N/A

x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations

xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT

KVM: coalesced_mmio: add bounds checking

host: make sure log_num < in_num

x86: kvm: Do not release the page inside mmu_set_spte() (CVE-2018-12207 prerequirement)

CVE-2018-12207 prerequirement - code cleanup and simplification

x86: kvm: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (CVE-2018-12207 prerequirement)

x86: kvm: vmx,svm: always run with EFER.NXE=1 when shadow paging is active (CVE-2018-12207 prerequirement)

kvm: Convert kvm_lock to a mutex (CVE-2018-12207 prerequirement)

kvm: mmu: ITLB_MULTIHIT mitigation (adaptation)

crypto: user - fix memory leak in crypto_report

KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID

cifs: Fix lease buffer length error

dccp: Fix memleak in __feat_register_sp

kvm: nVMX: fixed L2 guest possible tricking the L0 hypervisor to access sensitive L1 resources

vt: selection, close sel_buffer race

vhost: Check docket sk_family instead of call getname

netlabel: fixed possible NULL pointer dereference issue while importing some category bitmap into SELinux

block, bfq: fix use-after-free in bfq_idle_slice_timer_body

signal: Extend exec_id to 64bits

signal: Extend exec_id to 64bits

selinux: properly handle multiple messages in selinux_netlink_send()

net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup

kpatch adaptation for CVE-2020-1749

blktrace: Protect q->blk_trace with RCU

blktrace: Protect q->blk_trace with RCU

ext4: avoid declaring fs inconsistent due to invalid file handles (dependency for CVE-2019-19319)

ext4: protect journal inode's blocks using block_validity

ext4: don't perform block validity checks on the journal inode

ext4: protect journal inode's blocks using block_validity

ext4: protect journal inode's blocks using block_validity

scsi: sg: add sg_remove_request in sg_write

x86/speculation: Prevent rogue cross-process SSBD shutdown

x86/speculation: Change misspelled STIPB to STIBP

x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.

x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.

x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS. (kpatch adaptation)

N/A

x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation

make 'user_access_begin()' do 'access_ok()'

include/linux/relay.h: fix percpu annotation in struct rchan

mm: Fix mremap not considering huge pmd devmap

fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()

net/packet: fix overflow in tpacket_rcv

btrfs only search for left_info if there is no right_info

vfio: access to disabled MMIO space of some devices may lead to DoS scenario

vfio: access to disabled MMIO space of some devices may lead to DoS scenario

ext4: fix potential negative array index in do_split()

Fix for missing check in vgacon scrollback handling

fbcon: remove soft scrollback code

fbcon: remove soft scrollback code (adaptation)

nfs: Fix getxattr kernel panic and memory overflow

rbd: require global CAP_SYS_ADMIN for mapping and unmapping

mm/hugetlb: fix a race between hugetlb sysctl handlers

block: allow for_each_bvec to support zero len bvec

hdlc_ppp: add range checks in ppp_cp_parse_cr()

geneve: add transport ports in route lookup for geneve

net/nfc/rawsock.c: add CAP_NET_RAW check

[net] Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel

[net] Bluetooth: A2MP: Fix not initializing all members

netfilter: ctnetlink: add a range check for l3/l4 protonum

icmp: randomize the global rate limiter

blktrace: ensure our debugfs dir exists

Blktrace: bail out early if block debugfs is not configured

blktrace: fix debugfs use after free

perf/core: Fix race in the perf_mmap_close() function

vt: keyboard, simplify vt_kdgkbsent

vt: keyboard, extend func_buf_lock to readers

tty: make FONTX ioctl use the tty pointer they were actually passed

Input: sunkbd - avoid use-after-free in teardown paths

powercap: make attributes only readable by root

powercap: make attributes only readable by root (adaptation)

perf/core: Fix a memory leak in perf_event_parse_addr_filter()

vt: Disable KD_FONT_OP_COPY

speakup: Do not let the line discipline be used several times

xen/events: avoid removing an event channel while handling it

btrfs: inode: Verify inode mode to avoid NULL pointer dereference

jfs: Fix array index bounds check in dbAdjTree

limit size of watch_events dom0 queue.

handle xenwatch_thread patching.

