Chen Ridong

### Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) ### Description: The Linux kernel contains a flaw within the kernfs subsystem related to the active reference lifecycle and draining guard mechanisms. The `kernfs should drain open files()` check was overly sensitive, potentially triggering false positives during legitimate operations between `kernfs unbreak active protection()` and `kernfs put active()`. This issue stemmed from the active reference not being truly active after unbreak, despite being crucial for accurate counting. ### Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A soft lockup issue was found in the Linux kernel when approximately 56,000 tasks were in the OOM cgroup. This issue occurred because traversing thousands of processes in the OOM cgroup took a long time, leading to a soft lockup in the OOM process. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** To fix this issue, call `cond resched` in the `mem cgroup scan tasks` function per 1000 iterations. For global OOM, call `touch softlockup watchdog` per 1000 iterations to avoid this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free (UAF) issue has been identified in the Linux kernel, specifically in the `padata` module. This issue can occur when the `reorder work` function is executed, allowing a potential UAF to happen. The problem arises from the fact that the previous patch, which aimed to avoid UAF for ` do serial`, does not prevent the UAF issue for `reorder work`. The UAF can happen when a new request is added while the `padata reorder` function is processing remaining requests, leading to a situation where the `pd` object is freed prematurely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.10.0-14930-gafbffd6c3ede **Description** The issue is related to a slab-out-of-bounds read in the `key task permission` function. This can be caused by a mistake in the `search nested keyrings` function when it iterates through slots in a node. If a slot pointer is meta and the node's back pointer is not null, it proceeds to `descend to node`. However, if the node is the root and one of the slots points to a shortcut, it may be treated as a keyring, leading to a read out-of-bounds. The vulnerability can be reproduced by obtaining more than 32 inputs with similar hashes and rebooting and adding these keys. **Recommendations** To fix this issue, one should jump to `descend to node` if the pointer is a shortcut, regardless of whether the node is the root or not. As a temporary workaround, consider restricting access to the `search nested keyrings` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A null pointer dereference issue has been resolved in the Linux kernel's dmaengine, specifically in the at xdmac component. The `at xdmac memset create desc` function may return NULL, leading to a null pointer dereference. This can occur when the `len` input is incorrect or when the `atchan->free descs list` is empty and memory is exhausted. A check has been added to prevent this issue. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider adding a check to avoid null pointer dereferences in the `at xdmac prep dma memset` function until a patch is available. Restrict access to the `at xdmac` component to minimize the risk of exploitation. Avoid using the `len` input in the affected `at xdmac memset create desc` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.0 **Description** A use-after-free bug was found in the Linux kernel, specifically in the padata reorder function. This issue can be triggered when the `padata find next` function is called after the `pd` object has been freed, leading to a slab-use-after-free error. The bug was identified when running the ltp test, which caused a KASAN error. The issue arises when the `padata reorder` function loops and the `alg` is deleted, causing the reference count to decrease to 0 before entering `padata find next`. To address this issue, it is necessary to ensure that the `do serial` function is called with BHs disabled and under RCU protection. **Recommendations** For Linux kernel versions prior to 6.6.0, to resolve this issue, add `synchronize rcu()` in the `padata free shell` function to wait for all ` do serial` calls to finish, ensuring that the `pd` object is not freed prematurely. As a temporary workaround, consider adding a delay, such as `mdelay(10)`, before calling `padata find next` in the `padata reorder` function to reduce the likelihood of the issue occurring. However, this is not a permanent fix and should be replaced with the proper synchronization mechanism.