Jan Kara

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.18 **Description** The Linux kernel contains a flaw in the btrfs subsystem related to dirty metadata page handling. Specifically, the kernel may strictly require a dirty metadata threshold for metadata writepages, potentially leading to a deadlock situation. This can occur when a cgroup has a limited memory allocation and a task dirties more pages than the cgroup's dirty limit. The btrfs internal threshold for writeback can exceed the cgroup's dirty limit, preventing writeback and causing processes to hang while waiting to reduce the number of dirty pages. This issue affects kernels before version 6.18, but newer kernels utilizing AS KERNEL FILE may not be impacted. The issue can cause a system hang and kernel coredump, with reports indicating over 1000 processes waiting at the io schedule timeout() function. **Recommendations** versions prior to 6.18: Update to version 6.18 or later to address the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use after free issue was found in the Linux kernel's BFQ IO scheduler. This occurs when a bio is associated with a cgroup that has already been offlined, leading to the insertion of a `bfq group` into a service tree. Once the last bio associated with this `bfq group` is completed, the `bfq group` is freed, causing issues for service tree users. The problem is resolved by ensuring that operations are only performed on online `bfq group` instances. If the associated `bfq group` is not online, the first online parent is selected instead. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential integer overflow in the dirty throttling logic of the Linux kernel's mm/writeback component. This logic assumes that dirty limits in page units fit into 32-bits. The problem arises when the removed (u64) cast from the multiplication introduces a multiplication overflow on 32-bit architectures if `wb thresh` * `bg thresh` >= 1<<32, which can occur with default settings and 4GB of RAM. Additionally, the use of `div64 u64()` is unnecessarily expensive on 32-bit architectures, and `div64 ul()` can be used instead for safety and efficiency. If dirty thresholds exceed 1<<32 pages, dirty balancing may fail in multiple ways, making the fix for one possible overflow moot. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's nilfs2 filesystem has been resolved. The issue occurs when mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images, causing a kernel bug in `lru add fn()`. This is due to the link count of a metadata file getting corrupted to 0, and `nilfs evict inode()` trying to delete that inode. The inconsistency happens because directories containing the inode numbers of these metadata files are read without checking. The fix involves treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.52 **Description** The issue concerns the Linux kernel, where a vulnerability has been resolved related to the udf filesystem. The problem arises when mounting filesystems where the partition would overflow the 32-bits used for block number, or when the partition length is so large that it cannot safely index bits in a block bitmap. **Recommendations** Update to Linux kernel version 6.6.52 or later to resolve the issue. As a temporary workaround, consider avoiding the mounting of filesystems with excessively large partition lengths until a patch is available. Restrict access to the udf filesystem to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the ext4 file system in the Linux kernel, where a vulnerability can cause corruption of the buddy bitmap due to fast commit replay marking blocks as free that are already marked as such. This can lead to potential impacts on confidentiality, integrity, and availability of protected information. The vulnerability is caused by a race condition, allowing an attacker to exploit it. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Universal Disk Format (UDF) in the Linux kernel, where a problem with preallocation discarding at indirect extent boundaries could lead to corruption of the extent tree header. The code has been fixed to use `udf delete aext()` for deleting extents, which helps avoid code duplication. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A maliciously corrupted filesystem can contain cycles in the h-tree stored inside a directory, potentially leading to the kernel corrupting tree nodes and accessing unallocated memory. The issue arises when the kernel does a node split and traverses block numbers that are not unique. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to the fixed version **Description** A vulnerability in the Linux kernel has been identified, which can lead to use-after-free issues. This occurs when the parent of a bfqq changes between the decision to merge two queues and the actual merge operation, potentially resulting in the merge of queues with different parents. This can happen due to various reasons, such as a process submitting IO for a different cgroup, causing the bfqq to be reparented. The issue can lead to use-after-free errors, as seen in the example where the parent cgroup of the bfqq being merged is already offline and being destroyed. **Recommendations** For Linux kernel versions prior to the fixed version, the issue can be resolved by applying a patch that checks if the parent of the two bfqqs being merged in bfq setup merge() is the same, thus avoiding the merge of queues with different parents. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been identified where the `bfq merge bio()` function can operate with stale cgroup information when a process is migrated to a different cgroup. This can lead to the bio being merged to a request from a different cgroup, or the merging of `bfqqs` for different cgroups, potentially causing use-after-free issues. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved, which was related to data corruption after conversion from inline format in the ocfs2 file system. The issue occurred because the code attempted to zero out pages beyond the file size, but these pages were ignored by the writeback code, resulting in data loss when the file was grown. The problem was fixed by not doing the pointless zeroing during conversion from inline format, similar to the standard write path. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.8.6 **Description** An issue was discovered in the Linux kernel. There is an out of bounds write in the `ad5755 parse dt` function. **Recommendations** For versions prior to 4.8.6, update to version 4.8.6 or later to resolve the issue.