Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error When hci_register_dev() fails in hci_uart_register_dev() HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu) and setting hu->hdev to NULL. This means incoming UART data will reach the protocol-specific recv handler in hci_uart_tty_receive() after resources are freed. Clear HCI_UART_PROTO_INIT with a write lock before calling hu->proto->close() and setting hu->hdev to NULL. The write lock ensures all active readers have completed and no new reader can enter the protocol recv path before resources are freed. This allows the protocol-specific recv functions to remove the "HCI_UART_REGISTERED" guard without risking a null pointer dereference if hci_register_dev() fails.

Affected products

Linux
  • <f4b69c35813c432973d340d3600c01de106ed474
  • =<6.18.*
  • <5.15.209
  • =<7.0.*
  • <6.14
  • <ebb39b2d81731b83ee71a1ba6dd0291a57b5ac07
  • <5.10.258
  • =<6.1.*
  • <a673cf6c4ac702cb79ac1f4d7fc4de763a6a3e40
  • ==1dcf08fcff5ca529de6dc0395091f28854f4e54a
  • <6.15
  • <ed4033fb85ccaaf6c3983be3c7b037e48253d232
  • <194f029a4d7f739e44ebc1f473120187b4de5104
  • <6.1.175
  • ==8e5aff600539e5faea294d9612cca50220e602b8
  • <3daa5818e473ed60eb69d8b5c71b651909d28c5a
  • <5.5
  • <6.6.141
  • ==db7509fa110dd9b11134b75894677f30353b2c51
  • <68d39ea5e0adc9ecaea1ce8abd842ec972eb8718
  • =<5.15.*
  • ==6.15
  • =<*
  • <6.12.91
  • <6.15
  • <356dee1bcac4d0d9152390561fa63331ebff211b
  • =<6.12.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler

In the Linux kernel, the following vulnerability has been resolved: perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler Calling perf_allow_kernel() from the NMI context is unsafe and could be fatal. Capture the permission at event-initialization time by storing it in event->hw.flags, and have the NMI handler rely on that cached flag instead of making the call directly.

Affected products

Linux
  • =<6.18.*
  • =<7.0.*
  • <0584e74fa2b27e9e722cfb5b579f79263df20040
  • <6.14
  • <b0a09142622a994c4f4088c3f61db5da87cfc711
  • <2783ed2442ce69ae240b787aee6dae801cef7aec
  • =<*
  • ==6.14
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
dm cache policy smq: fix missing locks in invalidating cache blocks

In the Linux kernel, the following vulnerability has been resolved: dm cache policy smq: fix missing locks in invalidating cache blocks In passthrough mode, the policy invalidate_mapping operation is called simultaneously from multiple workers, thus it should be protected by a lock. Otherwise, we might end up with data races on the allocated blocks counter, or even use-after-free issues with internal data structures when doing concurrent writes. Note that the existing FIXME in smq_invalidate_mapping() doesn't affect passthrough mode since migration tasks don't exist there, but would need attention if supporting fast device shrinking via suspend/resume without target reloading. Reproduce steps: 1. Create a cache device consisting of 1024 cache entries dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. Populate the cache, and record the number of cached blocks fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \ --size=64m --direct=1 nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}') 3. Reload the cache into passthrough mode dmsetup suspend cache dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0" dmsetup resume cache 4. Write to the passthrough cache. By setting multiple jobs with I/O size equal to the cache block size, cache blocks are invalidated concurrently from different workers. fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \ --direct=1 --numjobs=2 --randrepeat=0 --size=64m 5. Check if demoted matches cached block count. These numbers should match but may differ due to the data race. nr_demoted=$(dmsetup status cache | awk '{print $12}') echo "$nr_cached, $nr_demoted"

Affected products

Linux
  • ==4.12
  • <c348ae47d8e65f06429fa41adce9ad986b696766
  • =<5.15.*
  • =<6.6.*
  • =<6.18.*
  • =<6.12.*
  • <4991b5a08751e2e82488fb93ae08849b6aea10d9
  • =<7.0.*
  • <9a5fdfb9e57ec3a8ad2b8fce5e5ffa42d53b130e
  • <93627a29d4b66d4a2def938dfb8610cc80ae454b
  • <2b62d0611c9af14a16bddf22df2612b4f40eb5a1
  • =<*
  • <4.12
  • <1b2bec4a7dcf5f00b7a1cbeeec8997841d783513
  • =<6.1.*
  • =<5.10.*
  • <ac5ee99443891bdb161f5539606a66a1b5e72542
  • <2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
platform/wmi: use generic driver_override infrastructure

In the Linux kernel, the following vulnerability has been resolved: platform/wmi: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Affected products

