Vulnerability-Lookup

Vendor	Product	Description
Ubuntu	Ubuntu	Ubuntu 16.04 ESM
Ubuntu	Ubuntu	Ubuntu 24.04 LTS
Ubuntu	Ubuntu	Ubuntu 18.04 ESM
Ubuntu	Ubuntu	Ubuntu 20.04 LTS
Ubuntu	Ubuntu	Ubuntu 24.10
Ubuntu	Ubuntu	Ubuntu 14.04 ESM
Ubuntu	Ubuntu	Ubuntu 22.04 LTS

CVE-2024-57908 (GCVE-0-2024-57908)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-11-03 20:55

Title

iio: imu: kmx61: fix information leak in triggered buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: imu: kmx61: fix information leak in triggered buffer The 'buffer' local array is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the array to zero before using it to avoid pushing uninitialized information to userspace.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0871eb8d700b33dd7…
	https://git.kernel.org/stable/c/a386d9d2dc6635f2e…
	https://git.kernel.org/stable/c/a07f698084412a3ef…
	https://git.kernel.org/stable/c/6985ba4467e4b15b8…
	https://git.kernel.org/stable/c/cde312e257b59ecaa…
	https://git.kernel.org/stable/c/565814cbbaa674d29…
	https://git.kernel.org/stable/c/6ae053113f6a226a2…

Impacted products

Vendor

Product

Version

Linux

Affected: c3a23ecc0901f624b681bbfbc4829766c5aa3070 , < 0871eb8d700b33dd7fa86c80630d62ddaef58c2c (git)
Affected: c3a23ecc0901f624b681bbfbc4829766c5aa3070 , < a386d9d2dc6635f2ec210b8199cfb3acf4d31305 (git)
Affected: c3a23ecc0901f624b681bbfbc4829766c5aa3070 , < a07f698084412a3ef5e950fcac1d6b0f53289efd (git)
Affected: c3a23ecc0901f624b681bbfbc4829766c5aa3070 , < 6985ba4467e4b15b809043fa7740d1fb23a1897b (git)
Affected: c3a23ecc0901f624b681bbfbc4829766c5aa3070 , < cde312e257b59ecaa0fad3af9ec7e2370bb24639 (git)
Affected: c3a23ecc0901f624b681bbfbc4829766c5aa3070 , < 565814cbbaa674d2901428796801de49a611e59d (git)
Affected: c3a23ecc0901f624b681bbfbc4829766c5aa3070 , < 6ae053113f6a226a2303caa4936a4c37f3bfff7b (git)

Linux

Affected: 4.0
Unaffected: 0 , < 4.0 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57908",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:53:36.338739Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:16.393Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:36.947Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/imu/kmx61.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0871eb8d700b33dd7fa86c80630d62ddaef58c2c",
              "status": "affected",
              "version": "c3a23ecc0901f624b681bbfbc4829766c5aa3070",
              "versionType": "git"
            },
            {
              "lessThan": "a386d9d2dc6635f2ec210b8199cfb3acf4d31305",
              "status": "affected",
              "version": "c3a23ecc0901f624b681bbfbc4829766c5aa3070",
              "versionType": "git"
            },
            {
              "lessThan": "a07f698084412a3ef5e950fcac1d6b0f53289efd",
              "status": "affected",
              "version": "c3a23ecc0901f624b681bbfbc4829766c5aa3070",
              "versionType": "git"
            },
            {
              "lessThan": "6985ba4467e4b15b809043fa7740d1fb23a1897b",
              "status": "affected",
              "version": "c3a23ecc0901f624b681bbfbc4829766c5aa3070",
              "versionType": "git"
            },
            {
              "lessThan": "cde312e257b59ecaa0fad3af9ec7e2370bb24639",
              "status": "affected",
              "version": "c3a23ecc0901f624b681bbfbc4829766c5aa3070",
              "versionType": "git"
            },
            {
              "lessThan": "565814cbbaa674d2901428796801de49a611e59d",
              "status": "affected",
              "version": "c3a23ecc0901f624b681bbfbc4829766c5aa3070",
              "versionType": "git"
            },
            {
              "lessThan": "6ae053113f6a226a2303caa4936a4c37f3bfff7b",
              "status": "affected",
              "version": "c3a23ecc0901f624b681bbfbc4829766c5aa3070",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/imu/kmx61.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: kmx61: fix information leak in triggered buffer\n\nThe \u0027buffer\u0027 local array is used to push data to user space from a\ntriggered buffer, but it does not set values for inactive channels, as\nit only uses iio_for_each_active_channel() to assign new values.\n\nInitialize the array to zero before using it to avoid pushing\nuninitialized information to userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:24.304Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0871eb8d700b33dd7fa86c80630d62ddaef58c2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a386d9d2dc6635f2ec210b8199cfb3acf4d31305"
        },
        {
          "url": "https://git.kernel.org/stable/c/a07f698084412a3ef5e950fcac1d6b0f53289efd"
        },
        {
          "url": "https://git.kernel.org/stable/c/6985ba4467e4b15b809043fa7740d1fb23a1897b"
        },
        {
          "url": "https://git.kernel.org/stable/c/cde312e257b59ecaa0fad3af9ec7e2370bb24639"
        },
        {
          "url": "https://git.kernel.org/stable/c/565814cbbaa674d2901428796801de49a611e59d"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ae053113f6a226a2303caa4936a4c37f3bfff7b"
        }
      ],
      "title": "iio: imu: kmx61: fix information leak in triggered buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57908",
    "datePublished": "2025-01-19T11:52:31.714Z",
    "dateReserved": "2025-01-19T11:50:08.373Z",
    "dateUpdated": "2025-11-03T20:55:36.947Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56626 (GCVE-0-2024-56626)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-11-03 20:51

Title

ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write An offset from client could be a negative value, It could allows to write data outside the bounds of the allocated buffer. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1aea5c9470be2c712…
	https://git.kernel.org/stable/c/8cd7490fc0f268883…
	https://git.kernel.org/stable/c/164d3597d26d9acff…
	https://git.kernel.org/stable/c/c5797f195c67132d0…
	https://git.kernel.org/stable/c/313dab082289e4603…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 1aea5c9470be2c7129704fb1b9562b1e3e0576f8 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 8cd7490fc0f268883e86e840cda5311257af69ca (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 164d3597d26d9acff5d5b8bc3208bdcca942dd6a (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < c5797f195c67132d061d29c57a7c6d30530686f0 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 313dab082289e460391c82d855430ec8a28ddf81 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56626",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:00:52.752066Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:12.560Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:15.360Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1aea5c9470be2c7129704fb1b9562b1e3e0576f8",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "8cd7490fc0f268883e86e840cda5311257af69ca",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "164d3597d26d9acff5d5b8bc3208bdcca942dd6a",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "c5797f195c67132d061d29c57a7c6d30530686f0",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "313dab082289e460391c82d855430ec8a28ddf81",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write\n\nAn offset from client could be a negative value, It could allows\nto write data outside the bounds of the allocated buffer.\nNote that this issue is coming when setting\n\u0027vfs objects = streams_xattr parameter\u0027 in ksmbd.conf."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:16.260Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1aea5c9470be2c7129704fb1b9562b1e3e0576f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/8cd7490fc0f268883e86e840cda5311257af69ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/164d3597d26d9acff5d5b8bc3208bdcca942dd6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5797f195c67132d061d29c57a7c6d30530686f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/313dab082289e460391c82d855430ec8a28ddf81"
        }
      ],
      "title": "ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56626",
    "datePublished": "2024-12-27T14:51:29.078Z",
    "dateReserved": "2024-12-27T14:03:06.017Z",
    "dateUpdated": "2025-11-03T20:51:15.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56599 (GCVE-0-2024-56599)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-11-03 20:50

Title

wifi: ath10k: avoid NULL pointer error during sdio remove

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: avoid NULL pointer error during sdio remove When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON is set to yes, kernel panic will happen: Call trace: destroy_workqueue+0x1c/0x258 ath10k_sdio_remove+0x84/0x94 sdio_bus_remove+0x50/0x16c device_release_driver_internal+0x188/0x25c device_driver_detach+0x20/0x2c This is because during 'rmmod ath10k', ath10k_sdio_remove() will call ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release() will finally be called in ath10k_core_destroy(). This function will free struct cfg80211_registered_device *rdev and all its members, including wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON. After device release, destroy_workqueue() will use NULL pointer then the kernel panic happen. Call trace: ath10k_sdio_remove ->ath10k_core_unregister …… ->ath10k_core_stop ->ath10k_hif_stop ->ath10k_sdio_irq_disable ->ath10k_hif_power_down ->del_timer_sync(&ar_sdio->sleep_timer) ->ath10k_core_destroy ->ath10k_mac_destroy ->ieee80211_free_hw ->wiphy_free …… ->wiphy_dev_release ->destroy_workqueue Need to call destroy_workqueue() before ath10k_core_destroy(), free the work queue buffer first and then free pointer of work queue by ath10k_core_destroy(). This order matches the error path order in ath10k_sdio_probe(). No work will be queued on sdio workqueue between it is destroyed and ath10k_core_destroy() is called. Based on the call_stack above, the reason is: Only ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and ath10k_sdio_irq_disable() will queue work on sdio workqueue. Sleep timer will be deleted before ath10k_core_destroy() in ath10k_hif_power_down(). ath10k_sdio_irq_disable() only be called in ath10k_hif_stop(). ath10k_core_unregister() will call ath10k_hif_power_down() to stop hif bus, so ath10k_sdio_hif_tx_sg() won't be called anymore. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/27d5d217ae7ffb99d…
	https://git.kernel.org/stable/c/27fda36eedad9e4ec…
	https://git.kernel.org/stable/c/6e5dbd1c04abf2c19…
	https://git.kernel.org/stable/c/b35de9e01fc79c7ba…
	https://git.kernel.org/stable/c/543c0924d446b21f3…
	https://git.kernel.org/stable/c/95c38953cb1ecf403…

Impacted products

Vendor

Product

Version

Linux

Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < 27d5d217ae7ffb99dd623375a17a7d3418d9c755 (git)
Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < 27fda36eedad9e4ec795dc481f307901d1885112 (git)
Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < 6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921 (git)
Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < b35de9e01fc79c7baac666fb2dcb4ba7698a1d97 (git)
Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < 543c0924d446b21f35701ca084d7feca09511220 (git)
Affected: 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 , < 95c38953cb1ecf40399a676a1f85dfe2b5780a9a (git)

Linux

Affected: 3.11
Unaffected: 0 , < 3.11 (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.127 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:35.314Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/sdio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "27d5d217ae7ffb99dd623375a17a7d3418d9c755",
              "status": "affected",
              "version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
              "versionType": "git"
            },
            {
              "lessThan": "27fda36eedad9e4ec795dc481f307901d1885112",
              "status": "affected",
              "version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
              "versionType": "git"
            },
            {
              "lessThan": "6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921",
              "status": "affected",
              "version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
              "versionType": "git"
            },
            {
              "lessThan": "b35de9e01fc79c7baac666fb2dcb4ba7698a1d97",
              "status": "affected",
              "version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
              "versionType": "git"
            },
            {
              "lessThan": "543c0924d446b21f35701ca084d7feca09511220",
              "status": "affected",
              "version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
              "versionType": "git"
            },
            {
              "lessThan": "95c38953cb1ecf40399a676a1f85dfe2b5780a9a",
              "status": "affected",
              "version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/sdio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.11"
            },
            {
              "lessThan": "3.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: avoid NULL pointer error during sdio remove\n\nWhen running \u0027rmmod ath10k\u0027, ath10k_sdio_remove() will free sdio\nworkqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON\nis set to yes, kernel panic will happen:\nCall trace:\n destroy_workqueue+0x1c/0x258\n ath10k_sdio_remove+0x84/0x94\n sdio_bus_remove+0x50/0x16c\n device_release_driver_internal+0x188/0x25c\n device_driver_detach+0x20/0x2c\n\nThis is because during \u0027rmmod ath10k\u0027, ath10k_sdio_remove() will call\nath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release()\nwill finally be called in ath10k_core_destroy(). This function will free\nstruct cfg80211_registered_device *rdev and all its members, including\nwiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio\nworkqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.\n\nAfter device release, destroy_workqueue() will use NULL pointer then the\nkernel panic happen.\n\nCall trace:\nath10k_sdio_remove\n  -\u003eath10k_core_unregister\n    \u2026\u2026\n    -\u003eath10k_core_stop\n      -\u003eath10k_hif_stop\n        -\u003eath10k_sdio_irq_disable\n    -\u003eath10k_hif_power_down\n      -\u003edel_timer_sync(\u0026ar_sdio-\u003esleep_timer)\n  -\u003eath10k_core_destroy\n    -\u003eath10k_mac_destroy\n      -\u003eieee80211_free_hw\n        -\u003ewiphy_free\n    \u2026\u2026\n          -\u003ewiphy_dev_release\n  -\u003edestroy_workqueue\n\nNeed to call destroy_workqueue() before ath10k_core_destroy(), free\nthe work queue buffer first and then free pointer of work queue by\nath10k_core_destroy(). This order matches the error path order in\nath10k_sdio_probe().\n\nNo work will be queued on sdio workqueue between it is destroyed and\nath10k_core_destroy() is called. Based on the call_stack above, the\nreason is:\nOnly ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and\nath10k_sdio_irq_disable() will queue work on sdio workqueue.\nSleep timer will be deleted before ath10k_core_destroy() in\nath10k_hif_power_down().\nath10k_sdio_irq_disable() only be called in ath10k_hif_stop().\nath10k_core_unregister() will call ath10k_hif_power_down() to stop hif\nbus, so ath10k_sdio_hif_tx_sg() won\u0027t be called anymore.\n\nTested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-15T12:14:27.498Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/27d5d217ae7ffb99dd623375a17a7d3418d9c755"
        },
        {
          "url": "https://git.kernel.org/stable/c/27fda36eedad9e4ec795dc481f307901d1885112"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921"
        },
        {
          "url": "https://git.kernel.org/stable/c/b35de9e01fc79c7baac666fb2dcb4ba7698a1d97"
        },
        {
          "url": "https://git.kernel.org/stable/c/543c0924d446b21f35701ca084d7feca09511220"
        },
        {
          "url": "https://git.kernel.org/stable/c/95c38953cb1ecf40399a676a1f85dfe2b5780a9a"
        }
      ],
      "title": "wifi: ath10k: avoid NULL pointer error during sdio remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56599",
    "datePublished": "2024-12-27T14:51:05.866Z",
    "dateReserved": "2024-12-27T14:03:06.011Z",
    "dateUpdated": "2025-11-03T20:50:35.314Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57805 (GCVE-0-2024-57805)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:39 – Updated: 2025-05-04 13:01

Title

ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP The linkDMA should not be released on stop trigger since a stream re-start might happen without closing of the stream. This leaves a short time for other streams to 'steal' the linkDMA since it has been released. This issue is not easy to reproduce under normal conditions as usually after stop the stream is closed, or the same stream is restarted, but if another stream got in between the stop and start, like this: aplay -Dhw:0,3 -c2 -r48000 -fS32_LE /dev/zero -d 120 CTRL+z aplay -Dhw:0,0 -c2 -r48000 -fS32_LE /dev/zero -d 120 then the link DMA channels will be mixed up, resulting firmware error or crash.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/909ecf15cb70f78cd…
	https://git.kernel.org/stable/c/e8d0ba147d901022b…

Impacted products

Vendor

Product

Version

Linux

Affected: ab5593793e9088abcddce30ba8e376e31b7285fd , < 909ecf15cb70f78cdb5c930f58df01db039a0ff8 (git)
Affected: ab5593793e9088abcddce30ba8e376e31b7285fd , < e8d0ba147d901022bcb69da8d8fd817f84e9f3ca (git)
Affected: ec0c7735dd014e54e55bc3bf4ed2e73d56bb00b3 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.8 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/intel/hda-dai.c",
            "sound/soc/sof/intel/hda.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "909ecf15cb70f78cdb5c930f58df01db039a0ff8",
              "status": "affected",
              "version": "ab5593793e9088abcddce30ba8e376e31b7285fd",
              "versionType": "git"
            },
            {
              "lessThan": "e8d0ba147d901022bcb69da8d8fd817f84e9f3ca",
              "status": "affected",
              "version": "ab5593793e9088abcddce30ba8e376e31b7285fd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ec0c7735dd014e54e55bc3bf4ed2e73d56bb00b3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/intel/hda-dai.c",
            "sound/soc/sof/intel/hda.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP\n\nThe linkDMA should not be released on stop trigger since a stream re-start\nmight happen without closing of the stream. This leaves a short time for\nother streams to \u0027steal\u0027 the linkDMA since it has been released.\n\nThis issue is not easy to reproduce under normal conditions as usually\nafter stop the stream is closed, or the same stream is restarted, but if\nanother stream got in between the stop and start, like this:\naplay -Dhw:0,3 -c2 -r48000 -fS32_LE /dev/zero -d 120\nCTRL+z\naplay -Dhw:0,0 -c2 -r48000 -fS32_LE /dev/zero -d 120\n\nthen the link DMA channels will be mixed up, resulting firmware error or\ncrash."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:25.275Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/909ecf15cb70f78cdb5c930f58df01db039a0ff8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8d0ba147d901022bcb69da8d8fd817f84e9f3ca"
        }
      ],
      "title": "ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57805",
    "datePublished": "2025-01-11T12:39:51.798Z",
    "dateReserved": "2025-01-11T12:32:49.459Z",
    "dateUpdated": "2025-05-04T13:01:25.275Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56776 (GCVE-0-2024-56776)

