CVE-2024-50004

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35 [WHY & HOW]Mismatch in DCN35 DML2 cause bw validation failed to acquire unexpected DPP pipe to causegrey screen and system hang. Remove EnhancedPre...

CVE-2024-50020

In the Linux kernel, the following vulnerability has been resolved: ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count() This patch addresses an issue with improper reference count handling in theice_sriov_set_msix_vec_count() function. First, the function calls ice_get_vf_by_id...

CVE-2024-50253

In the Linux kernel, the following vulnerability has been resolved: bpf: Check the validity of nr_words in bpf_iter_bits_new() Check the validity of nr_words in bpf_iter_bits_new(). Without thischeck, when multiplication overflow occurs for nr_bits (e.g., whennr_words = 0x0400-0001, nr_bits becomes...

CVE-2024-50281

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation When sealing or unsealing a key blob we currently do not wait forthe AEAD cipher operation to finish and simply return after submittingthe request. If there is some ...

CVE-2024-50286

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create There is a race condition between ksmbd_smb2_session_create andksmbd_expire_session. This patch add missing sessions_table_lockwhile adding/deleting session from global se...

CVE-2024-53109

In the Linux kernel, the following vulnerability has been resolved: nommu: pass NULL argument to vma_iter_prealloc() When deleting a vma entry from a maple tree, it has to pass NULL tovma_iter_prealloc() in order to calculate internal state of the tree, butit passed a wrong argument. As a result, n...

CVE-2024-50005

In the Linux kernel, the following vulnerability has been resolved: mac802154: Fix potential RCU dereference issue in mac802154_scan_worker In the mac802154_scan_worker function, the scan_req->type field wasaccessed after the RCU read-side critical section was unlocked. Accordingto RCU usage rul...

CVE-2024-50268

In the Linux kernel, the following vulnerability has been resolved: usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd() The "*cmd" variable can be controlled by the user via debugfs. That means"new_cam" can be as high as 255 while the size of the uc->updated[] arrayis UC...

CVE-2024-53071

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Be stricter about IO mapping flags The current panthor_device_mmap_io() implementation has two issues: For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET,panthor_device_mmap_io() bails if VM_WRITE is set, but does not c...

CVE-2024-53107

In the Linux kernel, the following vulnerability has been resolved: fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args() The "arg->vec_len" variable is a u64 that comes from the user at the startof the function. The "arg->vec_len * sizeof(struct page_region))"multiplication c...

CVE-2024-49947

In the Linux kernel, the following vulnerability has been resolved: net: test for not too small csum_start in virtio_net_hdr_to_skb() syzbot was able to trigger this warning [1], after injecting amalicious packet through af_packet, setting skb->csum_start and thusthe transport header to an incor...

CVE-2024-50165

In the Linux kernel, the following vulnerability has been resolved: bpf: Preserve param->string when parsing mount options In bpf_parse_param(), keep the value of param->string intact so it canbe freed later. Otherwise, the kmalloc area pointed to by param->stringwill be leaked as shown be...

CVE-2024-50292

In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove In case of error when requesting ctrl_chan DMA channel, ctrl_chan is notnull. So the release of the dma channel leads to the following issue:[ 4.879000] st,stm32...

CVE-2024-53083

In the Linux kernel, the following vulnerability has been resolved: usb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier If the read of USB_PDPHY_RX_ACKNOWLEDGE_REG failed, then hdr_len andtxbuf_len are uninitialized. This commit stops to print uninitializedvalue and misleading/false data...

CVE-2024-53111

In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix address wraparound in move_page_tables() On 32-bit platforms, it is possible for the expression len + old_addr < old_end to be false-positive if len + old_addr wraps around.old_addr is the cursor in the old range ...

CVE-2024-50217

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids() Mounting btrfs from two images (which have the same one fsid and twodifferent dev_uuids) in certain executing order may trigger an UAF forvariable 'devic...

CVE-2024-50276

In the Linux kernel, the following vulnerability has been resolved: net: vertexcom: mse102x: Fix possible double free of TX skb The scope of the TX skb is wider than just mse102x_tx_frame_spi(),so in case the TX skb room needs to be expanded, we should free thethe temporary skb instead of the origi...

CVE-2024-49980

In the Linux kernel, the following vulnerability has been resolved: vrf: revert "vrf: Remove unnecessary RCU-bh critical section" This reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853. dev_queue_xmit_nit is expected to be called with BH disabled.__dev_queue_xmit has the following: /* Disable...

