Tyrel Datwyler

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved, specifically in the ibmvfc module. The issue arises from the back pointer from a queue to the vhost adapter not being set until after subcrq interrupt registration, which can lead to a crash during kexec/kdump on Power 9 with legacy XICS interrupt controller. This crash occurs when a pending subcrq interrupt from the previous kernel is replayed immediately upon IRQ registration, resulting in the dereference of a garbage backpointer in ibmvfc interrupt scsi(). The kernel attempted to read a user page, which may indicate an exploit attempt. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.13.0-rc7 **Description** A vulnerability in the Linux kernel has been resolved, which involved a bad pointer dereference when the ehandler kthread is invalid. The issue occurred when the error handler thread failed to spawn, causing the `shost->ehandler` to be set to `ERR PTR(-ENOMEM)`. As a result, the error handler cleanup code in `scsi host dev release()` would call `kthread stop()` even if the kthread was not successfully spawned, leading to a NULL pointer dereference. This vulnerability could be exploited to cause a kernel crash or potentially execute arbitrary code. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, ensure that the kernel version is 5.13.0-rc7 or later. If updating the kernel is not feasible, consider applying the patch manually to fix the issue. As a temporary workaround, consider disabling the `scsi host dev release()` function or restricting access to the vulnerable module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.11.8 **Description** The issue is related to a user-tolerable buffer overflow in the RPA PCI Hotplug driver when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because `add slot store` and `remove slot store` mishandle `drc name` '0' termination. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Linux kernel versions through 5.11.8, update to a version later than 5.11.8 to resolve the issue. As a temporary workaround, consider restricting access to the `rpadlpar sysfs` driver to minimize the risk of exploitation. Avoid using the `drc name` variable in the affected driver until the issue is resolved. At the moment, there is no other information about additional mitigation measures.