CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2021-47641 – video: fbdev: cirrusfb: check pixclock to avoid divide by zero
https://notcve.org/view.php?id=CVE-2021-47641
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: video: fbdev: cirrusfb: check pixclock to avoid divide by zero Do a sanity check on pixclock value to avoid divide by zero. If the pixclock value is zero, the cirrusfb driver will round up pixclock to get the derived frequency as close to maxclock as possible. Syzkaller reported a divide error in cirrusfb_check_pixclock. divide error: 0000 [#1] SMP KASAN PTI CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1 Hardware name: QEMU... • https://git.kernel.org/stable/c/c656d04247a2654ede5cead2ecbf83431dad5261 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2021-47640 – powerpc/kasan: Fix early region not updated correctly
https://notcve.org/view.php?id=CVE-2021-47640
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Fix early region not updated correctly The shadow's page table is not updated when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. It not only causes false positives but also false negative as shown the following text. Fix it by bringing the logic of kasan_early_shadow_page_entry here. 1. False Positive: ================================================================== BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50 Wr... • https://git.kernel.org/stable/c/cbd18991e24fea2c31da3bb117c83e4a3538cd11 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2021-47639 – KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU
https://notcve.org/view.php?id=CVE-2021-47639
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU Zap both valid and invalid roots when zapping/unmapping a gfn range, as KVM must ensure it holds no references to the freed page after returning from the unmap operation. Most notably, the TDP MMU doesn't zap invalid roots in mmu_notifier callbacks. This leads to use-after-free and other issues if the mmu_notifier runs to completion while an invalid root zapper yields as KVM ... • https://git.kernel.org/stable/c/b7cccd397f310739fb85383033e95580f99927e0 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2021-47638 – ubifs: rename_whiteout: Fix double free for whiteout_ui->data
https://notcve.org/view.php?id=CVE-2021-47638
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ubifs: rename_whiteout: Fix double free for whiteout_ui->data 'whiteout_ui->data' will be freed twice if space budget fail for rename whiteout operation as following process: rename_whiteout dev = kmalloc whiteout_ui->data = dev kfree(whiteout_ui->data) // Free first time iput(whiteout) ubifs_free_inode kfree(ui->data) // Double free! KASAN reports: ================================================================== BUG: KASAN: double-free o... • https://git.kernel.org/stable/c/9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2021-47637 – ubifs: Fix deadlock in concurrent rename whiteout and inode writeback
https://notcve.org/view.php?id=CVE-2021-47637
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix deadlock in concurrent rename whiteout and inode writeback Following hung tasks: [ 77.028764] task:kworker/u8:4 state:D stack: 0 pid: 132 [ 77.028820] Call Trace: [ 77.029027] schedule+0x8c/0x1b0 [ 77.029067] mutex_lock+0x50/0x60 [ 77.029074] ubifs_write_inode+0x68/0x1f0 [ubifs] [ 77.029117] __writeback_single_inode+0x43c/0x570 [ 77.029128] writeback_sb_inodes+0x259/0x740 [ 77.029148] wb_writeback+0x107/0x4d0 [ 77.029163] wb_work... • https://git.kernel.org/stable/c/9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2021-47636 – ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()
https://notcve.org/view.php?id=CVE-2021-47636
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process: ubifs_wbuf_write_nolock(): aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096 if (aligned_len <= wbuf->avail) ... // Not satisfy if (wbuf->used) { ubifs_leb_write() // Fill some data in avail wbuf len -= wbuf->avail; // len is still not 8-bytes aligned aligned_len -= wbuf->avail;... • https://git.kernel.org/stable/c/1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2021-47635 – ubifs: Fix to add refcount once page is set private
https://notcve.org/view.php?id=CVE-2021-47635
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix to add refcount once page is set private MM defined the rule [1] very clearly that once page was set with PG_private flag, we should increment the refcount in that page, also main flows like pageout(), migrate_page() will assume there is one additional page reference count if page_has_private() returns true. Otherwise, we may get a BUG in page migration: page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8 index:... • https://git.kernel.org/stable/c/1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d •
CVSS: -EPSS: %CPEs: 17EXPL: 0CVE-2021-47634 – ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
https://notcve.org/view.php?id=CVE-2021-47634
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl Hulk Robot reported a KASAN report about use-after-free: ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385 [...] Call Trace: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_atta... • https://git.kernel.org/stable/c/714fb87e8bc05ff78255afc0dca981e8c5242785 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2021-47633 – ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
https://notcve.org/view.php?id=CVE-2021-47633
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 The bug was found during fuzzing. Stacktrace locates it in ath5k_eeprom_convert_pcal_info_5111. When none of the curve is selected in the loop, idx can go up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. pd = &chinfo[pier].pd_curves[idx]; There are many OOB writes using pd later in the code. So I added a sanity check for idx. Checks for other loops involving AR5K_EEPROM_N_PD_C... • https://git.kernel.org/stable/c/f4de974019a0adf34d0e7de6b86252f1bd266b06 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2021-47632 – powerpc/set_memory: Avoid spinlock recursion in change_page_attr()
https://notcve.org/view.php?id=CVE-2021-47632
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/set_memory: Avoid spinlock recursion in change_page_attr() Commit 1f9ad21c3b38 ("powerpc/mm: Implement set_memory() routines") included a spin_lock() to change_page_attr() in order to safely perform the three step operations. But then commit 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against concurrent accesses") modify it to use pte_update() and do the operation safely against concurrent access. In the meantime, Maxime reported ... • https://git.kernel.org/stable/c/6def4eaf0391f24be541633a954c0e4876858b1e •