Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-2107
Vulnerability from csaf_certbund
Published
2025-09-22 22:00
Modified
2025-10-15 22:00
Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder nicht näher beschriebene Auswirkungen zu erzielen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder nicht n\u00e4her beschriebene Auswirkungen zu erzielen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2107 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2107.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2107 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2107"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39867",
"url": "https://lore.kernel.org/linux-cve-announce/2025092357-CVE-2025-39867-51e2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39868",
"url": "https://lore.kernel.org/linux-cve-announce/2025092359-CVE-2025-39868-8245@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39869",
"url": "https://lore.kernel.org/linux-cve-announce/2025092359-CVE-2025-39869-6005@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39870",
"url": "https://lore.kernel.org/linux-cve-announce/2025092359-CVE-2025-39870-2af3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39871",
"url": "https://lore.kernel.org/linux-cve-announce/2025092300-CVE-2025-39871-3abe@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39872",
"url": "https://lore.kernel.org/linux-cve-announce/2025092300-CVE-2025-39872-5102@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39873",
"url": "https://lore.kernel.org/linux-cve-announce/2025092300-CVE-2025-39873-94d3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39874",
"url": "https://lore.kernel.org/linux-cve-announce/2025092300-CVE-2025-39874-d462@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39875",
"url": "https://lore.kernel.org/linux-cve-announce/2025092300-CVE-2025-39875-6d27@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39876",
"url": "https://lore.kernel.org/linux-cve-announce/2025092300-CVE-2025-39876-3d4a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39877",
"url": "https://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39877-1244@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39878",
"url": "https://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39878-29db@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39879",
"url": "https://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39879-3ed2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39880",
"url": "https://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39880-17c5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39881",
"url": "https://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39881-a4e1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39882",
"url": "https://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39882-1d0a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39883",
"url": "https://lore.kernel.org/linux-cve-announce/2025092302-CVE-2025-39883-6015@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39884",
"url": "https://lore.kernel.org/linux-cve-announce/2025092302-CVE-2025-39884-1503@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39885",
"url": "https://lore.kernel.org/linux-cve-announce/2025092302-CVE-2025-39885-7e13@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39886",
"url": "https://lore.kernel.org/linux-cve-announce/2025092302-CVE-2025-39886-4bea@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39887",
"url": "https://lore.kernel.org/linux-cve-announce/2025092302-CVE-2025-39887-12f0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39888",
"url": "https://lore.kernel.org/linux-cve-announce/2025092303-CVE-2025-39888-3c85@gregkh/"
},
{
"category": "external",
"summary": "Google Container-Optimized OS release notes vom 2025-09-30",
"url": "https://cloud.google.com/container-optimized-os/docs/release-notes#September_29_2025"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-20649 vom 2025-10-07",
"url": "https://linux.oracle.com/errata/ELSA-2025-20649.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4328 vom 2025-10-13",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03601-1 vom 2025-10-15",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/022903.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03615-1 vom 2025-10-16",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BVPLWRQN6MVKFQDJSEKN2JP6PMSGIO4Q/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03614-1 vom 2025-10-16",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/022911.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03600-1 vom 2025-10-15",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VHWHH7ZSMFJ6PQZ3CBDGGCWHNBCWD26Z/"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-10-15T22:00:00.000+00:00",
"generator": {
"date": "2025-10-16T09:43:31.604+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2107",
"initial_release_date": "2025-09-22T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-09-22T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-09-30T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-10-06T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-10-12T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-10-15T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Google Container-Optimized OS",
"product": {
"name": "Google Container-Optimized OS",
"product_id": "1607324",
"product_identification_helper": {
"cpe": "cpe:/o:google:container-optimized_os:-"
}
}
}
],
"category": "vendor",
"name": "Google"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T028463",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:unspecified"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-49202",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49202"
},
{
"cve": "CVE-2022-49205",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49205"
},
{
"cve": "CVE-2022-49214",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49214"
},
{
"cve": "CVE-2022-49222",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49222"
},
{
"cve": "CVE-2022-49228",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49228"
},
{
"cve": "CVE-2022-49234",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49234"
},
{
"cve": "CVE-2022-49244",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49244"
},
{
"cve": "CVE-2022-49245",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49245"
},
{
"cve": "CVE-2022-49246",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49246"
},
{
"cve": "CVE-2022-49248",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49248"
},
{
"cve": "CVE-2022-49249",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49249"
},
{
"cve": "CVE-2022-49250",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49250"
},
{
"cve": "CVE-2022-49251",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49251"
},
{
"cve": "CVE-2022-49252",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49252"
},
{
"cve": "CVE-2022-49253",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49253"
},
{
"cve": "CVE-2022-49254",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49254"
},
{
"cve": "CVE-2022-49256",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49256"
},
{
"cve": "CVE-2022-49257",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49257"
},
{
"cve": "CVE-2022-49261",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49261"
},
{
"cve": "CVE-2022-49262",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49262"
},
{
"cve": "CVE-2022-49263",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49263"
},
{
"cve": "CVE-2022-49268",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49268"
},
{
"cve": "CVE-2022-49271",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49271"
},
{
"cve": "CVE-2022-49272",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49272"
},
{
"cve": "CVE-2022-49274",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49274"
},
{
"cve": "CVE-2022-49278",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49278"
},
{
"cve": "CVE-2022-49283",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49283"
},
{
"cve": "CVE-2022-49285",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49285"
},
{
"cve": "CVE-2022-49286",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49286"
},
{
"cve": "CVE-2022-49289",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49289"
},
{
"cve": "CVE-2022-49292",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49292"
},
{
"cve": "CVE-2022-49320",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49320"
},
{
"cve": "CVE-2022-49325",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49325"
},
{
"cve": "CVE-2022-49330",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49330"
},
{
"cve": "CVE-2022-49337",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49337"
},
{
"cve": "CVE-2022-49339",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49339"
},
{
"cve": "CVE-2022-49345",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49345"
},
{
"cve": "CVE-2022-49347",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49347"
},
{
"cve": "CVE-2022-49350",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49350"
},
{
"cve": "CVE-2022-49379",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49379"
},
{
"cve": "CVE-2022-49393",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49393"
},
{
"cve": "CVE-2022-49396",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49396"
},
{
"cve": "CVE-2022-49397",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49397"
},
{
"cve": "CVE-2022-49401",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49401"
},
{
"cve": "CVE-2022-49407",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49407"
},
{
"cve": "CVE-2022-49409",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49409"
},
{
"cve": "CVE-2022-49415",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49415"
},
{
"cve": "CVE-2022-49417",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49417"
},
{
"cve": "CVE-2022-49421",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2022-49421"
},
{
"cve": "CVE-2025-10843",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-10843"
},
{
"cve": "CVE-2025-39867",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39867"
},
{
"cve": "CVE-2025-39868",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39868"
},
{
"cve": "CVE-2025-39869",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39869"
},
{
"cve": "CVE-2025-39870",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39870"
},
{
"cve": "CVE-2025-39871",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39871"
},
{
"cve": "CVE-2025-39872",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39872"
},
{
"cve": "CVE-2025-39873",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39873"
},
{
"cve": "CVE-2025-39874",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39874"
},
{
"cve": "CVE-2025-39875",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39875"
},
{
"cve": "CVE-2025-39876",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39876"
},
{
"cve": "CVE-2025-39877",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39877"
},
{
"cve": "CVE-2025-39878",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39878"
},
{
"cve": "CVE-2025-39879",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39879"
},
{
"cve": "CVE-2025-39880",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39880"
},
{
"cve": "CVE-2025-39881",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39881"
},
{
"cve": "CVE-2025-39882",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39882"
},
{
"cve": "CVE-2025-39883",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39883"
},
{
"cve": "CVE-2025-39884",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39884"
},
{
"cve": "CVE-2025-39885",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39885"
},
{
"cve": "CVE-2025-39886",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39886"
},
{
"cve": "CVE-2025-39887",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39887"
},
{
"cve": "CVE-2025-39888",
"product_status": {
"known_affected": [
"T028463",
"2951",
"T002207",
"T004914",
"1607324"
]
},
"release_date": "2025-09-22T22:00:00.000+00:00",
"title": "CVE-2025-39888"
}
]
}
CVE-2025-39867 (GCVE-0-2025-39867)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-09-29T06:08:49.023Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39867",
"datePublished": "2025-09-23T06:00:42.707Z",
"dateRejected": "2025-09-29T06:08:49.023Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-09-29T06:08:49.023Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49245 (GCVE-0-2022-49245)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: rockchip: Fix PM usage reference of rockchip_i2s_tdm_resume
pm_runtime_get_sync will increment pm usage counter
even it failed. Forgetting to putting operation will
result in reference leak here. We fix it by replacing
it with pm_runtime_resume_and_get to keep usage counter
balanced.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/rockchip/rockchip_i2s_tdm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e5510219111607b1f1875ab3c3f0485ba3c381c",
"status": "affected",
"version": "081068fd641403994f0505e6b91e021d3925f348",
"versionType": "git"
},
{
"lessThan": "5c1834aac759ddfd0f17c9f38db1b30adc8eb4e8",
"status": "affected",
"version": "081068fd641403994f0505e6b91e021d3925f348",
"versionType": "git"
},
{
"lessThan": "cc5d8ac95663a5813c696008bc524b794d471215",
"status": "affected",
"version": "081068fd641403994f0505e6b91e021d3925f348",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/rockchip/rockchip_i2s_tdm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rockchip: Fix PM usage reference of rockchip_i2s_tdm_resume\n\npm_runtime_get_sync will increment pm usage counter\neven it failed. Forgetting to putting operation will\nresult in reference leak here. We fix it by replacing\nit with pm_runtime_resume_and_get to keep usage counter\nbalanced."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:15.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e5510219111607b1f1875ab3c3f0485ba3c381c"
},
{
"url": "https://git.kernel.org/stable/c/5c1834aac759ddfd0f17c9f38db1b30adc8eb4e8"
},
{
"url": "https://git.kernel.org/stable/c/cc5d8ac95663a5813c696008bc524b794d471215"
}
],
"title": "ASoC: rockchip: Fix PM usage reference of rockchip_i2s_tdm_resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49245",
"datePublished": "2025-02-26T01:56:05.259Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-05-04T08:33:15.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39884 (GCVE-0-2025-39884)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix subvolume deletion lockup caused by inodes xarray race
There is a race condition between inode eviction and inode caching that
can cause a live struct btrfs_inode to be missing from the root->inodes
xarray. Specifically, there is a window during evict() between the inode
being unhashed and deleted from the xarray. If btrfs_iget() is called
for the same inode in that window, it will be recreated and inserted
into the xarray, but then eviction will delete the new entry, leaving
nothing in the xarray:
Thread 1 Thread 2
---------------------------------------------------------------
evict()
remove_inode_hash()
btrfs_iget_path()
btrfs_iget_locked()
btrfs_read_locked_inode()
btrfs_add_inode_to_root()
destroy_inode()
btrfs_destroy_inode()
btrfs_del_inode_from_root()
__xa_erase
In turn, this can cause issues for subvolume deletion. Specifically, if
an inode is in this lost state, and all other inodes are evicted, then
btrfs_del_inode_from_root() will call btrfs_add_dead_root() prematurely.
If the lost inode has a delayed_node attached to it, then when
btrfs_clean_one_deleted_snapshot() calls btrfs_kill_all_delayed_nodes(),
it will loop forever because the delayed_nodes xarray will never become
empty (unless memory pressure forces the inode out). We saw this
manifest as soft lockups in production.
Fix it by only deleting the xarray entry if it matches the given inode
(using __xa_cmpxchg()).
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ba898c9fcbe6ebb88bcd4df8aab0f90090d202e",
"status": "affected",
"version": "310b2f5d5a9451b708ab1d3385c3b0998084904c",
"versionType": "git"
},
{
"lessThan": "f1498abaf74f8d7b1e7001f16ed77818d8ae6a59",
"status": "affected",
"version": "310b2f5d5a9451b708ab1d3385c3b0998084904c",
"versionType": "git"
},
{
"lessThan": "f6a6c280059c4ddc23e12e3de1b01098e240036f",
"status": "affected",
"version": "310b2f5d5a9451b708ab1d3385c3b0998084904c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix subvolume deletion lockup caused by inodes xarray race\n\nThere is a race condition between inode eviction and inode caching that\ncan cause a live struct btrfs_inode to be missing from the root-\u003einodes\nxarray. Specifically, there is a window during evict() between the inode\nbeing unhashed and deleted from the xarray. If btrfs_iget() is called\nfor the same inode in that window, it will be recreated and inserted\ninto the xarray, but then eviction will delete the new entry, leaving\nnothing in the xarray:\n\nThread 1 Thread 2\n---------------------------------------------------------------\nevict()\n remove_inode_hash()\n btrfs_iget_path()\n btrfs_iget_locked()\n btrfs_read_locked_inode()\n btrfs_add_inode_to_root()\n destroy_inode()\n btrfs_destroy_inode()\n btrfs_del_inode_from_root()\n __xa_erase\n\nIn turn, this can cause issues for subvolume deletion. Specifically, if\nan inode is in this lost state, and all other inodes are evicted, then\nbtrfs_del_inode_from_root() will call btrfs_add_dead_root() prematurely.\nIf the lost inode has a delayed_node attached to it, then when\nbtrfs_clean_one_deleted_snapshot() calls btrfs_kill_all_delayed_nodes(),\nit will loop forever because the delayed_nodes xarray will never become\nempty (unless memory pressure forces the inode out). We saw this\nmanifest as soft lockups in production.\n\nFix it by only deleting the xarray entry if it matches the given inode\n(using __xa_cmpxchg())."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:44.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ba898c9fcbe6ebb88bcd4df8aab0f90090d202e"
},
{
"url": "https://git.kernel.org/stable/c/f1498abaf74f8d7b1e7001f16ed77818d8ae6a59"
},
{
"url": "https://git.kernel.org/stable/c/f6a6c280059c4ddc23e12e3de1b01098e240036f"
}
],
"title": "btrfs: fix subvolume deletion lockup caused by inodes xarray race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39884",
"datePublished": "2025-09-23T06:00:52.064Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-09-29T06:01:44.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39873 (GCVE-0-2025-39873)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-10-02 13:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
can_put_echo_skb() takes ownership of the SKB and it may be freed
during or after the call.
However, xilinx_can xcan_write_frame() keeps using SKB after the call.
Fix that by only calling can_put_echo_skb() after the code is done
touching the SKB.
The tx_lock is held for the entire xcan_write_frame() execution and
also on the can_get_echo_skb() side so the order of operations does not
matter.
An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb
memory") did not move the can_put_echo_skb() call far enough.
[mkl: add "commit" in front of sha1 in patch description]
[mkl: fix indention]
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/xilinx_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e202ffd9e54538ef67ec301ebd6d9da4823466c9",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "1139321161a3ba5e45e61e0738b37f42f20bc57a",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "94b050726288a56a6b8ff55aa641f2fedbd3b44c",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "725b33deebd6e4c96fe7893f384510a54258f28f",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "668cc1e3bb21101d074e430de1b7ba8fd10189e7",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "ef79f00be72bd81d2e1e6f060d83cf7e425deee4",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/xilinx_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB\n\ncan_put_echo_skb() takes ownership of the SKB and it may be freed\nduring or after the call.\n\nHowever, xilinx_can xcan_write_frame() keeps using SKB after the call.\n\nFix that by only calling can_put_echo_skb() after the code is done\ntouching the SKB.\n\nThe tx_lock is held for the entire xcan_write_frame() execution and\nalso on the can_get_echo_skb() side so the order of operations does not\nmatter.\n\nAn earlier fix commit 3d3c817c3a40 (\"can: xilinx_can: Fix usage of skb\nmemory\") did not move the can_put_echo_skb() call far enough.\n\n[mkl: add \"commit\" in front of sha1 in patch description]\n[mkl: fix indention]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:10.369Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e202ffd9e54538ef67ec301ebd6d9da4823466c9"
},
{
"url": "https://git.kernel.org/stable/c/1139321161a3ba5e45e61e0738b37f42f20bc57a"
},
{
"url": "https://git.kernel.org/stable/c/94b050726288a56a6b8ff55aa641f2fedbd3b44c"
},
{
"url": "https://git.kernel.org/stable/c/725b33deebd6e4c96fe7893f384510a54258f28f"
},
{
"url": "https://git.kernel.org/stable/c/668cc1e3bb21101d074e430de1b7ba8fd10189e7"
},
{
"url": "https://git.kernel.org/stable/c/ef79f00be72bd81d2e1e6f060d83cf7e425deee4"
}
],
"title": "can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39873",
"datePublished": "2025-09-23T06:00:46.157Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-10-02T13:26:10.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39869 (GCVE-0-2025-39869)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-10-02 13:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
Fix a critical memory allocation bug in edma_setup_from_hw() where
queue_priority_map was allocated with insufficient memory. The code
declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),
but allocated memory using sizeof(s8) instead of the correct size.
This caused out-of-bounds memory writes when accessing:
queue_priority_map[i][0] = i;
queue_priority_map[i][1] = i;
The bug manifested as kernel crashes with "Oops - undefined instruction"
on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the
memory corruption triggered kernel hardening features on Clang.
Change the allocation to use sizeof(*queue_priority_map) which
automatically gets the correct size for the 2D array structure.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/edma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d4de60d6db02d9b01d5890d5156b04fad65d07a",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "d722de80ce037dccf6931e778f4a46499d51bdf9",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "301a96cc4dc006c9a285913d301e681cfbf7edb6",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "1baed10553fc8b388351d8fc803e3ae6f1a863bc",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "069fd1688c57c0cc8a3de64d108579b31676f74b",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "d5e82f3f2c918d446df46e8d65f8083fd97cdec5",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "e63419dbf2ceb083c1651852209c7f048089ac0f",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/edma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Fix memory allocation size for queue_priority_map\n\nFix a critical memory allocation bug in edma_setup_from_hw() where\nqueue_priority_map was allocated with insufficient memory. The code\ndeclared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),\nbut allocated memory using sizeof(s8) instead of the correct size.\n\nThis caused out-of-bounds memory writes when accessing:\n queue_priority_map[i][0] = i;\n queue_priority_map[i][1] = i;\n\nThe bug manifested as kernel crashes with \"Oops - undefined instruction\"\non ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the\nmemory corruption triggered kernel hardening features on Clang.\n\nChange the allocation to use sizeof(*queue_priority_map) which\nautomatically gets the correct size for the 2D array structure."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:04.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d4de60d6db02d9b01d5890d5156b04fad65d07a"
},
{
"url": "https://git.kernel.org/stable/c/d722de80ce037dccf6931e778f4a46499d51bdf9"
},
{
"url": "https://git.kernel.org/stable/c/301a96cc4dc006c9a285913d301e681cfbf7edb6"
},
{
"url": "https://git.kernel.org/stable/c/5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93"
},
{
"url": "https://git.kernel.org/stable/c/1baed10553fc8b388351d8fc803e3ae6f1a863bc"
},
{
"url": "https://git.kernel.org/stable/c/069fd1688c57c0cc8a3de64d108579b31676f74b"
},
{
"url": "https://git.kernel.org/stable/c/d5e82f3f2c918d446df46e8d65f8083fd97cdec5"
},
{
"url": "https://git.kernel.org/stable/c/e63419dbf2ceb083c1651852209c7f048089ac0f"
}
],
"title": "dmaengine: ti: edma: Fix memory allocation size for queue_priority_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39869",
"datePublished": "2025-09-23T06:00:43.852Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-10-02T13:26:04.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49234 (GCVE-0-2022-49234)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: Avoid cross-chip syncing of VLAN filtering
Changes to VLAN filtering are not applicable to cross-chip
notifications.
On a system like this:
.-----. .-----. .-----.
| sw1 +---+ sw2 +---+ sw3 |
'-1-2-' '-1-2-' '-1-2-'
Before this change, upon sw1p1 leaving a bridge, a call to
dsa_port_vlan_filtering would also be made to sw2p1 and sw3p1.
In this scenario:
.---------. .-----. .-----.
| sw1 +---+ sw2 +---+ sw3 |
'-1-2-3-4-' '-1-2-' '-1-2-'
When sw1p4 would leave a bridge, dsa_port_vlan_filtering would be
called for sw2 and sw3 with a non-existing port - leading to array
out-of-bounds accesses and crashes on mv88e6xxx.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dsa/switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1f2a4dd8d433eec393d09273a78a3d3551339cf",
"status": "affected",
"version": "d371b7c92d190448f3ccbf082c90bf929285f648",
"versionType": "git"
},
{
"lessThan": "108dc8741c203e9d6ce4e973367f1bac20c7192b",
"status": "affected",
"version": "d371b7c92d190448f3ccbf082c90bf929285f648",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dsa/switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: Avoid cross-chip syncing of VLAN filtering\n\nChanges to VLAN filtering are not applicable to cross-chip\nnotifications.\n\nOn a system like this:\n\n.-----. .-----. .-----.\n| sw1 +---+ sw2 +---+ sw3 |\n\u0027-1-2-\u0027 \u0027-1-2-\u0027 \u0027-1-2-\u0027\n\nBefore this change, upon sw1p1 leaving a bridge, a call to\ndsa_port_vlan_filtering would also be made to sw2p1 and sw3p1.\n\nIn this scenario:\n\n.---------. .-----. .-----.\n| sw1 +---+ sw2 +---+ sw3 |\n\u0027-1-2-3-4-\u0027 \u0027-1-2-\u0027 \u0027-1-2-\u0027\n\nWhen sw1p4 would leave a bridge, dsa_port_vlan_filtering would be\ncalled for sw2 and sw3 with a non-existing port - leading to array\nout-of-bounds accesses and crashes on mv88e6xxx."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:01.348Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1f2a4dd8d433eec393d09273a78a3d3551339cf"
},
{
"url": "https://git.kernel.org/stable/c/108dc8741c203e9d6ce4e973367f1bac20c7192b"
}
],
"title": "net: dsa: Avoid cross-chip syncing of VLAN filtering",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49234",
"datePublished": "2025-02-26T01:55:59.615Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-05-04T08:33:01.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49401 (GCVE-0-2022-49401)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/page_owner: use strscpy() instead of strlcpy()
current->comm[] is not a string (no guarantee for a zero byte in it).
strlcpy(s1, s2, l) is calling strlen(s2), potentially
causing out-of-bound access, as reported by syzbot:
detected buffer overflow in __fortify_strlen
------------[ cut here ]------------
kernel BUG at lib/string_helpers.c:980!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980
Code: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a
RSP: 0018:ffffc900000074a8 EFLAGS: 00010286
RAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000
RDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87
RBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000
R10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700
R13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
<IRQ>
__fortify_strlen include/linux/fortify-string.h:128 [inline]
strlcpy include/linux/fortify-string.h:143 [inline]
__set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171
__set_page_owner+0x3e/0x50 mm/page_owner.c:190
prep_new_page mm/page_alloc.c:2441 [inline]
get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
alloc_slab_page mm/slub.c:1799 [inline]
allocate_slab+0x26c/0x3c0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0x8df/0xf20 mm/slub.c:3005
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
slab_alloc_node mm/slub.c:3183 [inline]
slab_alloc mm/slub.c:3225 [inline]
__kmem_cache_alloc_lru mm/slub.c:3232 [inline]
kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242
dst_alloc+0x146/0x1f0 net/core/dst.c:92
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/page_owner.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf",
"status": "affected",
"version": "865ed6a3278654ce4a55eb74c5283eeb82ad4699",
"versionType": "git"
},
{
"lessThan": "cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a",
"status": "affected",
"version": "865ed6a3278654ce4a55eb74c5283eeb82ad4699",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/page_owner.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_owner: use strscpy() instead of strlcpy()\n\ncurrent-\u003ecomm[] is not a string (no guarantee for a zero byte in it).\n\nstrlcpy(s1, s2, l) is calling strlen(s2), potentially\ncausing out-of-bound access, as reported by syzbot:\n\ndetected buffer overflow in __fortify_strlen\n------------[ cut here ]------------\nkernel BUG at lib/string_helpers.c:980!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980\nCode: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff \u003c0f\u003e 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a\nRSP: 0018:ffffc900000074a8 EFLAGS: 00010286\n\nRAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000\nRDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87\nRBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000\nR10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700\nR13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nCall Trace:\n \u003cIRQ\u003e\n __fortify_strlen include/linux/fortify-string.h:128 [inline]\n strlcpy include/linux/fortify-string.h:143 [inline]\n __set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171\n __set_page_owner+0x3e/0x50 mm/page_owner.c:190\n prep_new_page mm/page_alloc.c:2441 [inline]\n get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182\n __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408\n alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272\n alloc_slab_page mm/slub.c:1799 [inline]\n allocate_slab+0x26c/0x3c0 mm/slub.c:1944\n new_slab mm/slub.c:2004 [inline]\n ___slab_alloc+0x8df/0xf20 mm/slub.c:3005\n __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092\n slab_alloc_node mm/slub.c:3183 [inline]\n slab_alloc mm/slub.c:3225 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3232 [inline]\n kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242\n dst_alloc+0x146/0x1f0 net/core/dst.c:92"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:53.713Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf"
},
{
"url": "https://git.kernel.org/stable/c/cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a"
}
],
"title": "mm/page_owner: use strscpy() instead of strlcpy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49401",
"datePublished": "2025-02-26T02:12:28.603Z",
"dateReserved": "2025-02-26T02:08:31.565Z",
"dateUpdated": "2025-05-04T08:36:53.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39872 (GCVE-0-2025-39872)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hsr: hold rcu and dev lock for hsr_get_port_ndev
hsr_get_port_ndev calls hsr_for_each_port, which need to hold rcu lock.
On the other hand, before return the port device, we need to hold the
device reference to avoid UaF in the caller function.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/icssg/icssg_prueth.c",
"net/hsr/hsr_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68a6729afd3e8e9a2a32538642ce92b96ccf9b1d",
"status": "affected",
"version": "9c10dd8eed74de9e8adeb820939f8745cd566d4a",
"versionType": "git"
},
{
"lessThan": "847748fc66d08a89135a74e29362a66ba4e3ab15",
"status": "affected",
"version": "9c10dd8eed74de9e8adeb820939f8745cd566d4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/icssg/icssg_prueth.c",
"net/hsr/hsr_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: hold rcu and dev lock for hsr_get_port_ndev\n\nhsr_get_port_ndev calls hsr_for_each_port, which need to hold rcu lock.\nOn the other hand, before return the port device, we need to hold the\ndevice reference to avoid UaF in the caller function."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:29.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68a6729afd3e8e9a2a32538642ce92b96ccf9b1d"
},
{
"url": "https://git.kernel.org/stable/c/847748fc66d08a89135a74e29362a66ba4e3ab15"
}
],
"title": "hsr: hold rcu and dev lock for hsr_get_port_ndev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39872",
"datePublished": "2025-09-23T06:00:45.528Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-09-29T06:01:29.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49417 (GCVE-0-2022-49417)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iwlwifi: mei: fix potential NULL-ptr deref
If SKB allocation fails, continue rather than using the NULL
pointer.
Coverity CID: 1497650
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mei/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29b81de94d62b5e2704bb5106b3e701ca8d7c7a4",
"status": "affected",
"version": "2da4366f9e2c44afedec4acad65a99a3c7da1a35",
"versionType": "git"
},
{
"lessThan": "5d8d06fd3a02919100b28f927bcb76481ec0a0e3",
"status": "affected",
"version": "2da4366f9e2c44afedec4acad65a99a3c7da1a35",
"versionType": "git"
},
{
"lessThan": "78488a64aea94a3336ee97f345c1496e9bc5ebdf",
"status": "affected",
"version": "2da4366f9e2c44afedec4acad65a99a3c7da1a35",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mei/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: mei: fix potential NULL-ptr deref\n\nIf SKB allocation fails, continue rather than using the NULL\npointer.\n\nCoverity CID: 1497650"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:13.761Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29b81de94d62b5e2704bb5106b3e701ca8d7c7a4"
},
{
"url": "https://git.kernel.org/stable/c/5d8d06fd3a02919100b28f927bcb76481ec0a0e3"
},
{
"url": "https://git.kernel.org/stable/c/78488a64aea94a3336ee97f345c1496e9bc5ebdf"
}
],
"title": "iwlwifi: mei: fix potential NULL-ptr deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49417",
"datePublished": "2025-02-26T02:12:42.872Z",
"dateReserved": "2025-02-26T02:08:31.568Z",
"dateUpdated": "2025-05-04T08:37:13.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49268 (GCVE-0-2022-49268)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM
Do not call snd_dma_free_pages() when snd_dma_alloc_pages() returns
-ENOMEM because it leads to a NULL pointer dereference bug.
The dmesg says:
[ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12
[ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ T1387] #PF: supervisor read access in kernel mode
[ T1387] #PF: error_code(0x0000) - not-present page
[ T1387] PGD 0 P4D 0
[ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G W 5.17.0-rc4-superb-owl-00055-g80d47f5de5e3
[ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021
[ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80
[ T1387] Code: [... snip ...]
[ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246
[ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0
[ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000
[ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001
[ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828
[ T1387] FS: 00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000
[ T1387] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0
[ T1387] PKRU: 55555554
[ T1387] Call Trace:
[ T1387] <TASK>
[ T1387] cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1]
[... snip ...]
