CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49272 – ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
https://notcve.org/view.php?id=CVE-2022-49272
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock syzbot caught a potential deadlock between the PCM runtime->buffer_mutex and the mm->mmap_lock. It was brought by the recent fix to cover the racy read/write and other ioctls, and in that commit, I overlooked a (hopefully only) corner case that may take the revert lock, namely, the OSS mmap. The OSS mmap operation exceptionally allows to re-configure the parameters inside t... • https://git.kernel.org/stable/c/8527c8f052fb42091c6569cb928e472376a4a889 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2022-49271 – cifs: prevent bad output lengths in smb2_ioctl_query_info()
https://notcve.org/view.php?id=CVE-2022-49271
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: prevent bad output lengths in smb2_ioctl_query_info() When calling smb2_ioctl_query_info() with smb_query_info::flags=PASSTHRU_FSCTL and smb_query_info::output_buffer_length=0, the following would return 0x10 buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length); if (IS_ERR(buffer)) { kfree(vars); return PTR_ERR(buffer); } rather than a valid pointer thus making IS_ERR() check fail. This would then cause a... • https://git.kernel.org/stable/c/9963ccea6087268e1275b992dca5d0dd4b938765 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49270 – dm: fix use-after-free in dm_cleanup_zoned_dev()
https://notcve.org/view.php?id=CVE-2022-49270
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: dm: fix use-after-free in dm_cleanup_zoned_dev() dm_cleanup_zoned_dev() uses queue, so it must be called before blk_cleanup_disk() starts its killing: blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()-> ->...RCU...->blk_free_queue_rcu()->kmem_cache_free() Otherwise, RCU callback may be executed first and dm_cleanup_zoned_dev() will touch free'd memory: BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0 Read... • https://git.kernel.org/stable/c/bb37d77239af25cde59693dbe3fac04dd17d7b29 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2022-49269 – can: isotp: sanitize CAN ID checks in isotp_bind()
https://notcve.org/view.php?id=CVE-2022-49269
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: can: isotp: sanitize CAN ID checks in isotp_bind() Syzbot created an environment that lead to a state machine status that can not be reached with a compliant CAN ID address configuration. The provided address information consisted of CAN ID 0x6000001 and 0xC28001 which both boil down to 11 bit CAN IDs 0x001 in sending and receiving. Sanitize the SFF/EFF CAN ID values before performing the address checks. • https://git.kernel.org/stable/c/e057dd3fc20ffb3d7f150af46542a51b59b90127 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49268 – ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM
https://notcve.org/view.php?id=CVE-2022-49268
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM Do not call snd_dma_free_pages() when snd_dma_alloc_pages() returns -ENOMEM because it leads to a NULL pointer dereference bug. The dmesg says: [ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12 [ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ T1387] #PF: supervisor read access in kernel mode [ T1387] #PF: error_code(0x0000) - not-pr... • https://git.kernel.org/stable/c/d16046ffa6de040bf580a64d5f4d0aa18258a854 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2022-49267 – mmc: core: use sysfs_emit() instead of sprintf()
https://notcve.org/view.php?id=CVE-2022-49267
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: mmc: core: use sysfs_emit() instead of sprintf() sprintf() (still used in the MMC core for the sysfs output) is vulnerable to the buffer overflow. Use the new-fangled sysfs_emit() instead. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. • https://git.kernel.org/stable/c/659ca56b5415c7a1d05e185c36fad80ba165d063 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2022-49266 – block: fix rq-qos breakage from skipping rq_qos_done_bio()
https://notcve.org/view.php?id=CVE-2022-49266
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: block: fix rq-qos breakage from skipping rq_qos_done_bio() a647a524a467 ("block: don't call rq_qos_ops->done_bio if the bio isn't tracked") made bio_endio() skip rq_qos_done_bio() if BIO_TRACKED is not set. While this fixed a potential oops, it also broke blk-iocost by skipping the done_bio callback for merged bios. Before, whether a bio goes through rq_qos_throttle() or rq_qos_merge(), rq_qos_done_bio() would be called on the bio on comple... • https://git.kernel.org/stable/c/a647a524a46736786c95cdb553a070322ca096e3 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49265 – PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()
https://notcve.org/view.php?id=CVE-2022-49265
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove() When a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following sleep-in-atomic bug will be seen, as genpd_debug_remove() will be called with a spinlock being held. [ 0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460 [ 0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0 [ 0.029219] preempt_count: ... • https://git.kernel.org/stable/c/718072ceb211833f3c71724f49d733d636067191 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2022-49264 – exec: Force single empty string when argv is empty
https://notcve.org/view.php?id=CVE-2022-49264
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: exec: Force single empty string when argv is empty Quoting[1] Ariadne Conill: "In several other operating systems, it is a hard requirement that the second argument to execve(2) be the name of a program, thus prohibiting a scenario where argc < 1. POSIX 2017 also recommends this behaviour, but it is not an explicit requirement[2]: The argument arg0 should point to a filename string that is associated with the process being started by one of... • https://git.kernel.org/stable/c/41f6ea5b9aaa28b740d47ffe995a5013211fdbb0 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49263 – brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path
https://notcve.org/view.php?id=CVE-2022-49263
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path This avoids leaking memory if brcmf_chip_get_raminfo fails. Note that the CLM blob is released in the device remove path. • https://git.kernel.org/stable/c/82f93cf46d6007ffa003b2d4a2834563b6b84d21 •