Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
powerpc/64s: Fix unmap race with PMD migration entries

In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix unmap race with PMD migration entries The following race is possible with migration swap entries or device-private THP entries. e.g. when move_pages is called on a PMD THP page, then there maybe an intermediate state, where PMD entry acts as a migration swap entry (pmd_present() is true). Then if an munmap happens at the same time, then this VM_BUG_ON() can happen in pmdp_huge_get_and_clear_full(). This patch fixes that. Thread A: move_pages() syscall add_folio_for_migration() mmap_read_lock(mm) folio_isolate_lru(folio) mmap_read_unlock(mm) do_move_pages_to_node() migrate_pages() try_to_migrate_one() spin_lock(ptl) set_pmd_migration_entry() pmdp_invalidate() # PMD: _PAGE_INVALID | _PAGE_PTE | pfn set_pmd_at() # PMD: migration swap entry (pmd_present=0) spin_unlock(ptl) [page copy phase] # <--- RACE WINDOW --> Thread B: munmap() mmap_write_downgrade(mm) unmap_vmas() -> zap_pmd_range() zap_huge_pmd() __pmd_trans_huge_lock() pmd_is_huge(): # !pmd_present && !pmd_none -> TRUE (swap entry) pmd_lock() -> # spin_lock(ptl), waits for Thread A to release ptl pmdp_huge_get_and_clear_full() VM_BUG_ON(!pmd_present(*pmdp)) # HITS! [ 287.738700][ T1867] ------------[ cut here ]------------ [ 287.743843][ T1867] kernel BUG at arch/powerpc/mm/book3s64/pgtable.c:187! cpu 0x0: Vector: 700 (Program Check) at [c00000044037f4f0] pc: c000000000094ca4: pmdp_huge_get_and_clear_full+0x6c/0x23c lr: c000000000645dec: zap_huge_pmd+0xb0/0x868 sp: c00000044037f790 msr: 800000000282b033 current = 0xc0000004032c1a00 paca = 0xc000000004fe0000 irqmask: 0x03 irq_happened: 0x09 pid = 1867, comm = a.out kernel BUG at :187! Linux version 6.19.0-12136-g14360d4f917c-dirty (powerpc64le-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #27 SMP PREEMPT Sun Feb 22 10:38:56 IST 2026 enter ? for help [link register ] c000000000645dec zap_huge_pmd+0xb0/0x868 [c00000044037f790] c00000044037f7d0 (unreliable) [c00000044037f7d0] c000000000645dcc zap_huge_pmd+0x90/0x868 [c00000044037f840] c0000000005724cc unmap_page_range+0x176c/0x1f40 [c00000044037fa00] c000000000572ea0 unmap_vmas+0xb0/0x1d8 [c00000044037fa90] c0000000005af254 unmap_region+0xb4/0x128 [c00000044037fb50] c0000000005af400 vms_complete_munmap_vmas+0x138/0x310 [c00000044037fbe0] c0000000005b0f1c do_vmi_align_munmap+0x1ec/0x238 [c00000044037fd30] c0000000005b3688 __vm_munmap+0x170/0x1f8 [c00000044037fdf0] c000000000587f74 sys_munmap+0x2c/0x40 [c00000044037fe10] c000000000032668 system_call_exception+0x128/0x350 [c00000044037fe50] c00000000000d05c system_call_vectored_common+0x15c/0x2ec ---- Exception: 3000 (System Call Vectored) at 0000000010064a2c SP (7fff9b1ee9c0) is in userspace 0:mon> zh commit a30b48bf1b24 ("mm/migrate_device: implement THP migration of zone device pages"), enabled migration for device-private PMD entries. Hence this is one other path where this warning could get trigger from. ------------[ cut here ]------------ WARNING: arch/powerpc/mm/book3s64/hash_pgtable.c:199 at hash__pmd_hugepage_update+0x48/0x284, CPU#3: hmm-tests/1905 Modules linked in: test_hmm CPU: 3 UID: 0 PID: 1905 Comm: hmm-tests Tainted: G B W L N 7.0.0-rc1-01438-g7e2f0ee7581c #21 PREEMPT Tainted: [B]=BAD_PAGE, [W]=WARN, [L]=SOFTLOCKUP, [N]=TEST Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries NIP [c000000000096b70] hash__pmd_hugepage_update+0x48/0x284 LR [c000000000096e7c] hash__pmdp_huge_get_and_clear+0xd0/0xd4 Call Trace: [c000000604707670] [c000000004e102b8] 0xc000000004e102b8 (unreliable) [c000000604707700] [c00000000064ec3c] set_pmd_migration_entry+0x414/0x498 [c000000604707760] [c00000000063e5a4] migrate_vma_col ---truncated---