Vulnerability from cvelistv5 – Published: 2025-01-08 17:49 – Updated: 2025-11-03 20:54

Title

drm/sti: avoid potential dereference of error pointers

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/sti: avoid potential dereference of error pointers The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e98ff67f5a6811480…
	https://git.kernel.org/stable/c/40725c5fabee804fe…
	https://git.kernel.org/stable/c/8ab73ac97c0fa528f…
	https://git.kernel.org/stable/c/f67786293193cf01e…
	https://git.kernel.org/stable/c/831214f77037de02a…

Impacted products

Vendor

Product

Version

Linux

Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < e98ff67f5a68114804607de549c2350d27628fc7 (git)
Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < 40725c5fabee804fecce41d4d5c5bae80c45e1c4 (git)
Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < 8ab73ac97c0fa528f66eeccd9bb53eb6eb7d20dc (git)
Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < f67786293193cf01ebcc6fdbcbd1587b24f52679 (git)
Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < 831214f77037de02afc287eae93ce97f218d8c04 (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56776",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:38.325414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-754",
                "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:24.587Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:11.160Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/sti/sti_cursor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e98ff67f5a68114804607de549c2350d27628fc7",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            },
            {
              "lessThan": "40725c5fabee804fecce41d4d5c5bae80c45e1c4",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            },
            {
              "lessThan": "8ab73ac97c0fa528f66eeccd9bb53eb6eb7d20dc",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            },
            {
              "lessThan": "f67786293193cf01ebcc6fdbcbd1587b24f52679",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            },
            {
              "lessThan": "831214f77037de02afc287eae93ce97f218d8c04",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/sti/sti_cursor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sti: avoid potential dereference of error pointers\n\nThe return value of drm_atomic_get_crtc_state() needs to be\nchecked. To avoid use of error pointer \u0027crtc_state\u0027 in case\nof the failure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:28.672Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e98ff67f5a68114804607de549c2350d27628fc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/40725c5fabee804fecce41d4d5c5bae80c45e1c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ab73ac97c0fa528f66eeccd9bb53eb6eb7d20dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/f67786293193cf01ebcc6fdbcbd1587b24f52679"
        },
        {
          "url": "https://git.kernel.org/stable/c/831214f77037de02afc287eae93ce97f218d8c04"
        }
      ],
      "title": "drm/sti: avoid potential dereference of error pointers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56776",
    "datePublished": "2025-01-08T17:49:14.622Z",
    "dateReserved": "2024-12-29T11:26:39.766Z",
    "dateUpdated": "2025-11-03T20:54:11.160Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21634 (GCVE-0-2025-21634)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:17 – Updated: 2025-10-01 19:57

Title

cgroup/cpuset: remove kernfs active break

Summary

In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: remove kernfs active break A warning was found: WARNING: CPU: 10 PID: 3486953 at fs/kernfs/file.c:828 CPU: 10 PID: 3486953 Comm: rmdir Kdump: loaded Tainted: G RIP: 0010:kernfs_should_drain_open_files+0x1a1/0x1b0 RSP: 0018:ffff8881107ef9e0 EFLAGS: 00010202 RAX: 0000000080000002 RBX: ffff888154738c00 RCX: dffffc0000000000 RDX: 0000000000000007 RSI: 0000000000000004 RDI: ffff888154738c04 RBP: ffff888154738c04 R08: ffffffffaf27fa15 R09: ffffed102a8e7180 R10: ffff888154738c07 R11: 0000000000000000 R12: ffff888154738c08 R13: ffff888750f8c000 R14: ffff888750f8c0e8 R15: ffff888154738ca0 FS: 00007f84cd0be740(0000) GS:ffff8887ddc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555f9fbe00c8 CR3: 0000000153eec001 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kernfs_drain+0x15e/0x2f0 __kernfs_remove+0x165/0x300 kernfs_remove_by_name_ns+0x7b/0xc0 cgroup_rm_file+0x154/0x1c0 cgroup_addrm_files+0x1c2/0x1f0 css_clear_dir+0x77/0x110 kill_css+0x4c/0x1b0 cgroup_destroy_locked+0x194/0x380 cgroup_rmdir+0x2a/0x140 It can be explained by: rmdir echo 1 > cpuset.cpus kernfs_fop_write_iter // active=0 cgroup_rm_file kernfs_remove_by_name_ns kernfs_get_active // active=1 __kernfs_remove // active=0x80000002 kernfs_drain cpuset_write_resmask wait_event //waiting (active == 0x80000001) kernfs_break_active_protection // active = 0x80000001 // continue kernfs_unbreak_active_protection // active = 0x80000002 ... kernfs_should_drain_open_files // warning occurs kernfs_put_active This warning is caused by 'kernfs_break_active_protection' when it is writing to cpuset.cpus, and the cgroup is removed concurrently. The commit 3a5a6d0c2b03 ("cpuset: don't nest cgroup_mutex inside get_online_cpus()") made cpuset_hotplug_workfn asynchronous, This change involves calling flush_work(), which can create a multiple processes circular locking dependency that involve cgroup_mutex, potentially leading to a deadlock. To avoid deadlock. the commit 76bb5ab8f6e3 ("cpuset: break kernfs active protection in cpuset_write_resmask()") added 'kernfs_break_active_protection' in the cpuset_write_resmask. This could lead to this warning. After the commit 2125c0034c5d ("cgroup/cpuset: Make cpuset hotplug processing synchronous"), the cpuset_write_resmask no longer needs to wait the hotplug to finish, which means that concurrent hotplug and cpuset operations are no longer possible. Therefore, the deadlock doesn't exist anymore and it does not have to 'break active protection' now. To fix this warning, just remove kernfs_break_active_protection operation in the 'cpuset_write_resmask'.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/11cb1d643a74665a4…
	https://git.kernel.org/stable/c/3cb97a927fffe443e…

Impacted products

Vendor

Product

Version

Linux

Affected: 76bb5ab8f6e3e7bebdcefec4146ff305e7d0b465 , < 11cb1d643a74665a4e14749414f48f82cbc15c64 (git)
Affected: 76bb5ab8f6e3e7bebdcefec4146ff305e7d0b465 , < 3cb97a927fffe443e1e7e8eddbfebfdb062e86ed (git)

Linux

Affected: 3.16
Unaffected: 0 , < 3.16 (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21634",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:20.155595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:18.437Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/cgroup/cpuset.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "11cb1d643a74665a4e14749414f48f82cbc15c64",
              "status": "affected",
              "version": "76bb5ab8f6e3e7bebdcefec4146ff305e7d0b465",
              "versionType": "git"
            },
            {
              "lessThan": "3cb97a927fffe443e1e7e8eddbfebfdb062e86ed",
              "status": "affected",
              "version": "76bb5ab8f6e3e7bebdcefec4146ff305e7d0b465",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/cgroup/cpuset.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: remove kernfs active break\n\nA warning was found:\n\nWARNING: CPU: 10 PID: 3486953 at fs/kernfs/file.c:828\nCPU: 10 PID: 3486953 Comm: rmdir Kdump: loaded Tainted: G\nRIP: 0010:kernfs_should_drain_open_files+0x1a1/0x1b0\nRSP: 0018:ffff8881107ef9e0 EFLAGS: 00010202\nRAX: 0000000080000002 RBX: ffff888154738c00 RCX: dffffc0000000000\nRDX: 0000000000000007 RSI: 0000000000000004 RDI: ffff888154738c04\nRBP: ffff888154738c04 R08: ffffffffaf27fa15 R09: ffffed102a8e7180\nR10: ffff888154738c07 R11: 0000000000000000 R12: ffff888154738c08\nR13: ffff888750f8c000 R14: ffff888750f8c0e8 R15: ffff888154738ca0\nFS:  00007f84cd0be740(0000) GS:ffff8887ddc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555f9fbe00c8 CR3: 0000000153eec001 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n kernfs_drain+0x15e/0x2f0\n __kernfs_remove+0x165/0x300\n kernfs_remove_by_name_ns+0x7b/0xc0\n cgroup_rm_file+0x154/0x1c0\n cgroup_addrm_files+0x1c2/0x1f0\n css_clear_dir+0x77/0x110\n kill_css+0x4c/0x1b0\n cgroup_destroy_locked+0x194/0x380\n cgroup_rmdir+0x2a/0x140\n\nIt can be explained by:\nrmdir \t\t\t\techo 1 \u003e cpuset.cpus\n\t\t\t\tkernfs_fop_write_iter // active=0\ncgroup_rm_file\nkernfs_remove_by_name_ns\tkernfs_get_active // active=1\n__kernfs_remove\t\t\t\t\t  // active=0x80000002\nkernfs_drain\t\t\tcpuset_write_resmask\nwait_event\n//waiting (active == 0x80000001)\n\t\t\t\tkernfs_break_active_protection\n\t\t\t\t// active = 0x80000001\n// continue\n\t\t\t\tkernfs_unbreak_active_protection\n\t\t\t\t// active = 0x80000002\n...\nkernfs_should_drain_open_files\n// warning occurs\n\t\t\t\tkernfs_put_active\n\nThis warning is caused by \u0027kernfs_break_active_protection\u0027 when it is\nwriting to cpuset.cpus, and the cgroup is removed concurrently.\n\nThe commit 3a5a6d0c2b03 (\"cpuset: don\u0027t nest cgroup_mutex inside\nget_online_cpus()\") made cpuset_hotplug_workfn asynchronous, This change\ninvolves calling flush_work(), which can create a multiple processes\ncircular locking dependency that involve cgroup_mutex, potentially leading\nto a deadlock. To avoid deadlock. the commit 76bb5ab8f6e3 (\"cpuset: break\nkernfs active protection in cpuset_write_resmask()\") added\n\u0027kernfs_break_active_protection\u0027 in the cpuset_write_resmask. This could\nlead to this warning.\n\nAfter the commit 2125c0034c5d (\"cgroup/cpuset: Make cpuset hotplug\nprocessing synchronous\"), the cpuset_write_resmask no longer needs to\nwait the hotplug to finish, which means that concurrent hotplug and cpuset\noperations are no longer possible. Therefore, the deadlock doesn\u0027t exist\nanymore and it does not have to \u0027break active protection\u0027 now. To fix this\nwarning, just remove kernfs_break_active_protection operation in the\n\u0027cpuset_write_resmask\u0027."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:17:55.268Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/11cb1d643a74665a4e14749414f48f82cbc15c64"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cb97a927fffe443e1e7e8eddbfebfdb062e86ed"
        }
      ],
      "title": "cgroup/cpuset: remove kernfs active break",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21634",
    "datePublished": "2025-01-19T10:17:52.983Z",
    "dateReserved": "2024-12-29T08:45:45.726Z",
    "dateUpdated": "2025-10-01T19:57:18.437Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56568 (GCVE-0-2024-56568)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-11-03 20:49

Title

iommu/arm-smmu: Defer probe of clients after smmu device bound

Summary

In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Defer probe of clients after smmu device bound Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_bound() for smmu driver has been called. Following is how the race occurs: T1:Smmu device probe T2: Client device probe really_probe() arm_smmu_device_probe() iommu_device_register() really_probe() platform_dma_configure() of_dma_configure() of_dma_configure_id() of_iommu_configure() iommu_probe_device() iommu_init_device() arm_smmu_probe_device() arm_smmu_get_by_fwnode() driver_find_device_by_fwnode() driver_find_device() next_device() klist_next() /* null ptr assigned to smmu */ /* null ptr dereference while smmu->streamid_mask */ driver_bound() klist_add_tail() When this null smmu pointer is dereferenced later in arm_smmu_probe_device, the device crashes. Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver. [will: Add comment]

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c2527d07c7e9cda2c…
	https://git.kernel.org/stable/c/dc02407ea952e20c5…
	https://git.kernel.org/stable/c/f8f794f387ad21c46…
	https://git.kernel.org/stable/c/4a9485918a042e311…
	https://git.kernel.org/stable/c/5018696b19bc6c021…
	https://git.kernel.org/stable/c/229e6ee43d2a160a1…

Impacted products

Vendor

Product

Version

Linux

Affected: 021bb8420d44cf56102d44fca9af628625e75482 , < c2527d07c7e9cda2c6165d5edccf74752baac1b0 (git)
Affected: 021bb8420d44cf56102d44fca9af628625e75482 , < dc02407ea952e20c544a078a6be2e6f008327973 (git)
Affected: 021bb8420d44cf56102d44fca9af628625e75482 , < f8f794f387ad21c4696e5cd0626cb6f8a5f6aea5 (git)
Affected: 021bb8420d44cf56102d44fca9af628625e75482 , < 4a9485918a042e3114890dfbe19839a1897f8b2c (git)
Affected: 021bb8420d44cf56102d44fca9af628625e75482 , < 5018696b19bc6c021e934a8a59f4b1dd8c0ac9f8 (git)
Affected: 021bb8420d44cf56102d44fca9af628625e75482 , < 229e6ee43d2a160a1592b83aad620d6027084aad (git)

Linux

Affected: 4.9
Unaffected: 0 , < 4.9 (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56568",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:02:09.885077Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:15.959Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:49:37.672Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/arm/arm-smmu/arm-smmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c2527d07c7e9cda2c6165d5edccf74752baac1b0",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "dc02407ea952e20c544a078a6be2e6f008327973",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "f8f794f387ad21c4696e5cd0626cb6f8a5f6aea5",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "4a9485918a042e3114890dfbe19839a1897f8b2c",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "5018696b19bc6c021e934a8a59f4b1dd8c0ac9f8",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "229e6ee43d2a160a1592b83aad620d6027084aad",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/arm/arm-smmu/arm-smmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Defer probe of clients after smmu device bound\n\nNull pointer dereference occurs due to a race between smmu\ndriver probe and client driver probe, when of_dma_configure()\nfor client is called after the iommu_device_register() for smmu driver\nprobe has executed but before the driver_bound() for smmu driver\nhas been called.\n\nFollowing is how the race occurs:\n\nT1:Smmu device probe\t\tT2: Client device probe\n\nreally_probe()\narm_smmu_device_probe()\niommu_device_register()\n\t\t\t\t\treally_probe()\n\t\t\t\t\tplatform_dma_configure()\n\t\t\t\t\tof_dma_configure()\n\t\t\t\t\tof_dma_configure_id()\n\t\t\t\t\tof_iommu_configure()\n\t\t\t\t\tiommu_probe_device()\n\t\t\t\t\tiommu_init_device()\n\t\t\t\t\tarm_smmu_probe_device()\n\t\t\t\t\tarm_smmu_get_by_fwnode()\n\t\t\t\t\t\tdriver_find_device_by_fwnode()\n\t\t\t\t\t\tdriver_find_device()\n\t\t\t\t\t\tnext_device()\n\t\t\t\t\t\tklist_next()\n\t\t\t\t\t\t    /* null ptr\n\t\t\t\t\t\t       assigned to smmu */\n\t\t\t\t\t/* null ptr dereference\n\t\t\t\t\t   while smmu-\u003estreamid_mask */\ndriver_bound()\n\tklist_add_tail()\n\nWhen this null smmu pointer is dereferenced later in\narm_smmu_probe_device, the device crashes.\n\nFix this by deferring the probe of the client device\nuntil the smmu device has bound to the arm smmu driver.\n\n[will: Add comment]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:34.224Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c2527d07c7e9cda2c6165d5edccf74752baac1b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc02407ea952e20c544a078a6be2e6f008327973"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8f794f387ad21c4696e5cd0626cb6f8a5f6aea5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a9485918a042e3114890dfbe19839a1897f8b2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5018696b19bc6c021e934a8a59f4b1dd8c0ac9f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/229e6ee43d2a160a1592b83aad620d6027084aad"
        }
      ],
      "title": "iommu/arm-smmu: Defer probe of clients after smmu device bound",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56568",
    "datePublished": "2024-12-27T14:23:11.733Z",
    "dateReserved": "2024-12-27T14:03:05.996Z",
    "dateUpdated": "2025-11-03T20:49:37.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56670 (GCVE-0-2024-56670)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-11-03 20:52