xen-blkback: set ring->xenblkd to NULL after kthread_stop()

tty: Fix ->pgrp locking in tiocspgrp()

tty: Fix ->session locking

[PATCH] tracing: Fix race in trace_open and buffer resize call

UBUNTU: SAUCE: target: fix XCOPY NAA identifier lookup

UBUNTU: SAUCE: target: fix XCOPY NAA identifier lookup (adaptation )

nfsd4: readdirplus shouldn't return parent of export

futex: Ensure the correct return value from futex_lock_pi

futex: Simplify fixup_pi_state_owner

futex: Replace pointless printk in fixup_owner

futex: Provide and use pi_state_update_owner

futex: Handle faults correctly for PI futexes

nbd: freeze the queue while we're adding connections

Out of scope. Android related patch.

scsi: iscsi: Restrict sessions and handles to admin capabilities

sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output

scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE

scsi: iscsi: Verify lengths on passthrough PDUs

bpf: Prohibit alu ops for pointer types not defining ptr_limit

bpf: Fix off-by-one for area size in creating mask to left

bpf: Simplify alu_limit masking for pointer arithmetic

bpf: Add sanity check for upper ptr_limit

bpf, x86: Validate computation of branch displacements for x86-64

Xen/x86: don't bail early from clear_foreign_p2m_mapping()

Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()

Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()

Xen/gntdev: correct error checking in gntdev_map_grant_pages()

xen-blkback: don't "handle" error by BUG()

xen-netback: don't "handle" error by BUG()

xen-scsiback: don't "handle" error by BUG()

xen-blkback: fix error handling in xen_blkbk_map()

xen-blkback: fix error handling in xen_blkbk_map()

Xen/gnttab: handle p2m update errors on a per-slot basis

xen-netback: respect gnttab_map_refs()'s return value

net: mac802154: Fix general protection fault

cipso,calipso: resolve a number of problems with the DOI refcounts

bpf: Fix masking negation logic upon negative dst register

dm ioctl: fix out of bounds array access when no devices

xen-blkback: don't leak persistent grants from xen_blkbk_map()

btrfs: fix race when cloning extent buffer during rewind of an old

perf/x86/intel: Fix a crash caused by zero PEBS status

gup: document and work around "COW can break either way" issue

nfc: fix memory leak in llcp_sock_bind() (dependency)

nfc: fix refcount leak in llcp_sock_bind()

nfc: fix refcount leak in llcp_sock_connect()

nfc: fix memory leak in llcp_sock_connect()

sctp: delay auto_asconf init until binding the first addr

nfc: Avoid endless loops caused by repeated llcp_sock_connect()

bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged"

bpf: Move off_reg into sanitize_ptr_alu

bpf: Ensure off_reg has no mixed signed bounds for all types

bpf: Rework ptr_limit into alu_limit and add common error path

bpf: Refactor and streamline bounds check into helper

bpf: Refactor and streamline bounds check into helper

bpf: Move sanitize_val_alu out of op switch

bpf: Tighten speculative pointer arithmetic mask

dccp: avoid double free of ccid on child socket

KVM: do not allow mapping valid but non-reference-counted pages

can: bcm: delay release of struct bcm_op after synchronize_rcu

sctp: validate from_addr_param return

sctp: add size validation when walking chunks

sctp: fix return value check in __sctp_rcv_asconf_lookup

sctp: validate chunk size in __rcv_asconf_lookup

sctp: add param size validation for SCTP_PARAM_SET_PRIMARY

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

net: xilinx_emaclite: Do not print real IOMEM pointer

usb: max-3421: Prevent corruption of freed memory

usb: max-3421: Prevent corruption of freed memory (adaptation)

KVM: X86: MMU: Use the correct inherited permissions to get shadow page

KVM: X86: MMU: Use the correct inherited permissions to get shadow page (adaptation)

tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.

ovl: prevent private clone if bind mount is not allowed

ext4: fix race writing to an inline_data file while its xattrs are changing

vt_kdsetmode: extend console locking

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

fuse: fix bad inode

NFSv4: Initialise connection to the server in nfs4_alloc_client()

bpf: fix truncated jump targets on heavy expansions

Not backported to 4.14.

drm/i915: Flush TLBs before releasing backing store

drm/i915: Flush TLBs before releasing backing store (kpatch adaptation)

NFSv4: Handle case where the lookup of a directory fails

tipc: improve size validations for received domain records

udf: Restore i_lenAlloc when inode expansion fails

udf: Fix NULL ptr deref when converting from inline format

lib/iov_iter: initialize "flags" in new pipe_buffer

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

Complex adaptation required. Low impact CVE.

Complex adaptation required. Low impact CVE.

Complex adaptation required. Low impact CVE.

Complex adaptation required. Low impact CVE.

