Linux Kernel vulnerabilities

CVE-2023-53435 [MEDIUM] CWE-401 CVE-2023-53435: In the Linux kernel, the following vulnerability has been resolved: cassini: Fix a memory leak in t In the Linux kernel, the following vulnerability has been resolved: cassini: Fix a memory leak in the error handling path of cas_init_one() cas_saturn_firmware_init() allocates some memory using vmalloc(). This memory is freed in the .remove() function but not it the error handling path of the probe. Add the missing vfree() to avoid a memory leak

CVE-2023-53403 [MEDIUM] CWE-401 CVE-2023-53403: In the Linux kernel, the following vulnerability has been resolved: time/debug: Fix memory leak wit In the Linux kernel, the following vulnerability has been resolved: time/debug: Fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once.

CVE-2023-53416 [MEDIUM] CWE-401 CVE-2023-53416: In the Linux kernel, the following vulnerability has been resolved: USB: isp1362: fix memory leak w In the Linux kernel, the following vulnerability has been resolved: USB: isp1362: fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once.

CVE-2023-53431 [MEDIUM] CVE-2023-53431: In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Handle enclosure wit In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Handle enclosure with just a primary component gracefully This reverts commit 3fe97ff3d949 ("scsi: ses: Don't attach if enclosure has no components") and introduces proper handling of case where there are no detected secondary components, but primary component (enumerated in nu

CVE-2022-50414 [MEDIUM] CVE-2022-50414: In the Linux kernel, the following vulnerability has been resolved: scsi: fcoe: Fix transport not d In the Linux kernel, the following vulnerability has been resolved: scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails fcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when fcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves freed &fcoe_sw_transport on fcoe_transports list. This causes panic when reinserting

CVE-2023-53436 [MEDIUM] CWE-401 CVE-2023-53436: In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix possible memory In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix possible memory leak if device_add() fails If device_add() returns error, the name allocated by dev_set_name() needs be freed. As the comment of device_add() says, put_device() should be used to give up the reference in the error path. So fix this by calling put_de

CVE-2023-53369 [MEDIUM] CVE-2023-53369: In the Linux kernel, the following vulnerability has been resolved: net: dcb: choose correct policy In the Linux kernel, the following vulnerability has been resolved: net: dcb: choose correct policy to parse DCB_ATTR_BCN The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN], which is introduced in commit 859ee3c43812 ("DCB: Add support for DCB BCN"). Please see the comment in below code static int dcbnl_bcn_setcfg(...) { ... ret = nla_p

CVE-2023-53419 [MEDIUM] CWE-476 CVE-2023-53419: In the Linux kernel, the following vulnerability has been resolved: rcu: Protect rcu_print_task_exp In the Linux kernel, the following vulnerability has been resolved: rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access For kernels built with CONFIG_PREEMPT_RCU=y, the following scenario can result in a NULL-pointer dereference: CPU1 CPU2 rcu_preempt_deferred_qs_irqrestore rcu_print_task_exp_stall if (special.b.blocked) READ_ONCE(rnp->exp

CVE-2022-50392 [MEDIUM] CVE-2022-50392: In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8183: fix ref In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8183: fix refcount leak in mt8183_mt6358_ts3a227_max98357_dev_probe() The node returned by of_parse_phandle() with refcount incremented, of_node_put() needs be called when finish using it. So add it in the error path in mt8183_mt6358_ts3a227_max98357_dev_probe().

CVE-2023-53380 [MEDIUM] CWE-476 CVE-2023-53380: In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix null-ptr-deref o In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request There are two check of 'mreplace' in raid10_sync_request(). In the first check, 'need_replace' will be set and 'mreplace' will be used later if no-Faulty 'mreplace' exists, In the second check, 'mreplace' will be set

CVE-2022-50381 [MEDIUM] CWE-476 CVE-2022-50381: In the Linux kernel, the following vulnerability has been resolved: md: fix a crash in mempool_free In the Linux kernel, the following vulnerability has been resolved: md: fix a crash in mempool_free There's a crash in mempool_free when running the lvm test shell/lvchange-rebuild-raid.sh. The reason for the crash is this: * super_written calls atomic_dec_and_test(&mddev->pending_writes) and wake_up(&mddev->sb_wait). Then it calls rdev_dec_pendi