Title

usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Considering that in some extreme cases, when u_serial driver is accessed by multiple threads, Thread A is executing the open operation and calling the gs_open, Thread B is executing the disconnect operation and calling the gserial_disconnect function,The port->port_usb pointer will be set to NULL. E.g. Thread A Thread B gs_open() gadget_unbind_driver() gs_start_io() composite_disconnect() gs_start_rx() gserial_disconnect() ... ... spin_unlock(&port->port_lock) status = usb_ep_queue() spin_lock(&port->port_lock) spin_lock(&port->port_lock) port->port_usb = NULL gs_free_requests(port->port_usb->in) spin_unlock(&port->port_lock) Crash This causes thread A to access a null pointer (port->port_usb is null) when calling the gs_free_requests function, causing a crash. If port_usb is NULL, the release request will be skipped as it will be done by gserial_disconnect. So add a null pointer check to gs_start_io before attempting to access the value of the pointer port->port_usb. Call trace: gs_start_io+0x164/0x25c gs_open+0x108/0x13c tty_open+0x314/0x638 chrdev_open+0x1b8/0x258 do_dentry_open+0x2c4/0x700 vfs_open+0x2c/0x3c path_openat+0xa64/0xc60 do_filp_open+0xb8/0x164 do_sys_openat2+0x84/0xf0 __arm64_sys_openat+0x70/0x9c invoke_syscall+0x58/0x114 el0_svc_common+0x80/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x38/0x68

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4efdfdc32d8d6307f…
	https://git.kernel.org/stable/c/28b3c03a6790de1f6…
	https://git.kernel.org/stable/c/1247e1df086aa6c17…
	https://git.kernel.org/stable/c/c83213b6649d22656…
	https://git.kernel.org/stable/c/8ca07a3d18f39b166…
	https://git.kernel.org/stable/c/dd6b0ca6025f64ccb…
	https://git.kernel.org/stable/c/4cfbca86f6a8b801f…

Impacted products

Vendor

Product

Version

Linux

Affected: c1dca562be8ada614ef193aa246c6f8705bcd6b9 , < 4efdfdc32d8d6307f968cd99f1db64468471bab1 (git)
Affected: c1dca562be8ada614ef193aa246c6f8705bcd6b9 , < 28b3c03a6790de1f6f2683919ad657840f0f0f58 (git)
Affected: c1dca562be8ada614ef193aa246c6f8705bcd6b9 , < 1247e1df086aa6c17ab53cd1bedce70dd7132765 (git)
Affected: c1dca562be8ada614ef193aa246c6f8705bcd6b9 , < c83213b6649d22656b3a4e92544ceeea8a2c6c07 (git)
Affected: c1dca562be8ada614ef193aa246c6f8705bcd6b9 , < 8ca07a3d18f39b1669927ef536e485787e856df6 (git)
Affected: c1dca562be8ada614ef193aa246c6f8705bcd6b9 , < dd6b0ca6025f64ccb465a6a3460c5b0307ed9c44 (git)
Affected: c1dca562be8ada614ef193aa246c6f8705bcd6b9 , < 4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b (git)

Linux

Affected: 2.6.27
Unaffected: 0 , < 2.6.27 (semver)
Unaffected: 5.4.288 , ≤ 5.4.* (semver)
Unaffected: 5.10.232 , ≤ 5.10.* (semver)
Unaffected: 5.15.175 , ≤ 5.15.* (semver)
Unaffected: 6.1.121 , ≤ 6.1.* (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56670",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:59:37.791870Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:09.242Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:52:17.369Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/u_serial.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4efdfdc32d8d6307f968cd99f1db64468471bab1",
              "status": "affected",
              "version": "c1dca562be8ada614ef193aa246c6f8705bcd6b9",
              "versionType": "git"
            },
            {
              "lessThan": "28b3c03a6790de1f6f2683919ad657840f0f0f58",
              "status": "affected",
              "version": "c1dca562be8ada614ef193aa246c6f8705bcd6b9",
              "versionType": "git"
            },
            {
              "lessThan": "1247e1df086aa6c17ab53cd1bedce70dd7132765",
              "status": "affected",
              "version": "c1dca562be8ada614ef193aa246c6f8705bcd6b9",
              "versionType": "git"
            },
            {
              "lessThan": "c83213b6649d22656b3a4e92544ceeea8a2c6c07",
              "status": "affected",
              "version": "c1dca562be8ada614ef193aa246c6f8705bcd6b9",
              "versionType": "git"
            },
            {
              "lessThan": "8ca07a3d18f39b1669927ef536e485787e856df6",
              "status": "affected",
              "version": "c1dca562be8ada614ef193aa246c6f8705bcd6b9",
              "versionType": "git"
            },
            {
              "lessThan": "dd6b0ca6025f64ccb465a6a3460c5b0307ed9c44",
              "status": "affected",
              "version": "c1dca562be8ada614ef193aa246c6f8705bcd6b9",
              "versionType": "git"
            },
            {
              "lessThan": "4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b",
              "status": "affected",
              "version": "c1dca562be8ada614ef193aa246c6f8705bcd6b9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/u_serial.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.27"
            },
            {
              "lessThan": "2.6.27",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.288",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.232",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.288",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.232",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.175",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.121",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer\n\nConsidering that in some extreme cases,\nwhen u_serial driver is accessed by multiple threads,\nThread A is executing the open operation and calling the gs_open,\nThread B is executing the disconnect operation and calling the\ngserial_disconnect function,The port-\u003eport_usb pointer will be set to NULL.\n\nE.g.\n    Thread A                                 Thread B\n    gs_open()                                gadget_unbind_driver()\n    gs_start_io()                            composite_disconnect()\n    gs_start_rx()                            gserial_disconnect()\n    ...                                      ...\n    spin_unlock(\u0026port-\u003eport_lock)\n    status = usb_ep_queue()                  spin_lock(\u0026port-\u003eport_lock)\n    spin_lock(\u0026port-\u003eport_lock)              port-\u003eport_usb = NULL\n    gs_free_requests(port-\u003eport_usb-\u003ein)     spin_unlock(\u0026port-\u003eport_lock)\n    Crash\n\nThis causes thread A to access a null pointer (port-\u003eport_usb is null)\nwhen calling the gs_free_requests function, causing a crash.\n\nIf port_usb is NULL, the release request will be skipped as it\nwill be done by gserial_disconnect.\n\nSo add a null pointer check to gs_start_io before attempting\nto access the value of the pointer port-\u003eport_usb.\n\nCall trace:\n gs_start_io+0x164/0x25c\n gs_open+0x108/0x13c\n tty_open+0x314/0x638\n chrdev_open+0x1b8/0x258\n do_dentry_open+0x2c4/0x700\n vfs_open+0x2c/0x3c\n path_openat+0xa64/0xc60\n do_filp_open+0xb8/0x164\n do_sys_openat2+0x84/0xf0\n __arm64_sys_openat+0x70/0x9c\n invoke_syscall+0x58/0x114\n el0_svc_common+0x80/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x38/0x68"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:01:40.207Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4efdfdc32d8d6307f968cd99f1db64468471bab1"
        },
        {
          "url": "https://git.kernel.org/stable/c/28b3c03a6790de1f6f2683919ad657840f0f0f58"
        },
        {
          "url": "https://git.kernel.org/stable/c/1247e1df086aa6c17ab53cd1bedce70dd7132765"
        },
        {
          "url": "https://git.kernel.org/stable/c/c83213b6649d22656b3a4e92544ceeea8a2c6c07"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ca07a3d18f39b1669927ef536e485787e856df6"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd6b0ca6025f64ccb465a6a3460c5b0307ed9c44"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b"
        }
      ],
      "title": "usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56670",
    "datePublished": "2024-12-27T15:06:31.611Z",
    "dateReserved": "2024-12-27T15:00:39.844Z",
    "dateUpdated": "2025-11-03T20:52:17.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56777 (GCVE-0-2024-56777)

Vulnerability from cvelistv5 – Published: 2025-01-08 17:49 – Updated: 2025-11-03 20:54

Title

drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f5804567cf9605d6e…
	https://git.kernel.org/stable/c/b79612ed6bc1a184c…
	https://git.kernel.org/stable/c/997b64c3f4c1827c5…
	https://git.kernel.org/stable/c/3cf2e7c448e246f7e…
	https://git.kernel.org/stable/c/e965e771b069421c2…

Impacted products

Vendor

Product

Version

Linux

Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < f5804567cf9605d6e5ec46c0bb786f7d50f18c13 (git)
Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < b79612ed6bc1a184c45427105c851b5b2d4342ca (git)
Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < 997b64c3f4c1827c5cfda8ae7f5d13f78d28b541 (git)
Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < 3cf2e7c448e246f7e700c7aa47450d1e27579559 (git)
Affected: dd86dc2f9ae1102f46115be1f1422265c15540f1 , < e965e771b069421c233d674c3c8cd8c7f7245f42 (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56777",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:35.251436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-754",
                "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:24.441Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:12.562Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/sti/sti_gdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f5804567cf9605d6e5ec46c0bb786f7d50f18c13",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            },
            {
              "lessThan": "b79612ed6bc1a184c45427105c851b5b2d4342ca",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            },
            {
              "lessThan": "997b64c3f4c1827c5cfda8ae7f5d13f78d28b541",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            },
            {
              "lessThan": "3cf2e7c448e246f7e700c7aa47450d1e27579559",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            },
            {
              "lessThan": "e965e771b069421c233d674c3c8cd8c7f7245f42",
              "status": "affected",
              "version": "dd86dc2f9ae1102f46115be1f1422265c15540f1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/sti/sti_gdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check\n\nThe return value of drm_atomic_get_crtc_state() needs to be\nchecked. To avoid use of error pointer \u0027crtc_state\u0027 in case\nof the failure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:29.866Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f5804567cf9605d6e5ec46c0bb786f7d50f18c13"
        },
        {
          "url": "https://git.kernel.org/stable/c/b79612ed6bc1a184c45427105c851b5b2d4342ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/997b64c3f4c1827c5cfda8ae7f5d13f78d28b541"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cf2e7c448e246f7e700c7aa47450d1e27579559"
        },
        {
          "url": "https://git.kernel.org/stable/c/e965e771b069421c233d674c3c8cd8c7f7245f42"
        }
      ],
      "title": "drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56777",
    "datePublished": "2025-01-08T17:49:15.483Z",
    "dateReserved": "2024-12-29T11:26:39.766Z",
    "dateUpdated": "2025-11-03T20:54:12.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56640 (GCVE-0-2024-56640)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

net/smc: fix LGR and link use-after-free issue

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix LGR and link use-after-free issue We encountered a LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140 Workqueue: events smc_lgr_terminate_work [smc] Call trace: refcount_warn_saturate+0x9c/0x140 __smc_lgr_terminate.part.45+0x2a8/0x370 [smc] smc_lgr_terminate_work+0x28/0x30 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 or refcount_t: underflow; use-after-free. WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140 Workqueue: smc_hs_wq smc_listen_work [smc] Call trace: refcount_warn_saturate+0xf0/0x140 smcr_link_put+0x1cc/0x1d8 [smc] smc_conn_free+0x110/0x1b0 [smc] smc_conn_abort+0x50/0x60 [smc] smc_listen_find_device+0x75c/0x790 [smc] smc_listen_work+0x368/0x8a0 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 It is caused by repeated release of LGR/link refcnt. One suspect is that smc_conn_free() is called repeatedly because some smc_conn_free() from server listening path are not protected by sock lock. e.g. Calls under socklock | smc_listen_work ------------------------------------------------------- lock_sock(sk) | smc_conn_abort smc_conn_free | \- smc_conn_free \- smcr_link_put | \- smcr_link_put (duplicated) release_sock(sk) So here add sock lock protection in smc_listen_work() path, making it exclusive with other connection operations.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f502a88fdd415647a…
	https://git.kernel.org/stable/c/0cf598548a6c36d90…
	https://git.kernel.org/stable/c/673d606683ac70bc0…
	https://git.kernel.org/stable/c/6f0ae06a234a78ae1…
	https://git.kernel.org/stable/c/2c7f14ed9c19ec0f1…

Impacted products

Vendor

Product

Version

Linux

Affected: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < f502a88fdd415647a1f2dc45fac71b9c522a052b (git)
Affected: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < 0cf598548a6c36d90681d53c6b77d52363f2f295 (git)
Affected: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < 673d606683ac70bc074ca6676b938bff18635226 (git)
Affected: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < 6f0ae06a234a78ae137064f2c89135ac078a00eb (git)
Affected: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 , < 2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7 (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56640",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:51.231757Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:22.074Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:40.000Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f502a88fdd415647a1f2dc45fac71b9c522a052b",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            },
            {
              "lessThan": "0cf598548a6c36d90681d53c6b77d52363f2f295",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            },
            {
              "lessThan": "673d606683ac70bc074ca6676b938bff18635226",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            },
            {
              "lessThan": "6f0ae06a234a78ae137064f2c89135ac078a00eb",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            },
            {
              "lessThan": "2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix LGR and link use-after-free issue\n\nWe encountered a LGR/link use-after-free issue, which manifested as\nthe LGR/link refcnt reaching 0 early and entering the clear process,\nmaking resource access unsafe.\n\n refcount_t: addition on 0; use-after-free.\n WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140\n Workqueue: events smc_lgr_terminate_work [smc]\n Call trace:\n  refcount_warn_saturate+0x9c/0x140\n  __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]\n  smc_lgr_terminate_work+0x28/0x30 [smc]\n  process_one_work+0x1b8/0x420\n  worker_thread+0x158/0x510\n  kthread+0x114/0x118\n\nor\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140\n Workqueue: smc_hs_wq smc_listen_work [smc]\n Call trace:\n  refcount_warn_saturate+0xf0/0x140\n  smcr_link_put+0x1cc/0x1d8 [smc]\n  smc_conn_free+0x110/0x1b0 [smc]\n  smc_conn_abort+0x50/0x60 [smc]\n  smc_listen_find_device+0x75c/0x790 [smc]\n  smc_listen_work+0x368/0x8a0 [smc]\n  process_one_work+0x1b8/0x420\n  worker_thread+0x158/0x510\n  kthread+0x114/0x118\n\nIt is caused by repeated release of LGR/link refcnt. One suspect is that\nsmc_conn_free() is called repeatedly because some smc_conn_free() from\nserver listening path are not protected by sock lock.\n\ne.g.\n\nCalls under socklock        | smc_listen_work\n-------------------------------------------------------\nlock_sock(sk)               | smc_conn_abort\nsmc_conn_free               | \\- smc_conn_free\n\\- smcr_link_put            |    \\- smcr_link_put (duplicated)\nrelease_sock(sk)\n\nSo here add sock lock protection in smc_listen_work() path, making it\nexclusive with other connection operations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:47.260Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f502a88fdd415647a1f2dc45fac71b9c522a052b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cf598548a6c36d90681d53c6b77d52363f2f295"
        },
        {
          "url": "https://git.kernel.org/stable/c/673d606683ac70bc074ca6676b938bff18635226"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f0ae06a234a78ae137064f2c89135ac078a00eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7"
        }
      ],
      "title": "net/smc: fix LGR and link use-after-free issue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56640",
    "datePublished": "2024-12-27T15:02:42.253Z",
    "dateReserved": "2024-12-27T15:00:39.839Z",
    "dateUpdated": "2025-11-03T20:51:40.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-52332 (GCVE-0-2024-52332)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2025-11-03 20:45

Title

igb: Fix potential invalid memory access in igb_init_module()

Summary

In the Linux kernel, the following vulnerability has been resolved: igb: Fix potential invalid memory access in igb_init_module() The pci_register_driver() can fail and when this happened, the dca_notifier needs to be unregistered, otherwise the dca_notifier can be called when igb fails to install, resulting to invalid memory access.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4458046617dfadc35…
	https://git.kernel.org/stable/c/e0155b1b1509d0ef4…
	https://git.kernel.org/stable/c/4fe517643f529e805…
	https://git.kernel.org/stable/c/8009cdcc493fa30d4…
	https://git.kernel.org/stable/c/f309733a8c9da7d42…
	https://git.kernel.org/stable/c/992fd34122de377b4…
	https://git.kernel.org/stable/c/0566f83d206c7a864…