Complex adaptation required. Low impact CVE.

xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate

hugetlbfs: flush TLBs correctly after huge_pmd_unshare

use init_tag from inithdr for ABORT chunk

fix the processing for COOKIE_ECHO chunk

sctp: add vtag check in sctp_sf_violation

sctp: add vtag check in sctp_sf_do_8_5_1_E_sa

sctp: add vtag check in sctp_sf_ootb

cgroup-v1: Require capabilities to set release_agent

ipv4: make exception cache less predictible

ipv4: use siphash instead of Jenkins in fnhe_hashfun()

ipv4: use siphash instead of Jenkins in fnhe_hashfun() (adaptation)

Initialize registers to avoid stack leak into userspace.

Bail out in case userspace uses unsupported registers.

net/packet: fix slab-out-of-bounds access in packet_recvmsg()

net/packet: fix slab-out-of-bounds access in packet_recvmsg()

nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION

esp: Fix possible buffer overflow in ESP transformation

llc: fix netdevice reference leaks in llc_ui_bind()

xprtrdma: fix incorrect header size calculations

block-map: add __GFP_ZERO flag for alloc_page in function

ext4: verify dir block before splitting it

ext4: make variable "count" signed

ext4: avoid cycles in directory h-tree

perturb functionality missing in kernels earlier than 4.14.285-215.501.amzn2

secure_seq: use the 64 bits of the siphash for port offset

Out of scope - related to PowerPC 32-bit.

Duplicate of CVE-2022-32250

netfilter: nf_tables: disallow non-stateful expression in

net: rose: fix UAF bugs caused by timer handler

net: rose: fix UAF bugs caused by timer handler (adaptation)

Out of scope - ARM architecture.

xen/blkfront: fix leaking data in shared pages

net: Rename and export copy_skb_header

xen/netfront: fix leaking data in shared pages

xen/netfront: force data bouncing when backend is untrusted (adaptation)

xen/blkfront: force data bouncing when backend is untrusted

fuse: fix pipe buffer lifetime for direct_io

fuse: fix pipe buffer lifetime for direct_io (kpatch adaptation)

af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register

fix double dev_kfree_skb in error path

fix double dev_kfree_skb() in error path

net/x25: Fix null-ptr-deref caused by x25_disconnect

Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE

perf: Fix sys_perf_event_open() race against self

net/sched: cls_u32: fix netns refcount changes in u32_change()

Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""

fbcon: Disallow setting font bigger than screen size

x86: Clear .brk area at early boot

xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in

[PATCH v4 1/2] ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

UBUNTU: SAUCE: net_sched: cls_route: remove from list when handle is 0

netfilter: nf_queue: do not allow packet truncation below transport header offset

netfilter: nf_conntrack_irc: Fix forged IP logic

af_key: Do not call xfrm_probe_algs in parallel

efi: capsule-loader: Fix use-after-free in efi_capsule_write

efi: capsule-loader: Fix use-after-free in efi_capsule_write (adaptation)

bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()

tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()

tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()

KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated

KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq

KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast()

KVM: Add infrastructure and macro to mark VM as bugged

KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq (adaptation)

tcp/udp: Fix memory leak in ipv6_renew_options().

Fix double fget() in vhost_net_set_backend()

xfs: verify buffer contents when we skip log replay

net: sched: cbq: dont intepret cls results when asked to drop

net: qcom/emac: Fix use after free bug in emac_remove due to race condition

net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg

netfilter: nf_tables: split set destruction in deactivate and destroy phase

netfilter: nft_hash: fix nft_hash_deactivate

netfilter: nf_tables: bogus EBUSY when deleting set after flush

netfilter: nf_tables: deactivate anonymous set from preparation phase

netfilter: nf_tables: split set destruction in deactivate and destroy phase (adaptation)

netfilter: nf_tables: bogus EBUSY when deleting set after flush (Revert)

netfilter: nf_tables: split set destruction in deactivate and destroy phase

netfilter: nf_tables: split set destruction in deactivate and destroy phase

net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()

ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum

dm ioctl: fix nested locking in table_clear() to remove deadlock concern

netfilter: nf_tables: do not allow RULE_ID to refer to another chain

netfilter: nf_tables: do not allow SET_ID to refer to another table

netfilter: nf_tables: do not allow SET_ID to refer to another table

netfilter: nf_tables: stricter validation of element data

btrfs: check return value of btrfs_commit_transaction in relocation

btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()

ext4: improve error recovery code paths in __ext4_remount()