[ T1387] </TASK>
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/intel/hda-loader.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01df5f7627f1624d6bb0b8c0870a569b32adfbf8",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "0c307349fe060971625b856c92f0361b8ea9a120",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "b6094744e261083d3790c3def770ebf5060d383b",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "09eca322d4118dc26570ca6100fa34e59e5a5143",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "67f7bd9ff9079c1ee2de58e024fb582905c74c16",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "b7fb0ae09009d076964afe4c1a2bde1ee2bd88a9",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/intel/hda-loader.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM\n\nDo not call snd_dma_free_pages() when snd_dma_alloc_pages() returns\n-ENOMEM because it leads to a NULL pointer dereference bug.\n\nThe dmesg says:\n\n [ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12\n [ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000\n [ T1387] #PF: supervisor read access in kernel mode\n [ T1387] #PF: error_code(0x0000) - not-present page\n [ T1387] PGD 0 P4D 0\n [ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n [ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G W 5.17.0-rc4-superb-owl-00055-g80d47f5de5e3\n [ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021\n [ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80\n [ T1387] Code: [... snip ...]\n [ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246\n [ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n [ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0\n [ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000\n [ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001\n [ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828\n [ T1387] FS: 00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000\n [ T1387] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0\n [ T1387] PKRU: 55555554\n [ T1387] Call Trace:\n [ T1387] \u003cTASK\u003e\n [ T1387] cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1]\n [... snip ...]\n [ T1387] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:44.684Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01df5f7627f1624d6bb0b8c0870a569b32adfbf8"
},
{
"url": "https://git.kernel.org/stable/c/0c307349fe060971625b856c92f0361b8ea9a120"
},
{
"url": "https://git.kernel.org/stable/c/b6094744e261083d3790c3def770ebf5060d383b"
},
{
"url": "https://git.kernel.org/stable/c/09eca322d4118dc26570ca6100fa34e59e5a5143"
},
{
"url": "https://git.kernel.org/stable/c/67f7bd9ff9079c1ee2de58e024fb582905c74c16"
},
{
"url": "https://git.kernel.org/stable/c/b7fb0ae09009d076964afe4c1a2bde1ee2bd88a9"
}
],
"title": "ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49268",
"datePublished": "2025-02-26T01:56:16.713Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:44.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49251 (GCVE-0-2022-49251)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: va-macro: fix accessing array out of bounds for enum type
Accessing enums using integer would result in array out of bounds access
on platforms like aarch64 where sizeof(long) is 8 compared to enum size
which is 4 bytes.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-va-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "966408e37d84b762d11978b7bfb03fff0c6222ad",
"status": "affected",
"version": "908e6b1df26efc9d2df70c9a7bf4f5eae5c5702f",
"versionType": "git"
},
{
"lessThan": "4a799972a283ab4ec031041304d7e2d34e1a16eb",
"status": "affected",
"version": "908e6b1df26efc9d2df70c9a7bf4f5eae5c5702f",
"versionType": "git"
},
{
"lessThan": "c0099bbf8bc85d30c4cf38220fca3c8d4253fa7f",
"status": "affected",
"version": "908e6b1df26efc9d2df70c9a7bf4f5eae5c5702f",
"versionType": "git"
},
{
"lessThan": "0ea5eff7c6063a8f124188424f8e4c6727f35051",
"status": "affected",
"version": "908e6b1df26efc9d2df70c9a7bf4f5eae5c5702f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-va-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: va-macro: fix accessing array out of bounds for enum type\n\nAccessing enums using integer would result in array out of bounds access\non platforms like aarch64 where sizeof(long) is 8 compared to enum size\nwhich is 4 bytes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:22.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/966408e37d84b762d11978b7bfb03fff0c6222ad"
},
{
"url": "https://git.kernel.org/stable/c/4a799972a283ab4ec031041304d7e2d34e1a16eb"
},
{
"url": "https://git.kernel.org/stable/c/c0099bbf8bc85d30c4cf38220fca3c8d4253fa7f"
},
{
"url": "https://git.kernel.org/stable/c/0ea5eff7c6063a8f124188424f8e4c6727f35051"
}
],
"title": "ASoC: codecs: va-macro: fix accessing array out of bounds for enum type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49251",
"datePublished": "2025-02-26T01:56:08.180Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:22.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49271 (GCVE-0-2022-49271)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: prevent bad output lengths in smb2_ioctl_query_info()
When calling smb2_ioctl_query_info() with
smb_query_info::flags=PASSTHRU_FSCTL and
smb_query_info::output_buffer_length=0, the following would return
0x10
buffer = memdup_user(arg + sizeof(struct smb_query_info),
qi.output_buffer_length);
if (IS_ERR(buffer)) {
kfree(vars);
return PTR_ERR(buffer);
}
rather than a valid pointer thus making IS_ERR() check fail. This
would then cause a NULL ptr deference in @buffer when accessing it
later in smb2_ioctl_query_ioctl(). While at it, prevent having a
@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO
FileEndOfFileInformation requests when
smb_query_info::flags=PASSTHRU_SET_INFO.
Here is a small C reproducer which triggers a NULL ptr in @buffer when
passing an invalid smb_query_info::flags
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#define die(s) perror(s), exit(1)
#define QUERY_INFO 0xc018cf07
int main(int argc, char *argv[])
{
int fd;
if (argc < 2)
exit(1);
fd = open(argv[1], O_RDONLY);
if (fd == -1)
die("open");
if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
die("ioctl");
close(fd);
return 0;
}
mount.cifs //srv/share /mnt -o ...
gcc repro.c && ./a.out /mnt/f0
[ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1
[ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
[ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
[ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
[ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
[ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
[ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
[ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
[ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
[ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
[ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
[ 114.146131] Call Trace:
[ 114.146291] <TASK>
[ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
[ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]
[ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
[ 114.147775] ? dentry_path_raw+0xa6/0xf0
[ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
[ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]
[ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]
[ 114.149371] ? lock_downgrade+0x6f0/0x6f0
[ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]
[ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0
[ 114.150562] ? __up_read+0x192/0x710
[ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0
[ 114.151025] ? __x64_sys_openat+0x11f/0x1d0
[ 114.151296] __x64_sys_ioctl+0x127/0x190
[ 114.151549] do_syscall_64+0x3b/0x90
[ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 114.152079] RIP: 0033:0x7f7aead043df
[ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9963ccea6087268e1275b992dca5d0dd4b938765",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f143f8334fb9eb2f6c7c15b9da1472d9c965fd84",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7529fbee10d82493c5cb109e51788bf74816d1c0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b92e358757b91c2827af112cae9af513f26a3f34",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent bad output lengths in smb2_ioctl_query_info()\n\nWhen calling smb2_ioctl_query_info() with\nsmb_query_info::flags=PASSTHRU_FSCTL and\nsmb_query_info::output_buffer_length=0, the following would return\n0x10\n\n\tbuffer = memdup_user(arg + sizeof(struct smb_query_info),\n\t\t\t qi.output_buffer_length);\n\tif (IS_ERR(buffer)) {\n\t\tkfree(vars);\n\t\treturn PTR_ERR(buffer);\n\t}\n\nrather than a valid pointer thus making IS_ERR() check fail. This\nwould then cause a NULL ptr deference in @buffer when accessing it\nlater in smb2_ioctl_query_ioctl(). While at it, prevent having a\n@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO\nFileEndOfFileInformation requests when\nsmb_query_info::flags=PASSTHRU_SET_INFO.\n\nHere is a small C reproducer which triggers a NULL ptr in @buffer when\npassing an invalid smb_query_info::flags\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003cstdint.h\u003e\n\t#include \u003cunistd.h\u003e\n\t#include \u003cfcntl.h\u003e\n\t#include \u003csys/ioctl.h\u003e\n\n\t#define die(s) perror(s), exit(1)\n\t#define QUERY_INFO 0xc018cf07\n\n\tint main(int argc, char *argv[])\n\t{\n\t\tint fd;\n\n\t\tif (argc \u003c 2)\n\t\t\texit(1);\n\t\tfd = open(argv[1], O_RDONLY);\n\t\tif (fd == -1)\n\t\t\tdie(\"open\");\n\t\tif (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)\n\t\t\tdie(\"ioctl\");\n\t\tclose(fd);\n\t\treturn 0;\n\t}\n\n\tmount.cifs //srv/share /mnt -o ...\n\tgcc repro.c \u0026\u0026 ./a.out /mnt/f0\n\n\t[ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\n\t[ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\t[ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1\n\t[ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n\t[ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]\n\t[ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24\n\t[ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256\n\t[ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d\n\t[ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380\n\t[ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003\n\t[ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288\n\t[ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000\n\t[ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000\n\t[ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\t[ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0\n\t[ 114.146131] Call Trace:\n\t[ 114.146291] \u003cTASK\u003e\n\t[ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]\n\t[ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]\n\t[ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70\n\t[ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]\n\t[ 114.147775] ? dentry_path_raw+0xa6/0xf0\n\t[ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]\n\t[ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]\n\t[ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70\n\t[ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]\n\t[ 114.149371] ? lock_downgrade+0x6f0/0x6f0\n\t[ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]\n\t[ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70\n\t[ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0\n\t[ 114.150562] ? __up_read+0x192/0x710\n\t[ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0\n\t[ 114.151025] ? __x64_sys_openat+0x11f/0x1d0\n\t[ 114.151296] __x64_sys_ioctl+0x127/0x190\n\t[ 114.151549] do_syscall_64+0x3b/0x90\n\t[ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\t[ 114.152079] RIP: 0033:0x7f7aead043df\n\t[ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:53.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9963ccea6087268e1275b992dca5d0dd4b938765"
},
{
"url": "https://git.kernel.org/stable/c/f143f8334fb9eb2f6c7c15b9da1472d9c965fd84"
},
{
"url": "https://git.kernel.org/stable/c/fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53"
},
{
"url": "https://git.kernel.org/stable/c/7529fbee10d82493c5cb109e51788bf74816d1c0"
},
{
"url": "https://git.kernel.org/stable/c/b92e358757b91c2827af112cae9af513f26a3f34"
}
],
"title": "cifs: prevent bad output lengths in smb2_ioctl_query_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49271",
"datePublished": "2025-02-26T01:56:18.148Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:53.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49272 (GCVE-0-2022-49272)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
syzbot caught a potential deadlock between the PCM
runtime->buffer_mutex and the mm->mmap_lock. It was brought by the
recent fix to cover the racy read/write and other ioctls, and in that
commit, I overlooked a (hopefully only) corner case that may take the
revert lock, namely, the OSS mmap. The OSS mmap operation
exceptionally allows to re-configure the parameters inside the OSS
mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the
copy_from/to_user calls at read/write operations also take the
mm->mmap_lock internally, hence it may lead to a AB/BA deadlock.
A similar problem was already seen in the past and we fixed it with a
refcount (in commit b248371628aa). The former fix covered only the
call paths with OSS read/write and OSS ioctls, while we need to cover
the concurrent access via both ALSA and OSS APIs now.
This patch addresses the problem above by replacing the buffer_mutex
lock in the read/write operations with a refcount similar as we've
used for OSS. The new field, runtime->buffer_accessing, keeps the
number of concurrent read/write operations. Unlike the former
buffer_mutex protection, this protects only around the
copy_from/to_user() calls; the other codes are basically protected by
the PCM stream lock. The refcount can be a negative, meaning blocked
by the ioctls. If a negative value is seen, the read/write aborts
with -EBUSY. In the ioctl side, OTOH, they check this refcount, too,
and set to a negative value for blocking unless it's already being
accessed.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 73867cb2bc7dfa7fbd219e53a0b68d253d8fda09 Version: b3830197aa7413c65767cf5a1aa8775c83f0dbf7 Version: 08d1807f097a63ea00a7067dad89c1c81cb2115e Version: 8527c8f052fb42091c6569cb928e472376a4a889 Version: 47711ff10c7e126702cfa725f6d86ef529d15a5f Version: 4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5 Version: dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03 Version: dca947d4d26dbf925a64a6cfb2ddbc035e831a3d |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/sound/pcm.h",
"sound/core/pcm.c",
"sound/core/pcm_lib.c",
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e9133607e1501c94881be35e118d8f84d96dcb4",
"status": "affected",
"version": "73867cb2bc7dfa7fbd219e53a0b68d253d8fda09",
"versionType": "git"
},
{
"lessThan": "40f4cffbe13a51faf136faf5f9ef6847782cd595",
"status": "affected",
"version": "b3830197aa7413c65767cf5a1aa8775c83f0dbf7",
"versionType": "git"
},
{
"lessThan": "9661bf674d6a82b76e4ae424438a8ce1e3ed855d",
"status": "affected",
"version": "08d1807f097a63ea00a7067dad89c1c81cb2115e",
"versionType": "git"
},
{
"lessThan": "9017201e8d8c6d1472273361389ed431188584a0",
"status": "affected",
"version": "8527c8f052fb42091c6569cb928e472376a4a889",
"versionType": "git"
},
{
"lessThan": "7777744e92a0b30e3e0cce2758d911837011ebd9",
"status": "affected",
"version": "47711ff10c7e126702cfa725f6d86ef529d15a5f",
"versionType": "git"
},
{
"lessThan": "abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e",
"status": "affected",
"version": "4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5",
"versionType": "git"
},
{
"lessThan": "be9813ad2fc8f0885f5ce6925af0d993ce5da4e5",
"status": "affected",
"version": "dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03",
"versionType": "git"
},
{
"lessThan": "bc55cfd5718c7c23e5524582e9fa70b4d10f2433",
"status": "affected",
"version": "dca947d4d26dbf925a64a6cfb2ddbc035e831a3d",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/sound/pcm.h",
"sound/core/pcm.c",
"sound/core/pcm_lib.c",
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.10.110",
"status": "affected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThan": "5.15.33",
"status": "affected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThan": "5.16.19",
"status": "affected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThan": "5.17.2",
"status": "affected",
"version": "5.17.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.10.109",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock\n\nsyzbot caught a potential deadlock between the PCM\nruntime-\u003ebuffer_mutex and the mm-\u003emmap_lock. It was brought by the\nrecent fix to cover the racy read/write and other ioctls, and in that\ncommit, I overlooked a (hopefully only) corner case that may take the\nrevert lock, namely, the OSS mmap. The OSS mmap operation\nexceptionally allows to re-configure the parameters inside the OSS\nmmap syscall, where mm-\u003emmap_mutex is already held. Meanwhile, the\ncopy_from/to_user calls at read/write operations also take the\nmm-\u003emmap_lock internally, hence it may lead to a AB/BA deadlock.\n\nA similar problem was already seen in the past and we fixed it with a\nrefcount (in commit b248371628aa). The former fix covered only the\ncall paths with OSS read/write and OSS ioctls, while we need to cover\nthe concurrent access via both ALSA and OSS APIs now.\n\nThis patch addresses the problem above by replacing the buffer_mutex\nlock in the read/write operations with a refcount similar as we\u0027ve\nused for OSS. The new field, runtime-\u003ebuffer_accessing, keeps the\nnumber of concurrent read/write operations. Unlike the former\nbuffer_mutex protection, this protects only around the\ncopy_from/to_user() calls; the other codes are basically protected by\nthe PCM stream lock. The refcount can be a negative, meaning blocked\nby the ioctls. If a negative value is seen, the read/write aborts\nwith -EBUSY. In the ioctl side, OTOH, they check this refcount, too,\nand set to a negative value for blocking unless it\u0027s already being\naccessed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:54.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e9133607e1501c94881be35e118d8f84d96dcb4"
},
{
"url": "https://git.kernel.org/stable/c/40f4cffbe13a51faf136faf5f9ef6847782cd595"
},
{
"url": "https://git.kernel.org/stable/c/9661bf674d6a82b76e4ae424438a8ce1e3ed855d"
},
{
"url": "https://git.kernel.org/stable/c/9017201e8d8c6d1472273361389ed431188584a0"
},
{
"url": "https://git.kernel.org/stable/c/7777744e92a0b30e3e0cce2758d911837011ebd9"
},
{
"url": "https://git.kernel.org/stable/c/abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e"
},
{
"url": "https://git.kernel.org/stable/c/be9813ad2fc8f0885f5ce6925af0d993ce5da4e5"
},
{
"url": "https://git.kernel.org/stable/c/bc55cfd5718c7c23e5524582e9fa70b4d10f2433"
}
],
"title": "ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49272",
"datePublished": "2025-02-26T01:56:18.626Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:54.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49407 (GCVE-0-2022-49407)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dlm: fix plock invalid read
This patch fixes an invalid read showed by KASAN. A unlock will allocate a
"struct plock_op" and a followed send_op() will append it to a global
send_list data structure. In some cases a followed dev_read() moves it
to recv_list and dev_write() will cast it to "struct plock_xop" and access
fields which are only available in those structures. At this point an
invalid read happens by accessing those fields.
To fix this issue the "callback" field is moved to "struct plock_op" to
indicate that a cast to "plock_xop" is allowed and does the additional
"plock_xop" handling if set.
Example of the KASAN output which showed the invalid read:
[ 2064.296453] ==================================================================
[ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm]
[ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484
[ 2064.308168]
[ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9
[ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 2064.311618] Call Trace:
[ 2064.312218] dump_stack_lvl+0x56/0x7b
[ 2064.313150] print_address_description.constprop.8+0x21/0x150
[ 2064.314578] ? dev_write+0x52b/0x5a0 [dlm]
[ 2064.315610] ? dev_write+0x52b/0x5a0 [dlm]
[ 2064.316595] kasan_report.cold.14+0x7f/0x11b
[ 2064.317674] ? dev_write+0x52b/0x5a0 [dlm]
[ 2064.318687] dev_write+0x52b/0x5a0 [dlm]
[ 2064.319629] ? dev_read+0x4a0/0x4a0 [dlm]
[ 2064.320713] ? bpf_lsm_kernfs_init_security+0x10/0x10
[ 2064.321926] vfs_write+0x17e/0x930
[ 2064.322769] ? __fget_light+0x1aa/0x220
[ 2064.323753] ksys_write+0xf1/0x1c0
[ 2064.324548] ? __ia32_sys_read+0xb0/0xb0
[ 2064.325464] do_syscall_64+0x3a/0x80
[ 2064.326387] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 2064.327606] RIP: 0033:0x7f807e4ba96f
[ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48
[ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f
[ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010
[ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001
[ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80
[ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001
[ 2064.342857]
[ 2064.343226] Allocated by task 12438:
[ 2064.344057] kasan_save_stack+0x1c/0x40
[ 2064.345079] __kasan_kmalloc+0x84/0xa0
[ 2064.345933] kmem_cache_alloc_trace+0x13b/0x220
[ 2064.346953] dlm_posix_unlock+0xec/0x720 [dlm]
[ 2064.348811] do_lock_file_wait.part.32+0xca/0x1d0
[ 2064.351070] fcntl_setlk+0x281/0xbc0
[ 2064.352879] do_fcntl+0x5e4/0xfe0
[ 2064.354657] __x64_sys_fcntl+0x11f/0x170
[ 2064.356550] do_syscall_64+0x3a/0x80
[ 2064.358259] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 2064.360745]
[ 2064.361511] Last potentially related work creation:
[ 2064.363957] kasan_save_stack+0x1c/0x40
[ 2064.365811] __kasan_record_aux_stack+0xaf/0xc0
[ 2064.368100] call_rcu+0x11b/0xf70
[ 2064.369785] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
[ 2064.372404] receive_from_sock+0x290/0x770 [dlm]
[ 2064.374607] process_recv_sockets+0x32/0x40 [dlm]
[ 2064.377290] process_one_work+0x9a8/0x16e0
[ 2064.379357] worker_thread+0x87/0xbf0
[ 2064.381188] kthread+0x3ac/0x490
[ 2064.383460] ret_from_fork+0x22/0x30
[ 2064.385588]
[ 2064.386518] Second to last potentially related work creation:
[ 2064.389219] kasan_save_stack+0x1c/0x40
[ 2064.391043] __kasan_record_aux_stack+0xaf/0xc0
[ 2064.393303] call_rcu+0x11b/0xf70
[ 2064.394885] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
[ 2064.397694] receive_from_sock+0x290/0x770
---truncated---
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/dlm/plock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c55155cc365861044d9e6e80e342693e8805e33",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "72f2f68970f9bdc252d59e119b385a6441b0b155",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "5a1765adf9855cf0f6d3f7e0eb4b78ca66f70dee",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "49cd9eb7b9a7b88124b31e31f8e539acaf1b3a6d",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "899bc4429174861122f0c236588700a4710c1fec",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "acdad5bc9827922ec2f2e84fd198718aa8e8ab92",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "56aa8d1fbd02357f3bf81bdfba1cde87ce8402fc",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "e421872fa17542cf33747071fb141b0130ce9ef7",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "42252d0d2aa9b94d168241710a761588b3959019",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/dlm/plock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: fix plock invalid read\n\nThis patch fixes an invalid read showed by KASAN. A unlock will allocate a\n\"struct plock_op\" and a followed send_op() will append it to a global\nsend_list data structure. In some cases a followed dev_read() moves it\nto recv_list and dev_write() will cast it to \"struct plock_xop\" and access\nfields which are only available in those structures. At this point an\ninvalid read happens by accessing those fields.\n\nTo fix this issue the \"callback\" field is moved to \"struct plock_op\" to\nindicate that a cast to \"plock_xop\" is allowed and does the additional\n\"plock_xop\" handling if set.\n\nExample of the KASAN output which showed the invalid read:\n\n[ 2064.296453] ==================================================================\n[ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm]\n[ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484\n[ 2064.308168]\n[ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9\n[ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n[ 2064.311618] Call Trace:\n[ 2064.312218] dump_stack_lvl+0x56/0x7b\n[ 2064.313150] print_address_description.constprop.8+0x21/0x150\n[ 2064.314578] ? dev_write+0x52b/0x5a0 [dlm]\n[ 2064.315610] ? dev_write+0x52b/0x5a0 [dlm]\n[ 2064.316595] kasan_report.cold.14+0x7f/0x11b\n[ 2064.317674] ? dev_write+0x52b/0x5a0 [dlm]\n[ 2064.318687] dev_write+0x52b/0x5a0 [dlm]\n[ 2064.319629] ? dev_read+0x4a0/0x4a0 [dlm]\n[ 2064.320713] ? bpf_lsm_kernfs_init_security+0x10/0x10\n[ 2064.321926] vfs_write+0x17e/0x930\n[ 2064.322769] ? __fget_light+0x1aa/0x220\n[ 2064.323753] ksys_write+0xf1/0x1c0\n[ 2064.324548] ? __ia32_sys_read+0xb0/0xb0\n[ 2064.325464] do_syscall_64+0x3a/0x80\n[ 2064.326387] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 2064.327606] RIP: 0033:0x7f807e4ba96f\n[ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48\n[ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f\n[ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010\n[ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001\n[ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80\n[ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001\n[ 2064.342857]\n[ 2064.343226] Allocated by task 12438:\n[ 2064.344057] kasan_save_stack+0x1c/0x40\n[ 2064.345079] __kasan_kmalloc+0x84/0xa0\n[ 2064.345933] kmem_cache_alloc_trace+0x13b/0x220\n[ 2064.346953] dlm_posix_unlock+0xec/0x720 [dlm]\n[ 2064.348811] do_lock_file_wait.part.32+0xca/0x1d0\n[ 2064.351070] fcntl_setlk+0x281/0xbc0\n[ 2064.352879] do_fcntl+0x5e4/0xfe0\n[ 2064.354657] __x64_sys_fcntl+0x11f/0x170\n[ 2064.356550] do_syscall_64+0x3a/0x80\n[ 2064.358259] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 2064.360745]\n[ 2064.361511] Last potentially related work creation:\n[ 2064.363957] kasan_save_stack+0x1c/0x40\n[ 2064.365811] __kasan_record_aux_stack+0xaf/0xc0\n[ 2064.368100] call_rcu+0x11b/0xf70\n[ 2064.369785] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]\n[ 2064.372404] receive_from_sock+0x290/0x770 [dlm]\n[ 2064.374607] process_recv_sockets+0x32/0x40 [dlm]\n[ 2064.377290] process_one_work+0x9a8/0x16e0\n[ 2064.379357] worker_thread+0x87/0xbf0\n[ 2064.381188] kthread+0x3ac/0x490\n[ 2064.383460] ret_from_fork+0x22/0x30\n[ 2064.385588]\n[ 2064.386518] Second to last potentially related work creation:\n[ 2064.389219] kasan_save_stack+0x1c/0x40\n[ 2064.391043] __kasan_record_aux_stack+0xaf/0xc0\n[ 2064.393303] call_rcu+0x11b/0xf70\n[ 2064.394885] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]\n[ 2064.397694] receive_from_sock+0x290/0x770 \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:01.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c55155cc365861044d9e6e80e342693e8805e33"
},
{
"url": "https://git.kernel.org/stable/c/72f2f68970f9bdc252d59e119b385a6441b0b155"
},
{
"url": "https://git.kernel.org/stable/c/5a1765adf9855cf0f6d3f7e0eb4b78ca66f70dee"
},
{
"url": "https://git.kernel.org/stable/c/49cd9eb7b9a7b88124b31e31f8e539acaf1b3a6d"
},
{
"url": "https://git.kernel.org/stable/c/899bc4429174861122f0c236588700a4710c1fec"
},
{
"url": "https://git.kernel.org/stable/c/acdad5bc9827922ec2f2e84fd198718aa8e8ab92"
},
{
"url": "https://git.kernel.org/stable/c/56aa8d1fbd02357f3bf81bdfba1cde87ce8402fc"
},
{
"url": "https://git.kernel.org/stable/c/e421872fa17542cf33747071fb141b0130ce9ef7"
},
{
"url": "https://git.kernel.org/stable/c/42252d0d2aa9b94d168241710a761588b3959019"
}
],
"title": "dlm: fix plock invalid read",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49407",
"datePublished": "2025-02-26T02:12:31.562Z",
"dateReserved": "2025-02-26T02:08:31.566Z",
"dateUpdated": "2025-05-04T08:37:01.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39880 (GCVE-0-2025-39880)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-10-02 13:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix invalid accesses to ceph_connection_v1_info
There is a place where generic code in messenger.c is reading and
another place where it is writing to con->v1 union member without
checking that the union member is active (i.e. msgr1 is in use).
On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
so such a read is almost guaranteed to return a bogus value instead of
0 when msgr2 is in use. This ends up being fairly benign because the
side effect is just the invalidation of the authorizer and successive
fetching of new tickets.
con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
it's being written to can cause more serious consequences, but luckily
it's not something that happens often.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea12ab684f8ae8a6da11a22c78d94a79e2163096",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "591ea9c30737663a471b2bb07b27ddde86b020d5",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "23538cfbeed87159a5ac6c61e7a6de3d8d4486a8",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "6bd8b56899be0b514945f639a89ccafb8f8dfaef",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "cdbc9836c7afadad68f374791738f118263c5371",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix invalid accesses to ceph_connection_v1_info\n\nThere is a place where generic code in messenger.c is reading and\nanother place where it is writing to con-\u003ev1 union member without\nchecking that the union member is active (i.e. msgr1 is in use).\n\nOn 64-bit systems, con-\u003ev1.auth_retry overlaps with con-\u003ev2.out_iter,\nso such a read is almost guaranteed to return a bogus value instead of\n0 when msgr2 is in use. This ends up being fairly benign because the\nside effect is just the invalidation of the authorizer and successive\nfetching of new tickets.\n\ncon-\u003ev1.connect_seq overlaps with con-\u003ev2.conn_bufs and the fact that\nit\u0027s being written to can cause more serious consequences, but luckily\nit\u0027s not something that happens often."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:21.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea12ab684f8ae8a6da11a22c78d94a79e2163096"
},
{
"url": "https://git.kernel.org/stable/c/591ea9c30737663a471b2bb07b27ddde86b020d5"
},
{
"url": "https://git.kernel.org/stable/c/23538cfbeed87159a5ac6c61e7a6de3d8d4486a8"
},
{
"url": "https://git.kernel.org/stable/c/35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983"
},
{
"url": "https://git.kernel.org/stable/c/6bd8b56899be0b514945f639a89ccafb8f8dfaef"
},
{
"url": "https://git.kernel.org/stable/c/cdbc9836c7afadad68f374791738f118263c5371"
}
],
"title": "libceph: fix invalid accesses to ceph_connection_v1_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39880",
"datePublished": "2025-09-23T06:00:49.897Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-10-02T13:26:21.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49320 (GCVE-0-2022-49320)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type
In zynqmp_dma_alloc/free_chan_resources functions there is a
potential overflow in the below expressions.
dma_alloc_coherent(chan->dev, (2 * chan->desc_size *
ZYNQMP_DMA_NUM_DESCS),
&chan->desc_pool_p, GFP_KERNEL);
dma_free_coherent(chan->dev,(2 * ZYNQMP_DMA_DESC_SIZE(chan) *
ZYNQMP_DMA_NUM_DESCS),
chan->desc_pool_v, chan->desc_pool_p);
The arguments desc_size and ZYNQMP_DMA_NUM_DESCS were 32 bit. Though
this overflow condition is not observed but it is a potential problem
in the case of 32-bit multiplication. Hence fix it by changing the
desc_size data type to size_t.
In addition to coverity fix it also reuse ZYNQMP_DMA_DESC_SIZE macro in
dma_alloc_coherent API argument.
Addresses-Coverity: Event overflow_before_widen.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/xilinx/zynqmp_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83960276ffc9bf5570d4106490346b61e61be5f3",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "95a0ba85c1b51b36e909841c02d205cd223ab753",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "7b5488f4721fed6e121e661e165bab06ae2f8675",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "4838969e4d95d2bd2995d1605b20d3144fcb3e74",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "90aefae2e3a770a6909d339f5d8a988c0b0ceaf0",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "f9a9f43a62a04ec3183fb0da9226c7706eed0115",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/xilinx/zynqmp_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type\n\nIn zynqmp_dma_alloc/free_chan_resources functions there is a\npotential overflow in the below expressions.\n\ndma_alloc_coherent(chan-\u003edev, (2 * chan-\u003edesc_size *\n\t\t ZYNQMP_DMA_NUM_DESCS),\n\t\t \u0026chan-\u003edesc_pool_p, GFP_KERNEL);\n\ndma_free_coherent(chan-\u003edev,(2 * ZYNQMP_DMA_DESC_SIZE(chan) *\n ZYNQMP_DMA_NUM_DESCS),\n chan-\u003edesc_pool_v, chan-\u003edesc_pool_p);\n\nThe arguments desc_size and ZYNQMP_DMA_NUM_DESCS were 32 bit. Though\nthis overflow condition is not observed but it is a potential problem\nin the case of 32-bit multiplication. Hence fix it by changing the\ndesc_size data type to size_t.\n\nIn addition to coverity fix it also reuse ZYNQMP_DMA_DESC_SIZE macro in\ndma_alloc_coherent API argument.\n\nAddresses-Coverity: Event overflow_before_widen."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:08.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83960276ffc9bf5570d4106490346b61e61be5f3"
},
{
"url": "https://git.kernel.org/stable/c/95a0ba85c1b51b36e909841c02d205cd223ab753"
},
{
"url": "https://git.kernel.org/stable/c/7b5488f4721fed6e121e661e165bab06ae2f8675"
},
{
"url": "https://git.kernel.org/stable/c/4838969e4d95d2bd2995d1605b20d3144fcb3e74"
},
{
"url": "https://git.kernel.org/stable/c/90aefae2e3a770a6909d339f5d8a988c0b0ceaf0"
},
{
"url": "https://git.kernel.org/stable/c/f9a9f43a62a04ec3183fb0da9226c7706eed0115"
}
],
"title": "dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49320",
"datePublished": "2025-02-26T02:10:45.703Z",
"dateReserved": "2025-02-26T02:08:31.537Z",
"dateUpdated": "2025-05-04T08:35:08.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39875 (GCVE-0-2025-39875)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
igb: Fix NULL pointer dereference in ethtool loopback test
The igb driver currently causes a NULL pointer dereference when executing
the ethtool loopback test. This occurs because there is no associated
q_vector for the test ring when it is set up, as interrupts are typically
not added to the test rings.