Affected products

Linux
  • <5.8
  • =<7.0.*
  • =<*
  • ==5.8
  • <829367e55012c053738ebe7db20c4a90d6609ece
  • <bbcbf045d6c778e82b47a35fc8728387708e9a3d
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()

In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit() when accessing skb->len for tx statistics after usb_submit_urb() has been called: BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760 drivers/net/usb/rtl8150.c:712 Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226 The URB completion handler write_bulk_callback() frees the skb via dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU in softirq context before usb_submit_urb() returns in the submitter, so by the time the submitter reads skb->len the skb has already been queued to the per-CPU completion_queue and freed by net_tx_action(): CPU A (xmit) CPU B (USB completion softirq) ------------ ------------------------------ dev->tx_skb = skb; usb_submit_urb() --+ |-------> write_bulk_callback() | dev_kfree_skb_irq(dev->tx_skb) | net_tx_action() | napi_skb_cache_put() <-- free netdev->stats.tx_bytes | += skb->len; <-- UAF read Fix it by caching skb->len before submitting the URB and using the cached value when updating the tx_bytes counter. The pre-existing tx_bytes semantics are preserved: the counter tracks the original frame length (skb->len), not the ETH_ZLEN/USB-alignment padded "count" value that is handed to the device. Changing that would be a user-visible accounting change and is out of scope for this UAF fix.

Affected products

Linux
  • <23f0e34c64acba15cad4d23e50f41f533da195fa
  • <4dd7eb94f79486b77ca6b4c8676aedbc465dc802
  • =<5.15.*
  • =<6.18.*
  • <5af290c86fa81ddbc86a08d54229af5daa40c6a4
  • =<6.12.*
  • =<7.0.*
  • <30cf9829d09ca958279c937af8e35495cd2f1e09
  • <423b5b86e14e190f6e3161eb5f2ea5f908295ba7
  • <6999d70e0eda39af029fa1891c48f0a8832b09d5
  • <2.6.12
  • ==2.6.12
  • =<*
  • =<5.10.*
  • =<6.1.*
  • <5db090ca07b28a63fb1499690cf19a3f3adafacb
  • <24831b0b2ada9fef18d1f486b7b7c444ee5ba637
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ublk: reset per-IO canceled flag on each fetch

In the Linux kernel, the following vulnerability has been resolved: ublk: reset per-IO canceled flag on each fetch If a ublk server starts recovering devices but dies before issuing fetch commands for all IOs, cancellation of the fetch commands that were successfully issued may never complete. This is because the per-IO canceled flag can remain set even after the fetch for that IO has been submitted - the per-IO canceled flags for all IOs in a queue are reset together only once all IOs for that queue have been fetched. So if a nonempty proper subset of the IOs for a queue are fetched when the ublk server dies, the IOs in that subset will never successfully be canceled, as their canceled flags remain set, and this prevents ublk_cancel_cmd from actually calling io_uring_cmd_done on the commands, despite the fact that they are outstanding. Fix this by resetting the per-IO cancel flags immediately when each IO is fetched instead of waiting for all IOs for the queue (which may never happen).

Affected products

Linux
  • <6.15
  • =<7.0.*
  • <63335e5a67d89bb7cb9b023bbb3785896587a648
  • ==6.15
  • <0842186d2c4e67d2f8c8c2d1d779e8acffd41b5b
  • =<*
  • <6.15
  • ==42ea64e01c96e594fb4f80c54dfe4f934d008a6e
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

In the Linux kernel, the following vulnerability has been resolved: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. [wsa: move the comment as well]

Affected products

Linux
  • <ffbcf31f032eb454ebfd29309f51366fe57f4ac4
  • =<6.18.*
  • <7.0.13
  • =<7.0.*
  • <e9ffd5f5050fbb199d270a85614cd27ebed6fbac
  • <6.18.36
  • =<6.1.*
  • <617eb7c0961a8dfcfc811844a6396e406b2923ea
  • <6.6.143
  • <5.10.259
  • <0b88ecfbc9dc33b4db8836c37b50cf174e6c0691
  • <6.12.94
  • <aa6ef734016912653a909477fb30aeb66c98b3a2
  • <5.15.210
  • =<5.15.*
  • <ff02add34ffd03449b8115904ebe2ec4fed022d4
  • <4576621dc6577f21a032acfd16c3ad61907a5ea7
  • <943e318eedbeaeea08ece3f5dd44c982f4ed2ef5
  • =<*
  • <6.1.176
  • =<6.12.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
batman-adv: tp_meter: avoid use of uninit sender vars