This is a low priority CVE & the patch impacts many critical components of the networking subsystem & it requires multiple complex adaptations in those components to avoid losing existing connections on patch/unpatch.

netfilter: nf_tables: incorrect error path handling

netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

net/sched: cls_u32: Fix reference counter leak leading to overflow

net/sched: sch_qfq: account for stab overhead in qfq_enqueue

net/sched: cls_fw: Fix improper refcount update leads to use-after-free

Rejected by NIST. Consult CVE-2023-4206, CVE-2023-4207, CVE-2023-4208.

sctp: fix potential deadlock on &net->sctp.addr_wq_lock

net/sched: cls_route: No longer copy tcf_result on update

net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free

xfrm: add NULL check in xfrm_update_ae_params

net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free

af_unix: Fix null-ptr-deref in unix_stream_sendpage().

net/sched: sch_hfsc: Ensure inner classes have fsc curve

net: sched: sch_qfq: Fix UAF in qfq_dequeue()

net: sched: sch_qfq: Fix UAF in qfq_dequeue() (adaptation)

netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro

The patch removes functionality.

netfilter: xt_u32: validate user space input

netfilter: xt_u32: validate user space input (adaptation)

netfilter: xt_sctp: validate the flag_info count

net: xfrm: Fix xfrm_address_filter OOB read

igb: set max size RX buffer when store bad packet is enabled

igb: set max size RX buffer when store bad packet is enabled

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use netfilter functionality.

vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF

fs/jfs: Add a mutex named txEnd_lmLogClose_mutex to prevent a race condition between txEnd and lmLogClose functions

perf: Disallow mis-matched inherited group reads (adaptation)

perf: Disallow mis-matched inherited group reads (adaptation)

net: sched: fix race condition in qdisc_graft()

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

ipv6: remove max_size check inline with ipv4

ipv6: remove max_size check inline with ipv4

smb: client: fix OOB in smbCalcSize()

netfilter: nf_tables: Reject tables of unsupported family

perf: Fix perf_event_validate_size()

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv

Complex adaptation is required, vendor retired ATA over Ethernet driver.

x86/xen: Add xenpv_restore_regs_and_return_to_usermode()

N/A

N/A

N/A

Restrict access to pagemap/kpageflags/kpagecount

vmx_vcpu_run wrapper

x86/CPU/AMD: Do not leak quotient data after a division by 0

net: mpls: fix stale pointer if allocation fails during device rename

scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress

fs: hfsplus: fix UAF issue in hfsplus_put_super

netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()

USB: ene_usb6250: Allocate enough memory for full object

Disabling tcindex classifier

prlimit: do_prlimit needs to have a speculation check

Issue is absorbed by CVE-2023-1829.

uaccess: Add speculation barrier to copy_from_user()

xen/netback: Ensure protocol headers don't fall in the non-linear area

ipv6: raw: Deduct extension header length in rawv6_push_pending_frames

net/ulp: prevent ULP without clone op from entering the LISTEN status

HID: check empty report_list in hid_validate_values()

x86/bugs: Flush IBP in ib_prctl_set()

Code from this cve inlined in sleepy thread 'xenvif_kthread_guest_rx' that we can't patch

Code from this cve inlined in sleepy thread 'xenvif_kthread_guest_rx' that we can't patch

media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls

Livepatching Retbleed may decrease the stability and performance of the kernel, while vulnerability has a medium security impact and only for a certain hardware environment.

fs: fix UAF/GPF bug in nilfs_mdt_destroy

bnx2x: fix potential memory leak in bnx2x_tpa_stop()

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu

mISDN: fix use-after-free bugs in l1oip timer handlers

mISDN: fix use-after-free bugs in l1oip timer handlers (adaptation)

r8152: Rate limit overflow messages

nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()

nilfs2: fix leak of nilfs_root in case of writer thread creation failure

nilfs2: fix leak of nilfs_root in case of writer thread creation failure

pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write

scsi: stex: Properly zero out the passthrough command structure

fbdev: smscufx: Fix use-after-free in ufx_ops_open()

HID: roccat: Fix use-after-free in roccat_read()

usb: mon: make mmapped memory read only

seq_file: Disallow extremely large seq buffer allocations

netfilter: x_tables: fix compat match/target pad out-of-bound write

netfilter: x_tables: Use correct memory barriers.

bpf: Fix leakage of uninitialized bpf stack under speculation

bpf: Wrap aux data inside bpf_sanitize_info container

bpf: Fix mask direction swap upon off reg sign change

bpf: No need to simulate speculative domain for immediates