CVE-2024-42280

In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).

CVE-2024-42292

In the Linux kernel, the following vulnerability has been resolved: kobject_uevent: Fix OOB access within zap_modalias_env() zap_modalias_env() wrongly calculates size of memory block to move, sowill cause OOB memory access issue if variable MODALIAS is not the lastone within its @env parameter, fi...

CVE-2024-43820

In the Linux kernel, the following vulnerability has been resolved: dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume rm-raid devices will occasionally trigger the following warning whenbeing resumed after a table load because DM_RECOVERY_RUNNING is set: WARNING: CPU: 7 PID: 5660 at dr...

CVE-2024-45010

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only mark 'subflow' endp as available Adding the following warning ... WARN_ON_ONCE(msk->pm.local_addr_used == 0) ... before decrementing the local_addr_used counter helped to find a bugwhen running the "remove single...

CVE-2024-45022

In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 The __vmap_pages_range_noflush() assumes its argument pages** containspages with the same page shift. However, since commit e9c3cda4d86e ("mm...

CVE-2024-45026

In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix error recovery leading to data corruption on ESE devices Extent Space Efficient (ESE) or thin provisioned volumes need to beformatted on demand during usual IO processing. The dasd_ese_needs_format function checks fo...

CVE-2024-46692

In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: scm: Mark get_wq_ctx() as atomic call Currently get_wq_ctx() is wrongly configured as a standard call. When twoSMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() toresume the corresponding sleeping t...

CVE-2024-46771

In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and callsconnect() with ifindex == 0. Calling connect() for a BCM s...

CVE-2024-47671

In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: prevent kernel-usb-infoleak The syzbot reported a kernel-usb-infoleak in usbtmc_write,we need to clear the structure before filling fields.

CVE-2024-47673

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: pause TCM when the firmware is stopped Not doing so will make us send a host command to the transport while thefirmware is not alive, which will trigger a WARNING. bad state = 0WARNING: CPU: 2 PID: 17434 at driv...

CVE-2024-47699

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() Patch series "nilfs2: fix potential issues with empty b-tree nodes". This series addresses three potential issues with empty b-tree nodes thatcan occur with corrupted fil...

CVE-2024-47740

In the Linux kernel, the following vulnerability has been resolved: f2fs: Require FMODE_WRITE for atomic write ioctls The F2FS ioctls for starting and committing atomic writes check forinode_owner_or_capable(), but this does not give LSMs like SELinux orLandlock an opportunity to deny the write acc...

CVE-2024-49900

In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uninit-value access of new_ea in ea_buffer syzbot reports that lzo1x_1_do_compress is using uninit-value: =====================================================BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 l...

CVE-2024-49952

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: prevent nf_skb_duplicated corruption syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could writeper-cpu variable nf_skb_duplicated in an unsafe way [1]. Disabling preemption as hinted by the splat is not enou...

CVE-2024-50027

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Free tzp copy along with the thermal zone The object pointed to by tz->tzp may still be accessed after beingfreed in thermal_zone_device_unregister(), so move the freeing of itto the point after the removal comple...

CVE-2024-50040

In the Linux kernel, the following vulnerability has been resolved: igb: Do not bring the device up after non-fatal error Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")changed igb_io_error_detected() to ignore non-fatal pcie errors in orderto avoid hung task that can happen when...

CVE-2024-50041

In the Linux kernel, the following vulnerability has been resolved: i40e: Fix macvlan leak by synchronizing access to mac_filter_hash This patch addresses a macvlan leak issue in the i40e driver caused byconcurrent access to vsi->mac_filter_hash. The leak occurs when multiplethreads attempt to m...

CVE-2024-50095

In the Linux kernel, the following vulnerability has been resolved: RDMA/mad: Improve handling of timed out WRs of mad agent Current timeout handler of mad agent acquires/releases mad_agent_privlock for every timed out WRs. This causes heavy locking contentionwhen higher no. of WRs are to be handle...

CVE-2024-50184

In the Linux kernel, the following vulnerability has been resolved: virtio_pmem: Check device status before requesting flush If a pmem device is in a bad status, the driver side could wait forhost ack forever in virtio_pmem_flush(), causing the system to hang. So add a status check in the beginning...

CVE-2024-50196

In the Linux kernel, the following vulnerability has been resolved: pinctrl: ocelot: fix system hang on level based interrupts The current implementation only calls chained_irq_enter() andchained_irq_exit() if it detects pending interrupts. for (i = 0; i stride; i++) { uregmap_read(info->map, id...

CVE-2024-53044

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext() This command: $ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsactError: block dev insert failed: -EBUSY. fails because user space requests the same...

CVE-2024-53047

In the Linux kernel, the following vulnerability has been resolved: mptcp: init: protect sched with rcu_read_lock Enabling CONFIG_PROVE_RCU_LIST with its dependence CONFIG_RCU_EXPERTcreates this splat when an MPTCP socket is created: =============================WARNING: suspicious RCU usage6.12.0-...

CVE-2024-53179

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free of signing key Customers have reported use-after-free in @ses->auth_key.response withSMB2.1 + sign mounts which occurs due to following race: task A task Bcifs_mount()dfs_mount_share()get_session(...

CVE-2024-56543

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Skip Rx TID cleanup for self peer During peer create, dp setup for the peer is done where Rx TID isupdated for all the TIDs. Peer object for self peer will not go throughdp setup. When core halts, dp cleanup is done f...

CVE-2024-56573

In the Linux kernel, the following vulnerability has been resolved: efi/libstub: Free correct pointer on failure cmdline_ptr is an out parameter, which is not allocated by the functionitself, and likely points into the caller's stack. cmdline refers to the pool allocation that should be freed when ...

