Ben Greear

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: A vulnerability in the Linux kernel has been resolved by reverting a commit that removed unnecessary RCU-bh critical section protection. The `dev queue xmit nit` function is expected to be called with BH disabled, and the ` dev queue xmit` function has a lock to prevent soft irqs for various locks below and stops preemption for RCU. The referenced commit removed this protection, triggering a lockdep warning due to inconsistent lock state. The warning indicates a possible unsafe locking scenario that could lead to a deadlock. Recommendations: To resolve the issue, update to Linux kernel version 6.6.58 or later. As a temporary workaround, consider disabling the `vrf` module until a patch is available. Restrict access to the `dev queue xmit nit` function to minimize the risk of exploitation. Avoid using the `rcu read lock bh` function in the affected code path until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A vulnerability has been resolved in the Linux kernel where the `alloc tag module unload` function must wait for pending `kfree rcu` calls. This issue occurs when the `nf nat` module exit calls `kfree rcu` on addresses, but the free operation is still pending when `alloc tag` checks for leaks. Waiting for outstanding `kfree rcu` operations to complete before checking resolves this warning. A reproducer is provided using `unshare`, `iptables-nft`, and `rmmod` commands. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the debugfs feature in the Linux kernel, where a logic error in the wait/cancellation handling during remove operations can cause deadlocks. Specifically, when the refcount hits zero, the completion can be finished without waiting, but if it doesn't, all cancellations need to be triggered. However, the current implementation can never enter the loop to trigger these cancellations. This problem occurs even when debugfs cancellations are used, and it happens during concurrent debugfs remove operations while files are being accessed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free race condition exists in the Linux kernel, specifically in the mt76 module, related to tx status on station removal. There is a small window where ongoing tx activity can lead to a skb being added to the status tracking idr after it has been cleaned up, keeping the wcid linked in the status poll list. This issue occurs due to the timing of when the wcid pointer is cleared in dev->wcid during mt76 sta pre rcu remove. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A crash issue in the Linux kernel has been resolved, specifically related to the mt76 driver for the mt7921 device. When the network interface controller (nic) fails to start, there is a possibility that a reset work item has already been scheduled, leading to a use-after-free crash if cleanup is called before the work item is executed. This issue has been observed on an x86 64 apu2 system when the mt7921k radio fails to function, resulting in an operating system crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.12.13 **Description** The issue is related to the mac80211 subsystem in the Linux kernel, which allows attackers to cause a denial of service by injecting a frame with 802.11a rates when a device supporting only 5 GHz is used. This results in a NULL pointer dereference in the radiotap parser. **Recommendations** For Linux kernel versions prior to 5.12.13, update to version 5.12.13 or later to resolve the issue. As a temporary workaround, consider restricting the use of devices that support only 5 GHz to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved, specifically in the mt76 module for the mt7915 device. The issue was related to the tx skb dma unmap, where the first pointer in the txp needed to be unmapped to prevent leaking DMA mapping entries. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.