CVE-2024-50291

In the Linux kernel, the following vulnerability has been resolved: media: dvb-core: add missing buffer index check dvb_vb2_expbuf() didn't check if the given buffer index wasfor a valid buffer. Add this check.

CVE-2024-49976

In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Drop interface_lock in stop_kthread() stop_kthread() is the offline callback for "trace/osnoise:online", sincecommit 5bfbcd1ee57b ("tracing/timerlat: Add interface_lock around clearingof kthread in stop_kthread()"...

CVE-2024-49876

In the Linux kernel, the following vulnerability has been resolved: drm/xe: fix UAF around queue destruction We currently do stuff like queuing the final destruction step on arandom system wq, which will outlive the driver instance. With badtiming we can teardown the driver with one or more work wo...

CVE-2024-50161

In the Linux kernel, the following vulnerability has been resolved: bpf: Check the remaining info_cnt before repeating btf fields When trying to repeat the btf fields for array of nested struct, itdoesn't check the remaining info_cnt. The following splat will bereported when the value of ret * nele...

CVE-2024-50174

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix race when converting group handle to group object XArray provides it's own internal lock which protects the internal arraywhen entries are being simultaneously added and removed. However thereis still a race betwee...

CVE-2024-50011

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: soc-acpi-intel-rpl-match: add missing empty item There is no links_num in struct snd_soc_acpi_mach {}, and we test!link->num_adr as a condition to end the loop in hda_sdw_machine_select().So an empty item in struct ...

CVE-2024-50034

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC Eric report a panic on IPPROTO_SMC, and give the factsthat when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too. Bug: Unable to handle kernel NULL pointer derefe...

CVE-2024-50071

In the Linux kernel, the following vulnerability has been resolved: pinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func() 'new_map' is allocated using devm_* which takes care of freeing theallocated data on device removal, call to .dt_free_map = pinconf_generic_dt_free_map doubl...

CVE-2024-50129

In the Linux kernel, the following vulnerability has been resolved: net: pse-pd: Fix out of bound for loop Adjust the loop limit to prevent out-of-bounds access when iterating overPI structures. The loop should not reach the index pcdev->nr_lines sincewe allocate exactly pcdev->nr_lines numbe...

CVE-2024-49942

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Prevent null pointer access in xe_migrate_copy xe_migrate_copy designed to copy content of TTM resources. When sourceresource is null, it will trigger a NULL pointer dereference inxe_migrate_copy. To avoid this situation, u...

CVE-2024-50043

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix possible badness in FREE_STATEID When multiple FREE_STATEIDs are sent for the same delegation stateid,it can lead to a possible either use-after-free or counter refcountunderflow errors. In nfsd4_free_stateid() under the ...

CVE-2024-50114

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Unregister redistributor for failed vCPU creation Alex reports that syzkaller has managed to trigger a use-after-free whentearing down a VM: BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c...

CVE-2024-50190

In the Linux kernel, the following vulnerability has been resolved: ice: fix memleak in ice_init_tx_topology() Fix leak of the FW blob (DDP pkg). Make ice_cfg_tx_topo() const-correct, so ice_init_tx_topology() can avoidcopying whole FW blob. Copy just the topology section, and only whenneeded. Reus...

CVE-2024-50214

In the Linux kernel, the following vulnerability has been resolved: drm/connector: hdmi: Fix memory leak in drm_display_mode_from_cea_vic() modprobe drm_connector_test and then rmmod drm_connector_test,the following memory leak occurs. The mode allocated in drm_mode_duplicate() called bydrm_display...

CVE-2024-50227

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan() KASAN reported following issue: BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt]Read of size 4 at addr ffff88810111fc1c by t...

CVE-2024-50119

In the Linux kernel, the following vulnerability has been resolved: cifs: fix warning when destroy 'cifs_io_request_pool' There's a issue as follows:WARNING: CPU: 1 PID: 27826 at mm/slub.c:4698 free_large_kmalloc+0xac/0xe0RIP: 0010:free_large_kmalloc+0xac/0xe0Call Trace:<TASK>? __warn+0xea/0x...