Impacted products

Vendor

Product

Version

Linux

Affected: bbd98fe48a43464b4a044bc4cbeefad284d6aa80 , < 4458046617dfadc351162dbaea1945c57eebdf36 (git)
Affected: bbd98fe48a43464b4a044bc4cbeefad284d6aa80 , < e0155b1b1509d0ef4799bd1cd73309ca466df3f3 (git)
Affected: bbd98fe48a43464b4a044bc4cbeefad284d6aa80 , < 4fe517643f529e805bb6b890a4331c100e8f2484 (git)
Affected: bbd98fe48a43464b4a044bc4cbeefad284d6aa80 , < 8009cdcc493fa30d4572016daf2d6999da4d6c54 (git)
Affected: bbd98fe48a43464b4a044bc4cbeefad284d6aa80 , < f309733a8c9da7d4266a8a3755020b738a570cae (git)
Affected: bbd98fe48a43464b4a044bc4cbeefad284d6aa80 , < 992fd34122de377b45cb75b64fc7f17fc1e6ed2f (git)
Affected: bbd98fe48a43464b4a044bc4cbeefad284d6aa80 , < 0566f83d206c7a864abcd741fe39d6e0ae5eef29 (git)

Linux

Affected: 2.6.29
Unaffected: 0 , < 2.6.29 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:45:31.870Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/igb/igb_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4458046617dfadc351162dbaea1945c57eebdf36",
              "status": "affected",
              "version": "bbd98fe48a43464b4a044bc4cbeefad284d6aa80",
              "versionType": "git"
            },
            {
              "lessThan": "e0155b1b1509d0ef4799bd1cd73309ca466df3f3",
              "status": "affected",
              "version": "bbd98fe48a43464b4a044bc4cbeefad284d6aa80",
              "versionType": "git"
            },
            {
              "lessThan": "4fe517643f529e805bb6b890a4331c100e8f2484",
              "status": "affected",
              "version": "bbd98fe48a43464b4a044bc4cbeefad284d6aa80",
              "versionType": "git"
            },
            {
              "lessThan": "8009cdcc493fa30d4572016daf2d6999da4d6c54",
              "status": "affected",
              "version": "bbd98fe48a43464b4a044bc4cbeefad284d6aa80",
              "versionType": "git"
            },
            {
              "lessThan": "f309733a8c9da7d4266a8a3755020b738a570cae",
              "status": "affected",
              "version": "bbd98fe48a43464b4a044bc4cbeefad284d6aa80",
              "versionType": "git"
            },
            {
              "lessThan": "992fd34122de377b45cb75b64fc7f17fc1e6ed2f",
              "status": "affected",
              "version": "bbd98fe48a43464b4a044bc4cbeefad284d6aa80",
              "versionType": "git"
            },
            {
              "lessThan": "0566f83d206c7a864abcd741fe39d6e0ae5eef29",
              "status": "affected",
              "version": "bbd98fe48a43464b4a044bc4cbeefad284d6aa80",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/igb/igb_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix potential invalid memory access in igb_init_module()\n\nThe pci_register_driver() can fail and when this happened, the dca_notifier\nneeds to be unregistered, otherwise the dca_notifier can be called when\nigb fails to install, resulting to invalid memory access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:51:22.265Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4458046617dfadc351162dbaea1945c57eebdf36"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0155b1b1509d0ef4799bd1cd73309ca466df3f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/4fe517643f529e805bb6b890a4331c100e8f2484"
        },
        {
          "url": "https://git.kernel.org/stable/c/8009cdcc493fa30d4572016daf2d6999da4d6c54"
        },
        {
          "url": "https://git.kernel.org/stable/c/f309733a8c9da7d4266a8a3755020b738a570cae"
        },
        {
          "url": "https://git.kernel.org/stable/c/992fd34122de377b45cb75b64fc7f17fc1e6ed2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0566f83d206c7a864abcd741fe39d6e0ae5eef29"
        }
      ],
      "title": "igb: Fix potential invalid memory access in igb_init_module()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-52332",
    "datePublished": "2025-01-11T12:25:21.014Z",
    "dateReserved": "2025-01-09T09:50:31.799Z",
    "dateUpdated": "2025-11-03T20:45:31.870Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56624 (GCVE-0-2024-56624)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-05-04 10:00

Title

iommufd: Fix out_fput in iommufd_fault_alloc()

Summary

In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix out_fput in iommufd_fault_alloc() As fput() calls the file->f_op->release op, where fault obj and ictx are getting released, there is no need to release these two after fput() one more time, which would result in imbalanced refcounts: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230 Call trace: refcount_warn_saturate+0x60/0x230 (P) refcount_warn_saturate+0x60/0x230 (L) iommufd_fault_fops_release+0x9c/0xe0 [iommufd] ... VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd]) WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0 Call trace: filp_flush+0x3c/0xf0 (P) filp_flush+0x3c/0xf0 (L) __arm64_sys_close+0x34/0x98 ... imbalanced put on file reference count WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138 Call trace: __file_ref_put+0x100/0x138 (P) __file_ref_put+0x100/0x138 (L) __fput_sync+0x4c/0xd0 Drop those two lines to fix the warnings above.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2b3f30c8edbf9a122…
	https://git.kernel.org/stable/c/af7f4780514f85032…

Impacted products

Vendor

Product

Version

Linux

Affected: 07838f7fd529c8a6de44b601d4b7057e6c8d36ed , < 2b3f30c8edbf9a122ce01f13f0f41fbca5f1d41d (git)
Affected: 07838f7fd529c8a6de44b601d4b7057e6c8d36ed , < af7f4780514f850322b2959032ecaa96e4b26472 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/fault.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2b3f30c8edbf9a122ce01f13f0f41fbca5f1d41d",
              "status": "affected",
              "version": "07838f7fd529c8a6de44b601d4b7057e6c8d36ed",
              "versionType": "git"
            },
            {
              "lessThan": "af7f4780514f850322b2959032ecaa96e4b26472",
              "status": "affected",
              "version": "07838f7fd529c8a6de44b601d4b7057e6c8d36ed",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/fault.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix out_fput in iommufd_fault_alloc()\n\nAs fput() calls the file-\u003ef_op-\u003erelease op, where fault obj and ictx are\ngetting released, there is no need to release these two after fput() one\nmore time, which would result in imbalanced refcounts:\n  refcount_t: decrement hit 0; leaking memory.\n  WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230\n  Call trace:\n   refcount_warn_saturate+0x60/0x230 (P)\n   refcount_warn_saturate+0x60/0x230 (L)\n   iommufd_fault_fops_release+0x9c/0xe0 [iommufd]\n  ...\n  VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd])\n  WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0\n  Call trace:\n   filp_flush+0x3c/0xf0 (P)\n   filp_flush+0x3c/0xf0 (L)\n   __arm64_sys_close+0x34/0x98\n  ...\n  imbalanced put on file reference count\n  WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138\n  Call trace:\n   __file_ref_put+0x100/0x138 (P)\n   __file_ref_put+0x100/0x138 (L)\n   __fput_sync+0x4c/0xd0\n\nDrop those two lines to fix the warnings above."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:13.375Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2b3f30c8edbf9a122ce01f13f0f41fbca5f1d41d"
        },
        {
          "url": "https://git.kernel.org/stable/c/af7f4780514f850322b2959032ecaa96e4b26472"
        }
      ],
      "title": "iommufd: Fix out_fput in iommufd_fault_alloc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56624",
    "datePublished": "2024-12-27T14:51:27.318Z",
    "dateReserved": "2024-12-27T14:03:06.017Z",
    "dateUpdated": "2025-05-04T10:00:13.375Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57872 (GCVE-0-2024-57872)

Vulnerability from cvelistv5 – Published: 2025-01-11 14:31 – Updated: 2025-10-01 19:57

Title

scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove() This will ensure that the scsi host is cleaned up properly using scsi_host_dev_release(). Otherwise, it may lead to memory leaks.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cd188519d2467ab4c…
	https://git.kernel.org/stable/c/897df60c16d54ad51…

Impacted products

Vendor

Product

Version

Linux

Affected: 03b1781aa978aab345b5a85d8596f8615281ba89 , < cd188519d2467ab4c2141587b0551ba030abff0e (git)
Affected: 03b1781aa978aab345b5a85d8596f8615281ba89 , < 897df60c16d54ad515a3d0887edab5c63da06d1f (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57872",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:55:03.209181Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:20.086Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/host/ufshcd-pltfrm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cd188519d2467ab4c2141587b0551ba030abff0e",
              "status": "affected",
              "version": "03b1781aa978aab345b5a85d8596f8615281ba89",
              "versionType": "git"
            },
            {
              "lessThan": "897df60c16d54ad515a3d0887edab5c63da06d1f",
              "status": "affected",
              "version": "03b1781aa978aab345b5a85d8596f8615281ba89",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/host/ufshcd-pltfrm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove()\n\nThis will ensure that the scsi host is cleaned up properly using\nscsi_host_dev_release(). Otherwise, it may lead to memory leaks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:34.298Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cd188519d2467ab4c2141587b0551ba030abff0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/897df60c16d54ad515a3d0887edab5c63da06d1f"
        }
      ],
      "title": "scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57872",
    "datePublished": "2025-01-11T14:31:00.610Z",
    "dateReserved": "2025-01-11T12:34:02.656Z",
    "dateUpdated": "2025-10-01T19:57:20.086Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56558 (GCVE-0-2024-56558)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-11-03 20:49

Title

nfsd: make sure exp active before svc_export_show

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: make sure exp active before svc_export_show The function `e_show` was called with protection from RCU. This only ensures that `exp` will not be freed. Therefore, the reference count for `exp` can drop to zero, which will trigger a refcount use-after-free warning when `exp_get` is called. To resolve this issue, use `cache_get_rcu` to ensure that `exp` remains active. ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 819 at lib/refcount.c:25 refcount_warn_saturate+0xb1/0x120 CPU: 3 UID: 0 PID: 819 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb1/0x120 ... Call Trace: <TASK> e_show+0x20b/0x230 [nfsd] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e2fa0d0e327279a8d…
	https://git.kernel.org/stable/c/7fd29d284b55c2274…
	https://git.kernel.org/stable/c/6cefcadd34e3c71c8…
	https://git.kernel.org/stable/c/7d8f7816bebcd2e74…
	https://git.kernel.org/stable/c/1cecfdbc6bfc89c51…
	https://git.kernel.org/stable/c/7365d1f8de63cffdb…
	https://git.kernel.org/stable/c/be8f982c369c965fa…

Impacted products

Vendor

Product

Version

Linux

Affected: bf18f163e89c52e09c96534db45c4274273a0b34 , < e2fa0d0e327279a8defb87b263cd0bf288fd9261 (git)
Affected: bf18f163e89c52e09c96534db45c4274273a0b34 , < 7fd29d284b55c2274f7a748e6c5f25b4758b8da5 (git)
Affected: bf18f163e89c52e09c96534db45c4274273a0b34 , < 6cefcadd34e3c71c81ea64b899a0daa86314a51a (git)
Affected: bf18f163e89c52e09c96534db45c4274273a0b34 , < 7d8f7816bebcd2e7400bb4d786eccb8f33c9f9ec (git)
Affected: bf18f163e89c52e09c96534db45c4274273a0b34 , < 1cecfdbc6bfc89c516d286884c7f29267b95de2b (git)
Affected: bf18f163e89c52e09c96534db45c4274273a0b34 , < 7365d1f8de63cffdbbaa2287ce0205438e1a922f (git)
Affected: bf18f163e89c52e09c96534db45c4274273a0b34 , < be8f982c369c965faffa198b46060f8853e0f1f0 (git)

Linux

Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56558",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:42:49.247633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:24.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:49:29.154Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e2fa0d0e327279a8defb87b263cd0bf288fd9261",
              "status": "affected",
              "version": "bf18f163e89c52e09c96534db45c4274273a0b34",
              "versionType": "git"
            },
            {
              "lessThan": "7fd29d284b55c2274f7a748e6c5f25b4758b8da5",
              "status": "affected",
              "version": "bf18f163e89c52e09c96534db45c4274273a0b34",
              "versionType": "git"
            },
            {
              "lessThan": "6cefcadd34e3c71c81ea64b899a0daa86314a51a",
              "status": "affected",
              "version": "bf18f163e89c52e09c96534db45c4274273a0b34",
              "versionType": "git"
            },
            {
              "lessThan": "7d8f7816bebcd2e7400bb4d786eccb8f33c9f9ec",
              "status": "affected",
              "version": "bf18f163e89c52e09c96534db45c4274273a0b34",
              "versionType": "git"
            },
            {
              "lessThan": "1cecfdbc6bfc89c516d286884c7f29267b95de2b",
              "status": "affected",
              "version": "bf18f163e89c52e09c96534db45c4274273a0b34",
              "versionType": "git"
            },
            {
              "lessThan": "7365d1f8de63cffdbbaa2287ce0205438e1a922f",
              "status": "affected",
              "version": "bf18f163e89c52e09c96534db45c4274273a0b34",
              "versionType": "git"
            },
            {
              "lessThan": "be8f982c369c965faffa198b46060f8853e0f1f0",
              "status": "affected",
              "version": "bf18f163e89c52e09c96534db45c4274273a0b34",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: make sure exp active before svc_export_show\n\nThe function `e_show` was called with protection from RCU. This only\nensures that `exp` will not be freed. Therefore, the reference count for\n`exp` can drop to zero, which will trigger a refcount use-after-free\nwarning when `exp_get` is called. To resolve this issue, use\n`cache_get_rcu` to ensure that `exp` remains active.\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 3 PID: 819 at lib/refcount.c:25\nrefcount_warn_saturate+0xb1/0x120\nCPU: 3 UID: 0 PID: 819 Comm: cat Not tainted 6.12.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb1/0x120\n...\nCall Trace:\n \u003cTASK\u003e\n e_show+0x20b/0x230 [nfsd]\n seq_read_iter+0x589/0x770\n seq_read+0x1e5/0x270\n vfs_read+0x125/0x530\n ksys_read+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:18.903Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e2fa0d0e327279a8defb87b263cd0bf288fd9261"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fd29d284b55c2274f7a748e6c5f25b4758b8da5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cefcadd34e3c71c81ea64b899a0daa86314a51a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d8f7816bebcd2e7400bb4d786eccb8f33c9f9ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cecfdbc6bfc89c516d286884c7f29267b95de2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/7365d1f8de63cffdbbaa2287ce0205438e1a922f"
        },
        {
          "url": "https://git.kernel.org/stable/c/be8f982c369c965faffa198b46060f8853e0f1f0"
        }
      ],
      "title": "nfsd: make sure exp active before svc_export_show",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56558",
    "datePublished": "2024-12-27T14:23:03.902Z",
    "dateReserved": "2024-12-27T14:03:05.992Z",
    "dateUpdated": "2025-11-03T20:49:29.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-55639 (GCVE-0-2024-55639)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:29 – Updated: 2025-05-04 09:57

Title

net: renesas: rswitch: avoid use-after-put for a device tree node

Summary

In the Linux kernel, the following vulnerability has been resolved: net: renesas: rswitch: avoid use-after-put for a device tree node The device tree node saved in the rswitch_device structure is used at several driver locations. So passing this node to of_node_put() after the first use is wrong. Move of_node_put() for this node to exit paths.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bf8c6755f02029d1e…
	https://git.kernel.org/stable/c/92007a28f95413058…
	https://git.kernel.org/stable/c/66b7e9f85b8459c82…

Impacted products

Vendor

Product

Version

Linux

Affected: b46f1e5793298c67efc2f1b917350a2cefacf9d6 , < bf8c6755f02029d1eddc3ff19b870240f054afc7 (git)
Affected: b46f1e5793298c67efc2f1b917350a2cefacf9d6 , < 92007a28f95413058a7268dc84e5f44b700165d1 (git)
Affected: b46f1e5793298c67efc2f1b917350a2cefacf9d6 , < 66b7e9f85b8459c823b11e9af69dbf4be5eb6be8 (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/renesas/rswitch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bf8c6755f02029d1eddc3ff19b870240f054afc7",
              "status": "affected",
              "version": "b46f1e5793298c67efc2f1b917350a2cefacf9d6",
              "versionType": "git"
            },
            {
              "lessThan": "92007a28f95413058a7268dc84e5f44b700165d1",
              "status": "affected",
              "version": "b46f1e5793298c67efc2f1b917350a2cefacf9d6",
              "versionType": "git"
            },
            {
              "lessThan": "66b7e9f85b8459c823b11e9af69dbf4be5eb6be8",
              "status": "affected",
              "version": "b46f1e5793298c67efc2f1b917350a2cefacf9d6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/renesas/rswitch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: renesas: rswitch: avoid use-after-put for a device tree node\n\nThe device tree node saved in the rswitch_device structure is used at\nseveral driver locations. So passing this node to of_node_put() after\nthe first use is wrong.\n\nMove of_node_put() for this node to exit paths."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:57:11.827Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bf8c6755f02029d1eddc3ff19b870240f054afc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/92007a28f95413058a7268dc84e5f44b700165d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/66b7e9f85b8459c823b11e9af69dbf4be5eb6be8"
        }
      ],
      "title": "net: renesas: rswitch: avoid use-after-put for a device tree node",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-55639",
    "datePublished": "2025-01-11T12:29:55.309Z",
    "dateReserved": "2025-01-09T09:51:32.415Z",
    "dateUpdated": "2025-05-04T09:57:11.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57887 (GCVE-0-2024-57887)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-11-03 20:54

Title

drm: adv7511: Fix use-after-free in adv7533_attach_dsi()

Summary

In the Linux kernel, the following vulnerability has been resolved: drm: adv7511: Fix use-after-free in adv7533_attach_dsi() The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove().