Since commit 5ef44b3cb43b removed the napi_id assignment in
__xdp_rxq_info_reg(), there is no longer a need to pass a napi_id to it.
Therefore, simply use 0 as the last parameter.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "473be7d39efd3be383e9c0c8e44b53508b4ffeb5",
"status": "affected",
"version": "2c6196013f84651772388a86dfd4bb033d0c0d45",
"versionType": "git"
},
{
"lessThan": "75871a525a596ff4d16c4aebc0018f8d0923c9b1",
"status": "affected",
"version": "2c6196013f84651772388a86dfd4bb033d0c0d45",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix NULL pointer dereference in ethtool loopback test\n\nThe igb driver currently causes a NULL pointer dereference when executing\nthe ethtool loopback test. This occurs because there is no associated\nq_vector for the test ring when it is set up, as interrupts are typically\nnot added to the test rings.\n\nSince commit 5ef44b3cb43b removed the napi_id assignment in\n__xdp_rxq_info_reg(), there is no longer a need to pass a napi_id to it.\nTherefore, simply use 0 as the last parameter."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:33.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/473be7d39efd3be383e9c0c8e44b53508b4ffeb5"
},
{
"url": "https://git.kernel.org/stable/c/75871a525a596ff4d16c4aebc0018f8d0923c9b1"
}
],
"title": "igb: Fix NULL pointer dereference in ethtool loopback test",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39875",
"datePublished": "2025-09-23T06:00:47.198Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-09-29T06:01:33.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49248 (GCVE-0-2022-49248)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA:
firewire-lib: Add support for deferred transaction") while 'deferrable'
flag can be uninitialized for non-control/notify AV/C transactions.
UBSAN reports it:
kernel: ================================================================================
kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9
kernel: load of value 158 is not a valid value for type '_Bool'
kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu
kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019
kernel: Call Trace:
kernel: <IRQ>
kernel: show_stack+0x52/0x58
kernel: dump_stack_lvl+0x4a/0x5f
kernel: dump_stack+0x10/0x12
kernel: ubsan_epilogue+0x9/0x45
kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49
kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]
kernel: fcp_response+0x28/0x30 [snd_firewire_lib]
kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core]
kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci]
kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]
kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core]
kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]
kernel: tasklet_action_common.constprop.0+0xea/0xf0
kernel: tasklet_action+0x22/0x30
kernel: __do_softirq+0xd9/0x2e3
kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0
kernel: do_softirq+0x75/0xa0
kernel: </IRQ>
kernel: <TASK>
kernel: __local_bh_enable_ip+0x50/0x60
kernel: irq_forced_thread_fn+0x7e/0x90
kernel: irq_thread+0xba/0x190
kernel: ? irq_thread_fn+0x60/0x60
kernel: kthread+0x11e/0x140
kernel: ? irq_thread_check_affinity+0xf0/0xf0
kernel: ? set_kthread_struct+0x50/0x50
kernel: ret_from_fork+0x22/0x30
kernel: </TASK>
kernel: ================================================================================
This commit fixes the bug. The bug has no disadvantage for the non-
control/notify AV/C transactions since the flag has an effect for AV/C
response with INTERIM (0x0f) status which is not used for the transactions
in AV/C general specification.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/fcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99582e4b19f367fa95bdd150b3034d7ce8113342",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "b2b65c9013dc28836d82e25d0f0c94d794a14aba",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "60e5d391805d70458a01998de00d0c28cba40bf3",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "7025f40690a235a118c87674cfb93072694aa66d",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "7e6f5786621df060f8296f074efd275eaf20361a",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "eab74c41612083bd627b60da650e19234e4f1051",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "d07e4bbaff6fbba6f70c04b092ea7d9afcdf392e",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "39d2c4a33dc1b4402cec68a3c8f82c6588b6edce",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/fcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction\n\nAV/C deferred transaction was supported at a commit 00a7bb81c20f (\"ALSA:\nfirewire-lib: Add support for deferred transaction\") while \u0027deferrable\u0027\nflag can be uninitialized for non-control/notify AV/C transactions.\nUBSAN reports it:\n\nkernel: ================================================================================\nkernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9\nkernel: load of value 158 is not a valid value for type \u0027_Bool\u0027\nkernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu\nkernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019\nkernel: Call Trace:\nkernel: \u003cIRQ\u003e\nkernel: show_stack+0x52/0x58\nkernel: dump_stack_lvl+0x4a/0x5f\nkernel: dump_stack+0x10/0x12\nkernel: ubsan_epilogue+0x9/0x45\nkernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49\nkernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]\nkernel: fcp_response+0x28/0x30 [snd_firewire_lib]\nkernel: fw_core_handle_request+0x230/0x3d0 [firewire_core]\nkernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci]\nkernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]\nkernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core]\nkernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]\nkernel: tasklet_action_common.constprop.0+0xea/0xf0\nkernel: tasklet_action+0x22/0x30\nkernel: __do_softirq+0xd9/0x2e3\nkernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0\nkernel: do_softirq+0x75/0xa0\nkernel: \u003c/IRQ\u003e\nkernel: \u003cTASK\u003e\nkernel: __local_bh_enable_ip+0x50/0x60\nkernel: irq_forced_thread_fn+0x7e/0x90\nkernel: irq_thread+0xba/0x190\nkernel: ? irq_thread_fn+0x60/0x60\nkernel: kthread+0x11e/0x140\nkernel: ? irq_thread_check_affinity+0xf0/0xf0\nkernel: ? set_kthread_struct+0x50/0x50\nkernel: ret_from_fork+0x22/0x30\nkernel: \u003c/TASK\u003e\nkernel: ================================================================================\n\nThis commit fixes the bug. The bug has no disadvantage for the non-\ncontrol/notify AV/C transactions since the flag has an effect for AV/C\nresponse with INTERIM (0x0f) status which is not used for the transactions\nin AV/C general specification."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:19.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99582e4b19f367fa95bdd150b3034d7ce8113342"
},
{
"url": "https://git.kernel.org/stable/c/b2b65c9013dc28836d82e25d0f0c94d794a14aba"
},
{
"url": "https://git.kernel.org/stable/c/60e5d391805d70458a01998de00d0c28cba40bf3"
},
{
"url": "https://git.kernel.org/stable/c/7025f40690a235a118c87674cfb93072694aa66d"
},
{
"url": "https://git.kernel.org/stable/c/7e6f5786621df060f8296f074efd275eaf20361a"
},
{
"url": "https://git.kernel.org/stable/c/eab74c41612083bd627b60da650e19234e4f1051"
},
{
"url": "https://git.kernel.org/stable/c/d07e4bbaff6fbba6f70c04b092ea7d9afcdf392e"
},
{
"url": "https://git.kernel.org/stable/c/39d2c4a33dc1b4402cec68a3c8f82c6588b6edce"
},
{
"url": "https://git.kernel.org/stable/c/bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d"
}
],
"title": "ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49248",
"datePublished": "2025-02-26T01:56:06.709Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:19.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49252 (GCVE-0-2022-49252)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: rx-macro: fix accessing array out of bounds for enum type
Accessing enums using integer would result in array out of bounds access
on platforms like aarch64 where sizeof(long) is 8 compared to enum size
which is 4 bytes.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-rx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb15c6ea692fd88d70698d874d9a0d667fb4cde9",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "7e3629e256d1cabf801d00050550ade4d036cafe",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "aed43e92e4b9187029903880d5db608f7fa1c53c",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "bcfe5f76cc4051ea3f9eb5d2c8ea621641f290a5",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-rx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: rx-macro: fix accessing array out of bounds for enum type\n\nAccessing enums using integer would result in array out of bounds access\non platforms like aarch64 where sizeof(long) is 8 compared to enum size\nwhich is 4 bytes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:24.889Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb15c6ea692fd88d70698d874d9a0d667fb4cde9"
},
{
"url": "https://git.kernel.org/stable/c/7e3629e256d1cabf801d00050550ade4d036cafe"
},
{
"url": "https://git.kernel.org/stable/c/aed43e92e4b9187029903880d5db608f7fa1c53c"
},
{
"url": "https://git.kernel.org/stable/c/bcfe5f76cc4051ea3f9eb5d2c8ea621641f290a5"
}
],
"title": "ASoC: codecs: rx-macro: fix accessing array out of bounds for enum type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49252",
"datePublished": "2025-02-26T01:56:08.663Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:24.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49283 (GCVE-0-2022-49283)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: sysfb: fix platform-device leak in error path
Make sure to free the platform device also in the unlikely event that
registration fails.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/sysfb_simplefb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3e38f939ab4d0d86f56bff3362c3f88c4b2ad32",
"status": "affected",
"version": "8633ef82f101c040427b57d4df7b706261420b94",
"versionType": "git"
},
{
"lessThan": "bb7fcbe80a013dc883181dc818c407d38558f76c",
"status": "affected",
"version": "8633ef82f101c040427b57d4df7b706261420b94",
"versionType": "git"
},
{
"lessThan": "fed4df558b8cdb6f3beea38a7c977f118f082b0d",
"status": "affected",
"version": "8633ef82f101c040427b57d4df7b706261420b94",
"versionType": "git"
},
{
"lessThan": "202c08914ba50dd324e42d5ad99535a89f242560",
"status": "affected",
"version": "8633ef82f101c040427b57d4df7b706261420b94",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/sysfb_simplefb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: sysfb: fix platform-device leak in error path\n\nMake sure to free the platform device also in the unlikely event that\nregistration fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:12.930Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3e38f939ab4d0d86f56bff3362c3f88c4b2ad32"
},
{
"url": "https://git.kernel.org/stable/c/bb7fcbe80a013dc883181dc818c407d38558f76c"
},
{
"url": "https://git.kernel.org/stable/c/fed4df558b8cdb6f3beea38a7c977f118f082b0d"
},
{
"url": "https://git.kernel.org/stable/c/202c08914ba50dd324e42d5ad99535a89f242560"
}
],
"title": "firmware: sysfb: fix platform-device leak in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49283",
"datePublished": "2025-02-26T01:56:24.155Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-05-04T08:34:12.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49214 (GCVE-0-2022-49214)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s: Don't use DSISR for SLB faults
Since commit 46ddcb3950a2 ("powerpc/mm: Show if a bad page fault on data
is read or write.") we use page_fault_is_write(regs->dsisr) in
__bad_page_fault() to determine if the fault is for a read or write, and
change the message printed accordingly.
But SLB faults, aka Data Segment Interrupts, don't set DSISR (Data
Storage Interrupt Status Register) to a useful value. All ISA versions
from v2.03 through v3.1 specify that the Data Segment Interrupt sets
DSISR "to an undefined value". As far as I can see there's no mention of
SLB faults setting DSISR in any BookIV content either.
This manifests as accesses that should be a read being incorrectly
reported as writes, for example, using the xmon "dump" command:
0:mon> d 0x5deadbeef0000000
5deadbeef0000000
[359526.415354][ C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000
[359526.415611][ C6] Faulting instruction address: 0xc00000000010a300
cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400]
pc: c00000000010a300: mread+0x90/0x190
If we disassemble the PC, we see a load instruction:
0:mon> di c00000000010a300
c00000000010a300 89490000 lbz r10,0(r9)
We can also see in exceptions-64s.S that the data_access_slb block
doesn't set IDSISR=1, which means it doesn't load DSISR into pt_regs. So
the value we're using to determine if the fault is a read/write is some
stale value in pt_regs from a previous page fault.
Rework the printing logic to separate the SLB fault case out, and only
print read/write in the cases where we can determine it.
The result looks like eg:
0:mon> d 0x5deadbeef0000000
5deadbeef0000000
[ 721.779525][ C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000
[ 721.779697][ C6] Faulting instruction address: 0xc00000000014cbe0
cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]
0:mon> d 0
0000000000000000
[ 742.793242][ C6] BUG: Kernel NULL pointer dereference at 0x00000000
[ 742.793316][ C6] Faulting instruction address: 0xc00000000014cbe0
cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/mm/fault.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a852ff9b7bea9c640540e2c1bc70bd3ba455d61",
"status": "affected",
"version": "46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d",
"versionType": "git"
},
{
"lessThan": "a3dae36d632b2cf6eb20314273e512a96cb43c9a",
"status": "affected",
"version": "46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d",
"versionType": "git"
},
{
"lessThan": "093449bb182db885dae816d62874cccab7a4c42a",
"status": "affected",
"version": "46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d",
"versionType": "git"
},
{
"lessThan": "d4679ac8ea2e5078704aa1c026db36580cc1bf9a",
"status": "affected",
"version": "46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/mm/fault.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Don\u0027t use DSISR for SLB faults\n\nSince commit 46ddcb3950a2 (\"powerpc/mm: Show if a bad page fault on data\nis read or write.\") we use page_fault_is_write(regs-\u003edsisr) in\n__bad_page_fault() to determine if the fault is for a read or write, and\nchange the message printed accordingly.\n\nBut SLB faults, aka Data Segment Interrupts, don\u0027t set DSISR (Data\nStorage Interrupt Status Register) to a useful value. All ISA versions\nfrom v2.03 through v3.1 specify that the Data Segment Interrupt sets\nDSISR \"to an undefined value\". As far as I can see there\u0027s no mention of\nSLB faults setting DSISR in any BookIV content either.\n\nThis manifests as accesses that should be a read being incorrectly\nreported as writes, for example, using the xmon \"dump\" command:\n\n 0:mon\u003e d 0x5deadbeef0000000\n 5deadbeef0000000\n [359526.415354][ C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000\n [359526.415611][ C6] Faulting instruction address: 0xc00000000010a300\n cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400]\n pc: c00000000010a300: mread+0x90/0x190\n\nIf we disassemble the PC, we see a load instruction:\n\n 0:mon\u003e di c00000000010a300\n c00000000010a300 89490000 lbz r10,0(r9)\n\nWe can also see in exceptions-64s.S that the data_access_slb block\ndoesn\u0027t set IDSISR=1, which means it doesn\u0027t load DSISR into pt_regs. So\nthe value we\u0027re using to determine if the fault is a read/write is some\nstale value in pt_regs from a previous page fault.\n\nRework the printing logic to separate the SLB fault case out, and only\nprint read/write in the cases where we can determine it.\n\nThe result looks like eg:\n\n 0:mon\u003e d 0x5deadbeef0000000\n 5deadbeef0000000\n [ 721.779525][ C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000\n [ 721.779697][ C6] Faulting instruction address: 0xc00000000014cbe0\n cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]\n\n 0:mon\u003e d 0\n 0000000000000000\n [ 742.793242][ C6] BUG: Kernel NULL pointer dereference at 0x00000000\n [ 742.793316][ C6] Faulting instruction address: 0xc00000000014cbe0\n cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:31.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a852ff9b7bea9c640540e2c1bc70bd3ba455d61"
},
{
"url": "https://git.kernel.org/stable/c/a3dae36d632b2cf6eb20314273e512a96cb43c9a"
},
{
"url": "https://git.kernel.org/stable/c/093449bb182db885dae816d62874cccab7a4c42a"
},
{
"url": "https://git.kernel.org/stable/c/d4679ac8ea2e5078704aa1c026db36580cc1bf9a"
}
],
"title": "powerpc/64s: Don\u0027t use DSISR for SLB faults",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49214",
"datePublished": "2025-02-26T01:55:49.677Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-05-04T08:32:31.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10843 (GCVE-0-2025-10843)
Vulnerability from cvelistv5
Published
2025-09-23 06:02
Modified
2025-09-23 19:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A flaw has been found in Reservation Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /reservation/paypalpayout.php. Executing manipulation of the argument confirm can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.325205 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.325205 | signature, permissions-required | |
| https://vuldb.com/?submit.657389 | third-party-advisory | |
| https://github.com/xingrenlvke/cve/issues/10 | exploit, issue-tracking |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Reservation | Online Hotel Reservation System |
Version: 1.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10843",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T19:17:06.000455Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T19:17:13.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Online Hotel Reservation System",
"vendor": "Reservation",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xingrenlvke (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Reservation Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /reservation/paypalpayout.php. Executing manipulation of the argument confirm can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Reservation Online Hotel Reservation System 1.0 entdeckt. Betroffen davon ist eine unbekannte Funktion der Datei /reservation/paypalpayout.php. Die Bearbeitung des Arguments confirm verursacht sql injection. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T06:02:09.227Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-325205 | Reservation Online Hotel Reservation System paypalpayout.php sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.325205"
},
{
"name": "VDB-325205 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.325205"
},
{
"name": "Submit #657389 | code-projects Online Hotel Reservation System 1 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.657389"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/xingrenlvke/cve/issues/10"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-22T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-22T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-22T07:35:43.000Z",
"value": "VulDB entry last update"
}
],
"title": "Reservation Online Hotel Reservation System paypalpayout.php sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-10843",
"datePublished": "2025-09-23T06:02:09.227Z",
"dateReserved": "2025-09-22T05:30:39.434Z",
"dateUpdated": "2025-09-23T19:17:13.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49246 (GCVE-0-2022-49246)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: atmel: Fix error handling in snd_proto_probe
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
This function only calls of_node_put() in the regular path.
And it will cause refcount leak in error paths.
Fix this by calling of_node_put() in error handling too.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/atmel/mikroe-proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f32ac9bf5e3f594ef9bfedb410aebc98cf784e69",
"status": "affected",
"version": "a45f8853a5f95e3760dfbd7ba09d3d597d247040",
"versionType": "git"
},
{
"lessThan": "0f517480d5888cd54487c5662ce4da95b30ad798",
"status": "affected",
"version": "a45f8853a5f95e3760dfbd7ba09d3d597d247040",
"versionType": "git"
},
{
"lessThan": "8fa969cd8485031294f91fc7184399000cae6355",
"status": "affected",
"version": "a45f8853a5f95e3760dfbd7ba09d3d597d247040",
"versionType": "git"
},
{
"lessThan": "b0bfaf0544d08d093d6211d7ef8816fb0b5b6c75",
"status": "affected",
"version": "a45f8853a5f95e3760dfbd7ba09d3d597d247040",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/atmel/mikroe-proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: atmel: Fix error handling in snd_proto_probe\n\nThe device_node pointer is returned by of_parse_phandle() with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error paths.\nFix this by calling of_node_put() in error handling too."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:16.716Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f32ac9bf5e3f594ef9bfedb410aebc98cf784e69"
},
{
"url": "https://git.kernel.org/stable/c/0f517480d5888cd54487c5662ce4da95b30ad798"
},
{
"url": "https://git.kernel.org/stable/c/8fa969cd8485031294f91fc7184399000cae6355"
},
{
"url": "https://git.kernel.org/stable/c/b0bfaf0544d08d093d6211d7ef8816fb0b5b6c75"
}
],
"title": "ASoC: atmel: Fix error handling in snd_proto_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49246",
"datePublished": "2025-02-26T01:56:05.740Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:16.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39868 (GCVE-0-2025-39868)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix runtime warning on truncate_folio_batch_exceptionals()
Commit 0e2f80afcfa6("fs/dax: ensure all pages are idle prior to
filesystem unmount") introduced the WARN_ON_ONCE to capture whether
the filesystem has removed all DAX entries or not and applied the
fix to xfs and ext4.
Apply the missed fix on erofs to fix the runtime warning:
[ 5.266254] ------------[ cut here ]------------
[ 5.266274] WARNING: CPU: 6 PID: 3109 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xff/0x260
[ 5.266294] Modules linked in:
[ 5.266999] CPU: 6 UID: 0 PID: 3109 Comm: umount Tainted: G S 6.16.0+ #6 PREEMPT(voluntary)
[ 5.267012] Tainted: [S]=CPU_OUT_OF_SPEC
[ 5.267017] Hardware name: Dell Inc. OptiPlex 5000/05WXFV, BIOS 1.5.1 08/24/2022
[ 5.267024] RIP: 0010:truncate_folio_batch_exceptionals+0xff/0x260
[ 5.267076] Code: 00 00 41 39 df 7f 11 eb 78 83 c3 01 49 83 c4 08 41 39 df 74 6c 48 63 f3 48 83 fe 1f 0f 83 3c 01 00 00 43 f6 44 26 08 01 74 df <0f> 0b 4a 8b 34 22 4c 89 ef 48 89 55 90 e8 ff 54 1f 00 48 8b 55 90
[ 5.267083] RSP: 0018:ffffc900013f36c8 EFLAGS: 00010202
[ 5.267095] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 5.267101] RDX: ffffc900013f3790 RSI: 0000000000000000 RDI: ffff8882a1407898
[ 5.267108] RBP: ffffc900013f3740 R08: 0000000000000000 R09: 0000000000000000
[ 5.267113] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 5.267119] R13: ffff8882a1407ab8 R14: ffffc900013f3888 R15: 0000000000000001
[ 5.267125] FS: 00007aaa8b437800(0000) GS:ffff88850025b000(0000) knlGS:0000000000000000
[ 5.267132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.267138] CR2: 00007aaa8b3aac10 CR3: 000000024f764000 CR4: 0000000000f52ef0
[ 5.267144] PKRU: 55555554
[ 5.267150] Call Trace:
[ 5.267154] <TASK>
[ 5.267181] truncate_inode_pages_range+0x118/0x5e0
[ 5.267193] ? save_trace+0x54/0x390
[ 5.267296] truncate_inode_pages_final+0x43/0x60
[ 5.267309] evict+0x2a4/0x2c0
[ 5.267339] dispose_list+0x39/0x80
[ 5.267352] evict_inodes+0x150/0x1b0
[ 5.267376] generic_shutdown_super+0x41/0x180
[ 5.267390] kill_block_super+0x1b/0x50
[ 5.267402] erofs_kill_sb+0x81/0x90 [erofs]
[ 5.267436] deactivate_locked_super+0x32/0xb0
[ 5.267450] deactivate_super+0x46/0x60
[ 5.267460] cleanup_mnt+0xc3/0x170
[ 5.267475] __cleanup_mnt+0x12/0x20
[ 5.267485] task_work_run+0x5d/0xb0
[ 5.267499] exit_to_user_mode_loop+0x144/0x170
[ 5.267512] do_syscall_64+0x2b9/0x7c0
[ 5.267523] ? __lock_acquire+0x665/0x2ce0
[ 5.267535] ? __lock_acquire+0x665/0x2ce0
[ 5.267560] ? lock_acquire+0xcd/0x300
[ 5.267573] ? find_held_lock+0x31/0x90
[ 5.267582] ? mntput_no_expire+0x97/0x4e0
[ 5.267606] ? mntput_no_expire+0xa1/0x4e0
[ 5.267625] ? mntput+0x24/0x50
[ 5.267634] ? path_put+0x1e/0x30
[ 5.267647] ? do_faccessat+0x120/0x2f0
[ 5.267677] ? do_syscall_64+0x1a2/0x7c0
[ 5.267686] ? from_kgid_munged+0x17/0x30
[ 5.267703] ? from_kuid_munged+0x13/0x30
[ 5.267711] ? __do_sys_getuid+0x3d/0x50
[ 5.267724] ? do_syscall_64+0x1a2/0x7c0
[ 5.267732] ? irqentry_exit+0x77/0xb0
[ 5.267743] ? clear_bhb_loop+0x30/0x80
[ 5.267752] ? clear_bhb_loop+0x30/0x80
[ 5.267765] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 5.267772] RIP: 0033:0x7aaa8b32a9fb
[ 5.267781] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e9 83 0d 00 f7 d8
[ 5.267787] RSP: 002b:00007ffd7c4c9468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 5.267796] RAX: 0000000000000000 RBX: 00005a61592a8b00 RCX: 00007aaa8b32a9fb
[ 5.267802] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005a61592b2080
[ 5.267806] RBP: 00007ffd7c4c9540 R08: 00007aaa8b403b20 R09: 0000000000000020
[ 5.267812] R10: 0000000000000001 R11: 0000000000000246 R12: 00005a61592a8c00
[ 5.267817] R13: 00000000
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "91c34cd6ca1bc67ccf2d104834956af56b5893de",
"status": "affected",
"version": "bde708f1a65d025c45575bfe1e7bf7bdf7e71e87",
"versionType": "git"
},
{
"lessThan": "181993bb0d626cf88cc803f4356ce5c5abe86278",
"status": "affected",
"version": "bde708f1a65d025c45575bfe1e7bf7bdf7e71e87",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix runtime warning on truncate_folio_batch_exceptionals()\n\nCommit 0e2f80afcfa6(\"fs/dax: ensure all pages are idle prior to\nfilesystem unmount\") introduced the WARN_ON_ONCE to capture whether\nthe filesystem has removed all DAX entries or not and applied the\nfix to xfs and ext4.\n\nApply the missed fix on erofs to fix the runtime warning:\n\n[ 5.266254] ------------[ cut here ]------------\n[ 5.266274] WARNING: CPU: 6 PID: 3109 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xff/0x260\n[ 5.266294] Modules linked in:\n[ 5.266999] CPU: 6 UID: 0 PID: 3109 Comm: umount Tainted: G S 6.16.0+ #6 PREEMPT(voluntary)\n[ 5.267012] Tainted: [S]=CPU_OUT_OF_SPEC\n[ 5.267017] Hardware name: Dell Inc. OptiPlex 5000/05WXFV, BIOS 1.5.1 08/24/2022\n[ 5.267024] RIP: 0010:truncate_folio_batch_exceptionals+0xff/0x260\n[ 5.267076] Code: 00 00 41 39 df 7f 11 eb 78 83 c3 01 49 83 c4 08 41 39 df 74 6c 48 63 f3 48 83 fe 1f 0f 83 3c 01 00 00 43 f6 44 26 08 01 74 df \u003c0f\u003e 0b 4a 8b 34 22 4c 89 ef 48 89 55 90 e8 ff 54 1f 00 48 8b 55 90\n[ 5.267083] RSP: 0018:ffffc900013f36c8 EFLAGS: 00010202\n[ 5.267095] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 5.267101] RDX: ffffc900013f3790 RSI: 0000000000000000 RDI: ffff8882a1407898\n[ 5.267108] RBP: ffffc900013f3740 R08: 0000000000000000 R09: 0000000000000000\n[ 5.267113] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n[ 5.267119] R13: ffff8882a1407ab8 R14: ffffc900013f3888 R15: 0000000000000001\n[ 5.267125] FS: 00007aaa8b437800(0000) GS:ffff88850025b000(0000) knlGS:0000000000000000\n[ 5.267132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5.267138] CR2: 00007aaa8b3aac10 CR3: 000000024f764000 CR4: 0000000000f52ef0\n[ 5.267144] PKRU: 55555554\n[ 5.267150] Call Trace:\n[ 5.267154] \u003cTASK\u003e\n[ 5.267181] truncate_inode_pages_range+0x118/0x5e0\n[ 5.267193] ? save_trace+0x54/0x390\n[ 5.267296] truncate_inode_pages_final+0x43/0x60\n[ 5.267309] evict+0x2a4/0x2c0\n[ 5.267339] dispose_list+0x39/0x80\n[ 5.267352] evict_inodes+0x150/0x1b0\n[ 5.267376] generic_shutdown_super+0x41/0x180\n[ 5.267390] kill_block_super+0x1b/0x50\n[ 5.267402] erofs_kill_sb+0x81/0x90 [erofs]\n[ 5.267436] deactivate_locked_super+0x32/0xb0\n[ 5.267450] deactivate_super+0x46/0x60\n[ 5.267460] cleanup_mnt+0xc3/0x170\n[ 5.267475] __cleanup_mnt+0x12/0x20\n[ 5.267485] task_work_run+0x5d/0xb0\n[ 5.267499] exit_to_user_mode_loop+0x144/0x170\n[ 5.267512] do_syscall_64+0x2b9/0x7c0\n[ 5.267523] ? __lock_acquire+0x665/0x2ce0\n[ 5.267535] ? __lock_acquire+0x665/0x2ce0\n[ 5.267560] ? lock_acquire+0xcd/0x300\n[ 5.267573] ? find_held_lock+0x31/0x90\n[ 5.267582] ? mntput_no_expire+0x97/0x4e0\n[ 5.267606] ? mntput_no_expire+0xa1/0x4e0\n[ 5.267625] ? mntput+0x24/0x50\n[ 5.267634] ? path_put+0x1e/0x30\n[ 5.267647] ? do_faccessat+0x120/0x2f0\n[ 5.267677] ? do_syscall_64+0x1a2/0x7c0\n[ 5.267686] ? from_kgid_munged+0x17/0x30\n[ 5.267703] ? from_kuid_munged+0x13/0x30\n[ 5.267711] ? __do_sys_getuid+0x3d/0x50\n[ 5.267724] ? do_syscall_64+0x1a2/0x7c0\n[ 5.267732] ? irqentry_exit+0x77/0xb0\n[ 5.267743] ? clear_bhb_loop+0x30/0x80\n[ 5.267752] ? clear_bhb_loop+0x30/0x80\n[ 5.267765] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 5.267772] RIP: 0033:0x7aaa8b32a9fb\n[ 5.267781] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e9 83 0d 00 f7 d8\n[ 5.267787] RSP: 002b:00007ffd7c4c9468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[ 5.267796] RAX: 0000000000000000 RBX: 00005a61592a8b00 RCX: 00007aaa8b32a9fb\n[ 5.267802] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005a61592b2080\n[ 5.267806] RBP: 00007ffd7c4c9540 R08: 00007aaa8b403b20 R09: 0000000000000020\n[ 5.267812] R10: 0000000000000001 R11: 0000000000000246 R12: 00005a61592a8c00\n[ 5.267817] R13: 00000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:23.870Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/91c34cd6ca1bc67ccf2d104834956af56b5893de"
},
{
"url": "https://git.kernel.org/stable/c/181993bb0d626cf88cc803f4356ce5c5abe86278"
}
],
"title": "erofs: fix runtime warning on truncate_folio_batch_exceptionals()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39868",
"datePublished": "2025-09-23T06:00:43.308Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-09-29T06:01:23.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39883 (GCVE-0-2025-39883)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-10-02 13:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
When I did memory failure tests, below panic occurs:
page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
kernel BUG at include/linux/page-flags.h:616!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Call Trace:
<TASK>
unpoison_memory+0x2f3/0x590
simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
debugfs_attr_write+0x42/0x60
full_proxy_write+0x5b/0x80
vfs_write+0xd5/0x540
ksys_write+0x64/0xe0
do_syscall_64+0xb9/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08f0314887
RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
</TASK>
Modules linked in: hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---
The root cause is that unpoison_memory() tries to check the PG_HWPoison
flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is
triggered. This can be reproduced by below steps:
1.Offline memory block:
echo offline > /sys/devices/system/memory/memory12/state
2.Get offlined memory pfn:
page-types -b n -rlN
3.Write pfn to unpoison-pfn
echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn
This scenario can be identified by pfn_to_online_page() returning NULL.
