Linux Kernel vulnerabilities
14,742 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 14,742
CISA KEV: 29 (actively exploited)
Public exploits: 296
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3715, MEDIUM 8619, LOW 440, UNKNOWN 1856
Vulnerabilities
CVE-2023-53668 [HIGH] CVSS 7.1 | CWE-125 | 2025-10-07
Affected versions: ≥ 3.6, < 4.14.322; ≥ 4.15, < 4.19.291; +6 more
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Fix deadloop issue on reading trace_pipe
Soft lockup occurs when reading file 'trace_pipe':
watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488]
[...]
RIP: 0010:ring_buffer_empty_cpu+0xed/0x170
RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246
RAX: 0000000000000000 R
Sources: nvd, osv

CVE-2023-53636 [HIGH] CVSS 7.8 | CWE-416 | 2025-10-07
Affected versions: ≥ 6.1, < 6.1.28; ≥ 6.2, < 6.2.15; +1 more
In the Linux kernel, the following vulnerability has been resolved:
clk: microchip: fix potential UAF in auxdev release callback
Similar to commit 1c11289b34ab ("peci: cpu: Fix use-after-free in
adev_release()"), the auxiliary device is not torn down in the correct
order. If auxiliary_device_add() fails, the release callback will be
called twice, re
Sources: nvd, osv

CVE-2022-50551 [HIGH] CVSS 7.1 | CWE-125 | 2025-10-07
Affected versions: ≥ 4.5, < 4.9.337; ≥ 4.10, < 4.14.305; +6 more
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
This patch fixes a shift-out-of-bounds in brcmfmac that occurs in
BIT(chiprev) when a 'chiprev' provided by the device is too large.
It should also not be equal to or greater than BITS_PER_TYPE(u32)
as we
Sources: nvd, osv

CVE-2022-50546 [HIGH] CVSS 7.8 | CWE-908 | 2025-10-07
Affected versions: ≥ 5.15.61, < 5.15.87; ≥ 5.18.18, < 5.19; +3 more
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix uninititialized value in 'ext4_evict_inode'
Syzbot found the following issue:
BUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
evict+0x365/0x9a0 fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
Sources: nvd, osv

CVE-2022-50543 [HIGH] CVSS 7.8 | CWE-415 | 2025-10-07
Affected versions: ≥ 5.19.4, < 6.0.16; ≥ 6.1, < 6.1.2
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix mr->map double free
rxe_mr_cleanup() which tries to free mr->map again will be called when
rxe_mr_init_user() fails:
CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Sources: nvd, osv

CVE-2022-50526 [HIGH] CVSS 7.8 | CWE-787 | 2025-10-07
Affected versions: ≥ 5.17, < 6.0.7; v6.1
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502664/
Sources: nvd, osv

CVE-2023-53673 [HIGH] CVSS 7.8 | CWE-416 | 2025-10-07
Affected versions: ≥ 5.7, < 6.1.42; ≥ 6.2, < 6.4.7; +1 more
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: call disconnect callback before deleting conn
In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
ISO, L2CAP and SCO connections refer to the hci_conn without
hci_conn_get, so disconn_cfm must be called so they can clean up their
conn, other
Sources: nvd, osv

CVE-2023-53675 [HIGH] CVSS 7.1 | CWE-125 | 2025-10-07
Affected versions: ≥ 2.6.25, < 4.14.308; ≥ 4.15, < 4.19.276; +5 more
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix possible desc_ptr out-of-bounds accesses
Sanitize possible desc_ptr out-of-bounds accesses in
ses_enclosure_data_process().
Sources: nvd, osv

CVE-2023-53676 [HIGH] CVSS 7.8 | CWE-787 | 2025-10-07
Affected versions: ≥ 3.1, < 4.14.326; ≥ 4.15, < 4.19.295; +5 more
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
The function lio_target_nacl_info_show() uses sprintf() in a loop to print
details for every iSCSI connection in a session without checking for the
buffer length. With enough iSCSI connections it's possible to o
Sources: nvd, osv

CVE-2022-50518 [HIGH] CVSS 7.8 | CWE-667 | 2025-10-07
Affected versions: ≥ 2.6.24.5, < 2.6.25; ≥ 2.6.25.1, < 6.0.18; +2 more
In the Linux kernel, the following vulnerability has been resolved:
parisc: Fix locking in pdc_iodc_print() firmware call
Utilize pdc_lock spinlock to protect parallel modifications of the
iodc_dbuf[] buffer, check length to prevent buffer overflow of
iodc_dbuf[], drop the iodc_retbuf[] buffer and fix some wrong
indentings.
Sources: nvd, osv