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/acec80d9f126cd3fa…
	https://git.kernel.org/stable/c/d208571943ffddc43…
	https://git.kernel.org/stable/c/1f49aaf55652580ae…
	https://git.kernel.org/stable/c/ca9d077350fa21897…
	https://git.kernel.org/stable/c/81adbd3ff21c1182e…

Impacted products

Vendor

Product

Version

Linux

Affected: 1e4d58cd7f888522d16f221d628356befbb08468 , < acec80d9f126cd3fa764bbe3d96bc0cb5cd2b087 (git)
Affected: 1e4d58cd7f888522d16f221d628356befbb08468 , < d208571943ffddc438a7ce533d5d0b9219806242 (git)
Affected: 1e4d58cd7f888522d16f221d628356befbb08468 , < 1f49aaf55652580ae63ab83d67211fe6a55d83dc (git)
Affected: 1e4d58cd7f888522d16f221d628356befbb08468 , < ca9d077350fa21897de8bf64cba23b198740aab5 (git)
Affected: 1e4d58cd7f888522d16f221d628356befbb08468 , < 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57887",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:02.098939Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:19.886Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:56.908Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/bridge/adv7511/adv7511_drv.c",
            "drivers/gpu/drm/bridge/adv7511/adv7533.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "acec80d9f126cd3fa764bbe3d96bc0cb5cd2b087",
              "status": "affected",
              "version": "1e4d58cd7f888522d16f221d628356befbb08468",
              "versionType": "git"
            },
            {
              "lessThan": "d208571943ffddc438a7ce533d5d0b9219806242",
              "status": "affected",
              "version": "1e4d58cd7f888522d16f221d628356befbb08468",
              "versionType": "git"
            },
            {
              "lessThan": "1f49aaf55652580ae63ab83d67211fe6a55d83dc",
              "status": "affected",
              "version": "1e4d58cd7f888522d16f221d628356befbb08468",
              "versionType": "git"
            },
            {
              "lessThan": "ca9d077350fa21897de8bf64cba23b198740aab5",
              "status": "affected",
              "version": "1e4d58cd7f888522d16f221d628356befbb08468",
              "versionType": "git"
            },
            {
              "lessThan": "81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8",
              "status": "affected",
              "version": "1e4d58cd7f888522d16f221d628356befbb08468",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/bridge/adv7511/adv7511_drv.c",
            "drivers/gpu/drm/bridge/adv7511/adv7533.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: adv7511: Fix use-after-free in adv7533_attach_dsi()\n\nThe host_node pointer was assigned and freed in adv7533_parse_dt(), and\nlater, adv7533_attach_dsi() uses the same. Fix this use-after-free issue\nby\u00a0dropping of_node_put() in adv7533_parse_dt() and calling of_node_put()\nin error path of probe() and also in the remove()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:54.824Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/acec80d9f126cd3fa764bbe3d96bc0cb5cd2b087"
        },
        {
          "url": "https://git.kernel.org/stable/c/d208571943ffddc438a7ce533d5d0b9219806242"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f49aaf55652580ae63ab83d67211fe6a55d83dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca9d077350fa21897de8bf64cba23b198740aab5"
        },
        {
          "url": "https://git.kernel.org/stable/c/81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8"
        }
      ],
      "title": "drm: adv7511: Fix use-after-free in adv7533_attach_dsi()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57887",
    "datePublished": "2025-01-15T13:05:39.933Z",
    "dateReserved": "2025-01-11T14:45:42.027Z",
    "dateUpdated": "2025-11-03T20:54:56.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56768 (GCVE-0-2024-56768)

Vulnerability from cvelistv5 – Published: 2025-01-06 16:20 – Updated: 2025-10-01 20:07

Title

bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP On x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP disabled can trigger the following bug, as pcpu_hot is unavailable: [ 8.471774] BUG: unable to handle page fault for address: 00000000936a290c [ 8.471849] #PF: supervisor read access in kernel mode [ 8.471881] #PF: error_code(0x0000) - not-present page Fix by inlining a return 0 in the !CONFIG_SMP case.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f4ab7d74247b01505…
	https://git.kernel.org/stable/c/23579010cf0a12476…

Impacted products

Vendor

Product

Version

Linux

Affected: 1ae6921009e5d72787e07ccc04754514ccf6bc99 , < f4ab7d74247b0150547cf909b3f6f24ee85183df (git)
Affected: 1ae6921009e5d72787e07ccc04754514ccf6bc99 , < 23579010cf0a12476e96a5f1acdf78a9c5843657 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.8 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56768",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:58.055142Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:00.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f4ab7d74247b0150547cf909b3f6f24ee85183df",
              "status": "affected",
              "version": "1ae6921009e5d72787e07ccc04754514ccf6bc99",
              "versionType": "git"
            },
            {
              "lessThan": "23579010cf0a12476e96a5f1acdf78a9c5843657",
              "status": "affected",
              "version": "1ae6921009e5d72787e07ccc04754514ccf6bc99",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP\n\nOn x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP\ndisabled can trigger the following bug, as pcpu_hot is unavailable:\n\n [    8.471774] BUG: unable to handle page fault for address: 00000000936a290c\n [    8.471849] #PF: supervisor read access in kernel mode\n [    8.471881] #PF: error_code(0x0000) - not-present page\n\nFix by inlining a return 0 in the !CONFIG_SMP case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:16.289Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f4ab7d74247b0150547cf909b3f6f24ee85183df"
        },
        {
          "url": "https://git.kernel.org/stable/c/23579010cf0a12476e96a5f1acdf78a9c5843657"
        }
      ],
      "title": "bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56768",
    "datePublished": "2025-01-06T16:20:46.133Z",
    "dateReserved": "2024-12-29T11:26:39.762Z",
    "dateUpdated": "2025-10-01T20:07:00.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56372 (GCVE-0-2024-56372)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:35 – Updated: 2025-05-04 09:57

Title

net: tun: fix tun_napi_alloc_frags()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: tun: fix tun_napi_alloc_frags() syzbot reported the following crash [1] Issue came with the blamed commit. Instead of going through all the iov components, we keep using the first one and end up with a malformed skb. [1] kernel BUG at net/core/skbuff.c:2849 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848 Code: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90004cbef30 EFLAGS: 00010293 RAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00 RDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000 RBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c R10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50 R13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80 FS: 00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284 tipc_aead_decrypt net/tipc/crypto.c:894 [inline] tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844 tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109 tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668 __netif_receive_skb_list_ptype net/core/dev.c:5720 [inline] __netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762 __netif_receive_skb_list net/core/dev.c:5814 [inline] netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905 gro_normal_list include/net/gro.h:515 [inline] napi_complete_done+0x2b5/0x870 net/core/dev.c:6256 napi_complete include/linux/netdevice.h:567 [inline] tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057 do_iter_readv_writev+0x600/0x880 vfs_writev+0x376/0xba0 fs/read_write.c:1050 do_writev+0x1b6/0x360 fs/read_write.c:1096 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/efe74dd58a72bd987…
	https://git.kernel.org/stable/c/4f393ea1e2f9c3b64…
	https://git.kernel.org/stable/c/429fde2d81bcef0eb…

Impacted products

Vendor

Product

Version

Linux

Affected: de4f5fed3f231a8ff4790bf52975f847b95b85ea , < efe74dd58a72bd987b158142c904b7ef2ad132e2 (git)
Affected: de4f5fed3f231a8ff4790bf52975f847b95b85ea , < 4f393ea1e2f9c3b646d00572dd92c48b1869c65f (git)
Affected: de4f5fed3f231a8ff4790bf52975f847b95b85ea , < 429fde2d81bcef0ebab002215358955704586457 (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.68 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/tun.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "efe74dd58a72bd987b158142c904b7ef2ad132e2",
              "status": "affected",
              "version": "de4f5fed3f231a8ff4790bf52975f847b95b85ea",
              "versionType": "git"
            },
            {
              "lessThan": "4f393ea1e2f9c3b646d00572dd92c48b1869c65f",
              "status": "affected",
              "version": "de4f5fed3f231a8ff4790bf52975f847b95b85ea",
              "versionType": "git"
            },
            {
              "lessThan": "429fde2d81bcef0ebab002215358955704586457",
              "status": "affected",
              "version": "de4f5fed3f231a8ff4790bf52975f847b95b85ea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/tun.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: fix tun_napi_alloc_frags()\n\nsyzbot reported the following crash [1]\n\nIssue came with the blamed commit. Instead of going through\nall the iov components, we keep using the first one\nand end up with a malformed skb.\n\n[1]\n\nkernel BUG at net/core/skbuff.c:2849 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\n RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848\nCode: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 \u003c0f\u003e 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffc90004cbef30 EFLAGS: 00010293\nRAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00\nRDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000\nRBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c\nR10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50\nR13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80\nFS:  00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n  skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284\n  tipc_aead_decrypt net/tipc/crypto.c:894 [inline]\n  tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844\n  tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109\n  tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668\n  __netif_receive_skb_list_ptype net/core/dev.c:5720 [inline]\n  __netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762\n  __netif_receive_skb_list net/core/dev.c:5814 [inline]\n  netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905\n  gro_normal_list include/net/gro.h:515 [inline]\n  napi_complete_done+0x2b5/0x870 net/core/dev.c:6256\n  napi_complete include/linux/netdevice.h:567 [inline]\n  tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982\n  tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057\n do_iter_readv_writev+0x600/0x880\n  vfs_writev+0x376/0xba0 fs/read_write.c:1050\n  do_writev+0x1b6/0x360 fs/read_write.c:1096\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:57:24.432Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/efe74dd58a72bd987b158142c904b7ef2ad132e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f393ea1e2f9c3b646d00572dd92c48b1869c65f"
        },
        {
          "url": "https://git.kernel.org/stable/c/429fde2d81bcef0ebab002215358955704586457"
        }
      ],
      "title": "net: tun: fix tun_napi_alloc_frags()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56372",
    "datePublished": "2025-01-11T12:35:47.256Z",
    "dateReserved": "2025-01-11T12:34:02.635Z",
    "dateUpdated": "2025-05-04T09:57:24.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53682 (GCVE-0-2024-53682)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:29 – Updated: 2025-05-04 09:56

Title

regulator: axp20x: AXP717: set ramp_delay

Summary

In the Linux kernel, the following vulnerability has been resolved: regulator: axp20x: AXP717: set ramp_delay AXP717 datasheet says that regulator ramp delay is 15.625 us/step, which is 10mV in our case. Add a AXP_DESC_RANGES_DELAY macro and update AXP_DESC_RANGES macro to expand to AXP_DESC_RANGES_DELAY with ramp_delay = 0 For DCDC4, steps is 100mv Add a AXP_DESC_DELAY macro and update AXP_DESC macro to expand to AXP_DESC_DELAY with ramp_delay = 0 This patch fix crashes when using CPU DVFS.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/10eb845a87193ef92…
	https://git.kernel.org/stable/c/f07ae52f5cf6a5584…

Impacted products

Vendor

Product

Version

Linux

Affected: d2ac3df75c3a995064cfac0171e082a30d8c4c66 , < 10eb845a87193ef922cd002e0ff4f4759c1e918d (git)
Affected: d2ac3df75c3a995064cfac0171e082a30d8c4c66 , < f07ae52f5cf6a5584fdf7c8c652f027d90bc8b74 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/axp20x-regulator.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "10eb845a87193ef922cd002e0ff4f4759c1e918d",
              "status": "affected",
              "version": "d2ac3df75c3a995064cfac0171e082a30d8c4c66",
              "versionType": "git"
            },
            {
              "lessThan": "f07ae52f5cf6a5584fdf7c8c652f027d90bc8b74",
              "status": "affected",
              "version": "d2ac3df75c3a995064cfac0171e082a30d8c4c66",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/axp20x-regulator.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: axp20x: AXP717: set ramp_delay\n\nAXP717 datasheet says that regulator ramp delay is 15.625 us/step,\nwhich is 10mV in our case.\n\nAdd a AXP_DESC_RANGES_DELAY macro and update AXP_DESC_RANGES macro to\nexpand to AXP_DESC_RANGES_DELAY with ramp_delay = 0\n\nFor DCDC4, steps is 100mv\n\nAdd a AXP_DESC_DELAY macro and update AXP_DESC macro to\nexpand to AXP_DESC_DELAY with ramp_delay = 0\n\nThis patch fix crashes when using CPU DVFS."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:56:53.446Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/10eb845a87193ef922cd002e0ff4f4759c1e918d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f07ae52f5cf6a5584fdf7c8c652f027d90bc8b74"
        }
      ],
      "title": "regulator: axp20x: AXP717: set ramp_delay",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53682",
    "datePublished": "2025-01-11T12:29:49.692Z",
    "dateReserved": "2025-01-09T09:50:31.747Z",
    "dateUpdated": "2025-05-04T09:56:53.446Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56652 (GCVE-0-2024-56652)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-05-04 10:01

Title

drm/xe/reg_sr: Remove register pool

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/xe/reg_sr: Remove register pool That pool implementation doesn't really work: if the krealloc happens to move the memory and return another address, the entries in the xarray become invalid, leading to use-after-free later: BUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe] Read of size 4 at addr ffff8881244b2590 by task modprobe/2753 Allocated by task 2753: kasan_save_stack+0x39/0x70 kasan_save_track+0x14/0x40 kasan_save_alloc_info+0x37/0x60 __kasan_kmalloc+0xc3/0xd0 __kmalloc_node_track_caller_noprof+0x200/0x6d0 krealloc_noprof+0x229/0x380 Simplify the code to fix the bug. A better pooling strategy may be added back later if needed. (cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4)

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b0193a31a0ca5a0f9…
	https://git.kernel.org/stable/c/d7b028656c29b22fc…

Impacted products

Vendor

Product

Version

Linux

Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < b0193a31a0ca5a0f9e60bb4a86537d46b98111b8 (git)
Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < d7b028656c29b22fcde1c6ee1df5b28fbba987b5 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56652",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:38.610298Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:21.406Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_reg_sr.c",
            "drivers/gpu/drm/xe/xe_reg_sr_types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b0193a31a0ca5a0f9e60bb4a86537d46b98111b8",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            },
            {
              "lessThan": "d7b028656c29b22fcde1c6ee1df5b28fbba987b5",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_reg_sr.c",
            "drivers/gpu/drm/xe/xe_reg_sr_types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/reg_sr: Remove register pool\n\nThat pool implementation doesn\u0027t really work: if the krealloc happens to\nmove the memory and return another address, the entries in the xarray\nbecome invalid, leading to use-after-free later:\n\n\tBUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe]\n\tRead of size 4 at addr ffff8881244b2590 by task modprobe/2753\n\n\tAllocated by task 2753:\n\t kasan_save_stack+0x39/0x70\n\t kasan_save_track+0x14/0x40\n\t kasan_save_alloc_info+0x37/0x60\n\t __kasan_kmalloc+0xc3/0xd0\n\t __kmalloc_node_track_caller_noprof+0x200/0x6d0\n\t krealloc_noprof+0x229/0x380\n\nSimplify the code to fix the bug. A better pooling strategy may be added\nback later if needed.\n\n(cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:01:06.499Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b0193a31a0ca5a0f9e60bb4a86537d46b98111b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7b028656c29b22fcde1c6ee1df5b28fbba987b5"
        }
      ],
      "title": "drm/xe/reg_sr: Remove register pool",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56652",
    "datePublished": "2024-12-27T15:06:16.454Z",
    "dateReserved": "2024-12-27T15:00:39.841Z",
    "dateUpdated": "2025-05-04T10:01:06.499Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56602 (GCVE-0-2024-56602)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2026-01-05 10:56

Title

net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() sock_init_data() attaches the allocated sk object to the provided sock object. If ieee802154_create() fails later, the allocated sk object is freed, but the dangling pointer remains in the provided sock object, which may allow use-after-free. Clear the sk pointer in the sock object on error.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1d5fe782c0ff068d8…
	https://git.kernel.org/stable/c/14959fd7538b3be6d…
	https://git.kernel.org/stable/c/2b46994a6e76c8cc5…
	https://git.kernel.org/stable/c/e8bd6c5f5dc2234b4…
	https://git.kernel.org/stable/c/b4982fbf13042e3bb…
	https://git.kernel.org/stable/c/03caa9bfb9fde97fb…
	https://git.kernel.org/stable/c/b4fcd63f6ef79c73c…

