CVE-2023-52493

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Drop chan lock before queuing buffers Ensure read and write locks for the channel are not taken in succession bydropping the read lock from parse_xfer_event() such that a callback givento client can potentially queu...

CVE-2023-52491

In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound withmtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens inmtk_...

CVE-2023-52487

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix peer flow lists handling The cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUPflag when list of peer flows has become empty. However, if any concurrentuser holds a reference to a peer flow (for e...

CVE-2021-46979

In the Linux kernel, the following vulnerability has been resolved: iio: core: fix ioctl handlers removal Currently ioctl handlers are removed twice. For the first time duringiio_device_unregister() then later on insideiio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().Double fr...

CVE-2021-46963

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() RIP: 0010:kmem_cache_free+0xfa/0x1b0 Call Trace: qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx] scsi_queue_rq+0x5e2/0xa40 __blk_mq_try_issue_directly+0x128/0x1d0 blk_mq_request_issue...

CVE-2024-26939

In the Linux kernel, the following vulnerability has been resolved: drm/i915/vma: Fix UAF on destroy against retire race Object debugging tools were sporadically reporting illegal attempts tofree a still active i915 VMA object when parking a GT believed to be idle. [161.359441] ODEBUG: free active ...

CVE-2021-46960

In the Linux kernel, the following vulnerability has been resolved: cifs: Return correct error code from smb2_get_enc_key Avoid a warning if the error percolates back up: [440700.376476] CIFS VFS: \otters.example.com crypt_message: Could not get encryption key[440700.386947] ------------[ cut here ...

CVE-2024-26817

In the Linux kernel, the following vulnerability has been resolved: amdkfd: use calloc instead of kzalloc to avoid integer overflow This uses calloc instead of doing the multiplication which mightoverflow.

CVE-2021-46961

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3: Do not enable irqs when handling spurious interrups We triggered the following error while running our 4.19 kernelwith the pseudo-NMI patches backported to it: [ 14.816231] ------------[ cut here ]------------[ 14.8...

CVE-2021-46990

In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix crashes when toggling entry flush barrier The entry flush mitigation can be enabled/disabled at runtime via adebugfs file (entry_flush), which causes the kernel to patch itself toenable/disable the relevant mitigat...

CVE-2021-46962

In the Linux kernel, the following vulnerability has been resolved: mmc: uniphier-sd: Fix a resource leak in the remove function A 'tmio_mmc_host_free()' call is missing in the remove function, in orderto balance a 'tmio_mmc_host_alloc()' call in the probe.This is done in the error handling path of...

CVE-2021-46955

In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4 packets running openvswitch on kernels built with KASAN, it's possible to see thefollowing splat while testing fragmentation of IPv4 packets: BUG: KASAN: stack-out-of-bounds in...

CVE-2021-46966

In the Linux kernel, the following vulnerability has been resolved: ACPI: custom_method: fix potential use-after-free issue In cm_write(), buf is always freed when reaching the end of thefunction. If the requested count is less than table.length, theallocated buffer will be freed but subsequent cal...

CVE-2021-46967

In the Linux kernel, the following vulnerability has been resolved: vhost-vdpa: fix vm_flags for virtqueue doorbell mapping The virtqueue doorbell is usually implemented via registeres but wedon't provide the necessary vma->flags like VM_PFNMAP. This may causeseveral issues e.g when userspace tr...

CVE-2023-52644

In the Linux kernel, the following vulnerability has been resolved: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled When QoS is disabled, the queue priority value will not map to the correctieee80211 queue since there is only one queue. Stop/wake queue 0 when QoSis disabled t...

CVE-2023-52433

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction New elements in this transaction might expired before such transactionends. Skip sync GC for such elements otherwise commit path might walkover an already...

CVE-2023-52587

In the Linux kernel, the following vulnerability has been resolved: IB/ipoib: Fix mcast list locking Releasing the priv->lock while iterating the priv->multicast_list inipoib_mcast_join_task() opens a window for ipoib_mcast_dev_flush() toremove the items while in the middle of iteration. If t...

