Liu Jian

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.13.0-rc7+ **Description** A problem was encountered during stability testing in the Linux kernel, where the NAPI poll function `process backlog()` returned 1, exceeding its budget of 0, when `net.core.dev weight` was set to 0. This caused a double add issue in the list, resulting in a warning. The issue occurs when the napi's weight is set to 0, allowing `process backlog()` to return 0 and clear the `NAPI STATE SCHED` bit of `napi->state`, causing the napi to be re-polled until ` do softirq()` times out. Making the napi's weight always non-zero solves this problem. Triggering this issue requires system-wide admin privileges. **Recommendations** For Linux kernel versions prior to 6.13.0-rc7+, as a temporary workaround, consider setting `net.core.dev weight` to a non-zero value to prevent the issue. To resolve the issue, update the Linux kernel to a version where this problem has been fixed, ensuring that `net.core.dev weight` is always non-zero.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.12.0-rc4-dirty **Description** A use-after-free issue has been identified in the Linux kernel's sunrpc module, specifically related to the kernel's TCP socket handling. This issue arises when the TCP socket in a network namespace is shut down and closed, but the FIN message with acknowledgement is discarded, leading to the nfsd side continuing to send retransmission messages. As a result, when the TCP socket processes the received message, it sends the FIN message in the sending queue, and the TCP timer is re-established, causing problems when the network namespace is deleted. **Recommendations** To resolve this issue, hold the netns refcnt for the TCP kernel socket as done in other modules. This can be backported to earlier kernels. A proper fix that cleans up the interfaces will follow, but may not be easy to backport. For versions prior to 6.12.0-rc4-dirty, consider applying the provided fix or waiting for an official patch.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free issue in the Linux kernel's tcp component has been resolved. The issue occurred in the `reqsk timer handler()` function and was caused by the incorrect handling of the `nreq` variable. The commit that fixed the issue replaced `inet csk reqsk queue drop and put()` with ` inet csk reqsk queue drop()` and `reqsk put()` in `reqsk timer handler()`. To prevent the use-after-free issue, `oreq` should be passed to `reqsk put()` instead of `req`. This issue could occur when `reqsk` is migrated but the retry attempt fails, for example, due to a timeout. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the function `hix5hd2 rx()` in the Linux kernel, specifically in the module `drivers/net/ethernet/hisilicon/hix5hd2 gmac.c`. It involves the potential reuse of previously freed memory, which could allow an attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs because the `skb` is delivered to `napi gro receive()`, which may free it, and subsequent dereferencing of `skb` may trigger a use-after-free condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential use-after-free in the `hisi femac rx()` function. This occurs because the `skb` is delivered to `napi gro receive()`, which may free it. After this, dereferencing `skb` may trigger a use-after-free. The exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.