CVE-2023-53126

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix sas_hba.phy memory leak in mpi3mr_remove() Free mrioc->sas_hba.phy at .remove.

CVE-2023-53134

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Avoid order-5 memory allocation for TPA data The driver needs to keep track of all the possible concurrent TPA (GRO/LRO)completions on the aggregation ring. On P5 chips, the maximum numberof concurrent TPA is 256 and the a...

CVE-2024-26731

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready() syzbot reported the following NULL pointer dereference issue [1]: BUG: kernel NULL pointer dereference, address: 0000000000000000[...]RIP: 0010:0x0[...]Cal...

CVE-2024-26781

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix possible deadlock in subflow diag Syzbot and Eric reported a lockdep splat in the subflow diag: WARNING: possible circular locking dependency detected6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted syz-executor.2/...

CVE-2024-26849

In the Linux kernel, the following vulnerability has been resolved: netlink: add nla be16/32 types to minlen array BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]BUG: KMSAN: uninit-value in...

CVE-2024-26854

In the Linux kernel, the following vulnerability has been resolved: ice: fix uninitialized dplls mutex usage The pf->dplls.lock mutex is initialized too late, after its first use.Move it to the top of ice_dpll_init.Note that the "err_exit" error path destroys the mutex. And the mutex isthe last ...

CVE-2024-26910

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix performance regression in swap operation The patch "netfilter: ipset: fix race condition between swap/destroyand kernel side add/del/test", commit 28628fa9 fixes a race condition.But the synchronize_rcu() adde...

CVE-2024-35798

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race in read_extent_buffer_pages() There are reports from tree-checker that detects corrupted nodes,without any obvious pattern so possibly an overwrite in memory.After some debugging it turns out there's a race when rea...

CVE-2024-35832

In the Linux kernel, the following vulnerability has been resolved: bcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit bch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.It should be freed by kvfree not kfree.Or umount will triger: [ 406.829178 ] BUG: unable to handle page fau...

CVE-2024-36910

In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memory is shared. Caller...

CVE-2024-36914

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip on writeback when it's not applicable [WHY]dynamic memory safety error detector (KASAN) catches and generates errormessages "BUG: KASAN: slab-out-of-bounds" as writeback connector does notsupport certain featu...

CVE-2024-36949

In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: sync all devices to wait all processes being evicted If there are more than one device doing reset in parallel, the firstdevice will call kfd_suspend_all_processes() to evict all processeson all devices, this call takes...

CVE-2024-36963

In the Linux kernel, the following vulnerability has been resolved: tracefs: Reset permissions on remount if permissions are options There's an inconsistency with the way permissions are handled in tracefs.Because the permissions are generated when accessed, they default to theroot inode's permissi...

CVE-2024-37354

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix crash on racing fsync and size-extending write into prealloc We have been seeing crashes on duplicate keys inbtrfs_set_item_key_safe(): BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)-------...

CVE-2024-38590

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Modify the print level of CQE error Too much print may lead to a panic in kernel. Change ibdev_err() toibdev_err_ratelimited(), and change the printing level of cqe dumpto debug level.

CVE-2024-38603

In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() pci_alloc_irq_vectors() allocates an irq vector. When devm_add_action()fails, the irq vector is not freed, which leads to a memory leak. Replace the devm_add_action ...

CVE-2024-40900

In the Linux kernel, the following vulnerability has been resolved: cachefiles: remove requests from xarray during flushing requests Even with CACHEFILES_DEAD set, we can still read the requests, so in thefollowing concurrency the request may be used after it has been freed: mount | daemon_thread1 ...

CVE-2024-40934

In the Linux kernel, the following vulnerability has been resolved: HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Fix a memory leak on logi_dj_recv_send_report() error path.

CVE-2024-40970

In the Linux kernel, the following vulnerability has been resolved: Avoid hw_desc array overrun in dw-axi-dmac I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()handles the hw_desc ...

CVE-2024-40979

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix kernel crash during resume Currently during resume, QMI target memory is not properly handled, resultingin kernel crash in case DMA remap is not supported: BUG: Bad page state in process kworker/u16:54 pfn:36e80pa...

CVE-2024-41019

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Validate ff offset This adds sanity checks for ff offset. There is a checkon rt->first_free at first, but walking through by ffwithout any check. If the second ff is a large offset.We may encounter an out-of-bound read...

CVE-2024-41047

In the Linux kernel, the following vulnerability has been resolved: i40e: Fix XDP program unloading while removing the driver The commit 6533e558c650 ("i40e: Fix reset path while removingthe driver") introduced a new PF state "__I40E_IN_REMOVE" to blockmodifying the XDP program while the driver is ...

CVE-2024-41067

In the Linux kernel, the following vulnerability has been resolved: btrfs: scrub: handle RST lookup error correctly [BUG]When running btrfs/060 with forced RST feature, it would crash thefollowing ASSERT() inside scrub_read_endio(): ASSERT(sector_nr nr_sectors); Before that, we would have tree dump...

CVE-2024-41074

In the Linux kernel, the following vulnerability has been resolved: cachefiles: Set object to close if ondemand_id < 0 in copen If copen is maliciously called in the user mode, it may delete the requestcorresponding to the random id. And the request may have not been read yet. Note that when the...

CVE-2024-41087

In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jumpto the err_out label, which will call devres_release_group().devres_release_group() will trigger a call to ata_host...

CVE-2024-42274

In the Linux kernel, the following vulnerability has been resolved: Revert "ALSA: firewire-lib: operate for period elapse event in process context" Commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse eventin process context") removed the process context workqueue fromamdtp_domain_st...

