Damien Le Moal

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A potential deadlock situation has been identified in the Linux kernel, specifically in the `blk ia range sysfs show()` function. This issue arises when the queue sysfs lock is used while reading the value of a range attribute, creating a possible deadlock scenario with disk removal. The problem is signaled by lockdep with a splat when the device is removed. **Recommendations** Remove the `mutex lock()` and `mutex unlock()` calls from the `blk ia range sysfs show()` function to resolve the potential deadlock situation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.17.0-rc8+ **Description** A use-after-free issue has been identified in the Linux kernel, specifically in the mpt3sas driver. The function `mpt3sas transport port remove()` frees the port field of the `sas expander` structure, leading to a use-after-free error when the `ioc info()` call is executed. This issue can be triggered when removing the driver module, such as during `rmmod`. The error is detected by KASAN, which reports a read of size 1 at an address that has already been freed. **Recommendations** For Linux kernel versions prior to 5.17.0-rc8+, introduce a local variable `port id` to store the port ID value before executing `mpt3sas transport port remove()`. Then, use this local variable in the call to `ioc info()` instead of dereferencing the freed port structure.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak issue has been identified in the Linux kernel, specifically in the `pm8001 chip fw flash update req()` function. This issue arises when `pm8001 chip fw flash update build()` fails, resulting in the allocated `struct fw control ex` not being freed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A task leak issue in the Linux kernel has been resolved. The problem occurred in the `pm8001 send abort all()` function, where allocated SAS tasks were not properly freed if `pm8001 tag alloc()` or `pm8001 mpi build cmd()` failed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `scsi mode sense()` function in the Linux kernel, which has problems with buffer length handling. Specifically, the allocation length field of the MODE SENSE(10) command is 16-bits, but it is set by assigning `len` to byte 8 only, thus truncating buffer lengths larger than 255. Additionally, if `scsi mode sense()` is called with `len` smaller than 8 with `sdev->use 10 for ms` set, or smaller than 4 otherwise, the buffer length is increased to 8 and 4 respectively, and the buffer is zero-filled with these increased values, thus corrupting the memory following the buffer. The issue can be exploited to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.