CVE-2021-46956

In the Linux kernel, the following vulnerability has been resolved: virtiofs: fix memory leak in virtio_fs_probe() When accidentally passing twice the same tag to qemu, kmemleak ended upreporting a memory leak in virtiofs. Also, looking at the log I saw thefollowing error (that's when I realised th...

CVE-2024-26861

In the Linux kernel, the following vulnerability has been resolved: wireguard: receive: annotate data-race around receiving_counter.counter Syzkaller with KCSAN identified a data-race issue when accessingkeypair->receiving_counter.counter. Use READ_ONCE() and WRITE_ONCE()annotations to mark the ...

CVE-2024-26816

In the Linux kernel, the following vulnerability has been resolved: x86, relocs: Ignore relocations in .notes section When building with CONFIG_XEN_PV=y, .text symbols are emitted intothe .notes section so that Xen can find the "startup_xen" entry point.This information is used prior to booting the...

CVE-2024-26809

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use itto destroy the set, otherwise it is possible to destroy elements twice. This fix re...

CVE-2021-47013

In the Linux kernel, the following vulnerability has been resolved: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).If some error happens in emac_tx_fill_tpd(), the skb will be freed viadev_kfree_skb(skb) in error branch ...

CVE-2021-47068

In the Linux kernel, the following vulnerability has been resolved: net/nfc: fix use-after-free llcp_sock_bind/connect Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")fixed a refcount leak bug in bind/connect but introduc...

CVE-2021-47017

In the Linux kernel, the following vulnerability has been resolved: ath10k: Fix a use after free in ath10k_htc_send_bundle In ath10k_htc_send_bundle, the bundle_skb could be freed bydev_kfree_skb_any(bundle_skb). But the bundle_skb is used laterby bundle_skb->len. As skb_len = bundle_skb->len...

CVE-2021-47005

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix NULL pointer dereference for ->get_features() get_features ops of pci_epc_ops may return NULL, causing NULL pointerdereference in pci_epf_test_alloc_space function. Let us add a check forpci_epc_feature pointe...

CVE-2020-36787

In the Linux kernel, the following vulnerability has been resolved: media: aspeed: fix clock handling logic Video engine uses eclk and vclk for its clock sources and its resetcontrol is coupled with eclk so the current clock enabling sequence workslike below. Enable eclkDe-assert Video Engine reset...

CVE-2021-47009

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak on object td Two error return paths are neglecting to free allocated object td,causing a memory leak. Fix this by returning via the error returnpath that securely kfree's td. Fixes clang scan-build wa...

CVE-2021-47022

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix memleak when mt7615_unregister_device() mt7615_tx_token_put() should get call before mt76_free_pending_txwi().

CVE-2021-47042

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Free local data after use Fixes the following memory leak in dc_link_construct(): unreferenced object 0xffffa03e81471400 (size 1024):comm "amd_module_load", pid 2486, jiffies 4294946026 (age 10.544s)hex dump (first...

CVE-2024-26957

In the Linux kernel, the following vulnerability has been resolved: s390/zcrypt: fix reference counting on zcrypt card objects Tests with hot-plugging crytpo cards on KVM guests with debugkernel build revealed an use after free for the load field ofthe struct zcrypt_card. The reason was an incorrec...

CVE-2021-47003

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix potential null dereference on pointer status There are calls to idxd_cmd_exec that pass a null status pointer howevera recent commit has added an assignment to *status that can end upwith a null pointer derefer...

CVE-2023-52583

In the Linux kernel, the following vulnerability has been resolved: ceph: fix deadlock or deadcode of misusing dget() The lock order is incorrect between denty and its parent, we shouldalways make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will...

CVE-2021-46987

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock when cloning inline extents and using qgroups There are a few exceptional cases where cloning an inline extent needs tocopy the inline extent data into a page of the destination inode. When this happens, we end ...

CVE-2021-47030

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix memory leak in mt7615_coredump_work Similar to the issue fixed in mt7921_coredump_work, fix a possible memoryleak in mt7615_coredump_work routine.

