Christoph Hellwig

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to a race condition in the `dmam free coherent()` function, which can lead to data corruption and crashes. This occurs when a concurrent task makes an allocation with the same `vaddr` and adds it to the devres list between the time `dmam free coherent()` frees a DMA allocation and calls `devres destroy()` to remove and free the data structure used to track the DMA allocation. As a result, there can be two entries in the devres list with the same `vaddr`, and `devres destroy()` can free the wrong entry, triggering the `WARN ON()` in `dmam match`. The fix involves destroying the devres entry before freeing the DMA allocation. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider restricting concurrent tasks during kernel operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to the initialization of the integrity buffer in the Linux kernel. Metadata added by `bio integrity prep` uses plain `kmalloc`, which leads to random kernel memory being written to media. For PI metadata, this is limited to the app tag that isn't used by kernel-generated metadata, but for non-PI metadata, the entire buffer leaks kernel memory. The fix involves adding the ` GFP ZERO` flag to allocations for writes. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.50 or later. As a temporary workaround, consider restricting access to the vulnerable `bio integrity prep` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a functional regression in the Linux kernel's swiotlb component, which causes double-allocation of slots due to broken alignment handling. This can lead to buffer corruption and/or a hang when using vsock in a virtual machine with a restricted DMA SWIOTLB pool. The problem occurs because swiotlb alloc() expects a page-aligned allocation but returns a pointer to the 'struct page' corresponding to the allocation, resulting in double-allocation of the first half of the 4KiB page. The issue is resolved by treating the allocation alignment separately from any additional alignment requirements from the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been identified where the `bfq merge bio()` function can operate with stale cgroup information when a process is migrated to a different cgroup. This can lead to the bio being merged to a request from a different cgroup, or the merging of `bfqqs` for different cgroups, potentially causing use-after-free issues. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.