Linux
  • <6.11
  • =<6.18.*
  • =<6.12.*
  • <13d201bd840d2e2a645ef899f81342cd27ced346
  • =<7.0.*
  • <2c5507010fc3b8e2bd596c63c88f6ad39a69b1c4
  • =<*
  • <8a700b1fc94df4d847a04f14ebc7f8532592b367
  • ==6.11
  • <4dc755d86deed88789540d960e421124bad4c568
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
batman-adv: clear current gateway during teardown

In the Linux kernel, the following vulnerability has been resolved: batman-adv: clear current gateway during teardown batadv_gw_node_free() removes the gateway list entries during mesh teardown, but it does not clear the currently selected gateway. This leaves stale gateway state behind across cleanup and can break a later mesh recreation. Clear bat_priv->gw.curr_gw before walking the gateway list so the selected gateway reference is dropped as part of teardown.

Affected products

Linux
  • =<5.15.*
  • <3.1
  • =<6.18.*
  • =<6.12.*
  • =<7.0.*
  • <a340a51ed801eab7bb454150c226323b865263cc
  • ==3.1
  • <9a1a8ed4facfe843bde6fdfcf7af0e9923eb2e17
  • =<*
  • <a3f3f1ec8aad84c5dd386c430b9c61cddd85b18f
  • <6de089b545db013433cf934bb4e4433dec2dd65f
  • <30bda3ef4b0cac777f1a7c314cd08b8ff6437365
  • <e2ec4c712d19141ca7bf7fbbb1d842f73abaa186
  • <17e3a441111cd1a530cd6ee69a22f3161d80d810
  • =<6.1.*
  • =<5.10.*
  • <ae7aeb0ce3c0ebbe357ed525779acac197a18086
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: airoha: fix BQL imbalance in TX path

In the Linux kernel, the following vulnerability has been resolved: net: airoha: fix BQL imbalance in TX path Fix a possible BQL imbalance in airoha_dev_xmit(), where inflight packets are accounted only for the AIROHA_NUM_TX_RING netdev TX queues. The queue index is computed as: qid = skb_get_queue_mapping(skb) % ARRAY_SIZE(qdma->q_tx) txq = netdev_get_tx_queue(dev, qid); However, airoha_qdma_tx_napi_poll() accounts completions across all netdev TX queues (num_tx_queues), leading to inconsistent BQL accounting. Also reset all netdev TX queues in the ndo_stop callback.

Affected products

Linux
  • <ded2694247a55a16d0ebbe2d6f9139305c21457a
  • <6.13
  • =<6.18.*
  • <6.13
  • <aaad53a55812acd2355c0e5478896381e78b0110
  • =<7.0.*
  • ==6.13
  • =<*
  • <2d9f5a118205da2683ffcec78b9347f1f01a820e
  • ==ca24fcac1daaa5e8a667981d81986a3eb4b9fb04
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
futex: Prevent lockup in requeue-PI during signal/ timeout wakeup

In the Linux kernel, the following vulnerability has been resolved: futex: Prevent lockup in requeue-PI during signal/ timeout wakeup During wait-requeue-pi (task A) and requeue-PI (task B) the following race can happen: Task A Task B futex_wait_requeue_pi() futex_setup_timer() futex_do_wait() futex_requeue() CLASS(hb, hb1)(&key1); CLASS(hb, hb2)(&key2); *timeout* futex_requeue_pi_wakeup_sync() requeue_state = Q_REQUEUE_PI_IGNORE *blocks on hb->lock* futex_proxy_trylock_atomic() futex_requeue_pi_prepare() Q_REQUEUE_PI_IGNORE => -EAGAIN double_unlock_hb(hb1, hb2) *retry* Task B acquires both hb locks and attempts to acquire the PI-lock of the top most waiter (task B). Task A is leaving early due to a signal/ timeout and started removing itself from the queue. It updates its requeue_state but can not remove it from the list because this requires the hb lock which is owned by task B. Usually task A is able to swoop the lock after task B unlocked it. However if task B is of higher priority then task A may not be able to wake up in time and acquire the lock before task B gets it again. Especially on a UP system where A is never scheduled. As a result task A blocks on the lock and task B busy loops, trying to make progress but live locks the system instead. Tragic. This can be fixed by removing the top most waiter from the list in this case. This allows task B to grab the next top waiter (if any) in the next iteration and make progress. Remove the top most waiter if futex_requeue_pi_prepare() fails. Let the waiter conditionally remove itself from the list in handle_early_requeue_pi_wakeup().

Affected products

Linux
  • <69a7cfc66405aeaa2483147653d031b3592ffc9c
  • <0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf
  • <bc7304f3ae20972d11db6e0b1b541c63feda5f05
  • =<6.18.*
  • =<6.12.*
  • <4e0ed44e51727d56244a822ab941efe507c47966
  • =<7.0.*
  • <e3f95b1ba242e37093305812df7fdbe7288a43ac
  • <5.15
  • =<*
  • ==5.15
  • =<6.1.*
  • <0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF. Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held. Fix by holding the lock.