And ZONE_DEVICE pages are never expected, so we can simply fail if
pfn_to_online_page() == NULL to fix the bug.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e01ea186a52c90694c08a9ff57bea1b0e78256a",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "fb65803ccff37cf9123c50c1c02efd1ed73c4ed5",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "99f7048957f5ae3cee1c01189147e73a9a96de02",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "e4ec6def5643a1c9511115b3884eb879572294c6",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "7618fd443aa4cfa553a64cacf5721581653ee7b0",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "d613f53c83ec47089c4e25859d5e8e0359f6f8da",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory\n\nWhen I did memory failure tests, below panic occurs:\n\npage dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))\nkernel BUG at include/linux/page-flags.h:616!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n unpoison_memory+0x2f3/0x590\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xd5/0x540\n ksys_write+0x64/0xe0\n do_syscall_64+0xb9/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08f0314887\nRSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887\nRDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001\nRBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009\nR13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00\n \u003c/TASK\u003e\nModules linked in: hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nThe root cause is that unpoison_memory() tries to check the PG_HWPoison\nflags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is\ntriggered. This can be reproduced by below steps:\n\n1.Offline memory block:\n\n echo offline \u003e /sys/devices/system/memory/memory12/state\n\n2.Get offlined memory pfn:\n\n page-types -b n -rlN\n\n3.Write pfn to unpoison-pfn\n\n echo \u003cpfn\u003e \u003e /sys/kernel/debug/hwpoison/unpoison-pfn\n\nThis scenario can be identified by pfn_to_online_page() returning NULL. \nAnd ZONE_DEVICE pages are never expected, so we can simply fail if\npfn_to_online_page() == NULL to fix the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:26.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e01ea186a52c90694c08a9ff57bea1b0e78256a"
},
{
"url": "https://git.kernel.org/stable/c/fb65803ccff37cf9123c50c1c02efd1ed73c4ed5"
},
{
"url": "https://git.kernel.org/stable/c/99f7048957f5ae3cee1c01189147e73a9a96de02"
},
{
"url": "https://git.kernel.org/stable/c/e4ec6def5643a1c9511115b3884eb879572294c6"
},
{
"url": "https://git.kernel.org/stable/c/3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a"
},
{
"url": "https://git.kernel.org/stable/c/7618fd443aa4cfa553a64cacf5721581653ee7b0"
},
{
"url": "https://git.kernel.org/stable/c/63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96"
},
{
"url": "https://git.kernel.org/stable/c/d613f53c83ec47089c4e25859d5e8e0359f6f8da"
}
],
"title": "mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39883",
"datePublished": "2025-09-23T06:00:51.548Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-10-02T13:26:26.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49262 (GCVE-0-2022-49262)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: octeontx2 - remove CONFIG_DM_CRYPT check
No issues were found while using the driver with dm-crypt enabled. So
CONFIG_DM_CRYPT check in the driver can be removed.
This also fixes the NULL pointer dereference in driver release if
CONFIG_DM_CRYPT is enabled.
...
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
...
Call trace:
crypto_unregister_alg+0x68/0xfc
crypto_unregister_skciphers+0x44/0x60
otx2_cpt_crypto_exit+0x100/0x1a0
otx2_cptvf_remove+0xf8/0x200
pci_device_remove+0x3c/0xd4
__device_release_driver+0x188/0x234
device_release_driver+0x2c/0x4c
...
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6374086f249295121384bfaa7cdcc8d461146f0",
"status": "affected",
"version": "6f03f0e8b6c8a82d8e740ff3a87ed407ad423243",
"versionType": "git"
},
{
"lessThan": "a462214866eebbca87e13ff6d73092b1c4895624",
"status": "affected",
"version": "6f03f0e8b6c8a82d8e740ff3a87ed407ad423243",
"versionType": "git"
},
{
"lessThan": "a1bf728f3388ac3a2c2dffa57e25622e90b9f6f2",
"status": "affected",
"version": "6f03f0e8b6c8a82d8e740ff3a87ed407ad423243",
"versionType": "git"
},
{
"lessThan": "2d841af23ae8f398c85dd1ff2dc24b5ec8ba4569",
"status": "affected",
"version": "6f03f0e8b6c8a82d8e740ff3a87ed407ad423243",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: octeontx2 - remove CONFIG_DM_CRYPT check\n\nNo issues were found while using the driver with dm-crypt enabled. So\nCONFIG_DM_CRYPT check in the driver can be removed.\n\nThis also fixes the NULL pointer dereference in driver release if\nCONFIG_DM_CRYPT is enabled.\n\n...\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n...\nCall trace:\n crypto_unregister_alg+0x68/0xfc\n crypto_unregister_skciphers+0x44/0x60\n otx2_cpt_crypto_exit+0x100/0x1a0\n otx2_cptvf_remove+0xf8/0x200\n pci_device_remove+0x3c/0xd4\n __device_release_driver+0x188/0x234\n device_release_driver+0x2c/0x4c\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:37.249Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6374086f249295121384bfaa7cdcc8d461146f0"
},
{
"url": "https://git.kernel.org/stable/c/a462214866eebbca87e13ff6d73092b1c4895624"
},
{
"url": "https://git.kernel.org/stable/c/a1bf728f3388ac3a2c2dffa57e25622e90b9f6f2"
},
{
"url": "https://git.kernel.org/stable/c/2d841af23ae8f398c85dd1ff2dc24b5ec8ba4569"
}
],
"title": "crypto: octeontx2 - remove CONFIG_DM_CRYPT check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49262",
"datePublished": "2025-02-26T01:56:13.566Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:37.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49205 (GCVE-0-2022-49205)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix double uncharge the mem of sk_msg
If tcp_bpf_sendmsg is running during a tear down operation, psock may be
freed.
tcp_bpf_sendmsg()
tcp_bpf_send_verdict()
sk_msg_return()
tcp_bpf_sendmsg_redir()
unlikely(!psock))
sk_msg_free()
The mem of msg has been uncharged in tcp_bpf_send_verdict() by
sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock
is null, we can simply returning an error code, this would then trigger
the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have
the side effect of throwing an error up to user space. This would be a
slight change in behavior from user side but would look the same as an
error if the redirect on the socket threw an error.
This issue can cause the following info:
WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
Call Trace:
<TASK>
__sk_destruct+0x24/0x1f0
sk_psock_destroy+0x19b/0x1c0
process_one_work+0x1b3/0x3c0
worker_thread+0x30/0x350
? process_one_work+0x3c0/0x3c0
kthread+0xe6/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "94c6ac22abcdede72bfaa0f4c22fb370891f4002",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "cd84ea3920aef936c559b63099ef0013ce6b2325",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "cb6f141ae705af0101e819065a79e6d029f6e393",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "223f3c51ab163852dd4819d357dcf33039929434",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "ac3ecb7760c750c8e4fc09c719241d8e6e88028c",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "2486ab434b2c2a14e9237296db00b1e1b7ae3273",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix double uncharge the mem of sk_msg\n\nIf tcp_bpf_sendmsg is running during a tear down operation, psock may be\nfreed.\n\ntcp_bpf_sendmsg()\n tcp_bpf_send_verdict()\n sk_msg_return()\n tcp_bpf_sendmsg_redir()\n unlikely(!psock))\n sk_msg_free()\n\nThe mem of msg has been uncharged in tcp_bpf_send_verdict() by\nsk_msg_return(), and would be uncharged by sk_msg_free() again. When psock\nis null, we can simply returning an error code, this would then trigger\nthe sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have\nthe side effect of throwing an error up to user space. This would be a\nslight change in behavior from user side but would look the same as an\nerror if the redirect on the socket threw an error.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n \u003cTASK\u003e\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:19.084Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/94c6ac22abcdede72bfaa0f4c22fb370891f4002"
},
{
"url": "https://git.kernel.org/stable/c/cd84ea3920aef936c559b63099ef0013ce6b2325"
},
{
"url": "https://git.kernel.org/stable/c/cb6f141ae705af0101e819065a79e6d029f6e393"
},
{
"url": "https://git.kernel.org/stable/c/223f3c51ab163852dd4819d357dcf33039929434"
},
{
"url": "https://git.kernel.org/stable/c/ac3ecb7760c750c8e4fc09c719241d8e6e88028c"
},
{
"url": "https://git.kernel.org/stable/c/2486ab434b2c2a14e9237296db00b1e1b7ae3273"
}
],
"title": "bpf, sockmap: Fix double uncharge the mem of sk_msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49205",
"datePublished": "2025-02-26T01:55:45.177Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-05-04T08:32:19.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49379 (GCVE-0-2022-49379)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction
Mounting NFS rootfs was timing out when deferred_probe_timeout was
non-zero [1]. This was because ip_auto_config() initcall times out
waiting for the network interfaces to show up when
deferred_probe_timeout was non-zero. While ip_auto_config() calls
wait_for_device_probe() to make sure any currently running deferred
probe work or asynchronous probe finishes, that wasn't sufficient to
account for devices being deferred until deferred_probe_timeout.
Commit 35a672363ab3 ("driver core: Ensure wait_for_device_probe() waits
until the deferred_probe_timeout fires") tried to fix that by making
sure wait_for_device_probe() waits for deferred_probe_timeout to expire
before returning.
However, if wait_for_device_probe() is called from the kernel_init()
context:
- Before deferred_probe_initcall() [2], it causes the boot process to
hang due to a deadlock.
- After deferred_probe_initcall() [3], it blocks kernel_init() from
continuing till deferred_probe_timeout expires and beats the point of
deferred_probe_timeout that's trying to wait for userspace to load
modules.
Neither of this is good. So revert the changes to
wait_for_device_probe().
[1] - https://lore.kernel.org/lkml/TYAPR01MB45443DF63B9EF29054F7C41FD8C60@TYAPR01MB4544.jpnprd01.prod.outlook.com/
[2] - https://lore.kernel.org/lkml/YowHNo4sBjr9ijZr@dev-arch.thelio-3990X/
[3] - https://lore.kernel.org/lkml/Yo3WvGnNk3LvLb7R@linutronix.de/
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe Version: 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe Version: 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe Version: 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe Version: 35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/dd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71cbce75031aed26c72c2dc8a83111d181685f1b",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
},
{
"lessThan": "29357883a89193863f3cc6a2c5e0b42ceb022761",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
},
{
"lessThan": "528229474e1cbb1b3451cb713d94aecb5f6ee264",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
},
{
"lessThan": "4ad6af07efcca85369c21e4897b3020cff2c170b",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
},
{
"lessThan": "5ee76c256e928455212ab759c51d198fedbe7523",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/dd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: Fix wait_for_device_probe() \u0026 deferred_probe_timeout interaction\n\nMounting NFS rootfs was timing out when deferred_probe_timeout was\nnon-zero [1]. This was because ip_auto_config() initcall times out\nwaiting for the network interfaces to show up when\ndeferred_probe_timeout was non-zero. While ip_auto_config() calls\nwait_for_device_probe() to make sure any currently running deferred\nprobe work or asynchronous probe finishes, that wasn\u0027t sufficient to\naccount for devices being deferred until deferred_probe_timeout.\n\nCommit 35a672363ab3 (\"driver core: Ensure wait_for_device_probe() waits\nuntil the deferred_probe_timeout fires\") tried to fix that by making\nsure wait_for_device_probe() waits for deferred_probe_timeout to expire\nbefore returning.\n\nHowever, if wait_for_device_probe() is called from the kernel_init()\ncontext:\n\n- Before deferred_probe_initcall() [2], it causes the boot process to\n hang due to a deadlock.\n\n- After deferred_probe_initcall() [3], it blocks kernel_init() from\n continuing till deferred_probe_timeout expires and beats the point of\n deferred_probe_timeout that\u0027s trying to wait for userspace to load\n modules.\n\nNeither of this is good. So revert the changes to\nwait_for_device_probe().\n\n[1] - https://lore.kernel.org/lkml/TYAPR01MB45443DF63B9EF29054F7C41FD8C60@TYAPR01MB4544.jpnprd01.prod.outlook.com/\n[2] - https://lore.kernel.org/lkml/YowHNo4sBjr9ijZr@dev-arch.thelio-3990X/\n[3] - https://lore.kernel.org/lkml/Yo3WvGnNk3LvLb7R@linutronix.de/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:25.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71cbce75031aed26c72c2dc8a83111d181685f1b"
},
{
"url": "https://git.kernel.org/stable/c/29357883a89193863f3cc6a2c5e0b42ceb022761"
},
{
"url": "https://git.kernel.org/stable/c/528229474e1cbb1b3451cb713d94aecb5f6ee264"
},
{
"url": "https://git.kernel.org/stable/c/4ad6af07efcca85369c21e4897b3020cff2c170b"
},
{
"url": "https://git.kernel.org/stable/c/5ee76c256e928455212ab759c51d198fedbe7523"
}
],
"title": "driver core: Fix wait_for_device_probe() \u0026 deferred_probe_timeout interaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49379",
"datePublished": "2025-02-26T02:11:17.795Z",
"dateReserved": "2025-02-26T02:08:31.558Z",
"dateUpdated": "2025-05-04T08:36:25.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49345 (GCVE-0-2022-49345)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: xfrm: unexport __init-annotated xfrm4_protocol_init()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it has been broken for a decade.
Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.
There are two ways to fix it:
- Remove __init
- Remove EXPORT_SYMBOL
I chose the latter for this case because the only in-tree call-site,
net/ipv4/xfrm4_policy.c is never compiled as modular.
(CONFIG_XFRM is boolean)
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/xfrm4_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c58d82a1264813e69119c13e9804e2e60b664ad5",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "e53cd3814504b2cadaba4d5a8a07eeea9ddacd03",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "31f3c6a4dcd3260a386e62cef2d5b36e902600a1",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "ef6d2354de238b065d8799c80da4be9a6af18e39",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "be3884d5cd04ccd58294b83a02d70b7c5fca19d3",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "85a055c03691e51499123194a14a0c249cf33227",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "e04d59cfe0c0129df7aba7ef7bb17b96be2a64f2",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "2b253fbc9f7b5db18d716436bdcf8ecef09fd63d",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "4a388f08d8784af48f352193d2b72aaf167a57a1",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/xfrm4_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xfrm: unexport __init-annotated xfrm4_protocol_init()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n - Remove __init\n - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the only in-tree call-site,\nnet/ipv4/xfrm4_policy.c is never compiled as modular.\n(CONFIG_XFRM is boolean)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:44.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c58d82a1264813e69119c13e9804e2e60b664ad5"
},
{
"url": "https://git.kernel.org/stable/c/e53cd3814504b2cadaba4d5a8a07eeea9ddacd03"
},
{
"url": "https://git.kernel.org/stable/c/31f3c6a4dcd3260a386e62cef2d5b36e902600a1"
},
{
"url": "https://git.kernel.org/stable/c/ef6d2354de238b065d8799c80da4be9a6af18e39"
},
{
"url": "https://git.kernel.org/stable/c/be3884d5cd04ccd58294b83a02d70b7c5fca19d3"
},
{
"url": "https://git.kernel.org/stable/c/85a055c03691e51499123194a14a0c249cf33227"
},
{
"url": "https://git.kernel.org/stable/c/e04d59cfe0c0129df7aba7ef7bb17b96be2a64f2"
},
{
"url": "https://git.kernel.org/stable/c/2b253fbc9f7b5db18d716436bdcf8ecef09fd63d"
},
{
"url": "https://git.kernel.org/stable/c/4a388f08d8784af48f352193d2b72aaf167a57a1"
}
],
"title": "net: xfrm: unexport __init-annotated xfrm4_protocol_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49345",
"datePublished": "2025-02-26T02:11:00.976Z",
"dateReserved": "2025-02-26T02:08:31.542Z",
"dateUpdated": "2025-05-04T08:35:44.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49421 (GCVE-0-2022-49421)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup
of_parse_phandle() returns a node pointer with refcount incremented, we should
use of_node_put() on it when not need anymore. Add missing of_node_put() to
avoid refcount leak.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/amba-clcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c92711db7c90f78e0b67ac2a8944d0fe7e12d83",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "2e2e2c71b2642289438392edbf5d08cdbc0b138b",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "51eb1bb6baeb478538dd4ec6459fd68c44a855b1",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "8db59df7f5826e104db82cfddbf22a33a151193e",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "c1c4405222b6fc98c16e8c2aa679c14e41d81465",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "f2dfb4ab887d67be7d0892ba041d3c8d738d3356",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "bbb2a24e863b6a10129546a0a4ceea2f07deec39",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "38d245cebf545338a6bc1c7762023de3fbecd7b7",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "b23789a59fa6f00e98a319291819f91fbba0deb8",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/amba-clcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup\n\nof_parse_phandle() returns a node pointer with refcount incremented, we should\nuse of_node_put() on it when not need anymore. Add missing of_node_put() to\navoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:19.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c92711db7c90f78e0b67ac2a8944d0fe7e12d83"
},
{
"url": "https://git.kernel.org/stable/c/2e2e2c71b2642289438392edbf5d08cdbc0b138b"
},
{
"url": "https://git.kernel.org/stable/c/51eb1bb6baeb478538dd4ec6459fd68c44a855b1"
},
{
"url": "https://git.kernel.org/stable/c/8db59df7f5826e104db82cfddbf22a33a151193e"
},
{
"url": "https://git.kernel.org/stable/c/c1c4405222b6fc98c16e8c2aa679c14e41d81465"
},
{
"url": "https://git.kernel.org/stable/c/f2dfb4ab887d67be7d0892ba041d3c8d738d3356"
},
{
"url": "https://git.kernel.org/stable/c/bbb2a24e863b6a10129546a0a4ceea2f07deec39"
},
{
"url": "https://git.kernel.org/stable/c/38d245cebf545338a6bc1c7762023de3fbecd7b7"
},
{
"url": "https://git.kernel.org/stable/c/b23789a59fa6f00e98a319291819f91fbba0deb8"
}
],
"title": "video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49421",
"datePublished": "2025-02-26T02:12:44.790Z",
"dateReserved": "2025-02-26T02:08:31.568Z",
"dateUpdated": "2025-05-04T08:37:19.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39871 (GCVE-0-2025-39871)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Remove improper idxd_free
The call to idxd_free() introduces a duplicate put_device() leading to a
reference count underflow:
refcount_t: underflow; use-after-free.
WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
...
Call Trace:
<TASK>
idxd_remove+0xe4/0x120 [idxd]
pci_device_remove+0x3f/0xb0
device_release_driver_internal+0x197/0x200
driver_detach+0x48/0x90
bus_remove_driver+0x74/0xf0
pci_unregister_driver+0x2e/0xb0
idxd_exit_module+0x34/0x7a0 [idxd]
__do_sys_delete_module.constprop.0+0x183/0x280
do_syscall_64+0x54/0xd70
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The idxd_unregister_devices() which is invoked at the very beginning of
idxd_remove(), already takes care of the necessary put_device() through the
following call path:
idxd_unregister_devices() -> device_unregister() -> put_device()
In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may
trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is
called immediately after, it can result in a use-after-free.
Remove the improper idxd_free() to avoid both the refcount underflow and
potential memory corruption during module unload.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: d2d05fd0fc95c4defed6f7b87550e20e8baa1d97 Version: 21f9f5cd9a0c75084d4369ba0b8c4f695c41dea7 Version: d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 Version: d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 Version: 68ac5a01f635b3791196fd1c39bc48497252c36f Version: 2b7a961cea0e5b65afda911f76d14fec5c98d024 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e95ee7f532b21206fe3f1c4054002b0d21e3b9c",
"status": "affected",
"version": "d2d05fd0fc95c4defed6f7b87550e20e8baa1d97",
"versionType": "git"
},
{
"lessThan": "dd7a7e43269711d757fc260b0bbdf7138f75de11",
"status": "affected",
"version": "21f9f5cd9a0c75084d4369ba0b8c4f695c41dea7",
"versionType": "git"
},
{
"lessThan": "da4fbc1488a4cec6748da685181ee4449a878dac",
"status": "affected",
"version": "d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805",
"versionType": "git"
},
{
"lessThan": "f41c538881eec4dcf5961a242097d447f848cda6",
"status": "affected",
"version": "d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805",
"versionType": "git"
},
{
"status": "affected",
"version": "68ac5a01f635b3791196fd1c39bc48497252c36f",
"versionType": "git"
},
{
"status": "affected",
"version": "2b7a961cea0e5b65afda911f76d14fec5c98d024",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.6.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.12.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Remove improper idxd_free\n\nThe call to idxd_free() introduces a duplicate put_device() leading to a\nreference count underflow:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n...\nCall Trace:\n \u003cTASK\u003e\n idxd_remove+0xe4/0x120 [idxd]\n pci_device_remove+0x3f/0xb0\n device_release_driver_internal+0x197/0x200\n driver_detach+0x48/0x90\n bus_remove_driver+0x74/0xf0\n pci_unregister_driver+0x2e/0xb0\n idxd_exit_module+0x34/0x7a0 [idxd]\n __do_sys_delete_module.constprop.0+0x183/0x280\n do_syscall_64+0x54/0xd70\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe idxd_unregister_devices() which is invoked at the very beginning of\nidxd_remove(), already takes care of the necessary put_device() through the\nfollowing call path:\nidxd_unregister_devices() -\u003e device_unregister() -\u003e put_device()\n\nIn addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may\ntrigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is\ncalled immediately after, it can result in a use-after-free.\n\nRemove the improper idxd_free() to avoid both the refcount underflow and\npotential memory corruption during module unload."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:27.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e95ee7f532b21206fe3f1c4054002b0d21e3b9c"
},
{
"url": "https://git.kernel.org/stable/c/dd7a7e43269711d757fc260b0bbdf7138f75de11"
},
{
"url": "https://git.kernel.org/stable/c/da4fbc1488a4cec6748da685181ee4449a878dac"
},
{
"url": "https://git.kernel.org/stable/c/f41c538881eec4dcf5961a242097d447f848cda6"
}
],
"title": "dmaengine: idxd: Remove improper idxd_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39871",
"datePublished": "2025-09-23T06:00:44.882Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-09-29T06:01:27.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39874 (GCVE-0-2025-39874)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
macsec: sync features on RTM_NEWLINK
Syzkaller managed to lock the lower device via ETHTOOL_SFEATURES:
netdev_lock include/linux/netdevice.h:2761 [inline]
netdev_lock_ops include/net/netdev_lock.h:42 [inline]
netdev_sync_lower_features net/core/dev.c:10649 [inline]
__netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819
netdev_update_features+0x6d/0xe0 net/core/dev.c:10876
macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533
notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
call_netdevice_notifiers net/core/dev.c:2281 [inline]
netdev_features_change+0x85/0xc0 net/core/dev.c:1570
__dev_ethtool net/ethtool/ioctl.c:3469 [inline]
dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502
dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759
It happens because lower features are out of sync with the upper:
__dev_ethtool (real_dev)
netdev_lock_ops(real_dev)
ETHTOOL_SFEATURES
__netdev_features_change
netdev_sync_upper_features
disable LRO on the lower
if (old_features != dev->features)
netdev_features_change
fires NETDEV_FEAT_CHANGE
macsec_notify
NETDEV_FEAT_CHANGE
netdev_update_features (for each macsec dev)
netdev_sync_lower_features
if (upper_features != lower_features)
netdev_lock_ops(lower) # lower == real_dev
stuck
...
netdev_unlock_ops(real_dev)
Per commit af5f54b0ef9e ("net: Lock lower level devices when updating
features"), we elide the lock/unlock when the upper and lower features
are synced. Makes sure the lower (real_dev) has proper features after
the macsec link has been created. This makes sure we never hit the
situation where we need to sync upper flags to the lower.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macsec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7624629ccf47135c65fef0701fa0d9a115b87f3",
"status": "affected",
"version": "7e4d784f5810bba76c4593791028e13cce4af547",
"versionType": "git"
},
{
"lessThan": "0f82c3ba66c6b2e3cde0f255156a753b108ee9dc",
"status": "affected",
"version": "7e4d784f5810bba76c4593791028e13cce4af547",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macsec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: sync features on RTM_NEWLINK\n\nSyzkaller managed to lock the lower device via ETHTOOL_SFEATURES:\n\n netdev_lock include/linux/netdevice.h:2761 [inline]\n netdev_lock_ops include/net/netdev_lock.h:42 [inline]\n netdev_sync_lower_features net/core/dev.c:10649 [inline]\n __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819\n netdev_update_features+0x6d/0xe0 net/core/dev.c:10876\n macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533\n notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85\n call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]\n call_netdevice_notifiers net/core/dev.c:2281 [inline]\n netdev_features_change+0x85/0xc0 net/core/dev.c:1570\n __dev_ethtool net/ethtool/ioctl.c:3469 [inline]\n dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502\n dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759\n\nIt happens because lower features are out of sync with the upper:\n\n __dev_ethtool (real_dev)\n netdev_lock_ops(real_dev)\n ETHTOOL_SFEATURES\n __netdev_features_change\n netdev_sync_upper_features\n disable LRO on the lower\n if (old_features != dev-\u003efeatures)\n netdev_features_change\n fires NETDEV_FEAT_CHANGE\n\tmacsec_notify\n\t NETDEV_FEAT_CHANGE\n\t netdev_update_features (for each macsec dev)\n\t netdev_sync_lower_features\n\t if (upper_features != lower_features)\n\t netdev_lock_ops(lower) # lower == real_dev\n\t\t stuck\n\t\t ...\n\n netdev_unlock_ops(real_dev)\n\nPer commit af5f54b0ef9e (\"net: Lock lower level devices when updating\nfeatures\"), we elide the lock/unlock when the upper and lower features\nare synced. Makes sure the lower (real_dev) has proper features after\nthe macsec link has been created. This makes sure we never hit the\nsituation where we need to sync upper flags to the lower."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:31.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7624629ccf47135c65fef0701fa0d9a115b87f3"
},
{
"url": "https://git.kernel.org/stable/c/0f82c3ba66c6b2e3cde0f255156a753b108ee9dc"
}
],
"title": "macsec: sync features on RTM_NEWLINK",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39874",
"datePublished": "2025-09-23T06:00:46.690Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-09-29T06:01:31.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49244 (GCVE-0-2022-49244)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
This function only calls of_node_put() in the regular path.
And it will cause refcount leak in error paths.
Fix this by calling of_node_put() in error handling too.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87e04a89c31e792eef62bcba6ebb77fd323d28a1",
"status": "affected",
"version": "286c6f7b28fab19d649c2e1f3bc18fdecdbadfe5",
"versionType": "git"
},
{
"lessThan": "d5a38629f1aaf397fd471b27e49d55289ddc0656",
"status": "affected",
"version": "d1be8577f0b2f679095d237aaf281dca344f06c4",
"versionType": "git"
},
{
"lessThan": "1765787ec02e824f4f5e672cf269280a5da09d2f",
"status": "affected",
"version": "4e28491a7a198c668437f2be8a91a76aa52f20eb",
"versionType": "git"
},
{
"lessThan": "e45ac7831ff3e2934d58cce319c17c8ec763c95c",
"status": "affected",
"version": "4e28491a7a198c668437f2be8a91a76aa52f20eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe\n\nThe device_node pointer is returned by of_parse_phandle() with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error paths.\nFix this by calling of_node_put() in error handling too."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:14.176Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87e04a89c31e792eef62bcba6ebb77fd323d28a1"
},
{
"url": "https://git.kernel.org/stable/c/d5a38629f1aaf397fd471b27e49d55289ddc0656"
},
{
"url": "https://git.kernel.org/stable/c/1765787ec02e824f4f5e672cf269280a5da09d2f"
},
{
"url": "https://git.kernel.org/stable/c/e45ac7831ff3e2934d58cce319c17c8ec763c95c"
}
],
"title": "ASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49244",
"datePublished": "2025-02-26T01:56:04.783Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-05-04T08:33:14.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49337 (GCVE-0-2022-49337)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock
When user_dlm_destroy_lock failed, it didn't clean up the flags it set
before exit. For USER_LOCK_IN_TEARDOWN, if this function fails because of
lock is still in used, next time when unlink invokes this function, it
will return succeed, and then unlink will remove inode and dentry if lock
is not in used(file closed), but the dlm lock is still linked in dlm lock
resource, then when bast come in, it will trigger a panic due to
user-after-free. See the following panic call trace. To fix this,
USER_LOCK_IN_TEARDOWN should be reverted if fail. And also error should
be returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink
fail.
For the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN,
USER_LOCK_BUSY is also required to be cleared. Even though spin lock is
released in between, but USER_LOCK_IN_TEARDOWN is still set, for
USER_LOCK_BUSY, if before every place that waits on this flag,
USER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow
waits on the busy flag set by user_dlm_destroy_lock(), then we can
simplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails. Fix
user_dlm_cluster_lock() which is the only function not following this.
[ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink
004fb0000060000b5a90b8c847b72e1, error -16 from destroy
[ 989.757536] ------------[ cut here ]------------
[ 989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173!
