CVE-2024-43861

In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: fix memory leak for not ip packets Free the unused skb when not ip packets arrive.

CVE-2024-46737

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds()the kernel crashes in nvmet_tcp_release_queue_work() because ofa NULL pointer dereference. nvmet: failed to install ...

CVE-2024-44999

In the Linux kernel, the following vulnerability has been resolved: gtp: pull network headers in gtp_dev_xmit() syzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1] We must make sure the IPv4 or Ipv6 header is pulled in skb->headbefore accessing fields in them. Use pskb_inet_may_pull(...

CVE-2024-46691

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Move unregister out of atomic section Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-locknon-sleeping")' moved the pmic_glink client list under a spinlock, as itis accessed by the rpmsg/glink callback, ...

CVE-2024-44950

In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: fix invalid FIFO access with special register set When enabling access to the special register set, Receiver time-out andRHR interrupts can happen. In this case, the IRQ handler will try to readfrom the FIFO thru...

CVE-2024-45003

In the Linux kernel, the following vulnerability has been resolved: vfs: Don't evict inode under the inode lru traversing context The inode reclaiming process(See function prune_icache_sb) collects allreclaimable inodes and mark them with I_FREEING flag at first, at thattime, other processes will b...

CVE-2024-46707

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Make ICC_SGI _EL1 undef in the absence of a vGICv3 On a system with a GICv3, if a guest hasn't been configured withGICv3 and that the host is not capable of GICv2 emulation,a write to any of the ICC_SGI _EL1 registers i...

CVE-2024-46780

In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtimefor modifications/repairs, but they are also regularly swapped, replacedduring resizing, an...

CVE-2024-42262

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Fix potential memory leak in the performance extension If fetching of userspace memory fails during the main loop, all drm syncobjs looked up until that point will be leaked because of the missingdrm_syncobj_put. Fix it by...

CVE-2024-45021

In the Linux kernel, the following vulnerability has been resolved: memcg_write_event_control(): fix a user-triggerable oops we are not guaranteed that anything past the terminating NULis mapped (let alone initialized with anything sane).

CVE-2024-46681

In the Linux kernel, the following vulnerability has been resolved: pktgen: use cpus_read_lock() in pg_net_init() I have seen the WARN_ON(smp_processor_id() != cpu) firingin pktgen_thread_worker() during tests. We must use cpus_read_lock()/cpus_read_unlock()around the for_each_online_cpu(cpu) loop....

CVE-2024-46746

In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() hasbeen called. Hence, hid driver_data should be freed only after thehid_destroy_device() function retu...

CVE-2024-44974

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: avoid possible UaF when selecting endp select_local_address() and select_signal_address() both select anendpoint entry from the list inside an RCU protected section, but returna reference to it, to be read later on. If t...

CVE-2024-46702

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Mark XDomain as unplugged when router is removed I noticed that when we do discrete host router NVM upgrade and it getshot-removed from the PCIe side as a result of NVM firmware authentication,if there is another host ...

CVE-2024-43895

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip Recompute DSC Params if no Stream on Link [why]Encounter NULL pointer dereference uner mst + dsc setup. BUG: kernel NULL pointer dereference, address: 0000000000000008PGD 0 P4D 0Oops: 0000 [#1] PREEMPT SMP NOP...

CVE-2024-46678

In the Linux kernel, the following vulnerability has been resolved: bonding: change ipsec_lock from spin lock to mutex In the cited commit, bond->ipsec_lock is added to protect ipsec_list,hence xdo_dev_state_add and xdo_dev_state_delete are called insidethis lock. As ipsec_lock is a spin lock an...

CVE-2024-44961

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Forward soft recovery errors to userspace As we discussed before[1], soft recovery should beforwarded to userspace, or we can get into a reallybad state where apps will keep submitting hangingcommand buffers cascading u...

CVE-2024-44986

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in ip6_finish_output2() If skb_expand_head() returns NULL, skb has been freedand associated dst/idev could also have been freed. We need to hold rcu_read_lock() to make sure the dst andassociated idev are ali...

CVE-2024-47663

In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. In such casead9834_calc_freqreg() call will lead to division by zero. Checking'if (fout > (clk_freq / 2...

CVE-2024-44998

In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference "skb" after calling vcc->push() because the skbis released.

CVE-2024-46782

In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable,then call nf_unregister_net_hooks(). It should be done in the reverse wa...

CVE-2024-46832

In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU...

CVE-2024-46680

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix random crash seen while removing driver This fixes the random kernel crash seen while removing the driver, whenrunning the load/unload test over multiple iterations. modprobe btnxpuart hciconfig hci0 reset...

CVE-2024-45015

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() For cases where the crtc's connectors_changed was set without enable/activegetting toggled , there is an atomic_enable() call followed by anatomic_disable() bu...