Impacted products

Vendor

Product

Version

Linux

Affected: 9ec7671603573ede31207eb5b0b3e1aa211b2854 , < 1d5fe782c0ff068d80933f9cfd0fd39d5434bbc9 (git)
Affected: 9ec7671603573ede31207eb5b0b3e1aa211b2854 , < 14959fd7538b3be6d7617d9e60e404d6a8d4fd1f (git)
Affected: 9ec7671603573ede31207eb5b0b3e1aa211b2854 , < 2b46994a6e76c8cc5556772932b9b60d03a55cd8 (git)
Affected: 9ec7671603573ede31207eb5b0b3e1aa211b2854 , < e8bd6c5f5dc2234b4ea714380aedeea12a781754 (git)
Affected: 9ec7671603573ede31207eb5b0b3e1aa211b2854 , < b4982fbf13042e3bb33e04eddfea8b1506b5ea65 (git)
Affected: 9ec7671603573ede31207eb5b0b3e1aa211b2854 , < 03caa9bfb9fde97fb53d33decd7364514e6825cb (git)
Affected: 9ec7671603573ede31207eb5b0b3e1aa211b2854 , < b4fcd63f6ef79c73cafae8cf4a114def5fc3d80d (git)

Linux

Affected: 2.6.31
Unaffected: 0 , < 2.6.31 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56602",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:42:21.145830Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:23.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:43.809Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ieee802154/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1d5fe782c0ff068d80933f9cfd0fd39d5434bbc9",
              "status": "affected",
              "version": "9ec7671603573ede31207eb5b0b3e1aa211b2854",
              "versionType": "git"
            },
            {
              "lessThan": "14959fd7538b3be6d7617d9e60e404d6a8d4fd1f",
              "status": "affected",
              "version": "9ec7671603573ede31207eb5b0b3e1aa211b2854",
              "versionType": "git"
            },
            {
              "lessThan": "2b46994a6e76c8cc5556772932b9b60d03a55cd8",
              "status": "affected",
              "version": "9ec7671603573ede31207eb5b0b3e1aa211b2854",
              "versionType": "git"
            },
            {
              "lessThan": "e8bd6c5f5dc2234b4ea714380aedeea12a781754",
              "status": "affected",
              "version": "9ec7671603573ede31207eb5b0b3e1aa211b2854",
              "versionType": "git"
            },
            {
              "lessThan": "b4982fbf13042e3bb33e04eddfea8b1506b5ea65",
              "status": "affected",
              "version": "9ec7671603573ede31207eb5b0b3e1aa211b2854",
              "versionType": "git"
            },
            {
              "lessThan": "03caa9bfb9fde97fb53d33decd7364514e6825cb",
              "status": "affected",
              "version": "9ec7671603573ede31207eb5b0b3e1aa211b2854",
              "versionType": "git"
            },
            {
              "lessThan": "b4fcd63f6ef79c73cafae8cf4a114def5fc3d80d",
              "status": "affected",
              "version": "9ec7671603573ede31207eb5b0b3e1aa211b2854",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ieee802154/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.31"
            },
            {
              "lessThan": "2.6.31",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ieee802154: do not leave a dangling sk pointer in ieee802154_create()\n\nsock_init_data() attaches the allocated sk object to the provided sock\nobject. If ieee802154_create() fails later, the allocated sk object is\nfreed, but the dangling pointer remains in the provided sock object, which\nmay allow use-after-free.\n\nClear the sk pointer in the sock object on error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:04.215Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1d5fe782c0ff068d80933f9cfd0fd39d5434bbc9"
        },
        {
          "url": "https://git.kernel.org/stable/c/14959fd7538b3be6d7617d9e60e404d6a8d4fd1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b46994a6e76c8cc5556772932b9b60d03a55cd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8bd6c5f5dc2234b4ea714380aedeea12a781754"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4982fbf13042e3bb33e04eddfea8b1506b5ea65"
        },
        {
          "url": "https://git.kernel.org/stable/c/03caa9bfb9fde97fb53d33decd7364514e6825cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4fcd63f6ef79c73cafae8cf4a114def5fc3d80d"
        }
      ],
      "title": "net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56602",
    "datePublished": "2024-12-27T14:51:08.174Z",
    "dateReserved": "2024-12-27T14:03:06.011Z",
    "dateUpdated": "2026-01-05T10:56:04.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-50051 (GCVE-0-2024-50051)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2025-11-03 20:43

Title

spi: mpc52xx: Add cancel_work_sync before module remove

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: Add cancel_work_sync before module remove If we remove the module which will call mpc52xx_spi_remove it will free 'ms' through spi_unregister_controller. while the work ms->work will be used. The sequence of operations that may lead to a UAF bug. Fix it by ensuring that the work is canceled before proceeding with the cleanup in mpc52xx_spi_remove.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d0cde3911cf24e1bc…
	https://git.kernel.org/stable/c/e0c6ce8424095c2da…
	https://git.kernel.org/stable/c/cd5106c77d6d6828a…
	https://git.kernel.org/stable/c/373d55a47dc662e5e…
	https://git.kernel.org/stable/c/f65d85bc1ffd8a2c1…
	https://git.kernel.org/stable/c/90b72189de2cddacb…
	https://git.kernel.org/stable/c/984836621aad98802…

Impacted products

Vendor

Product

Version

Linux

Affected: ca632f556697d45d67ed5cada7cedf3ddfe0db4b , < d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1 (git)
Affected: ca632f556697d45d67ed5cada7cedf3ddfe0db4b , < e0c6ce8424095c2da32a063d3fc027494c689817 (git)
Affected: ca632f556697d45d67ed5cada7cedf3ddfe0db4b , < cd5106c77d6d6828aa82449f01f4eb436d602a21 (git)
Affected: ca632f556697d45d67ed5cada7cedf3ddfe0db4b , < 373d55a47dc662e5e30d12ad5d334312f757c1f1 (git)
Affected: ca632f556697d45d67ed5cada7cedf3ddfe0db4b , < f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59 (git)
Affected: ca632f556697d45d67ed5cada7cedf3ddfe0db4b , < 90b72189de2cddacb26250579da0510b29a8b82b (git)
Affected: ca632f556697d45d67ed5cada7cedf3ddfe0db4b , < 984836621aad98802d92c4a3047114cf518074c8 (git)

Linux

Affected: 3.1
Unaffected: 0 , < 3.1 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-50051",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:12:07.926078Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:06.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:43:19.203Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-mpc52xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1",
              "status": "affected",
              "version": "ca632f556697d45d67ed5cada7cedf3ddfe0db4b",
              "versionType": "git"
            },
            {
              "lessThan": "e0c6ce8424095c2da32a063d3fc027494c689817",
              "status": "affected",
              "version": "ca632f556697d45d67ed5cada7cedf3ddfe0db4b",
              "versionType": "git"
            },
            {
              "lessThan": "cd5106c77d6d6828aa82449f01f4eb436d602a21",
              "status": "affected",
              "version": "ca632f556697d45d67ed5cada7cedf3ddfe0db4b",
              "versionType": "git"
            },
            {
              "lessThan": "373d55a47dc662e5e30d12ad5d334312f757c1f1",
              "status": "affected",
              "version": "ca632f556697d45d67ed5cada7cedf3ddfe0db4b",
              "versionType": "git"
            },
            {
              "lessThan": "f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59",
              "status": "affected",
              "version": "ca632f556697d45d67ed5cada7cedf3ddfe0db4b",
              "versionType": "git"
            },
            {
              "lessThan": "90b72189de2cddacb26250579da0510b29a8b82b",
              "status": "affected",
              "version": "ca632f556697d45d67ed5cada7cedf3ddfe0db4b",
              "versionType": "git"
            },
            {
              "lessThan": "984836621aad98802d92c4a3047114cf518074c8",
              "status": "affected",
              "version": "ca632f556697d45d67ed5cada7cedf3ddfe0db4b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-mpc52xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "lessThan": "3.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: mpc52xx: Add cancel_work_sync before module remove\n\nIf we remove the module which will call mpc52xx_spi_remove\nit will free \u0027ms\u0027 through spi_unregister_controller.\nwhile the work ms-\u003ework will be used. The sequence of operations\nthat may lead to a UAF bug.\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in mpc52xx_spi_remove."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:44:49.213Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0c6ce8424095c2da32a063d3fc027494c689817"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd5106c77d6d6828aa82449f01f4eb436d602a21"
        },
        {
          "url": "https://git.kernel.org/stable/c/373d55a47dc662e5e30d12ad5d334312f757c1f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59"
        },
        {
          "url": "https://git.kernel.org/stable/c/90b72189de2cddacb26250579da0510b29a8b82b"
        },
        {
          "url": "https://git.kernel.org/stable/c/984836621aad98802d92c4a3047114cf518074c8"
        }
      ],
      "title": "spi: mpc52xx: Add cancel_work_sync before module remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50051",
    "datePublished": "2025-01-11T12:25:20.277Z",
    "dateReserved": "2025-01-09T09:50:31.785Z",
    "dateUpdated": "2025-11-03T20:43:19.203Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56718 (GCVE-0-2024-56718)

Vulnerability from cvelistv5 – Published: 2024-12-29 08:48 – Updated: 2025-11-03 20:53

Title

net/smc: protect link down work from execute after lgr freed

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: protect link down work from execute after lgr freed link down work may be scheduled before lgr freed but execute after lgr freed, which may result in crash. So it is need to hold a reference before shedule link down work, and put the reference after work executed or canceled. The relevant crash call stack as follows: list_del corruption. prev->next should be ffffb638c9c0fe20, but was 0000000000000000 ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:51! invalid opcode: 0000 [#1] SMP NOPTI CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1 Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014 Workqueue: events smc_link_down_work [smc] RIP: 0010:__list_del_entry_valid.cold+0x31/0x47 RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086 RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000 RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38 R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002 R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0 FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: rwsem_down_write_slowpath+0x17e/0x470 smc_link_down_work+0x3c/0x60 [smc] process_one_work+0x1ac/0x350 worker_thread+0x49/0x2f0 ? rescuer_thread+0x360/0x360 kthread+0x118/0x140 ? __kthread_bind_mask+0x60/0x60 ret_from_fork+0x1f/0x30

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bec2f52866d511e94…
	https://git.kernel.org/stable/c/2627c3e8646932dfc…
	https://git.kernel.org/stable/c/841b1824750d3b8d1…
	https://git.kernel.org/stable/c/2b33eb8f1b3e8c2f8…

Impacted products

Vendor

Product

Version

Linux

Affected: 541afa10c126b6c22c2a805a559c70cc41fd156e , < bec2f52866d511e94c1c37cd962e4382b1b1a299 (git)
Affected: 541afa10c126b6c22c2a805a559c70cc41fd156e , < 2627c3e8646932dfc7b9722c88c2e1ffcf7a9fb2 (git)
Affected: 541afa10c126b6c22c2a805a559c70cc41fd156e , < 841b1824750d3b8d1dc0a96b14db4418b952abbc (git)
Affected: 541afa10c126b6c22c2a805a559c70cc41fd156e , < 2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 6.1.122 , ≤ 6.1.* (semver)
Unaffected: 6.6.68 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56718",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:58:28.250334Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:06.436Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:53:09.586Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bec2f52866d511e94c1c37cd962e4382b1b1a299",
              "status": "affected",
              "version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
              "versionType": "git"
            },
            {
              "lessThan": "2627c3e8646932dfc7b9722c88c2e1ffcf7a9fb2",
              "status": "affected",
              "version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
              "versionType": "git"
            },
            {
              "lessThan": "841b1824750d3b8d1dc0a96b14db4418b952abbc",
              "status": "affected",
              "version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
              "versionType": "git"
            },
            {
              "lessThan": "2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec",
              "status": "affected",
              "version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: protect link down work from execute after lgr freed\n\nlink down work may be scheduled before lgr freed but execute\nafter lgr freed, which may result in crash. So it is need to\nhold a reference before shedule link down work, and put the\nreference after work executed or canceled.\n\nThe relevant crash call stack as follows:\n list_del corruption. prev-\u003enext should be ffffb638c9c0fe20,\n    but was 0000000000000000\n ------------[ cut here ]------------\n kernel BUG at lib/list_debug.c:51!\n invalid opcode: 0000 [#1] SMP NOPTI\n CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1\n Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014\n Workqueue: events smc_link_down_work [smc]\n RIP: 0010:__list_del_entry_valid.cold+0x31/0x47\n RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086\n RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000\n RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38\n R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002\n R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0\n FS:  0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  rwsem_down_write_slowpath+0x17e/0x470\n  smc_link_down_work+0x3c/0x60 [smc]\n  process_one_work+0x1ac/0x350\n  worker_thread+0x49/0x2f0\n  ? rescuer_thread+0x360/0x360\n  kthread+0x118/0x140\n  ? __kthread_bind_mask+0x60/0x60\n  ret_from_fork+0x1f/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:03:15.766Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bec2f52866d511e94c1c37cd962e4382b1b1a299"
        },
        {
          "url": "https://git.kernel.org/stable/c/2627c3e8646932dfc7b9722c88c2e1ffcf7a9fb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/841b1824750d3b8d1dc0a96b14db4418b952abbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec"
        }
      ],
      "title": "net/smc: protect link down work from execute after lgr freed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56718",
    "datePublished": "2024-12-29T08:48:50.740Z",
    "dateReserved": "2024-12-27T15:00:39.858Z",
    "dateUpdated": "2025-11-03T20:53:09.586Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56711 (GCVE-0-2024-56711)

Vulnerability from cvelistv5 – Published: 2024-12-29 08:48 – Updated: 2025-10-01 20:07

Title

drm/panel: himax-hx83102: Add a check to prevent NULL pointer dereference

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/panel: himax-hx83102: Add a check to prevent NULL pointer dereference drm_mode_duplicate() could return NULL due to lack of memory, which will then call NULL pointer dereference. Add a check to prevent it.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/747547972e6475098…
	https://git.kernel.org/stable/c/e1e1af9148dc4c866…

Impacted products

Vendor

Product

Version

Linux

Affected: 0ef94554dc40fbdb7e57ff90cd1e7fa71e1e89fd , < 747547972e647509815ad8530ff09d62220a56c2 (git)
Affected: 0ef94554dc40fbdb7e57ff90cd1e7fa71e1e89fd , < e1e1af9148dc4c866eda3fb59cd6ec3c7ea34b1d (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56711",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:58:41.010359Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:07.015Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panel/panel-himax-hx83102.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "747547972e647509815ad8530ff09d62220a56c2",
              "status": "affected",
              "version": "0ef94554dc40fbdb7e57ff90cd1e7fa71e1e89fd",
              "versionType": "git"
            },
            {
              "lessThan": "e1e1af9148dc4c866eda3fb59cd6ec3c7ea34b1d",
              "status": "affected",
              "version": "0ef94554dc40fbdb7e57ff90cd1e7fa71e1e89fd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panel/panel-himax-hx83102.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: himax-hx83102: Add a check to prevent NULL pointer dereference\n\ndrm_mode_duplicate() could return NULL due to lack of memory,\nwhich will then call NULL pointer dereference. Add a check to\nprevent it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:03:05.019Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/747547972e647509815ad8530ff09d62220a56c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1e1af9148dc4c866eda3fb59cd6ec3c7ea34b1d"
        }
      ],
      "title": "drm/panel: himax-hx83102: Add a check to prevent NULL pointer dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56711",
    "datePublished": "2024-12-29T08:48:45.347Z",
    "dateReserved": "2024-12-27T15:00:39.857Z",
    "dateUpdated": "2025-10-01T20:07:07.015Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57880 (GCVE-0-2024-57880)

Vulnerability from cvelistv5 – Published: 2025-01-11 15:05 – Updated: 2025-05-04 10:05

Title

ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array The code uses the initialised member of the asoc_sdw_dailink struct to determine if a member of the array is in use. However in the case the array is completely full this will lead to an access 1 past the end of the array, expand the array by one entry to include a space for a terminator.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b21a849764a4111b0…
	https://git.kernel.org/stable/c/255cc582e6e16191a…