CVE-2024-42314

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix extent map use-after-free when adding pages to compressed bio At add_ra_bio_pages() we are accessing the extent map to calculate'add_size' after we dropped our reference on the extent map, resultingin a use-after-free. F...

CVE-2024-43843

In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Fix out-of-bounds issue when preparing trampoline image We get the size of the trampoline image during the dry run phase andallocate memory based on that size. The allocated image will then bepopulated with instructions...

CVE-2024-43868

In the Linux kernel, the following vulnerability has been resolved: riscv/purgatory: align riscv_kernel_entry When alignment handling is delegated to the kernel, everything must beword-aligned in purgatory, since the trap handler is then set to thekexec one. Without the alignment, hitting the excep...

CVE-2024-43880

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_erp: Fix object nesting warning ACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former cancontain more ACLs (i.e., tc filters), but the...

CVE-2024-44949

In the Linux kernel, the following vulnerability has been resolved: parisc: fix a possible DMA corruption ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may bepossible that two unrelated 16-byte allocations share a cache line. Ifone of these allocations is written using DMA and the ot...

CVE-2024-46678

In the Linux kernel, the following vulnerability has been resolved: bonding: change ipsec_lock from spin lock to mutex In the cited commit, bond->ipsec_lock is added to protect ipsec_list,hence xdo_dev_state_add and xdo_dev_state_delete are called insidethis lock. As ipsec_lock is a spin lock an...

CVE-2024-46710

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Prevent unmapping active read buffers The kms paths keep a persistent map active to read and compare the cursorbuffer. These maps can race with each other in simple scenario where:a) buffer "a" mapped for updateb) buffe...

CVE-2024-46716

In the Linux kernel, the following vulnerability has been resolved: dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor Remove list_del call in msgdma_chan_desc_cleanup, this should be the roleof msgdma_free_descriptor. In consequence replace list_add_tail withlist_move_tai...

CVE-2024-46782

In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable,then call nf_unregister_net_hooks(). It should be done in the reverse wa...

CVE-2024-46798

In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, CONFIG_KASAN=y CONFIG_KASAN_GENERIC=y CONFIG_KASAN_INLINE=y CONFIG_KASAN_VMALLOC=y CONFIG_FRAME_WARN=4096 kernel detects that snd...

CVE-2024-46802

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: added NULL check at start of dc_validate_stream [Why]prevent invalid memory access [How]check if dc and stream are NULL

CVE-2024-46843

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause akernel panic if ufshcd_async_scan fails during ufshcd_probe_hba beforeadding a SCSI host with scsi_add_host and...

CVE-2024-47720

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func This commit adds a null check for the set_output_gamma function pointerin the dcn30_set_output_transfer_func function. Previously,set_output_gam...

CVE-2024-47736

In the Linux kernel, the following vulnerability has been resolved: erofs: handle overlapped pclusters out of crafted images properly syzbot reported a task hang issue due to a deadlock case where it iswaiting for the folio lock of a cached folio that will be used forcache I/Os. After looking into ...

CVE-2024-49855

In the Linux kernel, the following vulnerability has been resolved: nbd: fix race between timeout and normal completion If request timetout is handled by nbd_requeue_cmd(), normal completionhas to be stopped for avoiding to complete this requeued request, otheruse-after-free can be triggered. Fix t...

CVE-2024-49866

In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Fix a race during cpuhp processing There is another found exception that the "timerlat/1" thread wasscheduled on CPU0, and lead to timer corruption finally: ODEBUG: init active (active state 0) object: ffff888237c...

CVE-2024-49893

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check stream_status before it is used [WHAT & HOW]dc_state_get_stream_status can return null, and therefore null must bechecked before stream_status is used. This fixes 1 NULL_RETURNS issue reported by Coverity.

CVE-2024-49961

In the Linux kernel, the following vulnerability has been resolved: media: i2c: ar0521: Use cansleep version of gpiod_set_value() If we use GPIO reset from I2C port expander, we must use *_cansleep()variant of GPIO functions.This was not done in ar0521_power_on()/ar0521_power_off() functions.Let's ...

CVE-2024-50098

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down There is a history of deadlock if reboot is performed at the beginningof booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFSshutdown, and at that time the audio dri...

CVE-2024-50105

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: sc7280: Fix missing Soundwire runtime stream alloc Commit 15c7fab0e047 ("ASoC: qcom: Move Soundwire runtime stream alloc tosoundcards") moved the allocation of Soundwire stream runtime from theQualcomm Soundwire driver ...

CVE-2024-50140

In the Linux kernel, the following vulnerability has been resolved: sched/core: Disable page allocation in task_tick_mm_cid() With KASAN and PREEMPT_RT enabled, calling task_work_add() intask_tick_mm_cid() may cause the following splat. [ 63.696416] BUG: sleeping function called from invalid contex...

CVE-2024-50170

In the Linux kernel, the following vulnerability has been resolved: net: bcmasp: fix potential memory leak in bcmasp_xmit() The bcmasp_xmit() returns NETDEV_TX_OK without freeing skbin case of mapping fails, add dev_kfree_skb() to fix it.

CVE-2024-50172

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix a possible memory leak In bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() failsdriver is not freeing the memory allocated for "rdev->chip_ctx".

CVE-2024-53045

In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: fix bounds checker error in dapm_widget_list_create The widgets array in the snd_soc_dapm_widget_list has a __counted_byattribute attached to it, which points to the num_widgets variable. Thisattribute is used in bounds...