CVE-2024-45028

In the Linux kernel, the following vulnerability has been resolved: mmc: mmc_test: Fix NULL dereference on allocation failure If the "test->highmem = alloc_pages()" allocation fails then calling__free_pages(test->highmem) will result in a NULL dereference. Alsochange the error code to -ENOMEM...

CVE-2024-46830

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forciblyleave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMXreads guest memory...

CVE-2024-47669

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 ("nilfs2: separate wait function fromnilfs_segctor_write") was applied, the log writing functionnilfs_segctor_do_construct() was able to i...

CVE-2024-44985

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UAF in ip6_xmit() If skb_expand_head() returns NULL, skb has been freedand the associated dst/idev could also have been freed. We must use rcu_read_lock() to prevent a possible UAF.

CVE-2024-46738

In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table invmci_resource_remove(), the search is performed using the resourcehandle by comparing context and resourc...

CVE-2024-43894

In the Linux kernel, the following vulnerability has been resolved: drm/client: fix null pointer dereference in drm_client_modeset_probe In drm_client_modeset_probe(), the return value of drm_mode_duplicate() isassigned to modeset->mode, which will lead to a possible NULL pointerdereference on f...

CVE-2024-44977

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Validate TA binary size Add TA binary size validation to avoid OOB write. (cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442)

CVE-2024-46739

In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. Thispointer is valid only for the secondary channels. Also, rescind callbackis meant for pri...

CVE-2024-43897

In the Linux kernel, the following vulnerability has been resolved: net: drop bad gso csum_start and offset in virtio_net_hdr Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets. The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is i...

CVE-2024-44988

In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Fix out-of-bound access If an ATU violation was caused by a CPU Load operation, the SPID couldbe larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array).

CVE-2024-44996

In the Linux kernel, the following vulnerability has been resolved: vsock: fix recursive ->recvmsg calls After a vsock socket has been added to a BPF sockmap, its prot->recvmsghas been replaced with vsock_bpf_recvmsg(). Thus the followingrecursiion could happen: vsock_bpf_recvmsg()-> __vso...

CVE-2024-45011

In the Linux kernel, the following vulnerability has been resolved: char: xillybus: Check USB endpoints when probing device Ensure, as the driver probes the device, that all endpoints that thedriver may attempt to access exist and are of the correct type. All XillyUSB devices must have a Bulk IN an...

CVE-2024-46674

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: st: fix probed platform device ref count on probe error path The probe function never performs any paltform device allocation, thuserror path "undo_platform_dev_alloc" is entirely bogus. It drops thereference count from ...

CVE-2024-46798

In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, CONFIG_KASAN=y CONFIG_KASAN_GENERIC=y CONFIG_KASAN_INLINE=y CONFIG_KASAN_VMALLOC=y CONFIG_FRAME_WARN=4096 kernel detects that snd...

CVE-2024-46829

In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In thegood case it returns with the lock held and in the deadlock case it emits awarning and goes into an endle...

CVE-2024-46689

In the Linux kernel, the following vulnerability has been resolved: soc: qcom: cmd-db: Map shared memory as WC, not WB Linux does not write into cmd-db region. This region of memory is writeprotected by XPU. XPU may sometime falsely detect clean cache evictionas "write" into the write protected reg...

CVE-2024-46847

In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 ("mm: fix incorrect vbq reference inpurge_fragmented_block") extended the 'vmap_block' structure to contain a'cpu' field which is set at alloc...

CVE-2024-44949

In the Linux kernel, the following vulnerability has been resolved: parisc: fix a possible DMA corruption ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may bepossible that two unrelated 16-byte allocations share a cache line. Ifone of these allocations is written using DMA and the ot...

CVE-2024-44983

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: validate vlan header Ensure there is sufficient room to access the protocol field of theVLAN header, validate it once before the flowtable lookup. =====================================================BUG: KMSA...

CVE-2024-45019

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Take state lock during tx timeout reporter mlx5e_safe_reopen_channels() requires the state lock taken. Thereferenced changed in the Fixes tag removed the lock to fix anotherissue. This patch adds it back but at a later p...

CVE-2024-46676

In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Add poll mod list filling check In case of im_protocols value is 1 and tm_protocols value is 0 thiscombination successfully passes the check'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().But then after pn...

CVE-2024-46796

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_set_path_size() If smb2_compound_op() is called with a valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was alread...

CVE-2024-46851

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct() dc_state_destruct() nulls the resource context of the DC state. The pipecontext passed to dcn10_set_drr() is a member of this resource context. If dc_state...

CVE-2024-47664

In the Linux kernel, the following vulnerability has been resolved: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware If the value of max_speed_hz is 0, it may cause a division by zeroerror in hisi_calc_effective_speed().The value of max_speed_hz is provided by firm...

CVE-2024-46823

In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the'overflow_allocation_test' function scope. However, it is being used asa driver name when calling 'kunit_driver_create' from'kunit_d...

CVE-2024-46845

In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise andtimer latency. If the program using this is killed via a SIGTERM, thethreads are shutdown one at a time a...