A flaw was found in the Linux kernel's eBPF verification code.

bpf, x86: Validate computation of branch displacements for x86-64

A flaw was found in the Linux kernel's eBPF verification code.

A flaw was found in the Linux kernel. A race condition was discovered in the ext4 subsystem. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

vt_kdsetmode: extend console locking

lib/iov_iter: initialize "flags" in new pipe_buffer

x86/xen: Add xenpv_restore_regs_and_return_to_usermode()

kpatch add alt asm definitions

kpatch add paravirt asm definitions

remote stack overflow in Linux kernel

mac80211: do not accept/forward invalid EAPOL frames

ath10k: Fix TKIP Michael MIC verification for PCIe

ath10k: add CCMP PN replay protection for fragmented frames for PCIe

ath10k: drop fragments with multicast DA for SDIO

ath10k: drop fragments with multicast DA for PCIe

mac80211: assure all fragments are encrypted

ath10k: drop MPDU which has discard flag set by firmware for SDIO

mac80211: drop A-MSDUs on old ciphers

cfg80211: mitigate A-MSDU aggregation attacks

mac80211: properly handle A-MSDUs that start with an RFC 1042 header

mac80211: prevent mixed key and fragment cache attacks

mac80211: prevent mixed key and fragment cache attacks (adaptation)

mac80211: prevent attacks on TKIP/WEP as well

mac80211: extend protection against mixed key and fragment cache attacks

mac80211: check defrag PN against current frame

Affects only secure boot __init stage, already booted kernels are not affected

Bluetooth: SMP: Fail if remote and local public keys are identical

KVM: do not allow mapping valid but non-reference-counted pages

bluetooth: eliminate the potential race condition when removing the HCI controller

Bluetooth: verify AMP hci_chan before amp_destroy

Bluetooth: verify AMP hci_chan before amp_destroy

can: bcm: fix infoleak in struct bcm_msg_head

f2fs: fix to avoid out-of-bounds memory access

Bluetooth: fix the erroneous flush_work() order

Bluetooth: use correct lock to prevent UAF of hdev object

Out of scope as the patch is for NFC/Android

seq_file: disallow extremely large seq buffer allocations

KVM: SVM: Periodically schedule when unregistering regions on destroy

bpf: Fix leakage under speculation on mispredicted branches

bpf: Do not mark insn as seen under speculative path verification

bpf: Inherit expanded/patched seen count from old aux data

sctp: validate chunk size in __rcv_asconf_lookup

sctp: add param size validation for SCTP_PARAM_SET_PRIMARY

sctp: add size validation when walking chunks

sctp: validate from_addr_param return

sctp: fix return value check in __sctp_rcv_asconf_lookup

tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.

virtio_console: Assure used length from device is limited

KVM: X86: MMU: Use the correct inherited permissions to get shadow page

KVM: X86: MMU: Use the correct inherited permissions to get shadow page (adaptation)

NFSv4: Initialise connection to the server in nfs4_alloc_client()

dccp: don't duplicate ccid when cloning dccp sock

ovl: fix missing negative dentry check in ovl_rename()

crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

bpf: Fix integer overflow in prealloc_elems_and_freelist()

ipv6: use siphash in rt6_exception_hash()

ipv6: make exception cache less predictible

ipv4: use siphash instead of Jenkins in fnhe_hashfun() (adaptation)

ipv4: use siphash instead of Jenkins in fnhe_hashfun() (adaptation)

ipv4 make exception cache less predictible

drm/nouveau: Add a dedicated mutex for the clients list

drm/nouveau: clean up all clients on device removal

drm/nouveau: Add a dedicated mutex for the clients list (adaptation)

Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()

sctp: use init_tag from inithdr for ABORT chunk

sctp: fix the processing for INIT_ACK chunk

sctp: fix the processing for COOKIE_ECHO chunk

sctp: add vtag check in sctp_sf_violation

sctp: add vtag check in sctp_sf_do_8_5_1_E_sa

sctp: add vtag check in sctp_sf_ootb

sctp: fix the processing for INIT chunk

kernel version 5.4 not affected

tlb: mmu_gather: add tlb_flush_*_range APIs

Complex adaptation required. Low impact CVE.

