Krzysztof Kozlowski

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been resolved, specifically in the qcom scm smc firmware. The problem was related to handling a missing SCM device. A commit was made to explicitly handle the case where qcom scm get tzmem pool() can return NULL, ensuring its users can properly manage this situation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been identified, related to a missing read barrier in the `qcom scm get tzmem pool()` function. This issue can cause the fetching of a stale ` scm` variable value, potentially leading to a NULL pointer dereference. The problem arose from a commit that introduced a write barrier without a corresponding read barrier, which is necessary for accessing the ` scm` variable from concurrent contexts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue occurs when the SCM driver fails during the probe, leaving the global ' scm' variable assigned. This can cause external users of the driver to assume the probe finished successfully, potentially leading to a NULL pointer exception. The problem is triggered by introducing probe deferral in the SCM driver. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the Linux kernel, specifically the ASoC: qcom: sc7280 component. A commit moved the allocation of Soundwire stream runtime from the Qualcomm Soundwire driver to individual machine sound card drivers, but forgot to update the SC7280 card. This results in a NULL pointer dereference or other effects of uninitialized memory accesses during sound playback, similar to an issue confirmed on SDM845. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `st dwc3 probe()` function in the Linux kernel, which is associated with the reuse of previously freed memory. This can lead to an impact on the confidentiality, integrity, and availability of protected information. The problem arises from the probe function not performing any platform device allocation, making the error path "undo platform dev alloc" unnecessary. This drops the reference count from the platform device being probed, potentially resulting in unbalanced device reference counts and premature release of device resources, thus possible use-after-free when releasing remaining devm-managed resources. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.1.0-rt5-00325-g8a5f56bcfcca #8 **Description** The issue is related to a use-after-free vulnerability in the Linux kernel, specifically in the hci qca driver. This vulnerability occurs when the driver shutdown callback is invoked on a closed serdev, causing a use-after-free error during system reboot with Qualcomm Atheros Bluetooth. The vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for the hci qca driver shutdown callback. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.1.0-rt5-00350-gb2450b7e00be-dirty #26 **Description** The vulnerability is related to a slab-out-of-bounds issue in the `handle rx uart` function of the `qcom-geni-serial` driver. This occurs when the RX FIFO depth is updated after the probe, causing the RX UART handle code to read beyond the bounds of the `port->rx fifo` buffer. The issue can be observed in certain configurations with Qualcomm Bluetooth HCI UART devices and KASAN. Technical details about exploitation include: - The `qcom geni serial port setup` function updates the RX FIFO depth (`port->rx fifo depth`) to match real device capabilities. - The RX UART handle code reads `port->rx fifo depth` number of words into the `port->rx fifo` buffer, thus exceeding the bounds. - Vulnerable function names include `handle rx uart`, `qcom geni serial handle rx`, and `qcom geni serial isr`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential NULL pointer dereference in the `nfc genl dump ses done()` function. This function should check if the received argument is non-NULL because its allocation could fail earlier in `dumpit()` (`nfc genl dump ses()`). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the Linux kernel, specifically in the fsl ifc driver. On probe error, the driver fails to free the memory allocated for the private structure, which can lead to a memory leak. The fix involves using resource-managed allocation to address this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the Linux kernel, specifically in the fsl ifc driver. On probe error, the driver fails to unmap IO memory, leading to a memory leak. The Smatch report warns that `fsl ifc ctrl dev->gregs` is not released on lines 298 in the `fsl ifc ctrl probe()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue concerns the Linux kernel, where various PV features (Async PF, PV EOI, steal time) work through memory shared with the hypervisor. When restoring from hibernation, these features must be properly torn down to prevent the hypervisor from writing to stale locations after jumping to the previously hibernated kernel. The job is already done for secondary CPUs by kvm cpu down prepare(), and syscore ops are registered to do the same for the boot CPU. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A possible NULL pointer dereference of resource issue has been resolved in the Linux kernel. The `platform get resource byname()` function can return NULL, which would be immediately dereferenced by `resource size()`. To fix this, the resource is now dereferenced after validation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.