Xiyu Yang

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A reference counting issue in the Linux kernel has been identified, specifically in the atmel nand controller init function. This issue occurs in several error handling paths where the function returns an error code without properly balancing the reference count of the `nc->dmac` object, which was previously increased by `dma request channel()`. This can lead to refcount leaks. **Recommendations** To resolve this issue, apply the fix that decrements the refcount of the specific object in the error paths. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a reference count leak in the `uniphier spi probe()` function. This occurs when either `dma get slave caps()` or `devm spi register master()` returns an error code, causing the function to forget to decrease the refcount of both `dma rx` and `dma tx` objects. This may lead to refcount leaks. The issue happens in several error paths in `uniphier spi probe()`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a reference count leak in the `rpc sysfs xprt state change` function in the Linux kernel's sunrpc component. This leak occurs when the 3rd argument `buf` does not match with "offline", "online", or "remove", causing the function to return -EINVAL and forget to decrease the reference count of `rpc xprt` and `rpc xprt switch` objects. This can lead to reference count leaks of both unused objects. The issue can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is a reference count leak in the kfree at end function of the Linux kernel. This occurs when the kunit alloc and get resource function is invoked, causing the returned resource object's refcount to increase without being handled, resulting in a refcount leak. The problem can be fixed by calling kunit alloc resource instead of kunit alloc and get resource. **Recommendations** To resolve the issue, call kunit alloc resource instead of kunit alloc and get resource when invoking the kfree at end function. As a temporary workaround, consider disabling the kunit alloc and get resource function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A reference counting issue occurs in the Linux kernel's iommu/arm-smmu component, specifically in the arm smmu iova to phys hard() function. This issue arises when error scenarios occur in several exception handling paths, causing the function to forget to decrease the refcount of `smmu` increased by arm smmu rpm get(), resulting in a refcount leak. The issue is resolved by jumping to the "out" label when these error scenarios occur. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A reference counting issue in the Linux kernel's iommu/arm-smmu component causes a refcount leak when `arm smmu rpm get()` fails. The `arm smmu rpm get()` function invokes `pm runtime get sync()`, increasing the refcount of the "smmu" even if the return value is less than 0. This issue occurs in some error handling paths of `arm smmu rpm get()` in its caller functions, where the refcount of "smmu" is not decreased when `arm smmu rpm get()` fails. To fix this issue, `pm runtime resume and get()` is called instead of `pm runtime get sync()` in `arm smmu rpm get()`, keeping the refcount balanced in case of failure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.