[ 989.757876] invalid opcode: 0000 [#1] SMP
[ 989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O)
ksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc
xen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5
auth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs
ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc
fcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc
rds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad
rdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE)
mlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad
ib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support
pcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si
ipmi_msghandler
[ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp
pps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel
be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio
libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi
dm_mirror dm_region_hash dm_log dm_mod [last unloaded:
ksplice_2zhuk2jr_ib_ipoib_old]
[ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P OE
4.1.12-124.57.1.el6uek.x86_64 #2
[ 989.762290] Hardware name: Oracle Corporation ORACLE SERVER
X5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021
[ 989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti:
ffff88017f7c8000
[ 989.762848] RIP: e030:[<ffffffffc07d4316>] [<ffffffffc07d4316>]
__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]
[ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246
[ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX:
0000000000000003
[ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI:
ffff880174d48170
[ 989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09:
0000000000000000
[ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12:
ffff880174d48008
[ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15:
ffff88021db7a000
[ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000)
knlGS:ffff880247480000
[ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4:
0000000000042660
[ 989.765081] Stack:
[ 989.765167] 00000000000
---truncated---
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/dlmfs/userdlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1434cd71ad9f3a6beda3036972983b6c4869207c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02480e2e82ae0e5588374bbbcf4fa6e4959fa174",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "733a35c00ef363a1c774d7ea486e0735b7c13a15",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82bf8e7271fade40184177cb406203addc34c4a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "337e36550788dbe03254f0593a231c1c4873b20d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c96238fac045b289993d7bc5aae7b2d72b25c76",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efb54ec548829e1d3605f0434526f86e345b1b28",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2c5e26a626fe46675bceba853e12aaf13c712e10",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "863e0d81b6683c4cbc588ad831f560c90e494bef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/dlmfs/userdlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: dlmfs: fix error handling of user_dlm_destroy_lock\n\nWhen user_dlm_destroy_lock failed, it didn\u0027t clean up the flags it set\nbefore exit. For USER_LOCK_IN_TEARDOWN, if this function fails because of\nlock is still in used, next time when unlink invokes this function, it\nwill return succeed, and then unlink will remove inode and dentry if lock\nis not in used(file closed), but the dlm lock is still linked in dlm lock\nresource, then when bast come in, it will trigger a panic due to\nuser-after-free. See the following panic call trace. To fix this,\nUSER_LOCK_IN_TEARDOWN should be reverted if fail. And also error should\nbe returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink\nfail.\n\nFor the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN,\nUSER_LOCK_BUSY is also required to be cleared. Even though spin lock is\nreleased in between, but USER_LOCK_IN_TEARDOWN is still set, for\nUSER_LOCK_BUSY, if before every place that waits on this flag,\nUSER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow\nwaits on the busy flag set by user_dlm_destroy_lock(), then we can\nsimplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails. Fix\nuser_dlm_cluster_lock() which is the only function not following this.\n\n[ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink\n004fb0000060000b5a90b8c847b72e1, error -16 from destroy\n[ 989.757536] ------------[ cut here ]------------\n[ 989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173!\n[ 989.757876] invalid opcode: 0000 [#1] SMP\n[ 989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O)\nksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc\nxen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5\nauth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs\nocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc\nfcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc\nrds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad\nrdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE)\nmlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad\nib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support\npcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si\nipmi_msghandler\n[ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp\npps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel\nbe2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio\nlibiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi\ndm_mirror dm_region_hash dm_log dm_mod [last unloaded:\nksplice_2zhuk2jr_ib_ipoib_old]\n[ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P OE\n4.1.12-124.57.1.el6uek.x86_64 #2\n[ 989.762290] Hardware name: Oracle Corporation ORACLE SERVER\nX5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021\n[ 989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti:\nffff88017f7c8000\n[ 989.762848] RIP: e030:[\u003cffffffffc07d4316\u003e] [\u003cffffffffc07d4316\u003e]\n__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]\n[ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246\n[ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX:\n0000000000000003\n[ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI:\nffff880174d48170\n[ 989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09:\n0000000000000000\n[ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12:\nffff880174d48008\n[ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15:\nffff88021db7a000\n[ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000)\nknlGS:ffff880247480000\n[ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4:\n0000000000042660\n[ 989.765081] Stack:\n[ 989.765167] 00000000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:29.871Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1434cd71ad9f3a6beda3036972983b6c4869207c"
},
{
"url": "https://git.kernel.org/stable/c/02480e2e82ae0e5588374bbbcf4fa6e4959fa174"
},
{
"url": "https://git.kernel.org/stable/c/733a35c00ef363a1c774d7ea486e0735b7c13a15"
},
{
"url": "https://git.kernel.org/stable/c/82bf8e7271fade40184177cb406203addc34c4a0"
},
{
"url": "https://git.kernel.org/stable/c/337e36550788dbe03254f0593a231c1c4873b20d"
},
{
"url": "https://git.kernel.org/stable/c/9c96238fac045b289993d7bc5aae7b2d72b25c76"
},
{
"url": "https://git.kernel.org/stable/c/efb54ec548829e1d3605f0434526f86e345b1b28"
},
{
"url": "https://git.kernel.org/stable/c/2c5e26a626fe46675bceba853e12aaf13c712e10"
},
{
"url": "https://git.kernel.org/stable/c/863e0d81b6683c4cbc588ad831f560c90e494bef"
}
],
"title": "ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49337",
"datePublished": "2025-02-26T02:10:55.696Z",
"dateReserved": "2025-02-26T02:08:31.539Z",
"dateUpdated": "2025-05-04T08:35:29.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49393 (GCVE-0-2022-49393)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix list iterator in fastrpc_req_mem_unmap_impl
This is another instance of incorrect use of list iterator and
checking it for NULL.
The list iterator value 'map' will *always* be set and non-NULL
by list_for_each_entry(), so it is incorrect to assume that the
iterator value will be NULL if the list is empty (in this case, the
check 'if (!map) {' will always be false and never exit as expected).
To fix the bug, use a new variable 'iter' as the list iterator,
while use the original variable 'map' as a dedicated pointer to
point to the found element.
Without this patch, Kernel crashes with below trace:
Unable to handle kernel access to user memory outside uaccess routines
at virtual address 0000ffff7fb03750
...
Call trace:
fastrpc_map_create+0x70/0x290 [fastrpc]
fastrpc_req_mem_map+0xf0/0x2dc [fastrpc]
fastrpc_device_ioctl+0x138/0xc60 [fastrpc]
__arm64_sys_ioctl+0xa8/0xec
invoke_syscall+0x48/0x114
el0_svc_common.constprop.0+0xd4/0xfc
do_el0_svc+0x28/0x90
el0_svc+0x3c/0x130
el0t_64_sync_handler+0xa4/0x130
el0t_64_sync+0x18c/0x190
Code: 14000016 f94000a5 eb05029f 54000260 (b94018a6)
---[ end trace 0000000000000000 ]---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d12905aad462383f4e7a5fdb024d2b7ae2d10cf",
"status": "affected",
"version": "5c1b97c7d7b736e6439af4f43a65837bc72f56c1",
"versionType": "git"
},
{
"lessThan": "c5c07c5958cf0c9af6e76813e6de15d42ee49822",
"status": "affected",
"version": "5c1b97c7d7b736e6439af4f43a65837bc72f56c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix list iterator in fastrpc_req_mem_unmap_impl\n\nThis is another instance of incorrect use of list iterator and\nchecking it for NULL.\n\nThe list iterator value \u0027map\u0027 will *always* be set and non-NULL\nby list_for_each_entry(), so it is incorrect to assume that the\niterator value will be NULL if the list is empty (in this case, the\ncheck \u0027if (!map) {\u0027 will always be false and never exit as expected).\n\nTo fix the bug, use a new variable \u0027iter\u0027 as the list iterator,\nwhile use the original variable \u0027map\u0027 as a dedicated pointer to\npoint to the found element.\n\nWithout this patch, Kernel crashes with below trace:\n\nUnable to handle kernel access to user memory outside uaccess routines\n at virtual address 0000ffff7fb03750\n...\nCall trace:\n fastrpc_map_create+0x70/0x290 [fastrpc]\n fastrpc_req_mem_map+0xf0/0x2dc [fastrpc]\n fastrpc_device_ioctl+0x138/0xc60 [fastrpc]\n __arm64_sys_ioctl+0xa8/0xec\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xd4/0xfc\n do_el0_svc+0x28/0x90\n el0_svc+0x3c/0x130\n el0t_64_sync_handler+0xa4/0x130\n el0t_64_sync+0x18c/0x190\nCode: 14000016 f94000a5 eb05029f 54000260 (b94018a6)\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:43.602Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d12905aad462383f4e7a5fdb024d2b7ae2d10cf"
},
{
"url": "https://git.kernel.org/stable/c/c5c07c5958cf0c9af6e76813e6de15d42ee49822"
}
],
"title": "misc: fastrpc: fix list iterator in fastrpc_req_mem_unmap_impl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49393",
"datePublished": "2025-02-26T02:11:24.730Z",
"dateReserved": "2025-02-26T02:08:31.562Z",
"dateUpdated": "2025-05-04T08:36:43.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39886 (GCVE-0-2025-39886)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()
Currently, calling bpf_map_kmalloc_node() from __bpf_async_init() can
cause various locking issues; see the following stack trace (edited for
style) as one example:
...
[10.011566] do_raw_spin_lock.cold
[10.011570] try_to_wake_up (5) double-acquiring the same
[10.011575] kick_pool rq_lock, causing a hardlockup
[10.011579] __queue_work
[10.011582] queue_work_on
[10.011585] kernfs_notify
[10.011589] cgroup_file_notify
[10.011593] try_charge_memcg (4) memcg accounting raises an
[10.011597] obj_cgroup_charge_pages MEMCG_MAX event
[10.011599] obj_cgroup_charge_account
[10.011600] __memcg_slab_post_alloc_hook
[10.011603] __kmalloc_node_noprof
...
[10.011611] bpf_map_kmalloc_node
[10.011612] __bpf_async_init
[10.011615] bpf_timer_init (3) BPF calls bpf_timer_init()
[10.011617] bpf_prog_xxxxxxxxxxxxxxxx_fcg_runnable
[10.011619] bpf__sched_ext_ops_runnable
[10.011620] enqueue_task_scx (2) BPF runs with rq_lock held
[10.011622] enqueue_task
[10.011626] ttwu_do_activate
[10.011629] sched_ttwu_pending (1) grabs rq_lock
...
The above was reproduced on bpf-next (b338cf849ec8) by modifying
./tools/sched_ext/scx_flatcg.bpf.c to call bpf_timer_init() during
ops.runnable(), and hacking the memcg accounting code a bit to make
a bpf_timer_init() call more likely to raise an MEMCG_MAX event.
We have also run into other similar variants (both internally and on
bpf-next), including double-acquiring cgroup_file_kn_lock, the same
worker_pool::lock, etc.
As suggested by Shakeel, fix this by using __GFP_HIGH instead of
GFP_ATOMIC in __bpf_async_init(), so that e.g. if try_charge_memcg()
raises an MEMCG_MAX event, we call __memcg_memory_event() with
@allow_spinning=false and avoid calling cgroup_file_notify() there.
Depends on mm patch
"memcg: skip cgroup_file_notify if spinning is not allowed":
https://lore.kernel.org/bpf/20250905201606.66198-1-shakeel.butt@linux.dev/
v0 approach s/bpf_map_kmalloc_node/bpf_mem_alloc/
https://lore.kernel.org/bpf/20250905061919.439648-1-yepeilin@google.com/
v1 approach:
https://lore.kernel.org/bpf/20250905234547.862249-1-yepeilin@google.com/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "449682e76f32601f211816d3e2100bed87e67a4c",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
},
{
"lessThan": "cd1fd26bb13473c1734e3026b2b97025a0a4087b",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
},
{
"lessThan": "ac70cd446f83ccb25532b343919ab86eacdcd06a",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
},
{
"lessThan": "6d78b4473cdb08b74662355a9e8510bde09c511e",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()\n\nCurrently, calling bpf_map_kmalloc_node() from __bpf_async_init() can\ncause various locking issues; see the following stack trace (edited for\nstyle) as one example:\n\n...\n [10.011566] do_raw_spin_lock.cold\n [10.011570] try_to_wake_up (5) double-acquiring the same\n [10.011575] kick_pool rq_lock, causing a hardlockup\n [10.011579] __queue_work\n [10.011582] queue_work_on\n [10.011585] kernfs_notify\n [10.011589] cgroup_file_notify\n [10.011593] try_charge_memcg (4) memcg accounting raises an\n [10.011597] obj_cgroup_charge_pages MEMCG_MAX event\n [10.011599] obj_cgroup_charge_account\n [10.011600] __memcg_slab_post_alloc_hook\n [10.011603] __kmalloc_node_noprof\n...\n [10.011611] bpf_map_kmalloc_node\n [10.011612] __bpf_async_init\n [10.011615] bpf_timer_init (3) BPF calls bpf_timer_init()\n [10.011617] bpf_prog_xxxxxxxxxxxxxxxx_fcg_runnable\n [10.011619] bpf__sched_ext_ops_runnable\n [10.011620] enqueue_task_scx (2) BPF runs with rq_lock held\n [10.011622] enqueue_task\n [10.011626] ttwu_do_activate\n [10.011629] sched_ttwu_pending (1) grabs rq_lock\n...\n\nThe above was reproduced on bpf-next (b338cf849ec8) by modifying\n./tools/sched_ext/scx_flatcg.bpf.c to call bpf_timer_init() during\nops.runnable(), and hacking the memcg accounting code a bit to make\na bpf_timer_init() call more likely to raise an MEMCG_MAX event.\n\nWe have also run into other similar variants (both internally and on\nbpf-next), including double-acquiring cgroup_file_kn_lock, the same\nworker_pool::lock, etc.\n\nAs suggested by Shakeel, fix this by using __GFP_HIGH instead of\nGFP_ATOMIC in __bpf_async_init(), so that e.g. if try_charge_memcg()\nraises an MEMCG_MAX event, we call __memcg_memory_event() with\n@allow_spinning=false and avoid calling cgroup_file_notify() there.\n\nDepends on mm patch\n\"memcg: skip cgroup_file_notify if spinning is not allowed\":\nhttps://lore.kernel.org/bpf/20250905201606.66198-1-shakeel.butt@linux.dev/\n\nv0 approach s/bpf_map_kmalloc_node/bpf_mem_alloc/\nhttps://lore.kernel.org/bpf/20250905061919.439648-1-yepeilin@google.com/\nv1 approach:\nhttps://lore.kernel.org/bpf/20250905234547.862249-1-yepeilin@google.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:47.185Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/449682e76f32601f211816d3e2100bed87e67a4c"
},
{
"url": "https://git.kernel.org/stable/c/cd1fd26bb13473c1734e3026b2b97025a0a4087b"
},
{
"url": "https://git.kernel.org/stable/c/ac70cd446f83ccb25532b343919ab86eacdcd06a"
},
{
"url": "https://git.kernel.org/stable/c/6d78b4473cdb08b74662355a9e8510bde09c511e"
}
],
"title": "bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39886",
"datePublished": "2025-09-23T06:00:53.120Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-09-29T06:01:47.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39887 (GCVE-0-2025-39887)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/osnoise: Fix null-ptr-deref in bitmap_parselist()
A crash was observed with the following output:
BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary)
RIP: 0010:bitmap_parselist+0x53/0x3e0
Call Trace:
<TASK>
osnoise_cpus_write+0x7a/0x190
vfs_write+0xf8/0x410
? do_sys_openat2+0x88/0xd0
ksys_write+0x60/0xd0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
This issue can be reproduced by below code:
fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY);
write(fd, "0-2", 0);
When user pass 'count=0' to osnoise_cpus_write(), kmalloc() will return
ZERO_SIZE_PTR (16) and cpulist_parse() treat it as a normal value, which
trigger the null pointer dereference. Add check for the parameter 'count'.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e33228a2cc7ff706ca88533464e8a3b525b961ed",
"status": "affected",
"version": "17f89102fe23d7389085a8820550df688f79888a",
"versionType": "git"
},
{
"lessThan": "c1628c00c4351dd0727ef7f670694f68d9e663d8",
"status": "affected",
"version": "17f89102fe23d7389085a8820550df688f79888a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix null-ptr-deref in bitmap_parselist()\n\nA crash was observed with the following output:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary)\nRIP: 0010:bitmap_parselist+0x53/0x3e0\nCall Trace:\n \u003cTASK\u003e\n osnoise_cpus_write+0x7a/0x190\n vfs_write+0xf8/0x410\n ? do_sys_openat2+0x88/0xd0\n ksys_write+0x60/0xd0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nThis issue can be reproduced by below code:\n\nfd=open(\"/sys/kernel/debug/tracing/osnoise/cpus\", O_WRONLY);\nwrite(fd, \"0-2\", 0);\n\nWhen user pass \u0027count=0\u0027 to osnoise_cpus_write(), kmalloc() will return\nZERO_SIZE_PTR (16) and cpulist_parse() treat it as a normal value, which\ntrigger the null pointer dereference. Add check for the parameter \u0027count\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:48.722Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e33228a2cc7ff706ca88533464e8a3b525b961ed"
},
{
"url": "https://git.kernel.org/stable/c/c1628c00c4351dd0727ef7f670694f68d9e663d8"
}
],
"title": "tracing/osnoise: Fix null-ptr-deref in bitmap_parselist()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39887",
"datePublished": "2025-09-23T06:00:53.648Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-09-29T06:01:48.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49409 (GCVE-0-2022-49409)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bug_on in __es_tree_search
Hulk Robot reported a BUG_ON:
==================================================================
kernel BUG at fs/ext4/extents_status.c:199!
[...]
RIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]
RIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217
[...]
Call Trace:
ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766
ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561
ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964
ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384
ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567
ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980
ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031
ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257
v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63
v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82
vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368
dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490
ext4_quota_enable fs/ext4/super.c:6137 [inline]
ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163
ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754
mount_bdev+0x2e9/0x3b0 fs/super.c:1158
mount_fs+0x4b/0x1e4 fs/super.c:1261
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
ext4_enable_quotas
ext4_quota_enable
ext4_iget
__ext4_iget
ext4_ext_check_inode
ext4_ext_check
__ext4_ext_check
ext4_valid_extent_entries
Check for overlapping extents does't take effect
dquot_enable
vfs_load_quota_inode
v2_check_quota_file
v2_read_header
ext4_quota_read
ext4_bread
ext4_getblk
ext4_map_blocks
ext4_ext_map_blocks
ext4_find_extent
ext4_cache_extents
ext4_es_cache_extent
ext4_es_cache_extent
__es_tree_search
ext4_es_end
BUG_ON(es->es_lblk + es->es_len < es->es_lblk)
The error ext4 extents is as follows:
0af3 0300 0400 0000 00000000 extent_header
00000000 0100 0000 12000000 extent1
00000000 0100 0000 18000000 extent2
02000000 0400 0000 14000000 extent3
In the ext4_valid_extent_entries function,
if prev is 0, no error is returned even if lblock<=prev.
This was intended to skip the check on the first extent, but
in the error image above, prev=0+1-1=0 when checking the second extent,
so even though lblock<=prev, the function does not return an error.
As a result, bug_ON occurs in __es_tree_search and the system panics.
To solve this problem, we only need to check that:
1. The lblock of the first extent is not less than 0.
2. The lblock of the next extent is not less than
the next block of the previous extent.
The same applies to extent_idx.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 4645e4ee32aee01a85bdc03348982a65c65ce216 Version: a1192c0e5d037def6763f3873d3340615c241fe7 Version: ae21dda05193c441bde106a4bbf88c185a68fbed Version: ea214c946ee77588c4313be3e9951edd25d6b270 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "4fd58b5cf118d2d9038a0b8c9cc0e43096297686",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "3c617827cd51018bc377bd2954e176920ddbcfad",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "59cf2fabbfe76de29d88dd7ae69858a25735b59f",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "d36f6ed761b53933b0b4126486c10d3da7751e7f",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"status": "affected",
"version": "4645e4ee32aee01a85bdc03348982a65c65ce216",
"versionType": "git"
},
{
"status": "affected",
"version": "a1192c0e5d037def6763f3873d3340615c241fe7",
"versionType": "git"
},
{
"status": "affected",
"version": "ae21dda05193c441bde106a4bbf88c185a68fbed",
"versionType": "git"
},
{
"status": "affected",
"version": "ea214c946ee77588c4313be3e9951edd25d6b270",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.277",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.277",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search\n\nHulk Robot reported a BUG_ON:\n==================================================================\nkernel BUG at fs/ext4/extents_status.c:199!\n[...]\nRIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]\nRIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217\n[...]\nCall Trace:\n ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766\n ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561\n ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964\n ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384\n ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567\n ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980\n ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031\n ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257\n v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63\n v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82\n vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368\n dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490\n ext4_quota_enable fs/ext4/super.c:6137 [inline]\n ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163\n ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754\n mount_bdev+0x2e9/0x3b0 fs/super.c:1158\n mount_fs+0x4b/0x1e4 fs/super.c:1261\n[...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_enable_quotas\n ext4_quota_enable\n ext4_iget\n __ext4_iget\n ext4_ext_check_inode\n ext4_ext_check\n __ext4_ext_check\n ext4_valid_extent_entries\n Check for overlapping extents does\u0027t take effect\n dquot_enable\n vfs_load_quota_inode\n v2_check_quota_file\n v2_read_header\n ext4_quota_read\n ext4_bread\n ext4_getblk\n ext4_map_blocks\n ext4_ext_map_blocks\n ext4_find_extent\n ext4_cache_extents\n ext4_es_cache_extent\n ext4_es_cache_extent\n __es_tree_search\n ext4_es_end\n BUG_ON(es-\u003ees_lblk + es-\u003ees_len \u003c es-\u003ees_lblk)\n\nThe error ext4 extents is as follows:\n0af3 0300 0400 0000 00000000 extent_header\n00000000 0100 0000 12000000 extent1\n00000000 0100 0000 18000000 extent2\n02000000 0400 0000 14000000 extent3\n\nIn the ext4_valid_extent_entries function,\nif prev is 0, no error is returned even if lblock\u003c=prev.\nThis was intended to skip the check on the first extent, but\nin the error image above, prev=0+1-1=0 when checking the second extent,\nso even though lblock\u003c=prev, the function does not return an error.\nAs a result, bug_ON occurs in __es_tree_search and the system panics.\n\nTo solve this problem, we only need to check that:\n1. The lblock of the first extent is not less than 0.\n2. The lblock of the next extent is not less than\n the next block of the previous extent.\nThe same applies to extent_idx."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:39.209Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f"
},
{
"url": "https://git.kernel.org/stable/c/4fd58b5cf118d2d9038a0b8c9cc0e43096297686"
},
{
"url": "https://git.kernel.org/stable/c/3c617827cd51018bc377bd2954e176920ddbcfad"
},
{
"url": "https://git.kernel.org/stable/c/59cf2fabbfe76de29d88dd7ae69858a25735b59f"
},
{
"url": "https://git.kernel.org/stable/c/ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a"
},
{
"url": "https://git.kernel.org/stable/c/d36f6ed761b53933b0b4126486c10d3da7751e7f"
}
],
"title": "ext4: fix bug_on in __es_tree_search",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49409",
"datePublished": "2025-02-26T02:12:32.591Z",
"dateReserved": "2025-02-26T02:08:31.567Z",
"dateUpdated": "2025-05-04T12:44:39.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49397 (GCVE-0-2022-49397)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: qcom-qmp: fix struct clk leak on probe errors
Make sure to release the pipe clock reference in case of a late probe
error (e.g. probe deferral).
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b999d48b0869b8599de532ff6081575a7ab5358a",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "621a4bcfb7aa031e7760d7b156bad7a45df58387",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "1668ad103679306ba2ef37f758d704e58a3ef1a0",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "6f3673c8d8eff0c4ab5a5ee0d3ca9717d85419b4",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "b246695636a861a09f0e2cde92bb2dd8f114f024",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "f8d23895a41243c6a8dbf392e531fff9497bb023",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "ad9b0fad02f9b3a06ad5ac7df11f244e316a6254",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "f0a4bc38a12f5a0cc5ad68670d9480e91e6a94df",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp: fix struct clk leak on probe errors\n\nMake sure to release the pipe clock reference in case of a late probe\nerror (e.g. probe deferral)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:49.119Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b999d48b0869b8599de532ff6081575a7ab5358a"
},
{
"url": "https://git.kernel.org/stable/c/621a4bcfb7aa031e7760d7b156bad7a45df58387"
},
{
"url": "https://git.kernel.org/stable/c/1668ad103679306ba2ef37f758d704e58a3ef1a0"
},
{
"url": "https://git.kernel.org/stable/c/6f3673c8d8eff0c4ab5a5ee0d3ca9717d85419b4"
},
{
"url": "https://git.kernel.org/stable/c/b246695636a861a09f0e2cde92bb2dd8f114f024"
},
{
"url": "https://git.kernel.org/stable/c/f8d23895a41243c6a8dbf392e531fff9497bb023"
},
{
"url": "https://git.kernel.org/stable/c/ad9b0fad02f9b3a06ad5ac7df11f244e316a6254"
},
{
"url": "https://git.kernel.org/stable/c/f0a4bc38a12f5a0cc5ad68670d9480e91e6a94df"
}
],
"title": "phy: qcom-qmp: fix struct clk leak on probe errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49397",
"datePublished": "2025-02-26T02:11:26.612Z",
"dateReserved": "2025-02-26T02:08:31.563Z",
"dateUpdated": "2025-05-04T08:36:49.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49222 (GCVE-0-2022-49222)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/bridge: anx7625: Fix overflow issue on reading EDID
The length of EDID block can be longer than 256 bytes, so we should use
`int` instead of `u8` for the `edid_pos` variable.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64c06df2428bb7bb3d8cf5691416001af42d94dd",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "f0d5d938d51af4eb08d9d8684fd9903425a0a87d",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "db1c47d299298a7c52ccb201905d6be979fd7507",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "d5c6f647aec9ed524aedd04a3aec5ebc21d39007",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: anx7625: Fix overflow issue on reading EDID\n\nThe length of EDID block can be longer than 256 bytes, so we should use\n`int` instead of `u8` for the `edid_pos` variable."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:46.609Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64c06df2428bb7bb3d8cf5691416001af42d94dd"
},
{
"url": "https://git.kernel.org/stable/c/f0d5d938d51af4eb08d9d8684fd9903425a0a87d"
},
{
"url": "https://git.kernel.org/stable/c/db1c47d299298a7c52ccb201905d6be979fd7507"
},
{
"url": "https://git.kernel.org/stable/c/d5c6f647aec9ed524aedd04a3aec5ebc21d39007"
}
],
"title": "drm/bridge: anx7625: Fix overflow issue on reading EDID",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49222",
"datePublished": "2025-02-26T01:55:53.799Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-05-04T08:32:46.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49228 (GCVE-0-2022-49228)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a btf decl_tag bug when tagging a function
syzbot reported a btf decl_tag bug with stack trace below:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]
RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910
...
Call Trace:
<TASK>
btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198
btf_check_all_types kernel/bpf/btf.c:4239 [inline]
btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]
btf_parse kernel/bpf/btf.c:4513 [inline]
btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047
bpf_btf_load kernel/bpf/syscall.c:4039 [inline]
__sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679
__do_sys_bpf kernel/bpf/syscall.c:4738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4736 [inline]
__x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The kasan error is triggered with an illegal BTF like below:
type 0: void
type 1: int
type 2: decl_tag to func type 3
type 3: func to func_proto type 8
The total number of types is 4 and the type 3 is illegal
since its func_proto type is out of range.
Currently, the target type of decl_tag can be struct/union, var or func.
Both struct/union and var implemented their own 'resolve' callback functions
and hence handled properly in kernel.
But func type doesn't have 'resolve' callback function. When
btf_decl_tag_resolve() tries to check func type, it tries to get
vlen of its func_proto type, which triggered the above kasan error.
To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check()
before trying to accessing func_proto type.
In the current implementation, func type is checked with
btf_func_check() in the main checking function btf_check_all_types().
To fix the above kasan issue, let us implement 'resolve' callback
func type properly. The 'resolve' callback will be also called
in btf_check_all_types() for func types.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3bcd2110c087bc62e90fddd4a93237b049d6e68",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
},
{
"lessThan": "796d5666f6422ddadc938fb888044fcc16f2dbe3",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
},
{
"lessThan": "d7e7b42f4f956f2c68ad8cda87d750093dbba737",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a btf decl_tag bug when tagging a function\n\nsyzbot reported a btf decl_tag bug with stack trace below:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]\n RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910\n ...\n Call Trace:\n \u003cTASK\u003e\n btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198\n btf_check_all_types kernel/bpf/btf.c:4239 [inline]\n btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]\n btf_parse kernel/bpf/btf.c:4513 [inline]\n btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047\n bpf_btf_load kernel/bpf/syscall.c:4039 [inline]\n __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679\n __do_sys_bpf kernel/bpf/syscall.c:4738 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:4736 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe kasan error is triggered with an illegal BTF like below:\n type 0: void\n type 1: int\n type 2: decl_tag to func type 3\n type 3: func to func_proto type 8\nThe total number of types is 4 and the type 3 is illegal\nsince its func_proto type is out of range.\n\nCurrently, the target type of decl_tag can be struct/union, var or func.\nBoth struct/union and var implemented their own \u0027resolve\u0027 callback functions\nand hence handled properly in kernel.\nBut func type doesn\u0027t have \u0027resolve\u0027 callback function. When\nbtf_decl_tag_resolve() tries to check func type, it tries to get\nvlen of its func_proto type, which triggered the above kasan error.\n\nTo fix the issue, btf_decl_tag_resolve() needs to do btf_func_check()\nbefore trying to accessing func_proto type.\nIn the current implementation, func type is checked with\nbtf_func_check() in the main checking function btf_check_all_types().\nTo fix the above kasan issue, let us implement \u0027resolve\u0027 callback\nfunc type properly. The \u0027resolve\u0027 callback will be also called\nin btf_check_all_types() for func types."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:53.680Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3bcd2110c087bc62e90fddd4a93237b049d6e68"
},
{
"url": "https://git.kernel.org/stable/c/796d5666f6422ddadc938fb888044fcc16f2dbe3"
},
{
"url": "https://git.kernel.org/stable/c/d7e7b42f4f956f2c68ad8cda87d750093dbba737"
}
],
"title": "bpf: Fix a btf decl_tag bug when tagging a function",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49228",
"datePublished": "2025-02-26T01:55:56.682Z",
"dateReserved": "2025-02-26T01:49:39.293Z",
"dateUpdated": "2025-05-04T08:32:53.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49289 (GCVE-0-2022-49289)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
uaccess: fix integer overflow on access_ok()
Three architectures check the end of a user access against the
address limit without taking a possible overflow into account.
Passing a negative length or another overflow in here returns
success when it should not.
Use the most common correct implementation here, which optimizes
for a constant 'size' argument, and turns the common case into a
single comparison.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/csky/include/asm/uaccess.h",
"arch/hexagon/include/asm/uaccess.h",
"arch/microblaze/include/asm/uaccess.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e65d28d4e9bf90a35ba79c06661a572a38391dec",
"status": "affected",
"version": "7567746e1c0d66ac0ef8a9d8816ca694462c7370",
"versionType": "git"
},
{
"lessThan": "99801e2f457824955da4aadaa035913a6dede03a",
"status": "affected",
"version": "7567746e1c0d66ac0ef8a9d8816ca694462c7370",
"versionType": "git"
},
{
"lessThan": "a1ad747fc1a0e06d1bf26b996ee8a56b5c8d02d8",
"status": "affected",
"version": "7567746e1c0d66ac0ef8a9d8816ca694462c7370",
"versionType": "git"
},
{
"lessThan": "222ca305c9fd39e5ed8104da25c09b2b79a516a8",
"status": "affected",
"version": "7567746e1c0d66ac0ef8a9d8816ca694462c7370",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/csky/include/asm/uaccess.h",
"arch/hexagon/include/asm/uaccess.h",
"arch/microblaze/include/asm/uaccess.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuaccess: fix integer overflow on access_ok()\n\nThree architectures check the end of a user access against the\naddress limit without taking a possible overflow into account.\nPassing a negative length or another overflow in here returns\nsuccess when it should not.\n\nUse the most common correct implementation here, which optimizes\nfor a constant \u0027size\u0027 argument, and turns the common case into a\nsingle comparison."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:19.985Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e65d28d4e9bf90a35ba79c06661a572a38391dec"
},
{
"url": "https://git.kernel.org/stable/c/99801e2f457824955da4aadaa035913a6dede03a"
},
{
"url": "https://git.kernel.org/stable/c/a1ad747fc1a0e06d1bf26b996ee8a56b5c8d02d8"
},
{
"url": "https://git.kernel.org/stable/c/222ca305c9fd39e5ed8104da25c09b2b79a516a8"
}
],
"title": "uaccess: fix integer overflow on access_ok()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49289",
"datePublished": "2025-02-26T01:56:27.026Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-05-04T08:34:19.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49339 (GCVE-0-2022-49339)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: unexport __init-annotated seg6_hmac_init()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it has been broken for a decade.
Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.
There are two ways to fix it:
- Remove __init
- Remove EXPORT_SYMBOL
I chose the latter for this case because the caller (net/ipv6/seg6.c)
and the callee (net/ipv6/seg6_hmac.c) belong to the same module.
It seems an internal function call in ipv6.ko.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_hmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64aef8efe96c1616142c4476a05731306fc4494e",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "ab8b2c2de273ec1d698a18e399896a6febb5cda0",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "317260b3eb6384a05a8af212308fa50f3b2e8290",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "5d9c1b081ad28c852a97e10dd75412546497694a",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "1084716f76c8045eadf92a9d9a62641f3c8d8c90",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "3e6de5037148c5a93a436b1e8d2edad3dac11755",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "9ba4416b831eeb4d185e88e73488d1d21288e63a",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "5801f064e35181c71857a80ff18af4dbec3c5f5c",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_hmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: unexport __init-annotated seg6_hmac_init()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n - Remove __init\n - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the caller (net/ipv6/seg6.c)\nand the callee (net/ipv6/seg6_hmac.c) belong to the same module.\nIt seems an internal function call in ipv6.ko."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:37.695Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64aef8efe96c1616142c4476a05731306fc4494e"
},
{
"url": "https://git.kernel.org/stable/c/ab8b2c2de273ec1d698a18e399896a6febb5cda0"
},
{
"url": "https://git.kernel.org/stable/c/317260b3eb6384a05a8af212308fa50f3b2e8290"
},
{
"url": "https://git.kernel.org/stable/c/5d9c1b081ad28c852a97e10dd75412546497694a"
},
{
"url": "https://git.kernel.org/stable/c/1084716f76c8045eadf92a9d9a62641f3c8d8c90"
},
{
"url": "https://git.kernel.org/stable/c/3e6de5037148c5a93a436b1e8d2edad3dac11755"
},
{
"url": "https://git.kernel.org/stable/c/9ba4416b831eeb4d185e88e73488d1d21288e63a"
},
{
"url": "https://git.kernel.org/stable/c/5801f064e35181c71857a80ff18af4dbec3c5f5c"
}
],
"title": "net: ipv6: unexport __init-annotated seg6_hmac_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49339",
"datePublished": "2025-02-26T02:10:56.704Z",
"dateReserved": "2025-02-26T02:08:31.541Z",
"dateUpdated": "2025-05-04T08:35:37.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39870 (GCVE-0-2025-39870)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix double free in idxd_setup_wqs()
The clean up in idxd_setup_wqs() has had a couple bugs because the error
handling is a bit subtle. It's simpler to just re-write it in a cleaner
way. The issues here are:
1) If "idxd->max_wqs" is <= 0 then we call put_device(conf_dev) when
"conf_dev" hasn't been initialized.
2) If kzalloc_node() fails then again "conf_dev" is invalid. It's
either uninitialized or it points to the "conf_dev" from the
previous iteration so it leads to a double free.
It's better to free partial loop iterations within the loop and then
the unwinding at the end can handle whole loop iterations. I also
renamed the labels to describe what the goto does and not where the goto
was located.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: d584acdf54f409cb7eae1359ae6c12aaabedeed8 Version: 47846211998a9ffb0fcc08092eb95ac783d2b11a Version: 5fcd392dae6d6aba7dc64ffdbb838ff191315da3 Version: 3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4 Version: 3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4 Version: ed2c66000aa64c0d2621864831f0d04c820a1441 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25e6146c2812487a88f619d5ff6efbdcd5b2bc31",
"status": "affected",
"version": "d584acdf54f409cb7eae1359ae6c12aaabedeed8",
"versionType": "git"
},
{
"lessThan": "df82c7901513fd0fc738052a8e6a330d92cc8ec9",
"status": "affected",
"version": "47846211998a9ffb0fcc08092eb95ac783d2b11a",
"versionType": "git"
},
{
"lessThan": "ec5430d090d0b6ace8fefa290fc37e88930017d2",
"status": "affected",
"version": "5fcd392dae6d6aba7dc64ffdbb838ff191315da3",
"versionType": "git"
},
{
"lessThan": "9f0e225635475b2285b966271d5e82cba74295b1",
"status": "affected",
"version": "3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4",
"versionType": "git"
},
{
"lessThan": "39aaa337449e71a41d4813be0226a722827ba606",
"status": "affected",
"version": "3fd2f4bc010cdfbc07dd21018dc65bd9370eb7a4",
"versionType": "git"
},
{
"status": "affected",
"version": "ed2c66000aa64c0d2621864831f0d04c820a1441",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.1.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.6.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.12.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix double free in idxd_setup_wqs()\n\nThe clean up in idxd_setup_wqs() has had a couple bugs because the error\nhandling is a bit subtle. It\u0027s simpler to just re-write it in a cleaner\nway. The issues here are:\n\n1) If \"idxd-\u003emax_wqs\" is \u003c= 0 then we call put_device(conf_dev) when\n \"conf_dev\" hasn\u0027t been initialized.\n2) If kzalloc_node() fails then again \"conf_dev\" is invalid. It\u0027s\n either uninitialized or it points to the \"conf_dev\" from the\n previous iteration so it leads to a double free.\n\nIt\u0027s better to free partial loop iterations within the loop and then\nthe unwinding at the end can handle whole loop iterations. I also\nrenamed the labels to describe what the goto does and not where the goto\nwas located."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:26.463Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25e6146c2812487a88f619d5ff6efbdcd5b2bc31"
},
{
"url": "https://git.kernel.org/stable/c/df82c7901513fd0fc738052a8e6a330d92cc8ec9"
},
{
"url": "https://git.kernel.org/stable/c/ec5430d090d0b6ace8fefa290fc37e88930017d2"
},
{
"url": "https://git.kernel.org/stable/c/9f0e225635475b2285b966271d5e82cba74295b1"
},
{
"url": "https://git.kernel.org/stable/c/39aaa337449e71a41d4813be0226a722827ba606"
}
],
"title": "dmaengine: idxd: Fix double free in idxd_setup_wqs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39870",
"datePublished": "2025-09-23T06:00:44.369Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-09-29T06:01:26.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49263 (GCVE-0-2022-49263)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path
This avoids leaking memory if brcmf_chip_get_raminfo fails. Note that
the CLM blob is released in the device remove path.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0ab87f8dcdfe72dc1d763be3392c1fc51a1ace2",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "f3820ddaf4f3ac80c7401ccc6a42e663c9317f31",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "a88337a06966f2d733ad9a97714b874469133f14",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "4e0b507597e1a86e9b4c056ab274c427223cf8ea",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "0347bdfdb1529994ac3a4cb425087c477a74eb2c",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "5e90f0f3ead014867dade7a22f93958119f5efab",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path\n\nThis avoids leaking memory if brcmf_chip_get_raminfo fails. Note that\nthe CLM blob is released in the device remove path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:38.564Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0ab87f8dcdfe72dc1d763be3392c1fc51a1ace2"
},
{
"url": "https://git.kernel.org/stable/c/f3820ddaf4f3ac80c7401ccc6a42e663c9317f31"
},
{
"url": "https://git.kernel.org/stable/c/a88337a06966f2d733ad9a97714b874469133f14"
},
{
"url": "https://git.kernel.org/stable/c/4e0b507597e1a86e9b4c056ab274c427223cf8ea"
},
{
"url": "https://git.kernel.org/stable/c/0347bdfdb1529994ac3a4cb425087c477a74eb2c"
},
{
"url": "https://git.kernel.org/stable/c/5e90f0f3ead014867dade7a22f93958119f5efab"
}
],
"title": "brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49263",
"datePublished": "2025-02-26T01:56:14.061Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:38.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49330 (GCVE-0-2022-49330)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd
syzbot got a new report [1] finally pointing to a very old bug,
added in initial support for MTU probing.
tcp_mtu_probe() has checks about starting an MTU probe if
tcp_snd_cwnd(tp) >= 11.
But nothing prevents tcp_snd_cwnd(tp) to be reduced later
and before the MTU probe succeeds.
This bug would lead to potential zero-divides.
Debugging added in commit 40570375356c ("tcp: add accessors
to read/set tp->snd_cwnd") has paid off :)
While we are at it, address potential overflows in this code.
[1]
WARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
Modules linked in:
CPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]
RIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
Code: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 <0f> 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff
RSP: 0018:ffffc900079e70f8 EFLAGS: 00010287
RAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000
RDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f
RBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520
R10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50
R13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000
FS: 00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356
tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861
tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973
tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476
sk_backlog_rcv include/net/sock.h:1061 [inline]
__release_sock+0x1d8/0x4c0 net/core/sock.c:2849
release_sock+0x5d/0x1c0 net/core/sock.c:3404
sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145
tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410
tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
__sys_sendto+0x439/0x5c0 net/socket.c:2119
__do_sys_sendto net/socket.c:2131 [inline]
__se_sys_sendto net/socket.c:2127 [inline]
__x64_sys_sendto+0xda/0xf0 net/socket.c:2127
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6431289109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109
RDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29e13f6b38f0816af2012e0725507754e8f4569c",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "42726877453afdbe1508a8a96884ea907741d9a7",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "f2845e1504a3bc4f3381394f057e8b63cb5f3f7a",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "602b338e3c3cd7f935f3f5011882961d074e5ac1",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "9ba2b4ac35935f05ac98cff722f36ba07d62270e",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "90385f2b65d0cd2b3b1ac8909f0cc6dd31062cfc",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "aa7f333efd1138a68517a6a6a69ae540dd59d800",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "38ca71a24cd4845021eed35fd2594d89dba9a5a8",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "11825765291a93d8e7f44230da67b9f607c777bf",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_mtup_probe_success vs wrong snd_cwnd\n\nsyzbot got a new report [1] finally pointing to a very old bug,\nadded in initial support for MTU probing.\n\ntcp_mtu_probe() has checks about starting an MTU probe if\ntcp_snd_cwnd(tp) \u003e= 11.\n\nBut nothing prevents tcp_snd_cwnd(tp) to be reduced later\nand before the MTU probe succeeds.\n\nThis bug would lead to potential zero-divides.\n\nDebugging added in commit 40570375356c (\"tcp: add accessors\nto read/set tp-\u003esnd_cwnd\") has paid off :)\n\nWhile we are at it, address potential overflows in this code.\n\n[1]\nWARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nModules linked in:\nCPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]\nRIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nCode: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 \u003c0f\u003e 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff\nRSP: 0018:ffffc900079e70f8 EFLAGS: 00010287\nRAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000\nRDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f\nRBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520\nR10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50\nR13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000\nFS: 00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356\n tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861\n tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973\n tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476\n sk_backlog_rcv include/net/sock.h:1061 [inline]\n __release_sock+0x1d8/0x4c0 net/core/sock.c:2849\n release_sock+0x5d/0x1c0 net/core/sock.c:3404\n sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145\n tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410\n tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n __sys_sendto+0x439/0x5c0 net/socket.c:2119\n __do_sys_sendto net/socket.c:2131 [inline]\n __se_sys_sendto net/socket.c:2127 [inline]\n __x64_sys_sendto+0xda/0xf0 net/socket.c:2127\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f6431289109\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109\nRDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a\nRBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:20.659Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29e13f6b38f0816af2012e0725507754e8f4569c"
},
{
"url": "https://git.kernel.org/stable/c/42726877453afdbe1508a8a96884ea907741d9a7"
},
{
"url": "https://git.kernel.org/stable/c/f2845e1504a3bc4f3381394f057e8b63cb5f3f7a"
},
{
"url": "https://git.kernel.org/stable/c/602b338e3c3cd7f935f3f5011882961d074e5ac1"
},
{
"url": "https://git.kernel.org/stable/c/9ba2b4ac35935f05ac98cff722f36ba07d62270e"
},
{
"url": "https://git.kernel.org/stable/c/90385f2b65d0cd2b3b1ac8909f0cc6dd31062cfc"
},
{
"url": "https://git.kernel.org/stable/c/aa7f333efd1138a68517a6a6a69ae540dd59d800"
},
{
"url": "https://git.kernel.org/stable/c/38ca71a24cd4845021eed35fd2594d89dba9a5a8"
},
{
"url": "https://git.kernel.org/stable/c/11825765291a93d8e7f44230da67b9f607c777bf"
}
],
"title": "tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49330",
"datePublished": "2025-02-26T02:10:50.554Z",
"dateReserved": "2025-02-26T02:08:31.538Z",
"dateUpdated": "2025-05-04T08:35:20.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49347 (GCVE-0-2022-49347)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bug_on in ext4_writepages
we got issue as follows:
EXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls
------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2708!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155
RIP: 0010:ext4_writepages+0x1977/0x1c10
RSP: 0018:ffff88811d3e7880 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000
RDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002
RBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000
R10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001
R13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028
FS: 00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_writepages+0x130/0x3a0
filemap_fdatawrite_wbc+0x83/0xa0
filemap_flush+0xab/0xe0
ext4_alloc_da_blocks+0x51/0x120
__ext4_ioctl+0x1534/0x3210
__x64_sys_ioctl+0x12c/0x170
do_syscall_64+0x3b/0x90
It may happen as follows:
1. write inline_data inode
vfs_write
new_sync_write
ext4_file_write_iter
ext4_buffered_write_iter
generic_perform_write
ext4_da_write_begin
ext4_da_write_inline_data_begin -> If inline data size too
small will allocate block to write, then mapping will has
dirty page
ext4_da_convert_inline_data_to_extent ->clear EXT4_STATE_MAY_INLINE_DATA
2. fallocate
do_vfs_ioctl
ioctl_preallocate
vfs_fallocate
ext4_fallocate
ext4_convert_inline_data
ext4_convert_inline_data_nolock
ext4_map_blocks -> fail will goto restore data
ext4_restore_inline_data
ext4_create_inline_data
ext4_write_inline_data
ext4_set_inode_state -> set inode EXT4_STATE_MAY_INLINE_DATA
3. writepages
__ext4_ioctl
ext4_alloc_da_blocks
filemap_flush
filemap_fdatawrite_wbc
do_writepages
ext4_writepages
if (ext4_has_inline_data(inode))
BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
The root cause of this issue is we destory inline data until call
ext4_writepages under delay allocation mode. But there maybe already
convert from inline to extent. To solve this issue, we call
filemap_flush first..
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19918ec7717d87d5ab825884a46b26b21375d7ce",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b2b78f5bf2d453dda3903955efee059260787a42",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de1732b5c1693ad489c5d254f124f67cb775f37d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "73fd5b19285197078ee8a2e651d75d5b094a4de9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b061af037646c9cdb0afd8a8d2f1e1c06285866",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18a759f7f99f0b65a08ff5b7e745fc405a42bde4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cde35417edc0370fb0179a4e38b78a15350a8d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "013f12bdedb96816aaa27ee04349f4433d361f52",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef09ed5d37b84d18562b30cf7253e57062d0db05",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in ext4_writepages\n\nwe got issue as follows:\nEXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls\n------------[ cut here ]------------\nkernel BUG at fs/ext4/inode.c:2708!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155\nRIP: 0010:ext4_writepages+0x1977/0x1c10\nRSP: 0018:ffff88811d3e7880 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000\nRDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002\nRBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000\nR10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001\nR13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028\nFS: 00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n do_writepages+0x130/0x3a0\n filemap_fdatawrite_wbc+0x83/0xa0\n filemap_flush+0xab/0xe0\n ext4_alloc_da_blocks+0x51/0x120\n __ext4_ioctl+0x1534/0x3210\n __x64_sys_ioctl+0x12c/0x170\n do_syscall_64+0x3b/0x90\n\nIt may happen as follows:\n1. write inline_data inode\nvfs_write\n new_sync_write\n ext4_file_write_iter\n ext4_buffered_write_iter\n generic_perform_write\n ext4_da_write_begin\n ext4_da_write_inline_data_begin -\u003e If inline data size too\n small will allocate block to write, then mapping will has\n dirty page\n ext4_da_convert_inline_data_to_extent -\u003eclear EXT4_STATE_MAY_INLINE_DATA\n2. fallocate\ndo_vfs_ioctl\n ioctl_preallocate\n vfs_fallocate\n ext4_fallocate\n ext4_convert_inline_data\n ext4_convert_inline_data_nolock\n ext4_map_blocks -\u003e fail will goto restore data\n ext4_restore_inline_data\n ext4_create_inline_data\n ext4_write_inline_data\n ext4_set_inode_state -\u003e set inode EXT4_STATE_MAY_INLINE_DATA\n3. writepages\n__ext4_ioctl\n ext4_alloc_da_blocks\n filemap_flush\n filemap_fdatawrite_wbc\n do_writepages\n ext4_writepages\n if (ext4_has_inline_data(inode))\n BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))\n\nThe root cause of this issue is we destory inline data until call\next4_writepages under delay allocation mode. But there maybe already\nconvert from inline to extent. To solve this issue, we call\nfilemap_flush first.."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:47.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19918ec7717d87d5ab825884a46b26b21375d7ce"
},
{
"url": "https://git.kernel.org/stable/c/b2b78f5bf2d453dda3903955efee059260787a42"
},
{
"url": "https://git.kernel.org/stable/c/de1732b5c1693ad489c5d254f124f67cb775f37d"
},
{
"url": "https://git.kernel.org/stable/c/73fd5b19285197078ee8a2e651d75d5b094a4de9"
},
{
"url": "https://git.kernel.org/stable/c/1b061af037646c9cdb0afd8a8d2f1e1c06285866"
},
{
"url": "https://git.kernel.org/stable/c/18a759f7f99f0b65a08ff5b7e745fc405a42bde4"
},
{
"url": "https://git.kernel.org/stable/c/1cde35417edc0370fb0179a4e38b78a15350a8d0"
},
{
"url": "https://git.kernel.org/stable/c/013f12bdedb96816aaa27ee04349f4433d361f52"
},
{
"url": "https://git.kernel.org/stable/c/ef09ed5d37b84d18562b30cf7253e57062d0db05"
}
],
"title": "ext4: fix bug_on in ext4_writepages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49347",
"datePublished": "2025-02-26T02:11:01.983Z",
"dateReserved": "2025-02-26T02:08:31.543Z",
"dateUpdated": "2025-05-04T08:35:47.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49415 (GCVE-0-2022-49415)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipmi:ipmb: Fix refcount leak in ipmi_ipmb_probe
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_ipmb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f22068357acc268148bd55ce77f0a3e5c86701b4",
"status": "affected",
"version": "00d93611f00219bd142aa119c5121793cac30ff0",
"versionType": "git"
},
{
"lessThan": "a508e33956b538e034ed5df619a73ec7c15bda72",
"status": "affected",
"version": "00d93611f00219bd142aa119c5121793cac30ff0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_ipmb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:ipmb: Fix refcount leak in ipmi_ipmb_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:11.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f22068357acc268148bd55ce77f0a3e5c86701b4"
},
{
"url": "https://git.kernel.org/stable/c/a508e33956b538e034ed5df619a73ec7c15bda72"
}
],
"title": "ipmi:ipmb: Fix refcount leak in ipmi_ipmb_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49415",
"datePublished": "2025-02-26T02:12:35.593Z",
"dateReserved": "2025-02-26T02:08:31.568Z",
"dateUpdated": "2025-05-04T08:37:11.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39881 (GCVE-0-2025-39881)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
kernfs: Fix UAF in polling when open file is released
A use-after-free (UAF) vulnerability was identified in the PSI (Pressure
Stall Information) monitoring mechanism:
BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task systemd/1
psi_trigger_poll+0x3c/0x140
cgroup_pressure_poll+0x70/0xa0
cgroup_file_poll+0x8c/0x100
kernfs_fop_poll+0x11c/0x1c0
ep_item_poll.isra.0+0x188/0x2c0
Allocated by task 1:
cgroup_file_open+0x88/0x388
kernfs_fop_open+0x73c/0xaf0
do_dentry_open+0x5fc/0x1200
vfs_open+0xa0/0x3f0
do_open+0x7e8/0xd08
path_openat+0x2fc/0x6b0
do_filp_open+0x174/0x368
Freed by task 8462:
cgroup_file_release+0x130/0x1f8
kernfs_drain_open_files+0x17c/0x440
kernfs_drain+0x2dc/0x360
kernfs_show+0x1b8/0x288
cgroup_file_show+0x150/0x268
cgroup_pressure_write+0x1dc/0x340
cgroup_file_write+0x274/0x548
Reproduction Steps:
1. Open test/cpu.pressure and establish epoll monitoring
2. Disable monitoring: echo 0 > test/cgroup.pressure
3. Re-enable monitoring: echo 1 > test/cgroup.pressure
The race condition occurs because:
1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:
- Releases PSI triggers via cgroup_file_release()
- Frees of->priv through kernfs_drain_open_files()
2. While epoll still holds reference to the file and continues polling
3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv
epolling disable/enable cgroup.pressure
fd=open(cpu.pressure)
while(1)
...
epoll_wait
kernfs_fop_poll
kernfs_get_active = true echo 0 > cgroup.pressure
... cgroup_file_show
kernfs_show
// inactive kn
kernfs_drain_open_files
cft->release(of);
kfree(ctx);
...
kernfs_get_active = false
echo 1 > cgroup.pressure
kernfs_show
kernfs_activate_one(kn);
kernfs_fop_poll
kernfs_get_active = true
cgroup_file_poll
psi_trigger_poll
// UAF
...
end: close(fd)
To address this issue, introduce kernfs_get_active_of() for kernfs open
files to obtain active references. This function will fail if the open file
has been released. Replace kernfs_get_active() with kernfs_get_active_of()
to prevent further operations on released file descriptors.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 34f26a15611afb03c33df6819359d36f5b382589 Version: 34f26a15611afb03c33df6819359d36f5b382589 Version: 34f26a15611afb03c33df6819359d36f5b382589 Version: 34f26a15611afb03c33df6819359d36f5b382589 Version: 34f26a15611afb03c33df6819359d36f5b382589 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/kernfs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34d9cafd469c69ad85e6a36b4303c78382cf5c79",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "854baafc00c433cccbe0ab4231b77aeb9b637b77",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "7e64474aba78d240f7804f48f2d454dcca78b15f",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "ac5cda4fae8818cf1963317bb699f7f2f85b60af",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
},
{
"lessThan": "3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f",
"status": "affected",
"version": "34f26a15611afb03c33df6819359d36f5b382589",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/kernfs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Fix UAF in polling when open file is released\n\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\nStall Information) monitoring mechanism:\n\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\n\npsi_trigger_poll+0x3c/0x140\ncgroup_pressure_poll+0x70/0xa0\ncgroup_file_poll+0x8c/0x100\nkernfs_fop_poll+0x11c/0x1c0\nep_item_poll.isra.0+0x188/0x2c0\n\nAllocated by task 1:\ncgroup_file_open+0x88/0x388\nkernfs_fop_open+0x73c/0xaf0\ndo_dentry_open+0x5fc/0x1200\nvfs_open+0xa0/0x3f0\ndo_open+0x7e8/0xd08\npath_openat+0x2fc/0x6b0\ndo_filp_open+0x174/0x368\n\nFreed by task 8462:\ncgroup_file_release+0x130/0x1f8\nkernfs_drain_open_files+0x17c/0x440\nkernfs_drain+0x2dc/0x360\nkernfs_show+0x1b8/0x288\ncgroup_file_show+0x150/0x268\ncgroup_pressure_write+0x1dc/0x340\ncgroup_file_write+0x274/0x548\n\nReproduction Steps:\n1. Open test/cpu.pressure and establish epoll monitoring\n2. Disable monitoring: echo 0 \u003e test/cgroup.pressure\n3. Re-enable monitoring: echo 1 \u003e test/cgroup.pressure\n\nThe race condition occurs because:\n1. When cgroup.pressure is disabled (echo 0 \u003e cgroup.pressure), it:\n - Releases PSI triggers via cgroup_file_release()\n - Frees of-\u003epriv through kernfs_drain_open_files()\n2. While epoll still holds reference to the file and continues polling\n3. Re-enabling (echo 1 \u003e cgroup.pressure) accesses freed of-\u003epriv\n\nepolling\t\t\tdisable/enable cgroup.pressure\nfd=open(cpu.pressure)\nwhile(1)\n...\nepoll_wait\nkernfs_fop_poll\nkernfs_get_active = true\techo 0 \u003e cgroup.pressure\n...\t\t\t\tcgroup_file_show\n\t\t\t\tkernfs_show\n\t\t\t\t// inactive kn\n\t\t\t\tkernfs_drain_open_files\n\t\t\t\tcft-\u003erelease(of);\n\t\t\t\tkfree(ctx);\n\t\t\t\t...\nkernfs_get_active = false\n\t\t\t\techo 1 \u003e cgroup.pressure\n\t\t\t\tkernfs_show\n\t\t\t\tkernfs_activate_one(kn);\nkernfs_fop_poll\nkernfs_get_active = true\ncgroup_file_poll\npsi_trigger_poll\n// UAF\n...\nend: close(fd)\n\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\nfiles to obtain active references. This function will fail if the open file\nhas been released. Replace kernfs_get_active() with kernfs_get_active_of()\nto prevent further operations on released file descriptors."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:40.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34d9cafd469c69ad85e6a36b4303c78382cf5c79"
},
{
"url": "https://git.kernel.org/stable/c/854baafc00c433cccbe0ab4231b77aeb9b637b77"
},
{
"url": "https://git.kernel.org/stable/c/7e64474aba78d240f7804f48f2d454dcca78b15f"
},
{
"url": "https://git.kernel.org/stable/c/ac5cda4fae8818cf1963317bb699f7f2f85b60af"
},
{
"url": "https://git.kernel.org/stable/c/3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f"
}
],
"title": "kernfs: Fix UAF in polling when open file is released",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39881",
"datePublished": "2025-09-23T06:00:50.496Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-09-29T06:01:40.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49278 (GCVE-0-2022-49278)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: Fix count check in rproc_coredump_write()
Check count for 0, to avoid a potential underflow. Make the check the
same as the one in rproc_recovery_write().
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 3afdc59e4390487f04f2435b7e8a6289984e0a1e Version: 3afdc59e4390487f04f2435b7e8a6289984e0a1e Version: 3afdc59e4390487f04f2435b7e8a6289984e0a1e Version: 3afdc59e4390487f04f2435b7e8a6289984e0a1e Version: 3afdc59e4390487f04f2435b7e8a6289984e0a1e |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/remoteproc_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b97b305656a7013690e7b6e310f0e827e0bbff90",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
},
{
"lessThan": "34afac3c75fa08d6fabbab4c93f0a90618afaaa6",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
},
{
"lessThan": "a8c3e53517985d69040a1b36a269e85f99cf0cea",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
},
{
"lessThan": "11572dad9fbadbd9269a2550f7e236b5b8c2d80c",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
},
{
"lessThan": "f89672cc3681952f2d06314981a6b45f8b0045d1",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/remoteproc_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: Fix count check in rproc_coredump_write()\n\nCheck count for 0, to avoid a potential underflow. Make the check the\nsame as the one in rproc_recovery_write()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:02.129Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b97b305656a7013690e7b6e310f0e827e0bbff90"
},
{
"url": "https://git.kernel.org/stable/c/34afac3c75fa08d6fabbab4c93f0a90618afaaa6"
},
{
"url": "https://git.kernel.org/stable/c/a8c3e53517985d69040a1b36a269e85f99cf0cea"
},
{
"url": "https://git.kernel.org/stable/c/11572dad9fbadbd9269a2550f7e236b5b8c2d80c"
},
{
"url": "https://git.kernel.org/stable/c/f89672cc3681952f2d06314981a6b45f8b0045d1"
}
],
"title": "remoteproc: Fix count check in rproc_coredump_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49278",
"datePublished": "2025-02-26T01:56:21.546Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-05-04T08:34:02.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49396 (GCVE-0-2022-49396)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: qcom-qmp: fix reset-controller leak on probe errors
Make sure to release the lane reset controller in case of a late probe
error (e.g. probe deferral).
Note that due to the reset controller being defined in devicetree in
"lane" child nodes, devm_reset_control_get_exclusive() cannot be used
directly.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7b5fbcaac5355e2e695dc0c08a0fcf248250388",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "a39d9eccb333b8c07c43ebea1c6dfda122378a0f",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "7ac21b24af859c097eb4034e93430056068f8f31",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "2156dc390402043ba5982489c6625adcb0b0975c",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "ba173a6f8d8dffed64bb13ab23081bdddfb464f0",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "feb05b10b3ed3ae21b851520a0d0b71685439517",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "8c03eb0c8982677b4e17174073a011788891304d",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "4d2900f20edfe541f75756a00deeb2ffe7c66bc1",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp: fix reset-controller leak on probe errors\n\nMake sure to release the lane reset controller in case of a late probe\nerror (e.g. probe deferral).\n\nNote that due to the reset controller being defined in devicetree in\n\"lane\" child nodes, devm_reset_control_get_exclusive() cannot be used\ndirectly."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:47.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7b5fbcaac5355e2e695dc0c08a0fcf248250388"
},
{
"url": "https://git.kernel.org/stable/c/a39d9eccb333b8c07c43ebea1c6dfda122378a0f"
},
{
"url": "https://git.kernel.org/stable/c/7ac21b24af859c097eb4034e93430056068f8f31"
},
{
"url": "https://git.kernel.org/stable/c/2156dc390402043ba5982489c6625adcb0b0975c"
},
{
"url": "https://git.kernel.org/stable/c/ba173a6f8d8dffed64bb13ab23081bdddfb464f0"
},
{
"url": "https://git.kernel.org/stable/c/feb05b10b3ed3ae21b851520a0d0b71685439517"
},
{
"url": "https://git.kernel.org/stable/c/8c03eb0c8982677b4e17174073a011788891304d"
},
{
"url": "https://git.kernel.org/stable/c/4d2900f20edfe541f75756a00deeb2ffe7c66bc1"
}
],
"title": "phy: qcom-qmp: fix reset-controller leak on probe errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49396",
"datePublished": "2025-02-26T02:11:26.145Z",
"dateReserved": "2025-02-26T02:08:31.563Z",
"dateUpdated": "2025-05-04T08:36:47.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39879 (GCVE-0-2025-39879)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: always call ceph_shift_unused_folios_left()
The function ceph_process_folio_batch() sets folio_batch entries to
NULL, which is an illegal state. Before folio_batch_release() crashes
due to this API violation, the function ceph_shift_unused_folios_left()
is supposed to remove those NULLs from the array.
However, since commit ce80b76dd327 ("ceph: introduce
ceph_process_folio_batch() method"), this shifting doesn't happen
anymore because the "for" loop got moved to ceph_process_folio_batch(),
and now the `i` variable that remains in ceph_writepages_start()
doesn't get incremented anymore, making the shifting effectively
unreachable much of the time.