CVE-2024-50213

In the Linux kernel, the following vulnerability has been resolved: drm/tests: hdmi: Fix memory leaks in drm_display_mode_from_cea_vic() modprobe drm_hdmi_state_helper_test and then rmmod it, the followingmemory leak occurs. The mode allocated in drm_mode_duplicate() called bydrm_display_mode_from_...

CVE-2024-50241

In the Linux kernel, the following vulnerability has been resolved: NFSD: Initialize struct nfsd4_copy earlier Ensure the refcount and async_copies fields are initialized early.cleanup_async_copy() will reference these fields if an error occursin nfsd4_copy(). If they are not correctly initialized,...

CVE-2024-50260

In the Linux kernel, the following vulnerability has been resolved: sock_map: fix a NULL pointer dereference in sock_map_link_update_prog() The following race condition could trigger a NULL pointer dereference: sock_map_link_detach(): sock_map_link_update_prog():mutex_lock(&sockmap_mutex);...sockma...

CVE-2024-50298

In the Linux kernel, the following vulnerability has been resolved: net: enetc: allocate vf_state during PF probes In the previous implementation, vf_state is allocated memory only when VFis enabled. However, net_device_ops::ndo_set_vf_mac() may be called beforeVF is enabled to configure the MAC ad...

CVE-2024-50037

In the Linux kernel, the following vulnerability has been resolved: drm/fbdev-dma: Only cleanup deferred I/O if necessary Commit 5a498d4d06d6 ("drm/fbdev-dma: Only install deferred I/O ifnecessary") initializes deferred I/O only if it is used.drm_fbdev_dma_fb_destroy() however calls fb_deferred_io_...

CVE-2024-50100

In the Linux kernel, the following vulnerability has been resolved: USB: gadget: dummy-hcd: Fix "task hung" problem The syzbot fuzzer has been encountering "task hung" problems eversince the dummy-hcd driver was changed to use hrtimers instead ofregular timers. It turns out that the problems are ca...

CVE-2024-50149

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Don't free job in TDR Freeing job in TDR is not safe as TDR can pass the run_job threadresulting in UAF. It is only safe for free job to naturally be called bythe scheduler. Rather free job in TDR, add to pending list. (che...

CVE-2024-50173

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix access to uninitialized variable in tick_ctx_cleanup() The group variable can't be used to retrieve ptdev in our second loop,because it points to the previously iterated list_head, not a validgroup. Get the ptdev o...

CVE-2024-49943

In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc_submit: add missing locking in wedged_fini Any non-wedged queue can have a zero refcount here and can be runningconcurrently with an async queue destroy, therefore dereferencing thequeue ptr to check wedge status after t...

CVE-2024-50092

In the Linux kernel, the following vulnerability has been resolved: net: netconsole: fix wrong warning A warning is triggered when there is insufficient space in the bufferfor userdata. However, this is not an issue since userdata will be sentin the next iteration. Current warning message: --------...

CVE-2024-50113

In the Linux kernel, the following vulnerability has been resolved: firewire: core: fix invalid port index for parent device In a commit 24b7f8e5cd65 ("firewire: core: use helper functions for selfID sequence"), the enumeration over self ID sequence was refactored withsome helper functions with KUn...

CVE-2024-50144

In the Linux kernel, the following vulnerability has been resolved: drm/xe: fix unbalanced rpm put() with fence_fini() Currently we can call fence_fini() twice if something goes wrong whensending the GuC CT for the tlb request, since we signal the fence andreturn an error, leading to the caller als...

CVE-2024-50284

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix the missing xa_store error check xa_store() can fail, it return xa_err(-EINVAL) if the entry cannotbe stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed,so check error for xa_store() to fix it.

CVE-2024-53080

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Lock XArray when getting entries for the VM Similar to commit cac075706f29 ("drm/panthor: Fix race when convertinggroup handle to group object") we need to use the XArray's internallocking when retrieving a vm pointer ...

CVE-2024-50094

In the Linux kernel, the following vulnerability has been resolved: sfc: Don't invoke xdp_do_flush() from netpoll. Yury reported a crash in the sfc driver originated fromnetpoll_send_udp(). The netconsole sends a message and then netpollinvokes the driver's NAPI function with a budget of zero. It i...

CVE-2024-50204

In the Linux kernel, the following vulnerability has been resolved: fs: don't try and remove empty rbtree node When copying a namespace we won't have added the new copy into thenamespace rbtree until after the copy succeeded. Calling free_mnt_ns()will try to remove the copy from the rbtree which is...