In the Linux kernel, the following vulnerability has been resolved: batman-adv: tp_meter: avoid use of uninit sender vars batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it proceeds to read sender-only members that were never initialized, leading to undefined behavior. This can be triggered when a node that is currently acting as a receiver in an ongoing tp_meter session receives a malicious ACK packet. Guard against this by checking tp_vars->role immediately after the lookup and bailing out if it is not BATADV_TP_SENDER, before any of those members are accessed.

Affected products

Linux
  • =<5.15.*
  • =<6.18.*
  • <6c65cf23d4c6170fcf5714c32aa64689718cb142
  • <53f931e0146ae5bdab4cba302646827d06b3794b
  • ==4.8
  • =<6.12.*
  • =<5.10.*
  • =<7.0.*
  • <dc2ae5fbd2dadc26735092f140b246841d969a11
  • =<*
  • <9884c9c02d3c90e9215db3c5128f59045d20ae91
  • <ecdaa3e4d91040206afe21bc8a0d1198a0971ff3
  • <1a21c055f66e78973712a4a1be2a554f1ee2e4f4
  • <0e388af04b3958b178a1b979527f93eb46ea1fee
  • <4.8
  • =<6.1.*
  • <85397e48afe6be83ffca5ad3f4792296bfc81d3d
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
crypto: jitterentropy - replace long-held spinlock with mutex

In the Linux kernel, the following vulnerability has been resolved: crypto: jitterentropy - replace long-held spinlock with mutex jent_kcapi_random() serializes the shared jitterentropy state, but it currently holds a spinlock across the jent_read_entropy() call. That path performs expensive jitter collection and SHA3 conditioning, so parallel readers can trigger stalls as contending waiters spin for the same lock. To prevent non-preemptible lock hold, replace rng->jent_lock with a mutex so contended readers sleep instead of spinning on a shared lock held across expensive entropy generation.

Affected products

Linux
  • <ec427dc5286da1ed08f2d510e2147a7581b0cb02
  • =<6.18.*
  • =<7.0.*
  • <01d798e9feb30212952d4e992801ba6bd6a82351
  • =<*
  • <4c03e6eb98443dc4d6d422a9780034a5b75376b4
  • <ff734dbd9e2432601a6dcd167cfb0bf8a36d1880
  • ==4.2
  • <18216b8ab6904753eaf31baf453cb02ecd202ba4
  • =<6.12.*
  • <4.2
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: tls: fix strparser anchor skb leak on offload RX setup failure

In the Linux kernel, the following vulnerability has been resolved: net: tls: fix strparser anchor skb leak on offload RX setup failure When tls_set_device_offload_rx() fails at tls_dev_add(), the error path calls tls_sw_free_resources_rx() to clean up the SW context that was initialized by tls_set_sw_offload(). This function calls tls_sw_release_resources_rx() (which stops the strparser via tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context), but never frees the anchor skb that was allocated by alloc_skb(0) in tls_strp_init(). Note that tls_sw_free_resources_rx() is exclusively used for this "failed to start offload" code path, there's no other caller. The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use the standard strparser"), because the standard strparser doesn't try to pre-allocate an skb. The normal close path in tls_sk_proto_close() handles cleanup by calling tls_sw_strparser_done() (which calls tls_strp_done()) after dropping the socket lock, because tls_strp_done() does cancel_work_sync() and the strparser work handler takes the socket lock.

Affected products

Linux
  • <9c54e76f8d6eb11735918777ef0e0509e089557d
  • <3c405dfa9619e506e75b8e41f8b29a5b99731877
  • <bd07fe6c38b9e44ff3fc02692a53f095c5cc9afc
  • <58689498ca3384851145a754dbb1d8ed1cf9fb54
  • <6.0
  • =<6.18.*
  • =<6.12.*
  • =<7.0.*
  • ==6.0
  • <688f12aa44511dd57e448eb670075c6302ad1dc1
  • =<*
  • =<6.1.*
  • <0c9f399b37ce22a5ed94cc51f03ed07ac7f38e32
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
memory: tegra124-emc: Fix dll_change check

In the Linux kernel, the following vulnerability has been resolved: memory: tegra124-emc: Fix dll_change check The code checking whether the specified memory timing enables DLL in the EMRS register was reversed. DLL is enabled if bit A0 is low. Fix the check.