Affected products

Linux
  • ==3.17
  • =<6.1.*
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • <6b4d226d01ab7da0d2027a2a1e3a6079152e5065
  • =<7.0.*
  • <9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e
  • <3.17
  • <385b2d0468a0871fc716c549fa3b0c257c7dbcb3
  • =<*
  • <5c7209a341ff2ac338b2b0375c34a307b37c9ac2
  • <c7777f534a8018ae4bb1c80d8925af4df588a314
  • <60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4
  • <c27224daf0b08efbb2b24ed64b6139b294f5473a
  • =<5.10.*
  • <541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail(). Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain. Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.

Affected products

Linux
  • <8fc289e809f3eb7e36cadc4684ab6fad747a5a93
  • <7.0
  • =<7.0.*
  • =<*
  • ==7.0
  • <5474e6e17a262db45c60575c73f70210f5c7001f
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size

In the Linux kernel, the following vulnerability has been resolved: ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size The generic/642 test-case can reproduce the kernel crash: [40243.605254] ------------[ cut here ]------------ [40243.605956] kernel BUG at fs/ceph/xattr.c:918! [40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI [40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full) [40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [40243.611820] Workqueue: ceph-msgr ceph_con_workfn [40243.612715] RIP: 0010:__ceph_build_xattrs_blob+0x1b8/0x1e0 [40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc [40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287 [40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000 [40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000 [40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000 [40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000 [40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd [40243.624054] FS: 0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000 [40243.625331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0 [40243.627408] Call Trace: [40243.627839] <TASK> [40243.628188] __prep_cap+0x3fd/0x4a0 [40243.628789] ? do_raw_spin_unlock+0x4e/0xe0 [40243.629474] ceph_check_caps+0x46a/0xc80 [40243.630094] ? __lock_acquire+0x4a2/0x2650 [40243.630773] ? find_held_lock+0x31/0x90 [40243.631347] ? handle_cap_grant+0x79f/0x1060 [40243.632068] ? lock_release+0xd9/0x300 [40243.632696] ? __mutex_unlock_slowpath+0x3e/0x340 [40243.633429] ? lock_release+0xd9/0x300 [40243.634052] handle_cap_grant+0xcf6/0x1060 [40243.634745] ceph_handle_caps+0x122b/0x2110 [40243.635415] mds_dispatch+0x5bd/0x2160 [40243.636034] ? ceph_con_process_message+0x65/0x190 [40243.636828] ? lock_release+0xd9/0x300 [40243.637431] ceph_con_process_message+0x7a/0x190 [40243.638184] ? kfree+0x311/0x4f0 [40243.638749] ? kfree+0x311/0x4f0 [40243.639268] process_message+0x16/0x1a0 [40243.639915] ? sg_free_table+0x39/0x90 [40243.640572] ceph_con_v2_try_read+0xf58/0x2120 [40243.641255] ? lock_acquire+0xc8/0x300 [40243.641863] ceph_con_workfn+0x151/0x820 [40243.642493] process_one_work+0x22f/0x630 [40243.643093] ? process_one_work+0x254/0x630 [40243.643770] worker_thread+0x1e2/0x400 [40243.644332] ? __pfx_worker_thread+0x10/0x10 [40243.645020] kthread+0x109/0x140 [40243.645560] ? __pfx_kthread+0x10/0x10 [40243.646125] ret_from_fork+0x3f8/0x480 [40243.646752] ? __pfx_kthread+0x10/0x10 [40243.647316] ? __pfx_kthread+0x10/0x10 [40243.647919] ret_from_fork_asm+0x1a/0x30 [40243.648556] </TASK> [40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit kvm_intel kvm irqbypass joydev ghash_clmulni_intel aesni_intel rapl input_leds mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 pata_acpi bochs qemu_fw_cfg i2c_smbus sch_fq_codel rbd dm_crypt msr parport_pc ppdev lp parport efi_pstore [40243.654766] ---[ end trace 0000000000000000 ]--- Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size") moved the required_blob_size computation to before the __build_xattrs() call, introducing a race. __build_xattrs() releases and reacquires i_ceph_lock during execution. In that window, handle_cap_grant() may update i_xattrs.blob with a newer MDS-provided blob and bump i_xattrs.version. When __bui ---truncated---

Affected products

Linux
  • <6.0
  • <368d21ae9081c93497b1c8163bed3eddcb2443ff
  • =<6.18.*
  • <d5bd8b4e39cfa8b087448adcd48088065cd629d5
  • =<7.0.*
  • ==6.0
  • =<*
  • <7eb72425c4e3234926502eb262f9d6193ccd572c
  • =<6.12.*
  • <0c22d9511cbde746622f8e4c11aaa63fe76d45f9