Later, commit 1551ec61dc55 ("ceph: introduce ceph_submit_write()
method") added more preconditions for doing the shift, replacing the
`i` check (with something that is still just as broken):
- if ceph_process_folio_batch() fails, shifting never happens
- if ceph_move_dirty_page_in_page_array() was never called (because
ceph_process_folio_batch() has returned early for some of various
reasons), shifting never happens
- if `processed_in_fbatch` is zero (because ceph_process_folio_batch()
has returned early for some of the reasons mentioned above or
because ceph_move_dirty_page_in_page_array() has failed), shifting
never happens
Since those two commits, any problem in ceph_process_folio_batch()
could crash the kernel, e.g. this way:
BUG: kernel NULL pointer dereference, address: 0000000000000034
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: Oops: 0002 [#1] SMP NOPTI
CPU: 172 UID: 0 PID: 2342707 Comm: kworker/u778:8 Not tainted 6.15.10-cm4all1-es #714 NONE
Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.10 12/08/2023
Workqueue: writeback wb_workfn (flush-ceph-1)
RIP: 0010:folios_put_refs+0x85/0x140
Code: 83 c5 01 39 e8 7e 76 48 63 c5 49 8b 5c c4 08 b8 01 00 00 00 4d 85 ed 74 05 41 8b 44 ad 00 48 8b 15 b0 >
RSP: 0018:ffffb880af8db778 EFLAGS: 00010207
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000003
RDX: ffffe377cc3b0000 RSI: 0000000000000000 RDI: ffffb880af8db8c0
RBP: 0000000000000000 R08: 000000000000007d R09: 000000000102b86f
R10: 0000000000000001 R11: 00000000000000ac R12: ffffb880af8db8c0
R13: 0000000000000000 R14: 0000000000000000 R15: ffff9bd262c97000
FS: 0000000000000000(0000) GS:ffff9c8efc303000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000034 CR3: 0000000160958004 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<TASK>
ceph_writepages_start+0xeb9/0x1410
The crash can be reproduced easily by changing the
ceph_check_page_before_write() return value to `-E2BIG`.
(Interestingly, the crash happens only if `huge_zero_folio` has
already been allocated; without `huge_zero_folio`,
is_huge_zero_folio(NULL) returns true and folios_put_refs() skips NULL
entries instead of dereferencing them. That makes reproducing the bug
somewhat unreliable. See
https://lore.kernel.org/20250826231626.218675-1-max.kellermann@ionos.com
for a discussion of this detail.)
My suggestion is to move the ceph_shift_unused_folios_left() to right
after ceph_process_folio_batch() to ensure it always gets called to
fix up the illegal folio_batch state.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "289b6615cf553d98509a9b273195d9936da1cfb2",
"status": "affected",
"version": "ce80b76dd32764cc914975777e058d4fae4f0ea0",
"versionType": "git"
},
{
"lessThan": "cce7c15faaac79b532a07ed6ab8332280ad83762",
"status": "affected",
"version": "ce80b76dd32764cc914975777e058d4fae4f0ea0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: always call ceph_shift_unused_folios_left()\n\nThe function ceph_process_folio_batch() sets folio_batch entries to\nNULL, which is an illegal state. Before folio_batch_release() crashes\ndue to this API violation, the function ceph_shift_unused_folios_left()\nis supposed to remove those NULLs from the array.\n\nHowever, since commit ce80b76dd327 (\"ceph: introduce\nceph_process_folio_batch() method\"), this shifting doesn\u0027t happen\nanymore because the \"for\" loop got moved to ceph_process_folio_batch(),\nand now the `i` variable that remains in ceph_writepages_start()\ndoesn\u0027t get incremented anymore, making the shifting effectively\nunreachable much of the time.\n\nLater, commit 1551ec61dc55 (\"ceph: introduce ceph_submit_write()\nmethod\") added more preconditions for doing the shift, replacing the\n`i` check (with something that is still just as broken):\n\n- if ceph_process_folio_batch() fails, shifting never happens\n\n- if ceph_move_dirty_page_in_page_array() was never called (because\n ceph_process_folio_batch() has returned early for some of various\n reasons), shifting never happens\n\n- if `processed_in_fbatch` is zero (because ceph_process_folio_batch()\n has returned early for some of the reasons mentioned above or\n because ceph_move_dirty_page_in_page_array() has failed), shifting\n never happens\n\nSince those two commits, any problem in ceph_process_folio_batch()\ncould crash the kernel, e.g. this way:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000034\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 172 UID: 0 PID: 2342707 Comm: kworker/u778:8 Not tainted 6.15.10-cm4all1-es #714 NONE\n Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.10 12/08/2023\n Workqueue: writeback wb_workfn (flush-ceph-1)\n RIP: 0010:folios_put_refs+0x85/0x140\n Code: 83 c5 01 39 e8 7e 76 48 63 c5 49 8b 5c c4 08 b8 01 00 00 00 4d 85 ed 74 05 41 8b 44 ad 00 48 8b 15 b0 \u003e\n RSP: 0018:ffffb880af8db778 EFLAGS: 00010207\n RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000003\n RDX: ffffe377cc3b0000 RSI: 0000000000000000 RDI: ffffb880af8db8c0\n RBP: 0000000000000000 R08: 000000000000007d R09: 000000000102b86f\n R10: 0000000000000001 R11: 00000000000000ac R12: ffffb880af8db8c0\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff9bd262c97000\n FS: 0000000000000000(0000) GS:ffff9c8efc303000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000034 CR3: 0000000160958004 CR4: 0000000000770ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n ceph_writepages_start+0xeb9/0x1410\n\nThe crash can be reproduced easily by changing the\nceph_check_page_before_write() return value to `-E2BIG`.\n\n(Interestingly, the crash happens only if `huge_zero_folio` has\nalready been allocated; without `huge_zero_folio`,\nis_huge_zero_folio(NULL) returns true and folios_put_refs() skips NULL\nentries instead of dereferencing them. That makes reproducing the bug\nsomewhat unreliable. See\nhttps://lore.kernel.org/20250826231626.218675-1-max.kellermann@ionos.com\nfor a discussion of this detail.)\n\nMy suggestion is to move the ceph_shift_unused_folios_left() to right\nafter ceph_process_folio_batch() to ensure it always gets called to\nfix up the illegal folio_batch state."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:38.349Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/289b6615cf553d98509a9b273195d9936da1cfb2"
},
{
"url": "https://git.kernel.org/stable/c/cce7c15faaac79b532a07ed6ab8332280ad83762"
}
],
"title": "ceph: always call ceph_shift_unused_folios_left()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39879",
"datePublished": "2025-09-23T06:00:49.377Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-09-29T06:01:38.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49286 (GCVE-0-2022-49286)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: use try_get_ops() in tpm-space.c
As part of the series conversion to remove nested TPM operations:
https://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/
exposure of the chip->tpm_mutex was removed from much of the upper
level code. In this conversion, tpm2_del_space() was missed. This
didn't matter much because it's usually called closely after a
converted operation, so there's only a very tiny race window where the
chip can be removed before the space flushing is done which causes a
NULL deref on the mutex. However, there are reports of this window
being hit in practice, so fix this by converting tpm2_del_space() to
use tpm_try_get_ops(), which performs all the teardown checks before
acquring the mutex.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm2-space.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b1d2561a03e534064b51c50c774657833d3d2cf",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "95193d12f10a8a088843b25e0f5fe1d83ec6b079",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "476ddd23f818fb94cf86fb5617f3bb9a7c92113d",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "eda1662cce964c8a65bb86321f8d9cfa6e9ceaab",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "ba84f9a48366dcc3cdef978599433efe101dd5bd",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm2-space.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.188",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.109",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: use try_get_ops() in tpm-space.c\n\nAs part of the series conversion to remove nested TPM operations:\n\nhttps://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/\n\nexposure of the chip-\u003etpm_mutex was removed from much of the upper\nlevel code. In this conversion, tpm2_del_space() was missed. This\ndidn\u0027t matter much because it\u0027s usually called closely after a\nconverted operation, so there\u0027s only a very tiny race window where the\nchip can be removed before the space flushing is done which causes a\nNULL deref on the mutex. However, there are reports of this window\nbeing hit in practice, so fix this by converting tpm2_del_space() to\nuse tpm_try_get_ops(), which performs all the teardown checks before\nacquring the mutex."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:16.652Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b1d2561a03e534064b51c50c774657833d3d2cf"
},
{
"url": "https://git.kernel.org/stable/c/95193d12f10a8a088843b25e0f5fe1d83ec6b079"
},
{
"url": "https://git.kernel.org/stable/c/476ddd23f818fb94cf86fb5617f3bb9a7c92113d"
},
{
"url": "https://git.kernel.org/stable/c/eda1662cce964c8a65bb86321f8d9cfa6e9ceaab"
},
{
"url": "https://git.kernel.org/stable/c/ba84f9a48366dcc3cdef978599433efe101dd5bd"
},
{
"url": "https://git.kernel.org/stable/c/fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9"
}
],
"title": "tpm: use try_get_ops() in tpm-space.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49286",
"datePublished": "2025-02-26T01:56:25.566Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-05-04T08:34:16.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39888 (GCVE-0-2025-39888)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: Block access to folio overlimit
syz reported a slab-out-of-bounds Write in fuse_dev_do_write.
When the number of bytes to be retrieved is truncated to the upper limit
by fc->max_pages and there is an offset, the oob is triggered.
Add a loop termination condition to prevent overruns.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "623719227b114d73a2cee45f1b343ced63ce09ec",
"status": "affected",
"version": "3568a956932621cafadafc8b75fcf6dc06555105",
"versionType": "git"
},
{
"lessThan": "9d81ba6d49a7457784f0b6a71046818b86ec7e44",
"status": "affected",
"version": "3568a956932621cafadafc8b75fcf6dc06555105",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: Block access to folio overlimit\n\nsyz reported a slab-out-of-bounds Write in fuse_dev_do_write.\n\nWhen the number of bytes to be retrieved is truncated to the upper limit\nby fc-\u003emax_pages and there is an offset, the oob is triggered.\n\nAdd a loop termination condition to prevent overruns."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:50.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/623719227b114d73a2cee45f1b343ced63ce09ec"
},
{
"url": "https://git.kernel.org/stable/c/9d81ba6d49a7457784f0b6a71046818b86ec7e44"
}
],
"title": "fuse: Block access to folio overlimit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39888",
"datePublished": "2025-09-23T06:00:54.156Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-09-29T06:01:50.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39876 (GCVE-0-2025-39876)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-10-02 13:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
The function of_phy_find_device may return NULL, so we need to take
care before dereferencing phy_dev.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 9e70485b40c8306298adea8bdc867ca27f88955a Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: c068e505f229ca5f778f825f1401817ce818e917 Version: 8a6ab151443cd71e2aa5e8b7014e3453dbd51935 Version: ce88b5f42868ef4964c497d4dfcd25e88fd60c5b |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c60d12bba14dc655d2d948b1dbf390b3ae39cb8",
"status": "affected",
"version": "9e70485b40c8306298adea8bdc867ca27f88955a",
"versionType": "git"
},
{
"lessThan": "20a3433d31c2d2bf70ab0abec75f3136b42ae66c",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "5f1bb554a131e59b28482abad21f691390651752",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "fe78891f296ac05bf4e5295c9829ef822f3c32e7",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "eb148d85e126c47d65be34f2a465d69432ca5541",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "03e79de4608bdd48ad6eec272e196124cefaf798",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"status": "affected",
"version": "c068e505f229ca5f778f825f1401817ce818e917",
"versionType": "git"
},
{
"status": "affected",
"version": "8a6ab151443cd71e2aa5e8b7014e3453dbd51935",
"versionType": "git"
},
{
"status": "affected",
"version": "ce88b5f42868ef4964c497d4dfcd25e88fd60c5b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()\n\nThe function of_phy_find_device may return NULL, so we need to take\ncare before dereferencing phy_dev."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:16.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c60d12bba14dc655d2d948b1dbf390b3ae39cb8"
},
{
"url": "https://git.kernel.org/stable/c/20a3433d31c2d2bf70ab0abec75f3136b42ae66c"
},
{
"url": "https://git.kernel.org/stable/c/93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f"
},
{
"url": "https://git.kernel.org/stable/c/5f1bb554a131e59b28482abad21f691390651752"
},
{
"url": "https://git.kernel.org/stable/c/fe78891f296ac05bf4e5295c9829ef822f3c32e7"
},
{
"url": "https://git.kernel.org/stable/c/4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5"
},
{
"url": "https://git.kernel.org/stable/c/eb148d85e126c47d65be34f2a465d69432ca5541"
},
{
"url": "https://git.kernel.org/stable/c/03e79de4608bdd48ad6eec272e196124cefaf798"
}
],
"title": "net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39876",
"datePublished": "2025-09-23T06:00:47.731Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-10-02T13:26:16.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49202 (GCVE-0-2022-49202)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: add missing NULL check in h5_enqueue
Syzbot hit general protection fault in __pm_runtime_resume(). The problem
was in missing NULL check.
hu->serdev can be NULL and we should not blindly pass &serdev->dev
somewhere, since it will cause GPF.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_h5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7235485433d290367d60ae22fcdfc565e61d42ab",
"status": "affected",
"version": "d9dd833cf6d29695682ec7e7924c0d0992b906bc",
"versionType": "git"
},
{
"lessThan": "e6b6c904c0f88588b6a3ace20e4c0d61eab124f8",
"status": "affected",
"version": "d9dd833cf6d29695682ec7e7924c0d0992b906bc",
"versionType": "git"
},
{
"lessThan": "8a3896c30f542439d36303183dc96f65df8cc528",
"status": "affected",
"version": "d9dd833cf6d29695682ec7e7924c0d0992b906bc",
"versionType": "git"
},
{
"lessThan": "32cb08e958696908a9aad5e49a78d74f7e32fffb",
"status": "affected",
"version": "d9dd833cf6d29695682ec7e7924c0d0992b906bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_h5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: add missing NULL check in h5_enqueue\n\nSyzbot hit general protection fault in __pm_runtime_resume(). The problem\nwas in missing NULL check.\n\nhu-\u003eserdev can be NULL and we should not blindly pass \u0026serdev-\u003edev\nsomewhere, since it will cause GPF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:15.567Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7235485433d290367d60ae22fcdfc565e61d42ab"
},
{
"url": "https://git.kernel.org/stable/c/e6b6c904c0f88588b6a3ace20e4c0d61eab124f8"
},
{
"url": "https://git.kernel.org/stable/c/8a3896c30f542439d36303183dc96f65df8cc528"
},
{
"url": "https://git.kernel.org/stable/c/32cb08e958696908a9aad5e49a78d74f7e32fffb"
}
],
"title": "Bluetooth: hci_uart: add missing NULL check in h5_enqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49202",
"datePublished": "2025-02-26T01:55:43.738Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-05-04T08:32:15.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49292 (GCVE-0-2022-49292)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: oss: Fix PCM OSS buffer allocation overflow
We've got syzbot reports hitting INT_MAX overflow at vmalloc()
allocation that is called from snd_pcm_plug_alloc(). Although we
apply the restrictions to input parameters, it's based only on the
hw_params of the underlying PCM device. Since the PCM OSS layer
allocates a temporary buffer for the data conversion, the size may
become unexpectedly large when more channels or higher rates is given;
in the reported case, it went over INT_MAX, hence it hits WARN_ON().
This patch is an attempt to avoid such an overflow and an allocation
for too large buffers. First off, it adds the limit of 1MB as the
upper bound for period bytes. This must be large enough for all use
cases, and we really don't want to handle a larger temporary buffer
than this size. The size check is performed at two places, where the
original period bytes is calculated and where the plugin buffer size
is calculated.
In addition, the driver uses array_size() and array3_size() for
multiplications to catch overflows for the converted period size and
buffer bytes.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/oss/pcm_oss.c",
"sound/core/oss/pcm_plugin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a63af1baf0a5e11827db60e3127f87e437cab6e5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c4190b41a69990666b4000999e27f8f1b2a426b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5ce74ff7059341d8b2f4d01c3383491df63d1898",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a40cbf3579a8e14849ba7ce46309c1992658d2b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fb08bf99195a87c798bc8ae1357337a981faeade",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e74a069c6a7bb505f3ade141dddf85f4b0b5145a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efb6402c3c4a7c26d97c92d70186424097b6e366",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/oss/pcm_oss.c",
"sound/core/oss/pcm_plugin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.109",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: oss: Fix PCM OSS buffer allocation overflow\n\nWe\u0027ve got syzbot reports hitting INT_MAX overflow at vmalloc()\nallocation that is called from snd_pcm_plug_alloc(). Although we\napply the restrictions to input parameters, it\u0027s based only on the\nhw_params of the underlying PCM device. Since the PCM OSS layer\nallocates a temporary buffer for the data conversion, the size may\nbecome unexpectedly large when more channels or higher rates is given;\nin the reported case, it went over INT_MAX, hence it hits WARN_ON().\n\nThis patch is an attempt to avoid such an overflow and an allocation\nfor too large buffers. First off, it adds the limit of 1MB as the\nupper bound for period bytes. This must be large enough for all use\ncases, and we really don\u0027t want to handle a larger temporary buffer\nthan this size. The size check is performed at two places, where the\noriginal period bytes is calculated and where the plugin buffer size\nis calculated.\n\nIn addition, the driver uses array_size() and array3_size() for\nmultiplications to catch overflows for the converted period size and\nbuffer bytes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:23.499Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a63af1baf0a5e11827db60e3127f87e437cab6e5"
},
{
"url": "https://git.kernel.org/stable/c/0c4190b41a69990666b4000999e27f8f1b2a426b"
},
{
"url": "https://git.kernel.org/stable/c/5ce74ff7059341d8b2f4d01c3383491df63d1898"
},
{
"url": "https://git.kernel.org/stable/c/7a40cbf3579a8e14849ba7ce46309c1992658d2b"
},
{
"url": "https://git.kernel.org/stable/c/fb08bf99195a87c798bc8ae1357337a981faeade"
},
{
"url": "https://git.kernel.org/stable/c/e74a069c6a7bb505f3ade141dddf85f4b0b5145a"
},
{
"url": "https://git.kernel.org/stable/c/efb6402c3c4a7c26d97c92d70186424097b6e366"
}
],
"title": "ALSA: oss: Fix PCM OSS buffer allocation overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49292",
"datePublished": "2025-02-26T01:56:28.552Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-05-04T08:34:23.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49325 (GCVE-0-2022-49325)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: add accessors to read/set tp->snd_cwnd
We had various bugs over the years with code
breaking the assumption that tp->snd_cwnd is greater
than zero.
Lately, syzbot reported the WARN_ON_ONCE(!tp->prior_cwnd) added
in commit 8b8a321ff72c ("tcp: fix zero cwnd in tcp_cwnd_reduction")
can trigger, and without a repro we would have to spend
considerable time finding the bug.
Instead of complaining too late, we want to catch where
and when tp->snd_cwnd is set to an illegal value.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tcp.h",
"include/trace/events/tcp.h",
"net/core/filter.c",
"net/ipv4/tcp.c",
"net/ipv4/tcp_bbr.c",
"net/ipv4/tcp_bic.c",
"net/ipv4/tcp_cdg.c",
"net/ipv4/tcp_cong.c",
"net/ipv4/tcp_cubic.c",
"net/ipv4/tcp_dctcp.c",
"net/ipv4/tcp_highspeed.c",
"net/ipv4/tcp_htcp.c",
"net/ipv4/tcp_hybla.c",
"net/ipv4/tcp_illinois.c",
"net/ipv4/tcp_input.c",
"net/ipv4/tcp_ipv4.c",
"net/ipv4/tcp_lp.c",
"net/ipv4/tcp_metrics.c",
"net/ipv4/tcp_nv.c",
"net/ipv4/tcp_output.c",
"net/ipv4/tcp_rate.c",
"net/ipv4/tcp_scalable.c",
"net/ipv4/tcp_vegas.c",
"net/ipv4/tcp_veno.c",
"net/ipv4/tcp_westwood.c",
"net/ipv4/tcp_yeah.c",
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3308676ec525901bf1656014003c443a60730a04",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5aba0ad44fb4a7fb78c5076c313456de199a3c29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41e191fe72282e193a7744e2fc1786b23156c9e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40570375356c874b1578e05c1dcc3ff7c1322dbe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tcp.h",
"include/trace/events/tcp.h",
"net/core/filter.c",
"net/ipv4/tcp.c",
"net/ipv4/tcp_bbr.c",
"net/ipv4/tcp_bic.c",
"net/ipv4/tcp_cdg.c",
"net/ipv4/tcp_cong.c",
"net/ipv4/tcp_cubic.c",
"net/ipv4/tcp_dctcp.c",
"net/ipv4/tcp_highspeed.c",
"net/ipv4/tcp_htcp.c",
"net/ipv4/tcp_hybla.c",
"net/ipv4/tcp_illinois.c",
"net/ipv4/tcp_input.c",
"net/ipv4/tcp_ipv4.c",
"net/ipv4/tcp_lp.c",
"net/ipv4/tcp_metrics.c",
"net/ipv4/tcp_nv.c",
"net/ipv4/tcp_output.c",
"net/ipv4/tcp_rate.c",
"net/ipv4/tcp_scalable.c",
"net/ipv4/tcp_vegas.c",
"net/ipv4/tcp_veno.c",
"net/ipv4/tcp_westwood.c",
"net/ipv4/tcp_yeah.c",
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: add accessors to read/set tp-\u003esnd_cwnd\n\nWe had various bugs over the years with code\nbreaking the assumption that tp-\u003esnd_cwnd is greater\nthan zero.\n\nLately, syzbot reported the WARN_ON_ONCE(!tp-\u003eprior_cwnd) added\nin commit 8b8a321ff72c (\"tcp: fix zero cwnd in tcp_cwnd_reduction\")\ncan trigger, and without a repro we would have to spend\nconsiderable time finding the bug.\n\nInstead of complaining too late, we want to catch where\nand when tp-\u003esnd_cwnd is set to an illegal value."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:14.345Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3308676ec525901bf1656014003c443a60730a04"
},
{
"url": "https://git.kernel.org/stable/c/5aba0ad44fb4a7fb78c5076c313456de199a3c29"
},
{
"url": "https://git.kernel.org/stable/c/41e191fe72282e193a7744e2fc1786b23156c9e4"
},
{
"url": "https://git.kernel.org/stable/c/40570375356c874b1578e05c1dcc3ff7c1322dbe"
}
],
"title": "tcp: add accessors to read/set tp-\u003esnd_cwnd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49325",
"datePublished": "2025-02-26T02:10:48.158Z",
"dateReserved": "2025-02-26T02:08:31.538Z",
"dateUpdated": "2025-05-04T08:35:14.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39877 (GCVE-0-2025-39877)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: fix use-after-free in state_show()
state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock.
This allows a use-after-free race:
CPU 0 CPU 1
----- -----
state_show() damon_sysfs_turn_damon_on()
ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock);
damon_destroy_ctx(kdamond->damon_ctx);
kdamond->damon_ctx = NULL;
mutex_unlock(&damon_sysfs_lock);
damon_is_running(ctx); /* ctx is freed */
mutex_lock(&ctx->kdamond_lock); /* UAF */
(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and
damon_sysfs_kdamond_release(), which free or replace the context under
damon_sysfs_lock.)
Fix by taking damon_sysfs_lock before dereferencing the context, mirroring
the locking used in pid_show().
The bug has existed since state_show() first accessed kdamond->damon_ctx.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: a61ea561c87139992fe32afdee48a6f6b85d824a Version: a61ea561c87139992fe32afdee48a6f6b85d824a Version: a61ea561c87139992fe32afdee48a6f6b85d824a Version: a61ea561c87139992fe32afdee48a6f6b85d824a Version: a61ea561c87139992fe32afdee48a6f6b85d824a |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3858c44341ad49dc7544b19cc9f9ecffaa7cc50e",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
},
{
"lessThan": "60d7a3d2b985a395318faa1d88da6915fad11c19",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
},
{
"lessThan": "26d29b2ac87a2989071755f9828ebf839b560d4c",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
},
{
"lessThan": "4e87f461d61959647464a94d11ae15c011be58ce",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
},
{
"lessThan": "3260a3f0828e06f5f13fac69fb1999a6d60d9cff",
"status": "affected",
"version": "a61ea561c87139992fe32afdee48a6f6b85d824a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: fix use-after-free in state_show()\n\nstate_show() reads kdamond-\u003edamon_ctx without holding damon_sysfs_lock. \nThis allows a use-after-free race:\n\nCPU 0 CPU 1\n----- -----\nstate_show() damon_sysfs_turn_damon_on()\nctx = kdamond-\u003edamon_ctx; mutex_lock(\u0026damon_sysfs_lock);\n damon_destroy_ctx(kdamond-\u003edamon_ctx);\n kdamond-\u003edamon_ctx = NULL;\n mutex_unlock(\u0026damon_sysfs_lock);\ndamon_is_running(ctx); /* ctx is freed */\nmutex_lock(\u0026ctx-\u003ekdamond_lock); /* UAF */\n\n(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and\ndamon_sysfs_kdamond_release(), which free or replace the context under\ndamon_sysfs_lock.)\n\nFix by taking damon_sysfs_lock before dereferencing the context, mirroring\nthe locking used in pid_show().\n\nThe bug has existed since state_show() first accessed kdamond-\u003edamon_ctx."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:35.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3858c44341ad49dc7544b19cc9f9ecffaa7cc50e"
},
{
"url": "https://git.kernel.org/stable/c/60d7a3d2b985a395318faa1d88da6915fad11c19"
},
{
"url": "https://git.kernel.org/stable/c/26d29b2ac87a2989071755f9828ebf839b560d4c"
},
{
"url": "https://git.kernel.org/stable/c/4e87f461d61959647464a94d11ae15c011be58ce"
},
{
"url": "https://git.kernel.org/stable/c/3260a3f0828e06f5f13fac69fb1999a6d60d9cff"
}
],
"title": "mm/damon/sysfs: fix use-after-free in state_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39877",
"datePublished": "2025-09-23T06:00:48.317Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-09-29T06:01:35.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49274 (GCVE-0-2022-49274)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix crash when mount with quota enabled
There is a reported crash when mounting ocfs2 with quota enabled.
RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2]
Call Trace:
ocfs2_local_read_info+0xb9/0x6f0 [ocfs2]
dquot_load_quota_sb+0x216/0x470
dquot_load_quota_inode+0x85/0x100
ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2]
ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2]
mount_bdev+0x185/0x1b0
legacy_get_tree+0x27/0x40
vfs_get_tree+0x25/0xb0
path_mount+0x465/0xac0
__x64_sys_mount+0x103/0x140
It is caused by when initializing dqi_gqlock, the corresponding dqi_type
and dqi_sb are not properly initialized.
This issue is introduced by commit 6c85c2c72819, which wants to avoid
accessing uninitialized variables in error cases. So make global quota
info properly initialized.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/quota_global.c",
"fs/ocfs2/quota_local.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c5312fdb1dcfdc1951b018669af88d5d6420b31",
"status": "affected",
"version": "6c85c2c728193d19d6a908ae9fb312d0325e65ca",
"versionType": "git"
},
{
"lessThan": "01931e1c4e3de5d777253acae64c0e8fd071a1dd",
"status": "affected",
"version": "6c85c2c728193d19d6a908ae9fb312d0325e65ca",
"versionType": "git"
},
{
"lessThan": "eda31f77317647b9fbf889779ee1fb6907651865",
"status": "affected",
"version": "6c85c2c728193d19d6a908ae9fb312d0325e65ca",
"versionType": "git"
},
{
"lessThan": "de19433423c7bedabbd4f9a25f7dbc62c5e78921",
"status": "affected",
"version": "6c85c2c728193d19d6a908ae9fb312d0325e65ca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/quota_global.c",
"fs/ocfs2/quota_local.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix crash when mount with quota enabled\n\nThere is a reported crash when mounting ocfs2 with quota enabled.\n\n RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2]\n Call Trace:\n ocfs2_local_read_info+0xb9/0x6f0 [ocfs2]\n dquot_load_quota_sb+0x216/0x470\n dquot_load_quota_inode+0x85/0x100\n ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2]\n ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2]\n mount_bdev+0x185/0x1b0\n legacy_get_tree+0x27/0x40\n vfs_get_tree+0x25/0xb0\n path_mount+0x465/0xac0\n __x64_sys_mount+0x103/0x140\n\nIt is caused by when initializing dqi_gqlock, the corresponding dqi_type\nand dqi_sb are not properly initialized.\n\nThis issue is introduced by commit 6c85c2c72819, which wants to avoid\naccessing uninitialized variables in error cases. So make global quota\ninfo properly initialized."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:57.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c5312fdb1dcfdc1951b018669af88d5d6420b31"
},
{
"url": "https://git.kernel.org/stable/c/01931e1c4e3de5d777253acae64c0e8fd071a1dd"
},
{
"url": "https://git.kernel.org/stable/c/eda31f77317647b9fbf889779ee1fb6907651865"
},
{
"url": "https://git.kernel.org/stable/c/de19433423c7bedabbd4f9a25f7dbc62c5e78921"
}
],
"title": "ocfs2: fix crash when mount with quota enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49274",
"datePublished": "2025-02-26T01:56:19.586Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:57.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49256 (GCVE-0-2022-49256)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Actually free the watch
free_watch() does everything barring actually freeing the watch object. Fix
this by adding the missing kfree.
kmemleak produces a report something like the following. Note that as an
address can be seen in the first word, the watch would appear to have gone
through call_rcu().
BUG: memory leak
unreferenced object 0xffff88810ce4a200 (size 96):
comm "syz-executor352", pid 3605, jiffies 4294947473 (age 13.720s)
hex dump (first 32 bytes):
e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00 ..H.............