CVE-2023-53622 [HIGH] CVSS 7.0 | CWE-362 | 2025-10-07
Affected versions: ≥ 2.6.31, < 4.14.324; ≥ 4.15, < 4.19.293; +5 more
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix possible data races in gfs2_show_options()
Some fields such as gt_logd_secs of the struct gfs2_tune are accessed
without holding the lock gt_spin in gfs2_show_options():
    val = sdp->sd_tune.gt_logd_secs;
    if (val != 30)
        seq_printf(s, ",commit=%d", val);
And thus can cause
Sources: nvd, osv

CVE-2022-50536 [HIGH] CVSS 7.8 | CWE-415 | 2025-10-07
Affected versions: ≥ 5.4.157, < 5.4.229; ≥ 5.10.77, < 5.10.163; +5 more
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
In tcp_bpf_send_verdict() redirection, the eval variable is assigned to
__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,
sock_put() will be called multiple times.
We should reset the eval v
Sources: nvd, osv

CVE-2023-53680 [HIGH] CVSS 7.8 | CWE-787 | 2025-10-07
Affected versions: ≥ 4.14, < 5.10.220; ≥ 5.11, < 5.15.107; +3 more
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL
OPDESC() simply indexes into nfsd4_ops[] by the op's operation
number, without range checking that value. It assumes callers are
careful to avoid calling it with an out-of-bounds opnum value.
nfsd4_decode_compound() is not
Sources: nvd, osv

CVE-2023-53645 [HIGH] CVSS 7.8 | CWE-416 | 2025-10-07
Affected versions: ≥ 6.4, < 6.4.4
In the Linux kernel, the following vulnerability has been resolved:
bpf: Make bpf_refcount_acquire fallible for non-owning refs
This patch fixes an incorrect assumption made in the original
bpf_refcount series [0], specifically that the BPF program calling
bpf_refcount_acquire on some node can always guarantee that the node is
alive. In that series,
Sources: nvd, osv

CVE-2023-53652 [HIGH] CVSS 7.8 | 2025-10-07
Affected versions: ≥ 6.1, < 6.1.47; ≥ 6.2, < 6.4.12; +1 more
In the Linux kernel, the following vulnerability has been resolved:
vdpa: Add features attr to vdpa_nl_policy for nlattr length check
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdp
Sources: nvd, osv

CVE-2023-53646 [HIGH] CVSS 7.1 | CWE-125 | 2025-10-07
Affected versions: ≥ 6.2, < 6.4.7; v6.5
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/perf: add sentinel to xehp_oa_b_counters
Arrays passed to reg_in_range_table should end with empty record.
The patch solves KASAN detected bug with signature:
BUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]
Read of size 4 at addr ffffffff
Sources: nvd, osv

CVE-2022-50542 [HIGH] CVSS 7.8 | CWE-416 | 2025-10-07
Affected versions: ≥ 3.6, < 4.9.337; ≥ 4.10, < 4.14.303; +6 more
In the Linux kernel, the following vulnerability has been resolved:
media: si470x: Fix use-after-free in si470x_int_in_callback()
syzbot reported use-after-free in si470x_int_in_callback() [1]. This
indicates that urb->context, which contains struct si470x_device
object, is freed when si470x_int_in_callback() is called.
The cause of this issue is t
Sources: nvd, osv

CVE-2023-53621 [HIGH] CVSS 7.8 | CWE-476 | 2025-10-07
Affected versions: ≥ 6.3, < 6.5.4
In the Linux kernel, the following vulnerability has been resolved:
memcontrol: ensure memcg acquired by id is properly set up
In the eviction recency check, we attempt to retrieve the memcg to which
the folio belonged when it was evicted, by the memcg id stored in the
shadow entry. However, there is a chance that the retrieved memcg is not
the orig
Sources: nvd, osv

CVE-2023-53638 [HIGH] CVSS 7.8 | CWE-416 | 2025-10-07
Affected versions: ≥ 6.4, < 6.4.12; v6.5
In the Linux kernel, the following vulnerability has been resolved:
octeon_ep: cancel queued works in probe error path
If it fails to get the device's MAC address, octep_probe exits while
leaving the delayed work intr_poll_task queued. When the work later
runs, it's a use after free.
Move the cancelation of intr_poll_task from octep_remove into
oct
Sources: nvd, osv

CVE-2023-53659 [HIGH] CVSS 7.1 | CWE-125 | 2025-10-07
Affected versions: ≥ 5.10.82, < 5.10.188; ≥ 5.15.5, < 5.15.123; +4 more
In the Linux kernel, the following vulnerability has been resolved:
iavf: Fix out-of-bounds when setting channels on remove
If we set channels greater during iavf_remove(), and waiting reset done
would be timeout, then returned with error but changed num_active_queues
directly, that will lead to OOB like the following logs. Because the
num_active_qu
Sources: nvd, osv