Omar Sandoval

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.12.0-rc3-00013-geca631b8fe80 Description: A race condition exists between `rq qos wait()` and `rq qos wake function()` in the Linux kernel, leading to a crash. The issue occurs when `rq qos wake function()` deletes the waitqueue entry and then calls `wake up process()`, but `rq qos wait()` has already returned and clobbered the `data->task` pointer. This results in `wake up process()` being called with an invalid pointer, causing a crash. The estimated number of potentially affected devices is not specified. Recommendations: To resolve the issue, update the Linux kernel to a version that includes the fix for the `blk-rq-qos` crash. As a temporary workaround, consider disabling the `rq qos wake function()` function until a patch is available. Restrict access to the vulnerable `rq qos wait()` function to minimize the risk of exploitation. Avoid using the `data->task` pointer in the affected code path until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel version 6.9.0 Description: The vulnerability is related to a crash in the btrfs file system when there is a race condition between fsync and size-extending write into prealloc. This can lead to a BUG() being triggered, causing the system to crash. The issue is caused by overlapping prealloc extents in the log tree, which can occur when logging a changed extent from fsync. The vulnerability can be exploited by an attacker to cause a denial-of-service (DoS) condition. Recommendations: To resolve the issue, update the Linux kernel to a version that includes the fix for the btrfs crash on racing fsync and size-extending write into prealloc. As a temporary workaround, consider disabling the btrfs file system or avoiding the use of fsync and size-extending writes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.17.0-rc4 **Description** The vulnerability is related to a premature return from the `btrfs commit transaction()` function in the Linux kernel's btrfs module, which can cause a crash. The issue is associated with the `btrfs relocate block group()` function. There is no information about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** To resolve the issue, upgrade to Linux kernel version 5.17-rc5 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been identified, specifically in the btrfs module. The problem occurs when certain functions, such as `btrfs qgroup inherit()`, `btrfs alloc tree block`, or `btrfs insert root()`, fail during the execution of `create subvol()`. This failure leads to a memory leak because `anon dev` is not properly freed. The error handling in `create subvol()` has been reorganized to address this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.