80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8214e6cc>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff8214e6cc>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff8214e6cc>] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800
[<ffffffff8214ec84>] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016
[<ffffffff84493a25>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84493a25>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: c73be61cede5882f9605a852414db559c0ebedfd Version: c73be61cede5882f9605a852414db559c0ebedfd Version: c73be61cede5882f9605a852414db559c0ebedfd Version: c73be61cede5882f9605a852414db559c0ebedfd Version: c73be61cede5882f9605a852414db559c0ebedfd |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d92be1a09fbb3dd65600dbfe7eedb40e7228e4b",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "f69aecb49968e14196366bbe896eab0a904229f5",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "7e8c9b0df07a77f0d072603b8ced2677e30e1893",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "31824613a42aacdcbeb325bf07a1c8247a11ebe2",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "3d8dcf278b1ee1eff1e90be848fa2237db4c07a7",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Actually free the watch\n\nfree_watch() does everything barring actually freeing the watch object. Fix\nthis by adding the missing kfree.\n\nkmemleak produces a report something like the following. Note that as an\naddress can be seen in the first word, the watch would appear to have gone\nthrough call_rcu().\n\nBUG: memory leak\nunreferenced object 0xffff88810ce4a200 (size 96):\n comm \"syz-executor352\", pid 3605, jiffies 4294947473 (age 13.720s)\n hex dump (first 32 bytes):\n e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00 ..H.............\n 80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff8214e6cc\u003e] kmalloc include/linux/slab.h:581 [inline]\n [\u003cffffffff8214e6cc\u003e] kzalloc include/linux/slab.h:714 [inline]\n [\u003cffffffff8214e6cc\u003e] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800\n [\u003cffffffff8214ec84\u003e] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016\n [\u003cffffffff84493a25\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [\u003cffffffff84493a25\u003e] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [\u003cffffffff84600068\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:29.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d92be1a09fbb3dd65600dbfe7eedb40e7228e4b"
},
{
"url": "https://git.kernel.org/stable/c/f69aecb49968e14196366bbe896eab0a904229f5"
},
{
"url": "https://git.kernel.org/stable/c/7e8c9b0df07a77f0d072603b8ced2677e30e1893"
},
{
"url": "https://git.kernel.org/stable/c/31824613a42aacdcbeb325bf07a1c8247a11ebe2"
},
{
"url": "https://git.kernel.org/stable/c/3d8dcf278b1ee1eff1e90be848fa2237db4c07a7"
}
],
"title": "watch_queue: Actually free the watch",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49256",
"datePublished": "2025-02-26T01:56:10.599Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:29.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49250 (GCVE-0-2022-49250)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: rx-macro: fix accessing compander for aux
AUX interpolator does not have compander, so check before accessing
compander data for this.
Without this checkan array of out bounds access will be made in
comp_enabled[] array.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-rx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9208ecc703b5ed5b12d7ea13c79207f4c8456638",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "87a2b44cb3005d30c3a72234d1e47b03ae3bb29a",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "6aa8ef9535dbd561293406608ebe791627b10196",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "42c709c4e1ce4c136891530646c9abd5dff3524f",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-rx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: rx-macro: fix accessing compander for aux\n\nAUX interpolator does not have compander, so check before accessing\ncompander data for this.\n\nWithout this checkan array of out bounds access will be made in\ncomp_enabled[] array."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:21.563Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9208ecc703b5ed5b12d7ea13c79207f4c8456638"
},
{
"url": "https://git.kernel.org/stable/c/87a2b44cb3005d30c3a72234d1e47b03ae3bb29a"
},
{
"url": "https://git.kernel.org/stable/c/6aa8ef9535dbd561293406608ebe791627b10196"
},
{
"url": "https://git.kernel.org/stable/c/42c709c4e1ce4c136891530646c9abd5dff3524f"
}
],
"title": "ASoC: codecs: rx-macro: fix accessing compander for aux",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49250",
"datePublished": "2025-02-26T01:56:07.719Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:21.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49254 (GCVE-0-2022-49254)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()
In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to
ctx->active_fmt and there is a dereference of it after that, which could
lead to NULL pointer dereference on failure of devm_kzalloc().
Fix this bug by adding a NULL check of ctx->active_fmt.
This bug was found by a static analyzer.
Builds with 'make allyesconfig' show no new warnings, and our static
analyzer no longer warns about this code.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/ti-vpe/cal-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa613ac270292e102503e9767882e39200efe608",
"status": "affected",
"version": "7168155002cf7aadbfaa14a28f037c880a214764",
"versionType": "git"
},
{
"lessThan": "91e2805579ab0783eed53acc2bf9fb553e939004",
"status": "affected",
"version": "7168155002cf7aadbfaa14a28f037c880a214764",
"versionType": "git"
},
{
"lessThan": "1381f1a629a090c251965edb56f849ad648414a4",
"status": "affected",
"version": "7168155002cf7aadbfaa14a28f037c880a214764",
"versionType": "git"
},
{
"lessThan": "abd77889851d2ead0d0c9c4d29f1808801477b00",
"status": "affected",
"version": "7168155002cf7aadbfaa14a28f037c880a214764",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/ti-vpe/cal-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()\n\nIn cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to\nctx-\u003eactive_fmt and there is a dereference of it after that, which could\nlead to NULL pointer dereference on failure of devm_kzalloc().\n\nFix this bug by adding a NULL check of ctx-\u003eactive_fmt.\n\nThis bug was found by a static analyzer.\n\nBuilds with \u0027make allyesconfig\u0027 show no new warnings, and our static\nanalyzer no longer warns about this code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:27.253Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa613ac270292e102503e9767882e39200efe608"
},
{
"url": "https://git.kernel.org/stable/c/91e2805579ab0783eed53acc2bf9fb553e939004"
},
{
"url": "https://git.kernel.org/stable/c/1381f1a629a090c251965edb56f849ad648414a4"
},
{
"url": "https://git.kernel.org/stable/c/abd77889851d2ead0d0c9c4d29f1808801477b00"
}
],
"title": "media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49254",
"datePublished": "2025-02-26T01:56:09.619Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:27.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49261 (GCVE-0-2022-49261)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gem: add missing boundary check in vm_access
A missing bounds check in vm_access() can lead to an out-of-bounds read
or write in the adjacent memory area, since the len attribute is not
validated before the memcpy later in the function, potentially hitting:
[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000
[ 183.637934] #PF: supervisor read access in kernel mode
[ 183.637997] #PF: error_code(0x0000) - not-present page
[ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0
[ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI
[ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1
[ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019
[ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10
[ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246
[ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc
[ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004
[ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000
[ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000
[ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000
[ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000
[ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0
[ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 183.650142] Call Trace:
[ 183.650988] <TASK>
[ 183.651793] vm_access+0x1f0/0x2a0 [i915]
[ 183.652726] __access_remote_vm+0x224/0x380
[ 183.653561] mem_rw.isra.0+0xf9/0x190
[ 183.654402] vfs_read+0x9d/0x1b0
[ 183.655238] ksys_read+0x63/0xe0
[ 183.656065] do_syscall_64+0x38/0xc0
[ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 183.657663] RIP: 0033:0x7fe5ef725142
[ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142
[ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005
[ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046
[ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0
[ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000
Changes since v1:
- Updated if condition with range_overflows_t [Chris Wilson]
[mauld: tidy up the commit message and add Cc: stable]
(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 9f909e215fea0652023b9ed09d3d7bfe10386423 Version: 9f909e215fea0652023b9ed09d3d7bfe10386423 Version: 9f909e215fea0652023b9ed09d3d7bfe10386423 Version: 9f909e215fea0652023b9ed09d3d7bfe10386423 Version: 9f909e215fea0652023b9ed09d3d7bfe10386423 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_mman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89ddcc81914ab58cc203acc844f27d55ada8ec0e",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
},
{
"lessThan": "312d3d4f49e12f97260bcf972c848c3562126a18",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
},
{
"lessThan": "5f6e560e3e86ac053447524224e411034f41f5c7",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
},
{
"lessThan": "8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
},
{
"lessThan": "3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_mman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: add missing boundary check in vm_access\n\nA missing bounds check in vm_access() can lead to an out-of-bounds read\nor write in the adjacent memory area, since the len attribute is not\nvalidated before the memcpy later in the function, potentially hitting:\n\n[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000\n[ 183.637934] #PF: supervisor read access in kernel mode\n[ 183.637997] #PF: error_code(0x0000) - not-present page\n[ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0\n[ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI\n[ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1\n[ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019\n[ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10\n[ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246\n[ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc\n[ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004\n[ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000\n[ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000\n[ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000\n[ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000\n[ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0\n[ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 183.650142] Call Trace:\n[ 183.650988] \u003cTASK\u003e\n[ 183.651793] vm_access+0x1f0/0x2a0 [i915]\n[ 183.652726] __access_remote_vm+0x224/0x380\n[ 183.653561] mem_rw.isra.0+0xf9/0x190\n[ 183.654402] vfs_read+0x9d/0x1b0\n[ 183.655238] ksys_read+0x63/0xe0\n[ 183.656065] do_syscall_64+0x38/0xc0\n[ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 183.657663] RIP: 0033:0x7fe5ef725142\n[ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142\n[ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005\n[ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046\n[ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0\n[ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000\n\nChanges since v1:\n - Updated if condition with range_overflows_t [Chris Wilson]\n\n[mauld: tidy up the commit message and add Cc: stable]\n(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:36.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89ddcc81914ab58cc203acc844f27d55ada8ec0e"
},
{
"url": "https://git.kernel.org/stable/c/312d3d4f49e12f97260bcf972c848c3562126a18"
},
{
"url": "https://git.kernel.org/stable/c/5f6e560e3e86ac053447524224e411034f41f5c7"
},
{
"url": "https://git.kernel.org/stable/c/8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa"
},
{
"url": "https://git.kernel.org/stable/c/3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7"
}
],
"title": "drm/i915/gem: add missing boundary check in vm_access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49261",
"datePublished": "2025-02-26T01:56:13.077Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:36.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49350 (GCVE-0-2022-49350)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mdio: unexport __init-annotated mdio_bus_init()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it has been broken for a decade.
Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.
There are two ways to fix it:
- Remove __init
- Remove EXPORT_SYMBOL
I chose the latter for this case because the only in-tree call-site,
drivers/net/phy/phy_device.c is never compiled as modular.
(CONFIG_PHYLIB is boolean)
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab64ec2c75683f30ccde9eaaf0761002f901aa12",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "5534bcd7c40299862237c4a8fd9c5031b3db1538",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "6a90a44d53428a3bf01bd80df9ba78b19959270c",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "7759c3222815b945a94b212bc0c6cdec475cfec2",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "59fa94cddf9eef8d8dae587373eed8b8f4eb11d7",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "f5c68137f1191ba3fcf6260ec71b30be2e2bf4c3",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "f2f0f8c18b60ca64ff50892ed899cf1c77864755",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "35b42dce619701f1300fb8498dae82c9bb1f0263",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: unexport __init-annotated mdio_bus_init()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n - Remove __init\n - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the only in-tree call-site,\ndrivers/net/phy/phy_device.c is never compiled as modular.\n(CONFIG_PHYLIB is boolean)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:51.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab64ec2c75683f30ccde9eaaf0761002f901aa12"
},
{
"url": "https://git.kernel.org/stable/c/5534bcd7c40299862237c4a8fd9c5031b3db1538"
},
{
"url": "https://git.kernel.org/stable/c/6a90a44d53428a3bf01bd80df9ba78b19959270c"
},
{
"url": "https://git.kernel.org/stable/c/7759c3222815b945a94b212bc0c6cdec475cfec2"
},
{
"url": "https://git.kernel.org/stable/c/59fa94cddf9eef8d8dae587373eed8b8f4eb11d7"
},
{
"url": "https://git.kernel.org/stable/c/f5c68137f1191ba3fcf6260ec71b30be2e2bf4c3"
},
{
"url": "https://git.kernel.org/stable/c/f2f0f8c18b60ca64ff50892ed899cf1c77864755"
},
{
"url": "https://git.kernel.org/stable/c/35b42dce619701f1300fb8498dae82c9bb1f0263"
}
],
"title": "net: mdio: unexport __init-annotated mdio_bus_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49350",
"datePublished": "2025-02-26T02:11:03.514Z",
"dateReserved": "2025-02-26T02:08:31.544Z",
"dateUpdated": "2025-05-04T08:35:51.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49249 (GCVE-0-2022-49249)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: wc938x: fix accessing array out of bounds for enum type
Accessing enums using integer would result in array out of bounds access
on platforms like aarch64 where sizeof(long) is 8 compared to enum size
which is 4 bytes.
Fix this by using enumerated items instead of integers.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd938x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "adafea71b49ec4dbc44e0b84ec6eb602004a7a08",
"status": "affected",
"version": "e8ba1e05bdc016700c85fad559a812c2e795442f",
"versionType": "git"
},
{
"lessThan": "f03c0c94186d5876857132d97e28f20cdc100bdc",
"status": "affected",
"version": "e8ba1e05bdc016700c85fad559a812c2e795442f",
"versionType": "git"
},
{
"lessThan": "d09aee1b1da196be11ed86dd4897f228f2487613",
"status": "affected",
"version": "e8ba1e05bdc016700c85fad559a812c2e795442f",
"versionType": "git"
},
{
"lessThan": "cc587b7c8fbbe128f6bd0dad025a0caea5e6d164",
"status": "affected",
"version": "e8ba1e05bdc016700c85fad559a812c2e795442f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd938x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wc938x: fix accessing array out of bounds for enum type\n\nAccessing enums using integer would result in array out of bounds access\non platforms like aarch64 where sizeof(long) is 8 compared to enum size\nwhich is 4 bytes.\n\nFix this by using enumerated items instead of integers."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:20.386Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/adafea71b49ec4dbc44e0b84ec6eb602004a7a08"
},
{
"url": "https://git.kernel.org/stable/c/f03c0c94186d5876857132d97e28f20cdc100bdc"
},
{
"url": "https://git.kernel.org/stable/c/d09aee1b1da196be11ed86dd4897f228f2487613"
},
{
"url": "https://git.kernel.org/stable/c/cc587b7c8fbbe128f6bd0dad025a0caea5e6d164"
}
],
"title": "ASoC: codecs: wc938x: fix accessing array out of bounds for enum type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49249",
"datePublished": "2025-02-26T01:56:07.215Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:20.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49257 (GCVE-0-2022-49257)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Fix NULL dereference in error cleanup
In watch_queue_set_size(), the error cleanup code doesn't take account of
the fact that __free_page() can't handle a NULL pointer when trying to free
up buffer pages that did get allocated.
Fix this by only calling __free_page() on the pages actually allocated.
Without the fix, this can lead to something like the following:
BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
Read of size 4 at addr 0000000000000034 by task syz-executor168/3599
...
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:446 [inline]
kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:71 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
page_ref_count include/linux/page_ref.h:67 [inline]
put_page_testzero include/linux/mm.h:717 [inline]
__free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275
pipe_ioctl+0xac/0x2b0 fs/pipe.c:632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: c73be61cede5882f9605a852414db559c0ebedfd Version: c73be61cede5882f9605a852414db559c0ebedfd Version: c73be61cede5882f9605a852414db559c0ebedfd Version: c73be61cede5882f9605a852414db559c0ebedfd Version: c73be61cede5882f9605a852414db559c0ebedfd |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ae75b4ed30322b42abaa75ef1b784addfdb7dc9",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "695c47cea02b9101e2fc2e7d36d552128592b347",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "112a2f9b0a8457794095a0450598f150724ec456",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "b6f5ad3e45d19f9c4ee3e8a2aff829f28d68591d",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "a635415a064e77bcfbf43da413fd9dfe0bbed9cb",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Fix NULL dereference in error cleanup\n\nIn watch_queue_set_size(), the error cleanup code doesn\u0027t take account of\nthe fact that __free_page() can\u0027t handle a NULL pointer when trying to free\nup buffer pages that did get allocated.\n\nFix this by only calling __free_page() on the pages actually allocated.\n\nWithout the fix, this can lead to something like the following:\n\nBUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473\nRead of size 4 at addr 0000000000000034 by task syz-executor168/3599\n...\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n __kasan_report mm/kasan/report.c:446 [inline]\n kasan_report.cold+0x66/0xdf mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\n instrument_atomic_read include/linux/instrumented.h:71 [inline]\n atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]\n page_ref_count include/linux/page_ref.h:67 [inline]\n put_page_testzero include/linux/mm.h:717 [inline]\n __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473\n watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275\n pipe_ioctl+0xac/0x2b0 fs/pipe.c:632\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:31.060Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ae75b4ed30322b42abaa75ef1b784addfdb7dc9"
},
{
"url": "https://git.kernel.org/stable/c/695c47cea02b9101e2fc2e7d36d552128592b347"
},
{
"url": "https://git.kernel.org/stable/c/112a2f9b0a8457794095a0450598f150724ec456"
},
{
"url": "https://git.kernel.org/stable/c/b6f5ad3e45d19f9c4ee3e8a2aff829f28d68591d"
},
{
"url": "https://git.kernel.org/stable/c/a635415a064e77bcfbf43da413fd9dfe0bbed9cb"
}
],
"title": "watch_queue: Fix NULL dereference in error cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49257",
"datePublished": "2025-02-26T01:56:11.072Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:31.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39878 (GCVE-0-2025-39878)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error
The function move_dirty_folio_in_page_array() was created by commit
ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method") by
moving code from ceph_writepages_start() to this function.
This new function is supposed to return an error code which is checked
by the caller (now ceph_process_folio_batch()), and on error, the
caller invokes redirty_page_for_writepage() and then breaks from the
loop.
However, the refactoring commit has gone wrong, and it by accident, it
always returns 0 (= success) because it first NULLs the pointer and
then returns PTR_ERR(NULL) which is always 0. This means errors are
silently ignored, leaving NULL entries in the page array, which may
later crash the kernel.
The simple solution is to call PTR_ERR() before clearing the pointer.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd1616ecbea920d228c56729461ed223cc501425",
"status": "affected",
"version": "ce80b76dd32764cc914975777e058d4fae4f0ea0",
"versionType": "git"
},
{
"lessThan": "249e0a47cdb46bb9eae65511c569044bd8698d7d",
"status": "affected",
"version": "ce80b76dd32764cc914975777e058d4fae4f0ea0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix crash after fscrypt_encrypt_pagecache_blocks() error\n\nThe function move_dirty_folio_in_page_array() was created by commit\nce80b76dd327 (\"ceph: introduce ceph_process_folio_batch() method\") by\nmoving code from ceph_writepages_start() to this function.\n\nThis new function is supposed to return an error code which is checked\nby the caller (now ceph_process_folio_batch()), and on error, the\ncaller invokes redirty_page_for_writepage() and then breaks from the\nloop.\n\nHowever, the refactoring commit has gone wrong, and it by accident, it\nalways returns 0 (= success) because it first NULLs the pointer and\nthen returns PTR_ERR(NULL) which is always 0. This means errors are\nsilently ignored, leaving NULL entries in the page array, which may\nlater crash the kernel.\n\nThe simple solution is to call PTR_ERR() before clearing the pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:37.095Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd1616ecbea920d228c56729461ed223cc501425"
},
{
"url": "https://git.kernel.org/stable/c/249e0a47cdb46bb9eae65511c569044bd8698d7d"
}
],
"title": "ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39878",
"datePublished": "2025-09-23T06:00:48.850Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-09-29T06:01:37.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39885 (GCVE-0-2025-39885)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-10-02 13:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix recursive semaphore deadlock in fiemap call
syzbot detected a OCFS2 hang due to a recursive semaphore on a
FS_IOC_FIEMAP of the extent list on a specially crafted mmap file.
context_switch kernel/sched/core.c:5357 [inline]
__schedule+0x1798/0x4cc0 kernel/sched/core.c:6961
__schedule_loop kernel/sched/core.c:7043 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7058
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115
rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591
ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142
do_page_mkwrite+0x14d/0x310 mm/memory.c:3361
wp_page_shared mm/memory.c:3762 [inline]
do_wp_page+0x268d/0x5800 mm/memory.c:3981
handle_pte_fault mm/memory.c:6068 [inline]
__handle_mm_fault+0x1033/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]
RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26
Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89
f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f
1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41
RSP: 0018:ffffc9000403f950 EFLAGS: 00050256
RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038
RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060
RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42
R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098
R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060
copy_to_user include/linux/uaccess.h:225 [inline]
fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145
ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806
ioctl_fiemap fs/ioctl.c:220 [inline]
do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532
__do_sys_ioctl fs/ioctl.c:596 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5f13850fd9
RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9
RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004
RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0
R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b
ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since
v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the
extent list of this running mmap executable. The user supplied buffer to
hold the fiemap information page faults calling ocfs2_page_mkwrite() which
will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same
semaphore. This recursive semaphore will hold filesystem locks and causes
a hang of the fileystem.
The ip_alloc_sem protects the inode extent list and size. Release the
read semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()
and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock
on the last extent but simplifies the error path.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16e518ca84dfe860c20a62f3615e14e8af0ace57",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "7e1514bd44ef68007703c752c99ff7319f35bce6",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "ef30404980e4c832ef9bba1b10c08f67fa77a9ec",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "36054554772f95d090eb45793faf6aa3c0254b02",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "0709bc11b942870fc0a7be150e42aea42321093a",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "9efcb7a8b97310efed995397941a292cf89fa94f",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "04100f775c2ea501927f508f17ad824ad1f23c8d",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix recursive semaphore deadlock in fiemap call\n\nsyzbot detected a OCFS2 hang due to a recursive semaphore on a\nFS_IOC_FIEMAP of the extent list on a specially crafted mmap file.\n\ncontext_switch kernel/sched/core.c:5357 [inline]\n __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961\n __schedule_loop kernel/sched/core.c:7043 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:7058\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115\n rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185\n __down_write_common kernel/locking/rwsem.c:1317 [inline]\n __down_write kernel/locking/rwsem.c:1326 [inline]\n down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591\n ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142\n do_page_mkwrite+0x14d/0x310 mm/memory.c:3361\n wp_page_shared mm/memory.c:3762 [inline]\n do_wp_page+0x268d/0x5800 mm/memory.c:3981\n handle_pte_fault mm/memory.c:6068 [inline]\n __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195\n handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364\n do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387\n handle_page_fault arch/x86/mm/fault.c:1476 [inline]\n exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532\n asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623\nRIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]\nRIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]\nRIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]\nRIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26\nCode: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89\nf7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 \u003cf3\u003e a4 0f\n1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41\nRSP: 0018:ffffc9000403f950 EFLAGS: 00050256\nRAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038\nRDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060\nRBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42\nR10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098\nR13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060\n copy_to_user include/linux/uaccess.h:225 [inline]\n fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145\n ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532\n __do_sys_ioctl fs/ioctl.c:596 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5f13850fd9\nRSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9\nRDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004\nRBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0\nR13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b\n\nocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since\nv2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the\nextent list of this running mmap executable. The user supplied buffer to\nhold the fiemap information page faults calling ocfs2_page_mkwrite() which\nwill take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same\nsemaphore. This recursive semaphore will hold filesystem locks and causes\na hang of the fileystem.\n\nThe ip_alloc_sem protects the inode extent list and size. Release the\nread semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()\nand ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock\non the last extent but simplifies the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:32.512Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16e518ca84dfe860c20a62f3615e14e8af0ace57"
},
{
"url": "https://git.kernel.org/stable/c/7e1514bd44ef68007703c752c99ff7319f35bce6"
},
{
"url": "https://git.kernel.org/stable/c/ef30404980e4c832ef9bba1b10c08f67fa77a9ec"
},
{
"url": "https://git.kernel.org/stable/c/36054554772f95d090eb45793faf6aa3c0254b02"
},
{
"url": "https://git.kernel.org/stable/c/0709bc11b942870fc0a7be150e42aea42321093a"
},
{
"url": "https://git.kernel.org/stable/c/1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e"
},
{
"url": "https://git.kernel.org/stable/c/9efcb7a8b97310efed995397941a292cf89fa94f"
},
{
"url": "https://git.kernel.org/stable/c/04100f775c2ea501927f508f17ad824ad1f23c8d"
}
],
"title": "ocfs2: fix recursive semaphore deadlock in fiemap call",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39885",
"datePublished": "2025-09-23T06:00:52.584Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-10-02T13:26:32.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49285 (GCVE-0-2022-49285)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: accel: mma8452: use the correct logic to get mma8452_data
The original logic to get mma8452_data is wrong, the *dev point to
the device belong to iio_dev. we can't use this dev to find the
correct i2c_client. The original logic happen to work because it
finally use dev->driver_data to get iio_dev. Here use the API
to_i2c_client() is wrong and make reader confuse. To correct the
logic, it should be like this
struct mma8452_data *data = iio_priv(dev_get_drvdata(dev));
But after commit 8b7651f25962 ("iio: iio_device_alloc(): Remove
unnecessary self drvdata"), the upper logic also can't work.
When try to show the avialable scale in userspace, will meet kernel
dump, kernel handle NULL pointer dereference.
So use dev_to_iio_dev() to correct the logic.
Dual fixes tags as the second reflects when the bug was exposed, whilst
the first reflects when the original bug was introduced.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/mma8452.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c0bb583a4444cce224e8661090cbffc98e2fe07",
"status": "affected",
"version": "c3cdd6e48e35b7a02f28e301ef30a87ff3cd6527",
"versionType": "git"
},
{
"lessThan": "d2d9ebdbff79d87d27652578e6d1638ad3b5f3bf",
"status": "affected",
"version": "c3cdd6e48e35b7a02f28e301ef30a87ff3cd6527",
"versionType": "git"
},
{
"lessThan": "c87b7b12f48db86ac9909894f4dc0107d7df6375",
"status": "affected",
"version": "c3cdd6e48e35b7a02f28e301ef30a87ff3cd6527",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/mma8452.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: mma8452: use the correct logic to get mma8452_data\n\nThe original logic to get mma8452_data is wrong, the *dev point to\nthe device belong to iio_dev. we can\u0027t use this dev to find the\ncorrect i2c_client. The original logic happen to work because it\nfinally use dev-\u003edriver_data to get iio_dev. Here use the API\nto_i2c_client() is wrong and make reader confuse. To correct the\nlogic, it should be like this\n\n struct mma8452_data *data = iio_priv(dev_get_drvdata(dev));\n\nBut after commit 8b7651f25962 (\"iio: iio_device_alloc(): Remove\nunnecessary self drvdata\"), the upper logic also can\u0027t work.\nWhen try to show the avialable scale in userspace, will meet kernel\ndump, kernel handle NULL pointer dereference.\n\nSo use dev_to_iio_dev() to correct the logic.\n\nDual fixes tags as the second reflects when the bug was exposed, whilst\nthe first reflects when the original bug was introduced."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:15.589Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c0bb583a4444cce224e8661090cbffc98e2fe07"
},
{
"url": "https://git.kernel.org/stable/c/d2d9ebdbff79d87d27652578e6d1638ad3b5f3bf"
},
{
"url": "https://git.kernel.org/stable/c/c87b7b12f48db86ac9909894f4dc0107d7df6375"
}
],
"title": "iio: accel: mma8452: use the correct logic to get mma8452_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49285",
"datePublished": "2025-02-26T01:56:25.096Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-05-04T08:34:15.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49253 (GCVE-0-2022-49253)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: usb: go7007: s2250-board: fix leak in probe()
Call i2c_unregister_device(audio) on this error path.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/go7007/s2250-board.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bbdd0e15738336e6b1208304ae98525117877bbd",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "a97130cd5b0c00eec169b10a16d922b9ea67324a",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "b7dd177225355da55f8d80d8e568928e0eec3608",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "14cd5a8e61c654828a1f1056d56f0b0a524d2c69",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "44973633b0064c46083833b55dd0a45e6235f8ca",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "895364fa97e60749855f789bc4568883fc7a8b39",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "b5470f3efa530b10296257bb578ce4b1769e9a04",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "948ad5e5624487079c24cb5c81c74ddd02832440",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/go7007/s2250-board.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usb: go7007: s2250-board: fix leak in probe()\n\nCall i2c_unregister_device(audio) on this error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:26.109Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bbdd0e15738336e6b1208304ae98525117877bbd"
},
{
"url": "https://git.kernel.org/stable/c/a97130cd5b0c00eec169b10a16d922b9ea67324a"
},
{
"url": "https://git.kernel.org/stable/c/b7dd177225355da55f8d80d8e568928e0eec3608"
},
{
"url": "https://git.kernel.org/stable/c/14cd5a8e61c654828a1f1056d56f0b0a524d2c69"
},
{
"url": "https://git.kernel.org/stable/c/44973633b0064c46083833b55dd0a45e6235f8ca"
},
{
"url": "https://git.kernel.org/stable/c/895364fa97e60749855f789bc4568883fc7a8b39"
},
{
"url": "https://git.kernel.org/stable/c/b5470f3efa530b10296257bb578ce4b1769e9a04"
},
{
"url": "https://git.kernel.org/stable/c/948ad5e5624487079c24cb5c81c74ddd02832440"
},
{
"url": "https://git.kernel.org/stable/c/67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d"
}
],
"title": "media: usb: go7007: s2250-board: fix leak in probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49253",
"datePublished": "2025-02-26T01:56:09.146Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:26.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39882 (GCVE-0-2025-39882)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-09-29 06:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: fix potential OF node use-after-free
The for_each_child_of_node() helper drops the reference it takes to each
node as it iterates over children and an explicit of_node_put() is only
needed when exiting the loop early.
Drop the recently introduced bogus additional reference count decrement
at each iteration that could potentially lead to a use-after-free.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 7d98166183d627c0b9daca7672b2191fae0f8a03 Version: 31ce7c089b50c3d3056c37e0e25e7535e4428ae1 Version: fae58d0155a979a8c414bbc12db09dd4b2f910d0 Version: 1f403699c40f0806a707a9a6eed3b8904224021a |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2fbe0f9f80b9cfa1e06ddcf8b863d918394ef1d",
"status": "affected",
"version": "7d98166183d627c0b9daca7672b2191fae0f8a03",
"versionType": "git"
},
{
"lessThan": "b58a26cdd4795c1ce6a80e38e9348885555dacd6",
"status": "affected",
"version": "31ce7c089b50c3d3056c37e0e25e7535e4428ae1",
"versionType": "git"
},
{
"lessThan": "c4901802ed1ce859242e10af06e6a7752cba0497",
"status": "affected",
"version": "fae58d0155a979a8c414bbc12db09dd4b2f910d0",
"versionType": "git"
},
{
"lessThan": "4de37a48b6b58faaded9eb765047cf0d8785ea18",
"status": "affected",
"version": "1f403699c40f0806a707a9a6eed3b8904224021a",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.6.107",
"status": "affected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThan": "6.12.48",
"status": "affected",
"version": "6.12.45",
"versionType": "semver"
},
{
"lessThan": "6.16.8",
"status": "affected",
"version": "6.16.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.6.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.12.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.16.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: fix potential OF node use-after-free\n\nThe for_each_child_of_node() helper drops the reference it takes to each\nnode as it iterates over children and an explicit of_node_put() is only\nneeded when exiting the loop early.\n\nDrop the recently introduced bogus additional reference count decrement\nat each iteration that could potentially lead to a use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T06:01:42.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2fbe0f9f80b9cfa1e06ddcf8b863d918394ef1d"
},
{
"url": "https://git.kernel.org/stable/c/b58a26cdd4795c1ce6a80e38e9348885555dacd6"
},
{
"url": "https://git.kernel.org/stable/c/c4901802ed1ce859242e10af06e6a7752cba0497"
},
{
"url": "https://git.kernel.org/stable/c/4de37a48b6b58faaded9eb765047cf0d8785ea18"
}
],
"title": "drm/mediatek: fix potential OF node use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39882",
"datePublished": "2025-09-23T06:00:51.036Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-09-29T06:01:42.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…