CVE-2021-46998

In the Linux kernel, the following vulnerability has been resolved: ethernet:enic: Fix a use after free bug in enic_hard_start_xmit In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Insideenic_queue_wq_skb, if some error happens, the skb will be freedby dev_kfree_skb(skb). But the freed skb is...

CVE-2021-47021

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix memleak when mt7915_unregister_device() mt7915_tx_token_put() should get call before mt76_free_pending_txwi().

CVE-2021-46983

In the Linux kernel, the following vulnerability has been resolved: nvmet-rdma: Fix NULL deref when SEND is completed with error When running some traffic and taking down the link on peer, aretry counter exceeded error is received. This leads tonvmet_rdma_error_comp which tried accessing the cq_con...

CVE-2021-46959

In the Linux kernel, the following vulnerability has been resolved: spi: Fix use-after-free with devm_spi_alloc_* We can't rely on the contents of the devres list duringspi_unregister_controller(), as the list is already torn down at thetime we perform devres_find() for devm_spi_release_controller....

CVE-2021-47058

In the Linux kernel, the following vulnerability has been resolved: regmap: set debugfs_name to NULL after it is freed There is a upstream commit cffa4b2122f5("regmap:debugfs:Fix a memory leak when calling regmap_attach_dev") thatadds a if condition when create name for debugfs_name.With below func...

CVE-2023-52461

In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix bounds limiting when given a malformed entity If we're given a malformed entity in drm_sched_entity_init()--shouldn'thappen, but we verify--with out-of-bounds priority value, we set it to anallowed value. Fix the exp...

CVE-2021-46985

In the Linux kernel, the following vulnerability has been resolved: ACPI: scan: Fix a memory leak in an error handling path If 'acpi_device_set_name()' fails, we must free'acpi_device_bus_id->bus_id' or there is a (potential) memory leak.

CVE-2021-47028

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix txrate reporting Properly check rate_info to fix unexpected reporting. [ 1215.161863] Call trace:[ 1215.164307] cfg80211_calculate_bitrate+0x124/0x200 [cfg80211][ 1215.170139] ieee80211s_update_metric+0x80/0xc0 [m...

CVE-2024-27008

In the Linux kernel, the following vulnerability has been resolved: drm: nv04: Fix out of bounds access When Output Resource (dcb->or) value is assigned infabricate_dcb_output(), there may be out of bounds access todac_users array in case dcb->or is zero because ffs(dcb->or) isused as inde...

CVE-2024-26614

In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the followingissue:pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!WARNING: CPU: 19 PID: 21160 at __pv_qu...

CVE-2023-52492

In the Linux kernel, the following vulnerability has been resolved: dmaengine: fix NULL pointer in channel unregistration function __dma_async_device_channel_register() can fail. In case of failure,chan->local is freed (with free_percpu()), and chan->local is nullified.When dma_async_device_u...

CVE-2024-26612

In the Linux kernel, the following vulnerability has been resolved: netfs, fscache: Prevent Oops in fscache_put_cache() This function dereferences "cache" and then checks if it'sIS_ERR_OR_NULL(). Check first, then dereference.

CVE-2024-26608

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 ("net:qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer findsanother global out-of-bounds read for policy ksmbd_nl...

CVE-2024-26859

In the Linux kernel, the following vulnerability has been resolved: net/bnx2x: Prevent access to a freed page in page_pool Fix race condition leading to system crash during EEH error handling During EEH error recovery, the bnx2x driver's transmit timeout logiccould cause a race condition when handl...

CVE-2024-26982

In the Linux kernel, the following vulnerability has been resolved: Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inodehas an inode number with the inv...

CVE-2024-26973

In the Linux kernel, the following vulnerability has been resolved: fat: fix uninitialized field in nostale filehandles When fat_encode_fh_nostale() encodes file handle without a parent itstores only first 10 bytes of the file handle. However the length of thefile handle must be a multiple of 4 so ...