Impacted products

Vendor

Product

Version

Linux

Affected: 27fd36aefa0013bea1cf6948e2e825e9b8cff97a , < b21a849764a4111b0bc14a5ffe987a0582419de2 (git)
Affected: 27fd36aefa0013bea1cf6948e2e825e9b8cff97a , < 255cc582e6e16191a20d54bcdbca6c91d3e90c5e (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/boards/sof_sdw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b21a849764a4111b0bc14a5ffe987a0582419de2",
              "status": "affected",
              "version": "27fd36aefa0013bea1cf6948e2e825e9b8cff97a",
              "versionType": "git"
            },
            {
              "lessThan": "255cc582e6e16191a20d54bcdbca6c91d3e90c5e",
              "status": "affected",
              "version": "27fd36aefa0013bea1cf6948e2e825e9b8cff97a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/boards/sof_sdw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof_sdw: Add space for a terminator into DAIs array\n\nThe code uses the initialised member of the asoc_sdw_dailink struct to\ndetermine if a member of the array is in use. However in the case the\narray is completely full this will lead to an access 1 past the end of\nthe array, expand the array by one entry to include a space for a\nterminator."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:44.559Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b21a849764a4111b0bc14a5ffe987a0582419de2"
        },
        {
          "url": "https://git.kernel.org/stable/c/255cc582e6e16191a20d54bcdbca6c91d3e90c5e"
        }
      ],
      "title": "ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57880",
    "datePublished": "2025-01-11T15:05:28.763Z",
    "dateReserved": "2025-01-11T14:45:42.023Z",
    "dateUpdated": "2025-05-04T10:05:44.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57929 (GCVE-0-2024-57929)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-11-03 20:55

Title

dm array: fix releasing a faulty array block twice in dm_array_cursor_end

Summary

In the Linux kernel, the following vulnerability has been resolved: dm array: fix releasing a faulty array block twice in dm_array_cursor_end When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put(). Reproduce steps: 1. initialize a cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. wipe the second array block offline dmsteup remove cache cmeta cdata corig mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock 3. try reopen the cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) device-mapper: array: array_block_check failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: get_ablock failed device-mapper: cache metadata: dm_array_cursor_next for mapping failed ------------[ cut here ]------------ kernel BUG at drivers/md/dm-bufio.c:638! Fix by setting the cached block pointer to NULL on errors. In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit: dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9c7c03d0e926762ad…
	https://git.kernel.org/stable/c/fc1ef07c3522e257e…
	https://git.kernel.org/stable/c/738994872d77e189b…
	https://git.kernel.org/stable/c/e477021d252c007f0…
	https://git.kernel.org/stable/c/6002bec5354f86d1a…
	https://git.kernel.org/stable/c/017c4470bff535853…
	https://git.kernel.org/stable/c/f2893c0804d86230f…

Impacted products

Vendor

Product

Version

Linux

Affected: fdd1315aa5f022fe6574efdc2d9535f75a0ee255 , < 9c7c03d0e926762adf3a3a0ba86156fb5e19538b (git)
Affected: fdd1315aa5f022fe6574efdc2d9535f75a0ee255 , < fc1ef07c3522e257e32702954f265debbcb096a7 (git)
Affected: fdd1315aa5f022fe6574efdc2d9535f75a0ee255 , < 738994872d77e189b2d13c501a1d145e95d98f46 (git)
Affected: fdd1315aa5f022fe6574efdc2d9535f75a0ee255 , < e477021d252c007f0c6d45b5d13d341efed03979 (git)
Affected: fdd1315aa5f022fe6574efdc2d9535f75a0ee255 , < 6002bec5354f86d1a2df21468f68e3ec03ede9da (git)
Affected: fdd1315aa5f022fe6574efdc2d9535f75a0ee255 , < 017c4470bff53585370028fec9341247bad358ff (git)
Affected: fdd1315aa5f022fe6574efdc2d9535f75a0ee255 , < f2893c0804d86230ffb8f1c8703fdbb18648abc8 (git)

Linux

Affected: 4.9
Unaffected: 0 , < 4.9 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:57.853Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/persistent-data/dm-array.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9c7c03d0e926762adf3a3a0ba86156fb5e19538b",
              "status": "affected",
              "version": "fdd1315aa5f022fe6574efdc2d9535f75a0ee255",
              "versionType": "git"
            },
            {
              "lessThan": "fc1ef07c3522e257e32702954f265debbcb096a7",
              "status": "affected",
              "version": "fdd1315aa5f022fe6574efdc2d9535f75a0ee255",
              "versionType": "git"
            },
            {
              "lessThan": "738994872d77e189b2d13c501a1d145e95d98f46",
              "status": "affected",
              "version": "fdd1315aa5f022fe6574efdc2d9535f75a0ee255",
              "versionType": "git"
            },
            {
              "lessThan": "e477021d252c007f0c6d45b5d13d341efed03979",
              "status": "affected",
              "version": "fdd1315aa5f022fe6574efdc2d9535f75a0ee255",
              "versionType": "git"
            },
            {
              "lessThan": "6002bec5354f86d1a2df21468f68e3ec03ede9da",
              "status": "affected",
              "version": "fdd1315aa5f022fe6574efdc2d9535f75a0ee255",
              "versionType": "git"
            },
            {
              "lessThan": "017c4470bff53585370028fec9341247bad358ff",
              "status": "affected",
              "version": "fdd1315aa5f022fe6574efdc2d9535f75a0ee255",
              "versionType": "git"
            },
            {
              "lessThan": "f2893c0804d86230ffb8f1c8703fdbb18648abc8",
              "status": "affected",
              "version": "fdd1315aa5f022fe6574efdc2d9535f75a0ee255",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/persistent-data/dm-array.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm array: fix releasing a faulty array block twice in dm_array_cursor_end\n\nWhen dm_bm_read_lock() fails due to locking or checksum errors, it\nreleases the faulty block implicitly while leaving an invalid output\npointer behind. The caller of dm_bm_read_lock() should not operate on\nthis invalid dm_block pointer, or it will lead to undefined result.\nFor example, the dm_array_cursor incorrectly caches the invalid pointer\non reading a faulty array block, causing a double release in\ndm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().\n\nReproduce steps:\n\n1. initialize a cache device\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc $262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1\ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\n2. wipe the second array block offline\n\ndmsteup remove cache cmeta cdata corig\nmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\\n2\u003e/dev/null | hexdump -e \u00271/8 \"%u\\n\"\u0027)\nablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\\n2\u003e/dev/null | hexdump -e \u00271/8 \"%u\\n\"\u0027)\ndd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock\n\n3. try reopen the cache device\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc $262144\"\ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\nKernel logs:\n\n(snip)\ndevice-mapper: array: array_block_check failed: blocknr 0 != wanted 10\ndevice-mapper: block manager: array validator check failed for block 10\ndevice-mapper: array: get_ablock failed\ndevice-mapper: cache metadata: dm_array_cursor_next for mapping failed\n------------[ cut here ]------------\nkernel BUG at drivers/md/dm-bufio.c:638!\n\nFix by setting the cached block pointer to NULL on errors.\n\nIn addition to the reproducer described above, this fix can be\nverified using the \"array_cursor/damaged\" test in dm-unit:\n  dm-unit run /pdata/array_cursor/damaged --kernel-dir \u003cKERNEL_DIR\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:51.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9c7c03d0e926762adf3a3a0ba86156fb5e19538b"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc1ef07c3522e257e32702954f265debbcb096a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/738994872d77e189b2d13c501a1d145e95d98f46"
        },
        {
          "url": "https://git.kernel.org/stable/c/e477021d252c007f0c6d45b5d13d341efed03979"
        },
        {
          "url": "https://git.kernel.org/stable/c/6002bec5354f86d1a2df21468f68e3ec03ede9da"
        },
        {
          "url": "https://git.kernel.org/stable/c/017c4470bff53585370028fec9341247bad358ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2893c0804d86230ffb8f1c8703fdbb18648abc8"
        }
      ],
      "title": "dm array: fix releasing a faulty array block twice in dm_array_cursor_end",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57929",
    "datePublished": "2025-01-19T11:52:46.096Z",
    "dateReserved": "2025-01-19T11:50:08.376Z",
    "dateUpdated": "2025-11-03T20:55:57.853Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56573 (GCVE-0-2024-56573)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-05-04 09:58

Title

efi/libstub: Free correct pointer on failure

Summary

In the Linux kernel, the following vulnerability has been resolved: efi/libstub: Free correct pointer on failure cmdline_ptr is an out parameter, which is not allocated by the function itself, and likely points into the caller's stack. cmdline refers to the pool allocation that should be freed when cleaning up after a failure, so pass this instead to free_pool().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d173aee5709bd0994…
	https://git.kernel.org/stable/c/eaafbcf0a5782ae41…
	https://git.kernel.org/stable/c/06d39d79cbd5a91a3…

Impacted products

Vendor

Product

Version

Linux

Affected: 42c8ea3dca094ab82776ca706fb7a9cbe8ac3dc9 , < d173aee5709bd0994d216d60589ec67f8b11376a (git)
Affected: 42c8ea3dca094ab82776ca706fb7a9cbe8ac3dc9 , < eaafbcf0a5782ae412ca7de12ef83fc48ccea4cf (git)
Affected: 42c8ea3dca094ab82776ca706fb7a9cbe8ac3dc9 , < 06d39d79cbd5a91a33707951ebf2512d0e759847 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/efi/libstub/efi-stub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d173aee5709bd0994d216d60589ec67f8b11376a",
              "status": "affected",
              "version": "42c8ea3dca094ab82776ca706fb7a9cbe8ac3dc9",
              "versionType": "git"
            },
            {
              "lessThan": "eaafbcf0a5782ae412ca7de12ef83fc48ccea4cf",
              "status": "affected",
              "version": "42c8ea3dca094ab82776ca706fb7a9cbe8ac3dc9",
              "versionType": "git"
            },
            {
              "lessThan": "06d39d79cbd5a91a33707951ebf2512d0e759847",
              "status": "affected",
              "version": "42c8ea3dca094ab82776ca706fb7a9cbe8ac3dc9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/efi/libstub/efi-stub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/libstub: Free correct pointer on failure\n\ncmdline_ptr is an out parameter, which is not allocated by the function\nitself, and likely points into the caller\u0027s stack.\n\ncmdline refers to the pool allocation that should be freed when cleaning\nup after a failure, so pass this instead to free_pool()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:40.379Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d173aee5709bd0994d216d60589ec67f8b11376a"
        },
        {
          "url": "https://git.kernel.org/stable/c/eaafbcf0a5782ae412ca7de12ef83fc48ccea4cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/06d39d79cbd5a91a33707951ebf2512d0e759847"
        }
      ],
      "title": "efi/libstub: Free correct pointer on failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56573",
    "datePublished": "2024-12-27T14:23:16.231Z",
    "dateReserved": "2024-12-27T14:03:05.998Z",
    "dateUpdated": "2025-05-04T09:58:40.379Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57913 (GCVE-0-2024-57913)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-11-03 20:55

Title

usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Remove WARN_ON in functionfs_bind This commit addresses an issue related to below kernel panic where panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON in functionsfs_bind, which easily leads to the following scenarios. 1.adb_write in adbd 2. UDC write via configfs ================= ===================== ->usb_ffs_open_thread() ->UDC write ->open_functionfs() ->configfs_write_iter() ->adb_open() ->gadget_dev_desc_UDC_store() ->adb_write() ->usb_gadget_register_driver_owner ->driver_register() ->StartMonitor() ->bus_add_driver() ->adb_read() ->gadget_bind_driver() <times-out without BIND event> ->configfs_composite_bind() ->usb_add_function() ->open_functionfs() ->ffs_func_bind() ->adb_open() ->functionfs_bind() <ffs->state !=FFS_ACTIVE> The adb_open, adb_read, and adb_write operations are invoked from the daemon, but trying to bind the function is a process that is invoked by UDC write through configfs, which opens up the possibility of a race condition between the two paths. In this race scenario, the kernel panic occurs due to the WARN_ON from functionfs_bind when panic_on_warn is enabled. This commit fixes the kernel panic by removing the unnecessary WARN_ON. Kernel panic - not syncing: kernel: panic_on_warn set ... [ 14.542395] Call trace: [ 14.542464] ffs_func_bind+0x1c8/0x14a8 [ 14.542468] usb_add_function+0xcc/0x1f0 [ 14.542473] configfs_composite_bind+0x468/0x588 [ 14.542478] gadget_bind_driver+0x108/0x27c [ 14.542483] really_probe+0x190/0x374 [ 14.542488] __driver_probe_device+0xa0/0x12c [ 14.542492] driver_probe_device+0x3c/0x220 [ 14.542498] __driver_attach+0x11c/0x1fc [ 14.542502] bus_for_each_dev+0x104/0x160 [ 14.542506] driver_attach+0x24/0x34 [ 14.542510] bus_add_driver+0x154/0x270 [ 14.542514] driver_register+0x68/0x104 [ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4 [ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144 [ 14.542526] configfs_write_iter+0xf0/0x138

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bfe60030fcd976e35…
	https://git.kernel.org/stable/c/3e4d32cc145955d5c…
	https://git.kernel.org/stable/c/19fc1c83454ca9d56…
	https://git.kernel.org/stable/c/82f60f3600aecd9ff…
	https://git.kernel.org/stable/c/ea6a1498742430eb2…
	https://git.kernel.org/stable/c/a8b6a18b9b66cc4c0…
	https://git.kernel.org/stable/c/dfc51e48bca475bbe…

Impacted products

Vendor

Product

Version

Linux

Affected: ddf8abd2599491cbad959c700b90ba72a5dce8d0 , < bfe60030fcd976e3546e1f73d6d0eb3fea26442e (git)
Affected: ddf8abd2599491cbad959c700b90ba72a5dce8d0 , < 3e4d32cc145955d5c56c5498a3ff057e4aafa9d1 (git)
Affected: ddf8abd2599491cbad959c700b90ba72a5dce8d0 , < 19fc1c83454ca9d5699e39633ec79ce26355251c (git)
Affected: ddf8abd2599491cbad959c700b90ba72a5dce8d0 , < 82f60f3600aecd9ffcd0fbc4e193694511c85b47 (git)
Affected: ddf8abd2599491cbad959c700b90ba72a5dce8d0 , < ea6a1498742430eb2effce0d1439ff29ef37dd7d (git)
Affected: ddf8abd2599491cbad959c700b90ba72a5dce8d0 , < a8b6a18b9b66cc4c016d63132b59ce5383f7cdd2 (git)
Affected: ddf8abd2599491cbad959c700b90ba72a5dce8d0 , < dfc51e48bca475bbee984e90f33fdc537ce09699 (git)

