1_mmu_rb_unregister() then drops the last reference and the m...

CVE-2022-49168

In the Linux kernel, the following vulnerability has been resolved: btrfs: do not clean up repair bio if submit fails The submit helper will always run bio_endio() on the bio if it fails tosubmit, so cleaning up the bio just leads to a variety of use-after-freeand NULL pointer dereference bugs beca...

CVE-2022-49102

In the Linux kernel, the following vulnerability has been resolved: habanalabs: fix possible memory leak in MMU DR fini This patch fixes what seems to be copy paste error. We will have a memory leak if the host-resident shadow is NULL (whichwill likely happen as the DR and HR are not dependent).

CVE-2022-49219

In the Linux kernel, the following vulnerability has been resolved: vfio/pci: fix memory leak during D3hot to D0 transition If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device doesnot have No_Soft_Reset bit set in its PMCSR config register), thenthe current PCI state will be saved locall...

CVE-2021-47645

In the Linux kernel, the following vulnerability has been resolved: media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com On the case tmp_dcim=1, the index of buffer is miscalculated.This generate a NULL pointer dereference later. So let's fix the calcul and add a ...

CVE-2021-47648

In the Linux kernel, the following vulnerability has been resolved: gpu: host1x: Fix a memory leak in 'host1x_remove()' Add a missing 'host1x_channel_list_free()' call in the remove function,as already done in the error handling path of the probe function.

CVE-2022-49241

In the Linux kernel, the following vulnerability has been resolved: ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe The device_node pointer is returned by of_parse_phandle() with refcountincremented. We should use of_node_put() on it when done. This function only calls of_node_put() i...

CVE-2021-47634

In the Linux kernel, the following vulnerability has been resolved: ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl Hulk Robot reported a KASAN report about use-after-free: BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160Read of size 8 at addr ffff888035e37d98 by ...