Page 13 of 2814 results (0.012 seconds)

CVSS: -EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths Any codepath that zaps page table entries must invoke MMU notifiers to ensure that secondary MMUs (like KVM) don't keep accessing pages which aren't mapped anymore. Secondary MMUs don't hold their own references to pages that are mirrored over, so failing to notify them can lead to page use-after-free. I'm marking this as addressing an issue introduced in commit f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of the security impact of this only came in commit 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP"), which actually omitted flushes for the removal of present PTEs, not just for the removal of empty page tables. khugepaged in Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers. • https://git.kernel.org/stable/c/f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 https://git.kernel.org/stable/c/275c626c131cfe141beeb6c575e31fa53d32da19 https://git.kernel.org/stable/c/c23105673228c349739e958fa33955ed8faddcaf https://git.kernel.org/stable/c/ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3 https://git.kernel.org/stable/c/5ffc2a75534d9d74d49760f983f8eb675fa63d69 https://git.kernel.org/stable/c/7f445ca2e0e59c7971d0b7b853465e50844ab596 https://git.kernel.org/stable/c/1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3 https://git.kernel.org/stable/c/5450535901d89a5dcca5fbbc59a24fe89 •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free during gpu recovery [Why] [ 754.862560] refcount_t: underflow; use-after-free. [ 754.862898] Call Trace: [ 754.862903] <TASK> [ 754.862913] amdgpu_job_free_cb+0xc2/0xe1 [amdgpu] [ 754.863543] drm_sched_main.cold+0x34/0x39 [amd_sched] [How] The fw_fence may be not init, check whether dma_fence_init is performed before job free • https://git.kernel.org/stable/c/d2a89cd942edd50c1e652004fd64019be78b0a96 https://git.kernel.org/stable/c/3cb93f390453cde4d6afda1587aaa00e75e09617 •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: fscache: Fix oops due to race with cookie_lru and use_cookie If a cookie expires from the LRU and the LRU_DISCARD flag is set, but the state machine has not run yet, it's possible another thread can call fscache_use_cookie and begin to use it. When the cookie_worker finally runs, it will see the LRU_DISCARD flag set, transition the cookie->state to LRU_DISCARDING, which will then withdraw the cookie. Once the cookie is withdrawn the object is removed the below oops will occur because the object associated with the cookie is now NULL. Fix the oops by clearing the LRU_DISCARD bit if another thread uses the cookie before the cookie_worker runs. BUG: kernel NULL pointer dereference, address: 0000000000000008 ... CPU: 31 PID: 44773 Comm: kworker/u130:1 Tainted: G E 6.0.0-5.dneg.x86_64 #1 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Workqueue: events_unbound netfs_rreq_write_to_cache_work [netfs] RIP: 0010:cachefiles_prepare_write+0x28/0x90 [cachefiles] ... Call Trace: netfs_rreq_write_to_cache_work+0x11c/0x320 [netfs] process_one_work+0x217/0x3e0 worker_thread+0x4a/0x3b0 kthread+0xd6/0x100 • https://git.kernel.org/stable/c/12bb21a29c19aae50cfad4e2bb5c943108f34a7d https://git.kernel.org/stable/c/37f0b459c9b67e14fe4dcc3a15d286c4436ed01d https://git.kernel.org/stable/c/b5b52de3214a29911f949459a79f6640969b5487 •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's. Fix the bug by resurrecting the file type check in __file_cft(). • https://git.kernel.org/stable/c/347c4a8747104a945ecced358944e42879176ca5 https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125 https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8 https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917 https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13 https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949 •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: media: v4l2-dv-timings.c: fix too strict blanking sanity checks Sanity checks were added to verify the v4l2_bt_timings blanking fields in order to avoid integer overflows when userspace passes weird values. But that assumed that userspace would correctly fill in the front porch, backporch and sync values, but sometimes all you know is the total blanking, which is then assigned to just one of these fields. And that can fail with these checks. So instead set a maximum for the total horizontal and vertical blanking and check that each field remains below that. That is still sufficient to avoid integer overflows, but it also allows for more flexibility in how userspace fills in these fields. • https://git.kernel.org/stable/c/15ded23db134da975b49ea99770de0346c193b24 https://git.kernel.org/stable/c/3d43b2b8a3cdadd6cef9ac8ef5d156b6214a01c8 https://git.kernel.org/stable/c/9cf9211635b68e8e0c8cb88d43ca7dc83e4632aa https://git.kernel.org/stable/c/b4a3a01762ae072c7f6ff2ff53b5019761288346 https://git.kernel.org/stable/c/683015ae163481457a16fad2317af66360dc4762 https://git.kernel.org/stable/c/491c0959f01d87bcbd5a1498bc70e0a3382c65a8 https://git.kernel.org/stable/c/dc7276c3f6ca008be1faf531f84b49906c9bcf7f https://git.kernel.org/stable/c/0d73b49c4037199472b29574ae21c21ae •