CVE-2024-56629

In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix when get product name maybe null pointer Due to incorrect dev->product reporting by certain devices, nullpointer dereferences occur when dev->product is empty, leading topotential system crashes. This issue wa...

CVE-2024-56659

In the Linux kernel, the following vulnerability has been resolved: net: lapb: increase LAPB_HEADER_LEN It is unclear if net/lapb code is supposed to be ready for 8021q. We can at least avoid crashes like the following : skbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824...

CVE-2024-56677

In the Linux kernel, the following vulnerability has been resolved: powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() During early init CMA_MIN_ALIGNMENT_BYTES can be PAGE_SIZE,since pageblock_order is still zero and it gets initializedlater during initmem_init() e.g.setup_a...

CVE-2024-56678

In the Linux kernel, the following vulnerability has been resolved: powerpc/mm/fault: Fix kfence page fault reporting copy_from_kernel_nofault() can be called when doing read of /proc/kcore./proc/kcore can have some unmapped kfence objects which when read viacopy_from_kernel_nofault() can cause pag...

CVE-2024-56746

In the Linux kernel, the following vulnerability has been resolved: fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() When information such as info->screen_base is not ready, callingsh7760fb_free_mem() does not release memory correctly. Calldma_free_coherent() instead.

CVE-2020-36788

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: avoid a use-after-free when BO init fails nouveau_bo_init() is backed by ttm_bo_init() and ferries its return codeback to the caller. On failures, ttm_bo_init() invokes the provideddestructor which should de-initialize...

CVE-2021-47090

In the Linux kernel, the following vulnerability has been resolved: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() Hulk Robot reported a panic in put_page_testzero() when testingmadvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retryingget_any_page(). This is becau...

CVE-2021-47138

In the Linux kernel, the following vulnerability has been resolved: cxgb4: avoid accessing registers when clearing filters Hardware register having the server TID base can containinvalid values when adapter is in bad state (for example,due to AER fatal error). Reading these invalid values in thereg...

CVE-2021-47267

In the Linux kernel, the following vulnerability has been resolved: usb: fix various gadget panics on 10gbps cabling usb_assign_descriptors() is called with 5 parameters,the last 4 of which are the usb_descriptor_header for:full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),high-spe...

CVE-2021-47566

In the Linux kernel, the following vulnerability has been resolved: proc/vmcore: fix clearing user buffer by properly using clear_user() To clear a user buffer we cannot simply use memset, we have to useclear_user(). With a virtio-mem device that registers a vmcore_cb andhas some logically unplugge...

CVE-2022-48656

In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get() We should call of_node_put() for the reference returned byof_parse_phandle() in fail path or when it is not used anymore.Here we only need to move the of_n...

CVE-2022-48662

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Really move i915_gem_context.link under ref protection i915_perf assumes that it can use the i915_gem_context reference toprotect its i915->gem.contexts.list iteration. However, this requiresthat we do not remove t...

CVE-2022-48771

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix stale file descriptors on failed usercopy A failing usercopy of the fence_rep object will lead to a stale entry inthe file descriptor table as put_unused_fd() won't release it. Thisenables userland to refer to a dan...

CVE-2022-48789

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix possible use-after-free in transport error_recovery work While nvme_tcp_submit_async_event_work is checking the ctrl and queuestate before preparing the AER command and scheduling io_work, in orderto fully prevent a r...

CVE-2022-48918

In the Linux kernel, the following vulnerability has been resolved: iwlwifi: mvm: check debugfs_dir ptr before use When "debugfs=off" is used on the kernel command line, iwiwifi'smvm module uses an invalid/unchecked debugfs_dir pointer and causesa BUG: BUG: kernel NULL pointer dereference, address:...

CVE-2022-49014

In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix use-after-free in tun_detach() syzbot reported use-after-free in tun_detach() [1]. This causes calltrace like below: ==================================================================BUG: KASAN: use-after-free in noti...

CVE-2023-52515

In the Linux kernel, the following vulnerability has been resolved: RDMA/srp: Do not call scsi_done() from srp_abort() After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handlercallback, it performs one of the following actions: Call scsi_queue_insert(). Call scsi_finish_command(). Call...

CVE-2023-52627

In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7091r: Allow users to configure device events AD7091R-5 devices are supported by the ad7091r-5 driver together withthe ad7091r-base driver. Those drivers declared iio events for notifyinguser space when ADC readings fal...

CVE-2023-52773

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer() When ddc_service_construct() is called, it explicitly checks both thelink type and whether there is something on the link which willdictate whether the pin is ...

CVE-2024-22705

An issue was discovered in ksmbd in the Linux kernel before 6.6.10. smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.

CVE-2024-26684

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Commit 56e58d6c8a56 ("net: stmmac: Implement Safety Features inXGMAC core") checks and reports safety errors, but leaves theData Path Parity Errors for each chan...

CVE-2024-26749

In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() ...cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);list_del_init(&priv_req->list);... 'priv_req' actually free at cdns3_gadget_ep_fr...

CVE-2024-26845

In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Add TMF to tmr_list handling An abort that is responded to by iSCSI itself is added to tmr_list but doesnot go to target core. A LUN_RESET that goes through tmr_list takes arefcounter on the abort and waits for ...

CVE-2024-26871

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix NULL pointer dereference in f2fs_submit_page_write() BUG: kernel NULL pointer dereference, address: 0000000000000014RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs]Call Trace:? show_regs+0x6e/0x80? __die+0x29/0x70? pag...

CVE-2024-35829

In the Linux kernel, the following vulnerability has been resolved: drm/lima: fix a memleak in lima_heap_alloc When lima_vm_map_bo fails, the resources need to be deallocated, orthere will be memleaks.