CVE-2023-53401 [MEDIUM] CWE-476 CVE-2023-53401: In the Linux kernel, the following vulnerability has been resolved: mm: kmem: fix a NULL pointer de In the Linux kernel, the following vulnerability has been resolved: mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required() KCSAN found an issue in obj_stock_flush_required(): stock->cached_objcg can be reset between the check and dereference: BUG: KCSAN: data-race in drain_all_stock / drain_obj_stock write to 0xffff888237c2a2f8 o

CVE-2023-53375 [MEDIUM] CWE-401 CVE-2023-53375: In the Linux kernel, the following vulnerability has been resolved: tracing: Free error logs of tra In the Linux kernel, the following vulnerability has been resolved: tracing: Free error logs of tracing instances When a tracing instance is removed, the error messages that hold errors that occurred in the instance needs to be freed. The following reports a memory leak: # cd /sys/kernel/tracing # mkdir instances/foo # echo 'hist:keys=x' > instan

CVE-2023-53434 [MEDIUM] CVE-2023-53434: In the Linux kernel, the following vulnerability has been resolved: remoteproc: imx_dsp_rproc: Add In the Linux kernel, the following vulnerability has been resolved: remoteproc: imx_dsp_rproc: Add custom memory copy implementation for i.MX DSP Cores The IRAM is part of the HiFi DSP. According to hardware specification only 32-bits write are allowed otherwise we get a Kernel panic. Therefore add a custom memory copy and memset functions to deal with th

CVE-2023-53429 [MEDIUM] CVE-2023-53429: In the Linux kernel, the following vulnerability has been resolved: btrfs: don't check PageError in In the Linux kernel, the following vulnerability has been resolved: btrfs: don't check PageError in __extent_writepage __extent_writepage currenly sets PageError whenever any error happens, and the also checks for PageError to decide if to call error handling. This leads to very unclear responsibility for cleaning up on errors. In the VM and generic write

CVE-2022-50397 CVE-2022-50397: In the Linux kernel, the following vulnerability has been resolved: net/ieee802154: reject zero-sized raw_sendmsg() syzbot is hitting skb_assert_len() In the Linux kernel, the following vulnerability has been resolved: net/ieee802154: reject zero-sized raw_sendmsg() syzbot is hitting skb_assert_len() warning at raw_sendmsg() for ieee802154 socket. What commit dc633700f00f726e ("net/af_packet: check len when min_header_len equals to 0") does also applies to ieee8021

CVE-2022-50377 CVE-2022-50377: In the Linux kernel, the following vulnerability has been resolved: ext4: check and assert if marking an no_delete evicting inode dirty In ext4_evic In the Linux kernel, the following vulnerability has been resolved: ext4: check and assert if marking an no_delete evicting inode dirty In ext4_evict_inode(), if we evicting an inode in the 'no_delete' path, it cannot be raced by another mark_inode_dirty(). If it happens, someone else may accidentally dirty it with

CVE-2022-50403 CVE-2022-50403: In the Linux kernel, the following vulnerability has been resolved: ext4: fix undefined behavior in bit shift for ext4_check_flag_values Shifting si In the Linux kernel, the following vulnerability has been resolved: ext4: fix undefined behavior in bit shift for ext4_check_flag_values Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in fs/ext4/ext4.

CVE-2023-53358 [HIGH] CWE-416 CVE-2023-53358: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix racy issue under coc In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix racy issue under cocurrent smb2 tree disconnect There is UAF issue under cocurrent smb2 tree disconnect. This patch introduce TREE_CONN_EXPIRE flags for tcon to avoid cocurrent access.

CVE-2023-53338 [HIGH] CWE-416 CVE-2023-53338: In the Linux kernel, the following vulnerability has been resolved: lwt: Fix return values of BPF x In the Linux kernel, the following vulnerability has been resolved: lwt: Fix return values of BPF xmit ops BPF encap ops can return different types of positive values, such like NET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function skb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return values would be treated implicitly