CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48986 – mm/gup: fix gup_pud_range() for dax
https://notcve.org/view.php?id=CVE-2022-48986
In the Linux kernel, the following vulnerability has been resolved: mm/gup: fix gup_pud_range() for dax For dax pud, pud_huge() returns true on x86. So the function works as long as hugetlb is configured. However, dax doesn't depend on hugetlb. Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as well. This fixes the below kernel panic: general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP < snip > Call Trace: <TASK> get_user_pages_fast+0x1f/0x40 iov_iter_get_pages+0xc6/0x3b0 ? mempool_alloc+0x5d/0x170 bio_iov_iter_get_pages+0x82/0x4e0 ? • https://git.kernel.org/stable/c/414fd080d125408cb15d04ff4907e1dd8145c8c7 https://git.kernel.org/stable/c/c133d8eb894cb280f331608c6f1962ba9fbfe6b0 https://git.kernel.org/stable/c/538162d21ac877b060dc057c89f13718f5caffc5 https://git.kernel.org/stable/c/8b1a7762e0dac5db42a003009fdcb425f10baa07 https://git.kernel.org/stable/c/04edfa3dc06ecfc6133a33bc7271298782dee875 https://git.kernel.org/stable/c/f1cf856123ceb766c49967ec79b841030fa1741f https://git.kernel.org/stable/c/3ac29732a2ffa64c7de13a072b0f2848b9c11037 https://git.kernel.org/stable/c/e06d13c36ded750c72521b600293befeb •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48983 – io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
https://notcve.org/view.php?id=CVE-2022-48983
In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() Syzkaller reports a NULL deref bug as follows: BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3 Read of size 4 at addr 0000000000000138 by task file1/1955 CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ? io_tctx_exit_cb+0x53/0xd3 kasan_report+0xbb/0x1f0 ? io_tctx_exit_cb+0x53/0xd3 kasan_check_range+0x140/0x190 io_tctx_exit_cb+0x53/0xd3 task_work_run+0x164/0x250 ? task_work_cancel+0x30/0x30 get_signal+0x1c3/0x2440 ? lock_downgrade+0x6e0/0x6e0 ? • https://git.kernel.org/stable/c/d56d938b4bef3e1421a42023cdcd6e13c1f50831 https://git.kernel.org/stable/c/f895511de9d27fff71dad2c234ad53b4afd2b06c https://git.kernel.org/stable/c/d91edca1943453aaaba4f380f6f364346222e5cf https://git.kernel.org/stable/c/998b30c3948e4d0b1097e639918c5cff332acac5 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48982 – Bluetooth: Fix crash when replugging CSR fake controllers
https://notcve.org/view.php?id=CVE-2022-48982
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix crash when replugging CSR fake controllers It seems fake CSR 5.0 clones can cause the suspend notifier to be registered twice causing the following kernel panic: [ 71.986122] Call Trace: [ 71.986124] <TASK> [ 71.986125] blocking_notifier_chain_register+0x33/0x60 [ 71.986130] hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da] [ 71.986154] btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477] [ 71.986159] ? __pm_runtime_set_status+0x1a9/0x300 [ 71.986162] ? ktime_get_mono_fast_ns+0x3e/0x90 [ 71.986167] usb_probe_interface+0xe3/0x2b0 [ 71.986171] really_probe+0xdb/0x380 [ 71.986174] ? pm_runtime_barrier+0x54/0x90 [ 71.986177] __driver_probe_device+0x78/0x170 [ 71.986180] driver_probe_device+0x1f/0x90 [ 71.986183] __device_attach_driver+0x89/0x110 [ 71.986186] ? driver_allows_async_probing+0x70/0x70 [ 71.986189] bus_for_each_drv+0x8c/0xe0 [ 71.986192] __device_attach+0xb2/0x1e0 [ 71.986195] bus_probe_device+0x92/0xb0 [ 71.986198] device_add+0x422/0x9a0 [ 71.986201] ? • https://git.kernel.org/stable/c/549b46f8130effccf168293270bb3b1d5da529cc https://git.kernel.org/stable/c/a49894a5ac3656f1a4f0f6b110460060e8026bf8 https://git.kernel.org/stable/c/dc8fa6570deadb70c3fb74d7cd8ce38849feaed0 https://git.kernel.org/stable/c/b5ca338751ad4783ec8d37b5d99c3e37b7813e59 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48981 – drm/shmem-helper: Remove errant put in error path
https://notcve.org/view.php?id=CVE-2022-48981
In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free. • https://git.kernel.org/stable/c/2194a63a818db71065ebe09c8104f5f021ca4e7b https://git.kernel.org/stable/c/585a07b820059462e0c93b76c7de2cd946b26b40 https://git.kernel.org/stable/c/6a4da05acd062ae7774b6b19cef2b7d922902d36 https://git.kernel.org/stable/c/83e3da8bb92fcfa7a1d232cf55f9e6c49bb84942 https://git.kernel.org/stable/c/586847b98e20ab02212ca5c1fc46680384e68a28 https://git.kernel.org/stable/c/24013314be6ee4ee456114a671e9fa3461323de8 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48980 – net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
https://notcve.org/view.php?id=CVE-2022-48980
In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() The SJA1105 family has 45 L2 policing table entries (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110 (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but accounting for the difference in port count (5 in SJA1105 vs 10 in SJA1110) does not fully explain the difference. Rather, the SJA1110 also has L2 ingress policers for multicast traffic. If a packet is classified as multicast, it will be processed by the policer index 99 + SRCPORT. The sja1105_init_l2_policing() function initializes all L2 policers such that they don't interfere with normal packet reception by default. To have a common code between SJA1105 and SJA1110, the index of the multicast policer for the port is calculated because it's an index that is out of bounds for SJA1105 but in bounds for SJA1110, and a bounds check is performed. The code fails to do the proper thing when determining what to do with the multicast policer of port 0 on SJA1105 (ds->num_ports = 5). • https://git.kernel.org/stable/c/38fbe91f2287c696f290d9115901aa435f7166a8 https://git.kernel.org/stable/c/5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d https://git.kernel.org/stable/c/147f3e3d84054117ae6b9bf317ec4fda9f991192 https://git.kernel.org/stable/c/f8bac7f9fdb0017b32157957ffffd490f95faa07 •