CVE-2023-52515 – RDMA/srp: Do not call scsi_done() from srp_abort()
https://notcve.org/view.php?id=CVE-2023-52515
In the Linux kernel, the following vulnerability has been resolved:
RDMA/srp: Do not call scsi_done() from srp_abort()
After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler callback, it performs one of the following actions:
* Call scsi_queue_insert().
* Call scsi_finish_command().
* Call scsi_eh_scmd_add().
Hence, SCSI abort handlers must not call scsi_done(). Otherwise all the above actions would trigger a use-after-free. Hence remove the scsi_done() call from srp_abort(). Keep the srp_free_req() call before returning SUCCESS because we may not see the command again if SUCCESS is returned.
https://git.kernel.org/stable/c/d8536670916a685df116b5c2cb256573fd25e4e3
https://git.kernel.org/stable/c/738589592a04180e39b6fb5fe8205d85b7dc69f6
https://git.kernel.org/stable/c/0575df129e2eb4a801beae0e6e041787480f42b9
https://git.kernel.org/stable/c/22fb582405002812d8fb89d0ed1264e97d3d25ad
https://git.kernel.org/stable/c/39d6594c457c4728794cb4c3c7be53f93f1ef3ae
https://git.kernel.org/stable/c/b3f3b814add77a464911df0080d812b18f61ff38
https://git.kernel.org/stable/c/26788a5b48d9d5cd3283d777d238631c8cd7495a
https://git.kernel.org/stable/c/b9bdffb3f9aaeff8379c83f5449c6b42c
CVE-2023-52513 – RDMA/siw: Fix connection failure handling
https://notcve.org/view.php?id=CVE-2023-52513
In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix connection failure handling
In case immediate MPA request processing fails, the newly created endpoint unlinks the listening endpoint and is ready to be dropped. This special case was not handled correctly by the code handling the later TCP socket close, causing a NULL dereference crash in siw_cm_work_handler() when dereferencing a NULL listener. We now also cancel the useless MPA timeout, if immediate MPA request processing fails.
This patch furthermore simplifies MPA processing in general: Scheduling a useless TCP socket read in sk_data_ready() upcall is now suppressed, if the socket is already moved out of TCP_ESTABLISHED state.
A NULL dereference vulnerability was found in the Linux kernel, which is caused when the siw_cm_work_handler() function attempts to dereference a NULL listener that may be created when immediate MPA request processing fails and the newly created endpoint unlinks the listening endpoint ready to be dropped.
https://git.kernel.org/stable/c/6c52fdc244b5ccc468006fd65a504d4ee33743c7
https://git.kernel.org/stable/c/6e26812e289b374c17677d238164a5a8f5770594
https://git.kernel.org/stable/c/0d520cdb0cd095eac5d00078dfd318408c9b5eed
https://git.kernel.org/stable/c/81b7bf367eea795d259d0261710c6a89f548844d
https://git.kernel.org/stable/c/5cf38e638e5d01b68f9133968a85e8b3fd1ecf2f
https://git.kernel.org/stable/c/eeafc50a77f6a783c2c44e7ec3674a7b693e06f8
https://git.kernel.org/stable/c/53a3f777049771496f791504e7dc8ef017cba590
https://access.redhat.com/security/cve/CVE-2023-52513
CWE-476: NULL Pointer Dereference
CVE-2023-52512 – pinctrl: nuvoton: wpcm450: fix out of bounds write
https://notcve.org/view.php?id=CVE-2023-52512
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: nuvoton: wpcm450: fix out of bounds write
Write into 'pctrl->gpio_bank' happens before the check for GPIO index validity, so out of bounds write may happen.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
https://git.kernel.org/stable/c/a1d1e0e3d80a870cc37a6c064994b89e963d2b58
https://git.kernel.org/stable/c/6c18c386fd13dbb3ff31a1086dabb526780d9bda
https://git.kernel.org/stable/c/c9d7cac0fd27c74dd368e80dc4b5d0f9f2e13cf8
https://git.kernel.org/stable/c/87d315a34133edcb29c4cadbf196ec6c30dfd47b
CVE-2023-52511 – spi: sun6i: reduce DMA RX transfer width to single byte
https://notcve.org/view.php?id=CVE-2023-52511
In the Linux kernel, the following vulnerability has been resolved:
spi: sun6i: reduce DMA RX transfer width to single byte
Through empirical testing it has been determined that sometimes RX SPI transfers with DMA enabled return corrupted data. This is down to single or even multiple bytes lost during DMA transfer from SPI peripheral to memory. It seems the RX FIFO within the SPI peripheral can become confused when performing bus read accesses wider than a single byte to it during an active SPI transfer.
This patch reduces the width of individual DMA read accesses to the RX FIFO to a single byte to mitigate that issue.
https://git.kernel.org/stable/c/ff05ed4ae214011464a0156f05cac1b0b46b5fbc
https://git.kernel.org/stable/c/e15bb292b24630ee832bfc7fd616bd72c7682bbb
https://git.kernel.org/stable/c/b3c21c9c7289692f4019f163c3b06d8bdf78b355
https://git.kernel.org/stable/c/171f8a49f212e87a8b04087568e1b3d132e36a18
CVE-2023-52510 – ieee802154: ca8210: Fix a potential UAF in ca8210_probe
https://notcve.org/view.php?id=CVE-2023-52510
In the Linux kernel, the following vulnerability has been resolved:
ieee802154: ca8210: Fix a potential UAF in ca8210_probe
If of_clk_add_provider() fails in ca8210_register_ext_clock(), it calls clk_unregister() to release priv->clk and returns an error. However, the caller ca8210_probe() then calls ca8210_remove(), where priv->clk is freed again in ca8210_unregister_ext_clock(). In this case, a use-after-free may happen in the second time we call clk_unregister().
Fix this by removing the first clk_unregister(). Also, priv->clk could be an error code on failure of clk_register_fixed_rate(). Use IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().
https://git.kernel.org/stable/c/ded845a781a578dfb0b5b2c138e5a067aa3b1242
https://git.kernel.org/stable/c/28b68cba378e3e50a4082b65f262bc4f2c7c2add
https://git.kernel.org/stable/c/cdb46be93c1f7bbf2c4649e9fc5fb147cfb5245d
https://git.kernel.org/stable/c/85c2857ef90041f567ce98722c1c342c4d31f4bc
https://git.kernel.org/stable/c/55e06850c7894f00d41b767c5f5665459f83f58f
https://git.kernel.org/stable/c/84c6aa0ae5c4dc121f9996bb8fed46c80909d80e
https://git.kernel.org/stable/c/217efe32a45249eb07dcd7197e8403de98345e66
https://git.kernel.org/stable/c/becf5c147198f4345243c5df0c4f03541