CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48990 – drm/amdgpu: fix use-after-free during gpu recovery
https://notcve.org/view.php?id=CVE-2022-48990
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free during gpu recovery [Why] [ 754.862560] refcount_t: underflow; use-after-free. [ 754.862898] Call Trace: [ 754.862903] <TASK> [ 754.862913] amdgpu_job_free_cb+0xc2/0xe1 [amdgpu] [ 754.863543] drm_sched_main.cold+0x34/0x39 [amd_sched] [How] The fw_fence may be not init, check whether dma_fence_init is performed before job free • https://git.kernel.org/stable/c/d2a89cd942edd50c1e652004fd64019be78b0a96 https://git.kernel.org/stable/c/3cb93f390453cde4d6afda1587aaa00e75e09617 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48988 – memcg: fix possible use-after-free in memcg_write_event_control()
https://notcve.org/view.php?id=CVE-2022-48988
In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's. Fix the bug by resurrecting the file type check in __file_cft(). • https://git.kernel.org/stable/c/347c4a8747104a945ecced358944e42879176ca5 https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125 https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8 https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917 https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13 https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48986 – mm/gup: fix gup_pud_range() for dax
https://notcve.org/view.php?id=CVE-2022-48986
In the Linux kernel, the following vulnerability has been resolved: mm/gup: fix gup_pud_range() for dax For dax pud, pud_huge() returns true on x86. So the function works as long as hugetlb is configured. However, dax doesn't depend on hugetlb. Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as well. This fixes the below kernel panic: general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP < snip > Call Trace: <TASK> get_user_pages_fast+0x1f/0x40 iov_iter_get_pages+0xc6/0x3b0 ? mempool_alloc+0x5d/0x170 bio_iov_iter_get_pages+0x82/0x4e0 ? • https://git.kernel.org/stable/c/414fd080d125408cb15d04ff4907e1dd8145c8c7 https://git.kernel.org/stable/c/c133d8eb894cb280f331608c6f1962ba9fbfe6b0 https://git.kernel.org/stable/c/538162d21ac877b060dc057c89f13718f5caffc5 https://git.kernel.org/stable/c/8b1a7762e0dac5db42a003009fdcb425f10baa07 https://git.kernel.org/stable/c/04edfa3dc06ecfc6133a33bc7271298782dee875 https://git.kernel.org/stable/c/f1cf856123ceb766c49967ec79b841030fa1741f https://git.kernel.org/stable/c/3ac29732a2ffa64c7de13a072b0f2848b9c11037 https://git.kernel.org/stable/c/e06d13c36ded750c72521b600293befeb •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48982 – Bluetooth: Fix crash when replugging CSR fake controllers
https://notcve.org/view.php?id=CVE-2022-48982
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix crash when replugging CSR fake controllers It seems fake CSR 5.0 clones can cause the suspend notifier to be registered twice causing the following kernel panic: [ 71.986122] Call Trace: [ 71.986124] <TASK> [ 71.986125] blocking_notifier_chain_register+0x33/0x60 [ 71.986130] hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da] [ 71.986154] btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477] [ 71.986159] ? __pm_runtime_set_status+0x1a9/0x300 [ 71.986162] ? ktime_get_mono_fast_ns+0x3e/0x90 [ 71.986167] usb_probe_interface+0xe3/0x2b0 [ 71.986171] really_probe+0xdb/0x380 [ 71.986174] ? pm_runtime_barrier+0x54/0x90 [ 71.986177] __driver_probe_device+0x78/0x170 [ 71.986180] driver_probe_device+0x1f/0x90 [ 71.986183] __device_attach_driver+0x89/0x110 [ 71.986186] ? driver_allows_async_probing+0x70/0x70 [ 71.986189] bus_for_each_drv+0x8c/0xe0 [ 71.986192] __device_attach+0xb2/0x1e0 [ 71.986195] bus_probe_device+0x92/0xb0 [ 71.986198] device_add+0x422/0x9a0 [ 71.986201] ? • https://git.kernel.org/stable/c/549b46f8130effccf168293270bb3b1d5da529cc https://git.kernel.org/stable/c/a49894a5ac3656f1a4f0f6b110460060e8026bf8 https://git.kernel.org/stable/c/dc8fa6570deadb70c3fb74d7cd8ce38849feaed0 https://git.kernel.org/stable/c/b5ca338751ad4783ec8d37b5d99c3e37b7813e59 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48979 – drm/amd/display: fix array index out of bound error in DCN32 DML
https://notcve.org/view.php?id=CVE-2022-48979
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix array index out of bound error in DCN32 DML [Why&How] LinkCapacitySupport array is indexed with the number of voltage states and not the number of max DPPs. Fix the error by changing the array declaration to use the correct (larger) array size of total number of voltage states. • https://git.kernel.org/stable/c/3d8a298b2e83b98042e6ec726e934f535b23e6aa https://git.kernel.org/stable/c/aeffc8fb2174f017a10df114bc312f899904dc68 •