Complex adaptation required. Low impact CVE.

Complex adaptation required. Low impact CVE.

xen/netback: fix rx queue stall detection

xen/netback: don't queue unlimited number of packages

xen/netback: fix rx queue stall detection (adaptation)

netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc

xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like

atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

UBUNTU: SAUCE: vfs: Out-of-bounds write of heap buffer in fs_context.c

UBUNTU: SAUCE: vfs: test that one given mount param is not larger than PAGE_SIZE

drm/i915: Flush TLBs before releasing backing store

drm/i915: Flush TLBs before releasing backing store (kpatch adaptation)

cgroup-v1: Require capabilities to set release_agent

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

Out of scope as the patch is aarch64 related

cgroup: Use open-time cgroup namespace for process migration perm checks

cgroup: Use open-time cgroup namespace for process migration perm checks(adaptation).

netfilter: nf_tables_offload: incorrect flow offload action

netfilter: nf_tables_offload: incorrect flow offload action array size (adaptation)

kernel version 5.4, 5.10 not affected

netfilter: nf_tables: initialize registers in nft_do_chain()

net: sched: fix use-after-free in tc_new_tfilter()

nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION

esp: Fix possible buffer overflow in ESP transformation

sock: remove one redundant SKB_FRAG_PAGE_ORDER macro (CVE-2022-27666 dependency)

llc: fix netdevice reference leaks in llc_ui_bind()

block-map: add __GFP_ZERO flag for alloc_page in function

swiotlb: fix info leak with DMA_FROM_DEVICE

perf: Fix sys_perf_event_open() race against self

floppy: disable FDRAWCMD by default

SUNRPC: Ensure we flush any closed sockets before

net/sched: cls_u32: fix netns refcount changes in

ext4: verify dir block before splitting it

ext4: make variable "count" signed

ext4: avoid cycles in directory h-tree

secure_seq: use the 64 bits of the siphash for port offset

netfilter: nf_tables: disallow non-stateful expression in sets earlier

perturb functionality missing in kernels earlier than 4.14.285-215.501.amzn2

Not affected without certain conditions - Secure Boot, configured kgdb/kdb. Complex adaptation

Out of scope - related to PowerPC 32-bit.

Duplicate of CVE-2022-1966

fbcon: Disallow setting font bigger than screen size

fbcon: Prevent that screen size is smaller than font size

fbmem: Check virtual screen sizes in fb_set_var()

Kernel lockdown bypass when UEFI secure boot is disabled / unavailable and IMA appraisal is enabled.

netfilter: nf_tables: stricter validation of element data

xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in

netfilter: nf_queue: do not allow packet truncation below

xen/blkfront: fix leaking data in shared pages

Out of scope - ARM architecture.

xen/netfront: fix leaking data in shared pages

xen/netfront: force data bouncing when backend is untrusted

xen/netfront: force data bouncing when backend is untrusted (adaptation)

xen/blkfront: force data bouncing when backend is untrusted

xen/blkfront: force data bouncing when backend is untrusted (adaptation)

tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()

tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()

net_sched: cls_route: remove from list when handle is 0

UBUNTU: SAUCE: netfilter: nf_tables: do not allow SET_ID to refer to another table

UBUNTU: SAUCE: netfilter: nf_tables: do not allow RULE_ID to refer to another table

media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls

Livepatching Retbleed may decrease the stability and performance of the kernel, while vulnerability has a medium security impact and only for a certain hardware environment.

bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()

[PATCH v4 1/2] ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

mm/mremap: hold the rmap lock in write mode when moving page table

netfilter: nf_conntrack_irc: Fix forged IP logic

efi: capsule-loader: Fix use-after-free in efi_capsule_write

efi: capsule-loader: Fix use-after-free in efi_capsule_write (adaptation)

af_key: Do not call xfrm_probe_algs in parallel

KVM: Add infrastructure and macro to mark VM as bugged

KVM: Add infrastructure and macro to mark VM as bugged (adaptation)

KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq

KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast()

io_uring/af_unix: defer registered files gc to io_uring release

io_uring/af_unix: defer registered files gc to io_uring release

ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC

pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease the stability and performance of the kernel, while vulnerability has a medium security impact and only for a certain hardware environment.