Affected products

Linux
  • <05f138fc7e27ee8e7a83ccf966c3fa26cda44dda
  • ==4.2
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • =<7.0.*
  • <a85967331144fde9300be38bb44d2558eb6b742e
  • <7e19e72f306484996c52ff96cc92f69b78ed5435
  • <1793249c067a4b28e1aba0ad0e4d73aa9f9e165a
  • <9597ab9a8296ab337e6820f8a717ff621078b632
  • =<*
  • <1ebbbef47d11cc90219c081492ccf995aaa3e9b3
  • <db0ae80865b515cc0b705c85877ec00f7eebe9fe
  • <4.2
  • =<6.1.*
  • =<5.10.*
  • <2369b1831161356e1bcb51385d3e532dc4fe2771
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
quota: Fix race of dquot_scan_active() with quota deactivation

In the Linux kernel, the following vulnerability has been resolved: quota: Fix race of dquot_scan_active() with quota deactivation dquot_scan_active() can race with quota deactivation in quota_release_workfn() like: CPU0 (quota_release_workfn) CPU1 (dquot_scan_active) ============================== ============================== spin_lock(&dq_list_lock); list_replace_init( &releasing_dquots, &rls_head); /* dquot X on rls_head, dq_count == 0, DQ_ACTIVE_B still set */ spin_unlock(&dq_list_lock); synchronize_srcu(&dquot_srcu); spin_lock(&dq_list_lock); list_for_each_entry(dquot, &inuse_list, dq_inuse) { /* finds dquot X */ dquot_active(X) -> true atomic_inc(&X->dq_count); } spin_unlock(&dq_list_lock); spin_lock(&dq_list_lock); dquot = list_first_entry(&rls_head); WARN_ON_ONCE(atomic_read(&dquot->dq_count)); The problem is not only a cosmetic one as under memory pressure the caller of dquot_scan_active() can end up working on freed dquot. Fix the problem by making sure the dquot is removed from releasing list when we acquire a reference to it.

Affected products

Linux
  • =<6.18.*
  • <5.15.209
  • =<7.0.*
  • <e93ab401da4b2e2c1b8ef2424de2f238d51c8b2d
  • <5.10.258
  • <fdd424d7c35633ac577fd87d1b043d1b8a6cd350
  • =<6.1.*
  • <6.6
  • ==2a1ddddba6541143c8f73962f3021f1789114284
  • <4.20
  • <61e25f664dc2a08299e07d84c85776abc2350f75
  • <6678dde265708003c2b42551af4a2e3cb05decd5
  • ==bb7e3a019b52d829949d02b64ebab37838148fbf
  • <6.6
  • <6.1.175
  • <5.5
  • ==6.6
  • ==061a18239ced5eb086967a2b4451cb1cc5ce0702
  • <ac8a2e0d287ebf35e5d7e51e260b4e146648ba4a
  • <2bdc80f4619411e5bd4a3ef23f51e14021ed457c
  • =<5.15.*
  • <82cbdb4c1ebb5ea7d7bd45c18d3483b5bd32ebc1
  • <f9438cb8c8ec3adc84b2b450a3aab0123d074c3b
  • =<*
  • =<6.12.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
smb/client: fix possible infinite loop and oob read in symlink_data()

In the Linux kernel, the following vulnerability has been resolved: smb/client: fix possible infinite loop and oob read in symlink_data() On 32-bit architectures, the infinite loop is as follows: len = p->ErrorDataLength == 0xfffffff8 u8 *next = p->ErrorContextData + len next == p On 32-bit architectures, the out-of-bounds read is as follows: len = p->ErrorDataLength == 0xfffffff0 u8 *next = p->ErrorContextData + len next == (u8 *)p - 8

Affected products

Linux
  • <b41598bf54b3fe528994e573df6008f8f4d0a4f4
  • =<6.18.*
  • <6.1
  • <6.1
  • =<6.12.*
  • <1cfa2d59f669db28d6292d10ff87ca6837c781b0
  • =<7.0.*
  • <1b9331b16b0ed9414dcf7583d8134bdfeb117aae
  • <7d9a7f1f96cd617ee9e75bb22217c709038e26b8
  • =<*
  • ==6.1
  • =<6.6.*
  • <97a05b0ae9ea5ec052be2eef0f9cc7ce03501bbb
  • ==2d046892a493d9760c35fdaefc3017f27f91b621
  • =<6.1.*
  • <cd4b9b662f0fb9aa97ee6bf9034eca76fc6cab23