Page 302 of 4361 results (0.024 seconds)

CVSS: 4.4EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: bonding: stop the device in bond_setup_by_slave() Commit 9eed321cde22 ("net: lapbether: only support ethernet devices") has been able to keep syzbot away from net/lapb, until today. In the following splat [1], the issue is that a lapbether device has been created on a bonding device without members. Then adding a non ARPHRD_ETHER member forced the bonding master to change its type. The fix is to make sure we call dev_close() in bond_setup_by_slave() so that the potential linked lapbether devices (or any other devices having assumptions on the physical device) are removed. A similar bug has been addressed in commit 40baec225765 ("bonding: fix panic on non-ARPHRD_ETHER enslave failure") [1] skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0 kernel BUG at net/core/skbuff.c:192 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic net/core/skbuff.c:188 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 lr : skb_panic net/core/skbuff.c:188 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 sp : ffff800096a06aa0 x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000 x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140 x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100 x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001 x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00 x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086 Call trace: skb_panic net/core/skbuff.c:188 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 skb_push+0xf0/0x108 net/core/skbuff.c:2446 ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384 dev_hard_header include/linux/netdevice.h:3136 [inline] lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257 lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447 lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149 lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251 __lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326 lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1970 [inline] call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers net/core/dev.c:2022 [inline] __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 dev_close_many+0x1e0/0x470 net/core/dev.c:1559 dev_close+0x174/0x250 net/core/dev.c:1585 lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1970 [inline] call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers net/core/dev.c:2022 [inline] __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 dev_close_many+0x1e0/0x470 net/core/dev.c:1559 dev_close+0x174/0x250 net/core/dev.c:1585 bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332 bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539 dev_ifsioc+0x754/0x9ac dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786 sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217 sock_ioctl+0x4e8/0x834 net/socket.c:1322 vfs_ioctl fs/ioctl.c:51 [inline] __do_ ---truncated--- En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bonding: detener el dispositivo en bond_setup_by_slave(). El compromiso 9eed321cde22 ("net: lapbether: solo admite dispositivos ethernet") ha podido mantener a syzbot alejado de net/lapb, hasta hoy. En el siguiente símbolo [1], el problema es que se ha creado un dispositivo lapbether sobre un dispositivo de unión sin miembros. • https://git.kernel.org/stable/c/872254dd6b1f80cb95ee9e2e22980888533fc293 https://git.kernel.org/stable/c/b4f0e605a508f6d7cda6df2f03a0c676b778b1fe https://git.kernel.org/stable/c/396baca6683f415b5bc2b380289387bef1406edc https://git.kernel.org/stable/c/53064e8239dd2ecfefc5634e991f1025abc2ee0c https://git.kernel.org/stable/c/19554aa901b5833787df4417a05ccdebf351b7f4 https://git.kernel.org/stable/c/87c49806a37f88eddde3f537c162fd0c2834170c https://git.kernel.org/stable/c/d98c91215a5748a0f536e7ccea26027005196859 https://git.kernel.org/stable/c/3cffa2ddc4d3fcf70cde361236f5a614f • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •

CVSS: 4.4EPSS: 0%CPEs: 12EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: usb: config: fix iteration issue in 'usb_get_bos_descriptor()' The BOS descriptor defines a root descriptor and is the base descriptor for accessing a family of related descriptors. Function 'usb_get_bos_descriptor()' encounters an iteration issue when skipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in the same descriptor being read repeatedly. To address this issue, a 'goto' statement is introduced to ensure that the pointer and the amount read is updated correctly. This ensures that the function iterates to the next descriptor instead of reading the same descriptor repeatedly. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: usb: config: soluciona el problema de iteración en 'usb_get_bos_descriptor()'. El descriptor BOS define un descriptor raíz y es el descriptor base para acceder a una familia de descriptores relacionados. • https://git.kernel.org/stable/c/3dd550a2d36596a1b0ee7955da3b611c031d3873 https://git.kernel.org/stable/c/77ce180d68beffd1af620d0121590e16683fc6b8 https://git.kernel.org/stable/c/20a07e1aadcd6990893c532d1b2b507bfa065152 https://git.kernel.org/stable/c/a5c051b6503c0ba543e993cfc295b64f096e0a29 https://git.kernel.org/stable/c/ea4a173d8358b756a780786baa3fc39d282bdbe3 https://git.kernel.org/stable/c/77d4e2a058858b4a94fc469bc1bfc94a0958e252 https://git.kernel.org/stable/c/1fc15d29540a69cfb55c8b8f8c38f1af33178243 https://git.kernel.org/stable/c/9f8dd40c68c176f2c3f1fc8b87bc81756 • CWE-20: Improper Input Validation •

CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid data corruption caused by decline We found a data corruption issue during testing of SMC-R on Redis applications. The benchmark has a low probability of reporting a strange error as shown below. "Error: Protocol error, got "\xe2" as reply type byte" Finally, we found that the retrieved error data was as follows: 0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C 0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2 It is quite obvious that this is a SMC DECLINE message, which means that the applications received SMC protocol message. We found that this was caused by the following situations: client server ¦ clc proposal -------------> ¦ clc accept <------------- ¦ clc confirm -------------> wait llc confirm send llc confirm ¦failed llc confirm ¦ x------ (after 2s)timeout wait llc confirm rsp wait decline (after 1s) timeout (after 2s) timeout ¦ decline --------------> ¦ decline <-------------- As a result, a decline message was sent in the implementation, and this message was read from TCP by the already-fallback connection. This patch double the client timeout as 2x of the server value, With this simple change, the Decline messages should never cross or collide (during Confirm link timeout). This issue requires an immediate solution, since the protocol updates involve a more long-term solution. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/smc: evita la corrupción de datos causada por el rechazo. Encontramos un problema de corrupción de datos durante las pruebas de SMC-R en aplicaciones Redis. El punto de referencia tiene una baja probabilidad de informar un error extraño, como se muestra a continuación. "Error: Error de protocolo, obtuve "\xe2" como byte de tipo de respuesta" Finalmente, encontramos que los datos de error recuperados eran los siguientes: 0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C 0xCB 0x04 0x02 1 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2 Es bastante obvio que este es un mensaje SMC DECLINE, lo que significa que las aplicaciones recibieron un mensaje de protocolo SMC. • https://git.kernel.org/stable/c/0fb0b02bd6fd26cba38002be4a6bbcae2228fd44 https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1 https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563 https://access.redhat.com/security/cve/CVE-2023-52775 https://bugzilla.redhat.com/show_bug.cgi?id=2282690 • CWE-20: Improper Input Validation •

CVSS: -EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: s390/dasd: protect device queue against concurrent access In dasd_profile_start() the amount of requests on the device queue are counted. The access to the device queue is unprotected against concurrent access. With a lot of parallel I/O, especially with alias devices enabled, the device queue can change while dasd_profile_start() is accessing the queue. In the worst case this leads to a kernel panic due to incorrect pointer accesses. Fix this by taking the device lock before accessing the queue and counting the requests. Additionally the check for a valid profile data pointer can be done earlier to avoid unnecessary locking in a hot path. • https://git.kernel.org/stable/c/4fa52aa7a82f9226b3874a69816bda3af821f002 https://git.kernel.org/stable/c/ebdc569a07a3e8dbe66b4184922ad6f88ac0b96f https://git.kernel.org/stable/c/f75617cc8df4155374132f0b500b0b3ebb967458 https://git.kernel.org/stable/c/f1ac7789406e2ca9ac51c41ad2daa597f47bdd4d https://git.kernel.org/stable/c/c841de6247e94e07566d57163d3c0d8b29278f7a https://git.kernel.org/stable/c/6062c527d0403cef27c54b91ac8390c3a497b250 https://git.kernel.org/stable/c/dc96fde8fcb2b896fd6c64802a7f4ece2e69b0be https://git.kernel.org/stable/c/9372aab5d0ff621ea203c8c603e7e5f75 •

CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: af_unix: fix use-after-free in unix_stream_read_actor() syzbot reported the following crash [1] After releasing unix socket lock, u->oob_skb can be changed by another thread. We must temporarily increase skb refcount to make sure this other thread will not free the skb under us. [1] BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866 Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297 CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc4/0x620 mm/kasan/report.c:475 kasan_report+0xda/0x110 mm/kasan/report.c:588 unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866 unix_stream_recv_urg net/unix/af_unix.c:2587 [inline] unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666 unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0xe2/0x170 net/socket.c:1066 ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803 ___sys_recvmsg+0x115/0x1a0 net/socket.c:2845 __sys_recvmsg+0x114/0x1e0 net/socket.c:2875 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7fc67492c559 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559 RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004 RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340 R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388 </TASK> Allocated by task 5295: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:763 [inline] slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523 __alloc_skb+0x287/0x330 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 sock_alloc_send_skb include/net/sock.h:1884 [inline] queue_oob net/unix/af_unix.c:2147 [inline] unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Freed by task 5295: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:164 [inline] slab_free_hook mm/slub.c:1800 [inline] slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826 slab_free mm/slub.c:3809 [inline] kmem_cache_free+0xf8/0x340 mm/slub.c:3831 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015 __kfree_skb net/core/skbuff.c:1073 [inline] consume_skb net/core/skbuff.c:1288 [inline] consume_skb+0xdf/0x170 net/core/skbuff.c:1282 queue_oob net/unix/af_unix.c:2178 [inline] u ---truncated--- En el kernel de Linux, se resolvió la siguiente vulnerabilidad: af_unix: corrige use-after-free en unix_stream_read_actor() syzbot informó el siguiente bloqueo [1] Después de liberar el bloqueo del socket Unix, otro subproceso puede cambiar u-&gt;oob_skb. Debemos aumentar temporalmente el recuento de skb para asegurarnos de que este otro hilo no libere el skb que está debajo de nosotros. [1] ERROR: KASAN: slab-use-after-free en unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866 Lectura de tamaño 4 en la dirección ffff88801f3b9cc4 por tarea syz-executor107/5297 CPU: 1 PID: 5297 Comm : syz-executor107 No contaminado 6.6.0-syzkaller-15910-gb8e3a87a627b #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/10/2023 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [en línea] print_report+0xc4/0x620 mm/kasan/report.c:475 kasan_report+0xda/0x110 mm/kasan /report.c:588 unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866 unix_stream_recv_urg net/unix/af_unix.c:2587 [en línea] unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666 +0x189 /0x1b0 net/unix/af_unix.c:2903 sock_recvmsg_nosec net/socket.c:1044 [en línea] sock_recvmsg+0xe2/0x170 net/socket.c:1066 ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803 ___sys_recv mensaje+0x115/ 0x1a0 net/socket.c:2845 __sys_recvmsg+0x114/0x1e0 net/socket.c:2875 do_syscall_x64 arch/x86/entry/common.c:51 [en línea] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c: 82 Entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7fc67492c559 Código: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d 6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 &lt;48&gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 0000002f RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559 RDX : 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004 RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340 R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388 tarea 5295: kasan_save_stack+0x33/0x50 mm /kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [en línea] slab_post_alloc_hook mm/slab.h:763 [en línea] slab_alloc_node mm/slub.c:3478 [en línea] kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523 __alloc_skb+0x287/0x330 net/core/skbuff.c:641 alloc_skb include/ linux/skbuff.h:1286 [en línea] alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 sock_alloc_send_skb include/net/sock.h:1884 [en línea ] queue_oob net/unix/af_unix.c:2147 [en línea] unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301 sock_sendmsg_nosec net/socket.c:730 [en línea] __sock_sendmsg+0xd5/0x180 net/socket.c: 745 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 do_syscall_x64 arch/x86/entry/ common.c:51 [ Inline] do_syscall_64+0x3f/0x110 Arch/x86/entry/Common.c: 82 entry_syscall_64_after_hwframe+0x63/0x6b liberado por tarea 5295: kasan_save_stack+0x33/0x50 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [en línea] ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200 kasan_slab_free include/ linux/kasan.h:164 [en línea] slab_free_hook mm/slub.c:1800 [en línea] slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826 slab_free mm/slub.c:3809 [en línea] kmem_cache_free+0xf8/0x340 mm /slub.c:3831 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015 __kfree_skb net/core/skbuff.c:1073 [en línea] consume_skb net/core/skbuff.c:1288 [en línea] consume_skb+0xdf/ 0x170 net/core/skbuff.c:1282 queue_oob net/unix/af_unix.c:2178 [en línea] u ---truncado--- • https://git.kernel.org/stable/c/876c14ad014d0e39c57cbfde53e13d17cdb6d645 https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700 https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0 https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d • CWE-416: Use After Free •