nvme: ensure subsystem reset is single threaded

net/l2tp: Fix reference count leak in l2tp_udp_recv_core

net: fix a concurrency bug in l2tp_tunnel_register()

l2tp: Serialize access to sk_user_data with sk_callback_lock

l2tp: Don't sleep and disable BH under writer-side sk_callback_lock

net: sched: atm: dont intepret cls results when asked to drop

net: sched: cbq: dont intepret cls results when asked to drop

x86/bugs: Flush IBP in ib_prctl_set()

net: sched: disallow noqueue for qdisc classes

ipv6: raw: Deduct extension header length in rawv6_push_pending_frames

nilfs2: fix leak of nilfs_root in case of writer thread creation failure

mISDN: fix use-after-free bugs in l1oip timer handlers

mISDN: fix use-after-free bugs in l1oip timer handlers (adaptation)

r8152: Rate limit overflow messages

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu

memcg: enable accounting of ipc resources

bnx2x: fix potential memory leak in bnx2x_tpa_stop()

fbdev: smscufx: Fix use-after-free in ufx_ops_open()

HID: roccat: Fix use-after-free in roccat_read()

net: mvpp2: fix mvpp2 debugfs leak

net: mvpp2: fix mvpp2 debugfs leak (adaptation)

KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

net: mpls: fix stale pointer if allocation fails during device rename

rds: rds_rm_zerocopy_callback() use list_first_entry()

sched/rt: pick_next_rt_entity(): check list_entry

scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress

prlimit: do_prlimit needs to have a speculation check

fs: hfsplus: fix UAF issue in hfsplus_put_super

fbcon: Check font dimension limits

vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF

USB: ene_usb6250: Allocate enough memory for full object

netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()

xfs: fix up non-directory creation in SGID directories

tun: avoid double free in tun_free_netdev

xfs: verify buffer contents when we skip log replay

net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()

i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()

net: qcom/emac: Fix use after free bug in emac_remove due to race condition

net: sched: fix race condition in qdisc_graft()

ext4: fix use-after-free in ext4_xattr_set_entry

ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h

bpf: Fix incorrect verifier pruning due to missing register precision taints

net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg

netfilter: nf_tables: deactivate anonymous set from preparation phase

ipvlan:Fix out-of-bounds caused by unclear skb->cb

btrfs: check return value of btrfs_commit_transaction in relocation

btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()

net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

memstick: r592: Fix UAF bug in r592_remove due to race condition

kernel/relay.c: fix read_pos error when multiple readers

relayfs: fix out-of-bounds access in relay_file_read

vc_screen: don't clobber return value in vcs_read

vc_screen: modify vcs_size() handling in vcs_read()

ext4: improve error recovery code paths in __ext4_remount()

ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum

This is a low priority CVE & the patch impacts many critical components of the networking subsystem & it requires multiple complex adaptations in those components to avoid losing existing connections on patch/unpatch.

netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE

netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

net/sched: cls_u32: Fix reference counter leak leading to overflow

net/sched: sch_qfq: account for stab overhead in qfq_enqueue

net/sched: cls_fw: Fix improper refcount update leads to use-after-free

hw: amd: Cross-Process Information Leak

A low priority AMD Inception vulnerability that affects Zen3/Zen4 & relates to RetBleed fixes requiring microcode updates, we can't do much about it in KCare Infra.

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

net: add atomic_long_t to net_device_stats fields

net: add atomic_long_t to net_device_stats fields

geneve: make sure to pull inner header in geneve_rx()

net/rds: fix WARNING in rds_conn_connect_if_down

netfilter: nf_conntrack_h323: Add protection for bmp length

drm/amdkfd: don't allow mapping the MMIO HDP page with large pages

ata: libata-core: Fix null pointer dereference on error

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

xen/netback: Ensure protocol headers don't fall in the non-linear area

mm/hugetlb: fix races when looking up a CONT-PTE/PMD size (adaptation)

nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()

nilfs2: fix leak of nilfs_root in case of writer thread creation failure

scsi: stex: Properly zero out the passthrough command structure