Linux

Affected: 2.6.35
Unaffected: 0 , < 2.6.35 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57913",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:53:20.371926Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-362",
                "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:15.449Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:48.145Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bfe60030fcd976e3546e1f73d6d0eb3fea26442e",
              "status": "affected",
              "version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
              "versionType": "git"
            },
            {
              "lessThan": "3e4d32cc145955d5c56c5498a3ff057e4aafa9d1",
              "status": "affected",
              "version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
              "versionType": "git"
            },
            {
              "lessThan": "19fc1c83454ca9d5699e39633ec79ce26355251c",
              "status": "affected",
              "version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
              "versionType": "git"
            },
            {
              "lessThan": "82f60f3600aecd9ffcd0fbc4e193694511c85b47",
              "status": "affected",
              "version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
              "versionType": "git"
            },
            {
              "lessThan": "ea6a1498742430eb2effce0d1439ff29ef37dd7d",
              "status": "affected",
              "version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
              "versionType": "git"
            },
            {
              "lessThan": "a8b6a18b9b66cc4c016d63132b59ce5383f7cdd2",
              "status": "affected",
              "version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
              "versionType": "git"
            },
            {
              "lessThan": "dfc51e48bca475bbee984e90f33fdc537ce09699",
              "status": "affected",
              "version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.35"
            },
            {
              "lessThan": "2.6.35",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Remove WARN_ON in functionfs_bind\n\nThis commit addresses an issue related to below kernel panic where\npanic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON\nin functionsfs_bind, which easily leads to the following scenarios.\n\n1.adb_write in adbd               2. UDC write via configfs\n  =================\t             =====================\n\n-\u003eusb_ffs_open_thread()           -\u003eUDC write\n -\u003eopen_functionfs()               -\u003econfigfs_write_iter()\n  -\u003eadb_open()                      -\u003egadget_dev_desc_UDC_store()\n   -\u003eadb_write()                     -\u003eusb_gadget_register_driver_owner\n                                      -\u003edriver_register()\n-\u003eStartMonitor()                       -\u003ebus_add_driver()\n -\u003eadb_read()                           -\u003egadget_bind_driver()\n\u003ctimes-out without BIND event\u003e           -\u003econfigfs_composite_bind()\n                                          -\u003eusb_add_function()\n-\u003eopen_functionfs()                        -\u003effs_func_bind()\n -\u003eadb_open()                               -\u003efunctionfs_bind()\n                                       \u003cffs-\u003estate !=FFS_ACTIVE\u003e\n\nThe adb_open, adb_read, and adb_write operations are invoked from the\ndaemon, but trying to bind the function is a process that is invoked by\nUDC write through configfs, which opens up the possibility of a race\ncondition between the two paths. In this race scenario, the kernel panic\noccurs due to the WARN_ON from functionfs_bind when panic_on_warn is\nenabled. This commit fixes the kernel panic by removing the unnecessary\nWARN_ON.\n\nKernel panic - not syncing: kernel: panic_on_warn set ...\n[   14.542395] Call trace:\n[   14.542464]  ffs_func_bind+0x1c8/0x14a8\n[   14.542468]  usb_add_function+0xcc/0x1f0\n[   14.542473]  configfs_composite_bind+0x468/0x588\n[   14.542478]  gadget_bind_driver+0x108/0x27c\n[   14.542483]  really_probe+0x190/0x374\n[   14.542488]  __driver_probe_device+0xa0/0x12c\n[   14.542492]  driver_probe_device+0x3c/0x220\n[   14.542498]  __driver_attach+0x11c/0x1fc\n[   14.542502]  bus_for_each_dev+0x104/0x160\n[   14.542506]  driver_attach+0x24/0x34\n[   14.542510]  bus_add_driver+0x154/0x270\n[   14.542514]  driver_register+0x68/0x104\n[   14.542518]  usb_gadget_register_driver_owner+0x48/0xf4\n[   14.542523]  gadget_dev_desc_UDC_store+0xf8/0x144\n[   14.542526]  configfs_write_iter+0xf0/0x138"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:31.910Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bfe60030fcd976e3546e1f73d6d0eb3fea26442e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e4d32cc145955d5c56c5498a3ff057e4aafa9d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/19fc1c83454ca9d5699e39633ec79ce26355251c"
        },
        {
          "url": "https://git.kernel.org/stable/c/82f60f3600aecd9ffcd0fbc4e193694511c85b47"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea6a1498742430eb2effce0d1439ff29ef37dd7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8b6a18b9b66cc4c016d63132b59ce5383f7cdd2"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfc51e48bca475bbee984e90f33fdc537ce09699"
        }
      ],
      "title": "usb: gadget: f_fs: Remove WARN_ON in functionfs_bind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57913",
    "datePublished": "2025-01-19T11:52:35.149Z",
    "dateReserved": "2025-01-19T11:50:08.374Z",
    "dateUpdated": "2025-11-03T20:55:48.145Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57799 (GCVE-0-2024-57799)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:39 – Updated: 2025-10-01 19:57

Title

phy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM

Summary

In the Linux kernel, the following vulnerability has been resolved: phy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM In some cases, rk_hdptx_phy_runtime_resume() may be invoked before platform_set_drvdata() is executed in ->probe(), leading to a NULL pointer dereference when using the return of dev_get_drvdata(). Ensure platform_set_drvdata() is called before devm_pm_runtime_enable().

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7061849a4a1752a06…
	https://git.kernel.org/stable/c/9d23e48654620fdcc…

Impacted products

Vendor

Product

Version

Linux

Affected: 553be2830c5f33308483e8118de748a2c69fe593 , < 7061849a4a1752a06944a819dd1f7bfd58df7383 (git)
Affected: 553be2830c5f33308483e8118de748a2c69fe593 , < 9d23e48654620fdccfcc74cc2cef04eaf7353d07 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.8 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57799",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:55:14.362592Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:20.542Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7061849a4a1752a06944a819dd1f7bfd58df7383",
              "status": "affected",
              "version": "553be2830c5f33308483e8118de748a2c69fe593",
              "versionType": "git"
            },
            {
              "lessThan": "9d23e48654620fdccfcc74cc2cef04eaf7353d07",
              "status": "affected",
              "version": "553be2830c5f33308483e8118de748a2c69fe593",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM\n\nIn some cases, rk_hdptx_phy_runtime_resume() may be invoked before\nplatform_set_drvdata() is executed in -\u003eprobe(), leading to a NULL\npointer dereference when using the return of dev_get_drvdata().\n\nEnsure platform_set_drvdata() is called before devm_pm_runtime_enable()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:00.042Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7061849a4a1752a06944a819dd1f7bfd58df7383"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d23e48654620fdccfcc74cc2cef04eaf7353d07"
        }
      ],
      "title": "phy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57799",
    "datePublished": "2025-01-11T12:39:48.936Z",
    "dateReserved": "2025-01-11T12:32:49.498Z",
    "dateUpdated": "2025-10-01T19:57:20.542Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57921 (GCVE-0-2024-57921)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-05-04 10:06

Title

drm/amdgpu: Add a lock when accessing the buddy trim function

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Add a lock when accessing the buddy trim function When running YouTube videos and Steam games simultaneously, the tester found a system hang / race condition issue with the multi-display configuration setting. Adding a lock to the buddy allocator's trim function would be the solution. <log snip> [ 7197.250436] general protection fault, probably for non-canonical address 0xdead000000000108 [ 7197.250447] RIP: 0010:__alloc_range+0x8b/0x340 [amddrm_buddy] [ 7197.250470] Call Trace: [ 7197.250472] <TASK> [ 7197.250475] ? show_regs+0x6d/0x80 [ 7197.250481] ? die_addr+0x37/0xa0 [ 7197.250483] ? exc_general_protection+0x1db/0x480 [ 7197.250488] ? drm_suballoc_new+0x13c/0x93d [drm_suballoc_helper] [ 7197.250493] ? asm_exc_general_protection+0x27/0x30 [ 7197.250498] ? __alloc_range+0x8b/0x340 [amddrm_buddy] [ 7197.250501] ? __alloc_range+0x109/0x340 [amddrm_buddy] [ 7197.250506] amddrm_buddy_block_trim+0x1b5/0x260 [amddrm_buddy] [ 7197.250511] amdgpu_vram_mgr_new+0x4f5/0x590 [amdgpu] [ 7197.250682] amdttm_resource_alloc+0x46/0xb0 [amdttm] [ 7197.250689] ttm_bo_alloc_resource+0xe4/0x370 [amdttm] [ 7197.250696] amdttm_bo_validate+0x9d/0x180 [amdttm] [ 7197.250701] amdgpu_bo_pin+0x15a/0x2f0 [amdgpu] [ 7197.250831] amdgpu_dm_plane_helper_prepare_fb+0xb2/0x360 [amdgpu] [ 7197.251025] ? try_wait_for_completion+0x59/0x70 [ 7197.251030] drm_atomic_helper_prepare_planes.part.0+0x2f/0x1e0 [ 7197.251035] drm_atomic_helper_prepare_planes+0x5d/0x70 [ 7197.251037] drm_atomic_helper_commit+0x84/0x160 [ 7197.251040] drm_atomic_nonblocking_commit+0x59/0x70 [ 7197.251043] drm_mode_atomic_ioctl+0x720/0x850 [ 7197.251047] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [ 7197.251049] drm_ioctl_kernel+0xb9/0x120 [ 7197.251053] ? srso_alias_return_thunk+0x5/0xfbef5 [ 7197.251056] drm_ioctl+0x2d4/0x550 [ 7197.251058] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [ 7197.251063] amdgpu_drm_ioctl+0x4e/0x90 [amdgpu] [ 7197.251186] __x64_sys_ioctl+0xa0/0xf0 [ 7197.251190] x64_sys_call+0x143b/0x25c0 [ 7197.251193] do_syscall_64+0x7f/0x180 [ 7197.251197] ? srso_alias_return_thunk+0x5/0xfbef5 [ 7197.251199] ? amdgpu_display_user_framebuffer_create+0x215/0x320 [amdgpu] [ 7197.251329] ? drm_internal_framebuffer_create+0xb7/0x1a0 [ 7197.251332] ? srso_alias_return_thunk+0x5/0xfbef5 (cherry picked from commit 3318ba94e56b9183d0304577c74b33b6b01ce516)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/758e3c3054b65336c…
	https://git.kernel.org/stable/c/75c8b703e5bded1e3…

Impacted products

Vendor

Product

Version

Linux

Affected: 4a5ad08f537703c35cf7cc29845381805c891d9b , < 758e3c3054b65336cf0c5f240221f63b4fb98478 (git)
Affected: 4a5ad08f537703c35cf7cc29845381805c891d9b , < 75c8b703e5bded1e33b08fb09b829e7c2c1ed50a (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "758e3c3054b65336cf0c5f240221f63b4fb98478",
              "status": "affected",
              "version": "4a5ad08f537703c35cf7cc29845381805c891d9b",
              "versionType": "git"
            },
            {
              "lessThan": "75c8b703e5bded1e33b08fb09b829e7c2c1ed50a",
              "status": "affected",
              "version": "4a5ad08f537703c35cf7cc29845381805c891d9b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Add a lock when accessing the buddy trim function\n\nWhen running YouTube videos and Steam games simultaneously,\nthe tester found a system hang / race condition issue with\nthe multi-display configuration setting. Adding a lock to\nthe buddy allocator\u0027s trim function would be the solution.\n\n\u003clog snip\u003e\n[ 7197.250436] general protection fault, probably for non-canonical address 0xdead000000000108\n[ 7197.250447] RIP: 0010:__alloc_range+0x8b/0x340 [amddrm_buddy]\n[ 7197.250470] Call Trace:\n[ 7197.250472]  \u003cTASK\u003e\n[ 7197.250475]  ? show_regs+0x6d/0x80\n[ 7197.250481]  ? die_addr+0x37/0xa0\n[ 7197.250483]  ? exc_general_protection+0x1db/0x480\n[ 7197.250488]  ? drm_suballoc_new+0x13c/0x93d [drm_suballoc_helper]\n[ 7197.250493]  ? asm_exc_general_protection+0x27/0x30\n[ 7197.250498]  ? __alloc_range+0x8b/0x340 [amddrm_buddy]\n[ 7197.250501]  ? __alloc_range+0x109/0x340 [amddrm_buddy]\n[ 7197.250506]  amddrm_buddy_block_trim+0x1b5/0x260 [amddrm_buddy]\n[ 7197.250511]  amdgpu_vram_mgr_new+0x4f5/0x590 [amdgpu]\n[ 7197.250682]  amdttm_resource_alloc+0x46/0xb0 [amdttm]\n[ 7197.250689]  ttm_bo_alloc_resource+0xe4/0x370 [amdttm]\n[ 7197.250696]  amdttm_bo_validate+0x9d/0x180 [amdttm]\n[ 7197.250701]  amdgpu_bo_pin+0x15a/0x2f0 [amdgpu]\n[ 7197.250831]  amdgpu_dm_plane_helper_prepare_fb+0xb2/0x360 [amdgpu]\n[ 7197.251025]  ? try_wait_for_completion+0x59/0x70\n[ 7197.251030]  drm_atomic_helper_prepare_planes.part.0+0x2f/0x1e0\n[ 7197.251035]  drm_atomic_helper_prepare_planes+0x5d/0x70\n[ 7197.251037]  drm_atomic_helper_commit+0x84/0x160\n[ 7197.251040]  drm_atomic_nonblocking_commit+0x59/0x70\n[ 7197.251043]  drm_mode_atomic_ioctl+0x720/0x850\n[ 7197.251047]  ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n[ 7197.251049]  drm_ioctl_kernel+0xb9/0x120\n[ 7197.251053]  ? srso_alias_return_thunk+0x5/0xfbef5\n[ 7197.251056]  drm_ioctl+0x2d4/0x550\n[ 7197.251058]  ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n[ 7197.251063]  amdgpu_drm_ioctl+0x4e/0x90 [amdgpu]\n[ 7197.251186]  __x64_sys_ioctl+0xa0/0xf0\n[ 7197.251190]  x64_sys_call+0x143b/0x25c0\n[ 7197.251193]  do_syscall_64+0x7f/0x180\n[ 7197.251197]  ? srso_alias_return_thunk+0x5/0xfbef5\n[ 7197.251199]  ? amdgpu_display_user_framebuffer_create+0x215/0x320 [amdgpu]\n[ 7197.251329]  ? drm_internal_framebuffer_create+0xb7/0x1a0\n[ 7197.251332]  ? srso_alias_return_thunk+0x5/0xfbef5\n\n(cherry picked from commit 3318ba94e56b9183d0304577c74b33b6b01ce516)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:40.783Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/758e3c3054b65336cf0c5f240221f63b4fb98478"
        },
        {
          "url": "https://git.kernel.org/stable/c/75c8b703e5bded1e33b08fb09b829e7c2c1ed50a"
        }
      ],
      "title": "drm/amdgpu: Add a lock when accessing the buddy trim function",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57921",
    "datePublished": "2025-01-19T11:52:40.516Z",
    "dateReserved": "2025-01-19T11:50:08.375Z",
    "dateUpdated": "2025-05-04T10:06:40.783Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57910 (GCVE-0-2024-57910)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-11-03 20:55

Title

iio: light: vcnl4035: fix information leak in triggered buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: light: vcnl4035: fix information leak in triggered buffer The 'buffer' local array is used to push data to userspace from a triggered buffer, but it does not set an initial value for the single data element, which is an u16 aligned to 8 bytes. That leaves at least 4 bytes uninitialized even after writing an integer value with regmap_read(). Initialize the array to zero before using it to avoid pushing uninitialized information to userspace.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/13e56229fc81051a4…
	https://git.kernel.org/stable/c/b0e9c11c762e42867…
	https://git.kernel.org/stable/c/cb488706cdec0d6d1…
	https://git.kernel.org/stable/c/47d245be86492974d…
	https://git.kernel.org/stable/c/a15ea87d4337479c9…
	https://git.kernel.org/stable/c/f6fb1c59776b42636…
	https://git.kernel.org/stable/c/47b43e53c0a0edf55…

Impacted products

Vendor

Product

Version

Linux

Affected: da8ef748fec2d55db0ae424ab40eee0c737564aa , < 13e56229fc81051a42731046e200493c4a7c28ff (git)
Affected: 49739675048d372946c1ef136c466d5675eba9f0 , < b0e9c11c762e4286732d80e66c08c2cb3157b06b (git)
Affected: ec90b52c07c0403a6db60d752484ec08d605ead0 , < cb488706cdec0d6d13f2895bcdf0c32b283a7cc7 (git)
Affected: ec90b52c07c0403a6db60d752484ec08d605ead0 , < 47d245be86492974db3aeb048609542167f56518 (git)
Affected: ec90b52c07c0403a6db60d752484ec08d605ead0 , < a15ea87d4337479c9446b5d71616f4668337afed (git)
Affected: ec90b52c07c0403a6db60d752484ec08d605ead0 , < f6fb1c59776b4263634c472a5be8204c906ffc2c (git)
Affected: ec90b52c07c0403a6db60d752484ec08d605ead0 , < 47b43e53c0a0edf5578d5d12f5fc71c019649279 (git)
Affected: d69f0d132563a63688efb0afb4dfeaa74a217306 (git)
Affected: 4637815d7922c4bce3bacb13dd1fb5e9a7d167d8 (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57910",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:53:29.860211Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:16.077Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:39.753Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/vcnl4035.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "13e56229fc81051a42731046e200493c4a7c28ff",
              "status": "affected",
              "version": "da8ef748fec2d55db0ae424ab40eee0c737564aa",
              "versionType": "git"
            },
            {
              "lessThan": "b0e9c11c762e4286732d80e66c08c2cb3157b06b",
              "status": "affected",
              "version": "49739675048d372946c1ef136c466d5675eba9f0",
              "versionType": "git"
            },
            {
              "lessThan": "cb488706cdec0d6d13f2895bcdf0c32b283a7cc7",
              "status": "affected",
              "version": "ec90b52c07c0403a6db60d752484ec08d605ead0",
              "versionType": "git"
            },
            {
              "lessThan": "47d245be86492974db3aeb048609542167f56518",
              "status": "affected",
              "version": "ec90b52c07c0403a6db60d752484ec08d605ead0",
              "versionType": "git"
            },
            {
              "lessThan": "a15ea87d4337479c9446b5d71616f4668337afed",
              "status": "affected",
              "version": "ec90b52c07c0403a6db60d752484ec08d605ead0",
              "versionType": "git"
            },
            {
              "lessThan": "f6fb1c59776b4263634c472a5be8204c906ffc2c",
              "status": "affected",
              "version": "ec90b52c07c0403a6db60d752484ec08d605ead0",
              "versionType": "git"
            },
            {
              "lessThan": "47b43e53c0a0edf5578d5d12f5fc71c019649279",
              "status": "affected",
              "version": "ec90b52c07c0403a6db60d752484ec08d605ead0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d69f0d132563a63688efb0afb4dfeaa74a217306",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4637815d7922c4bce3bacb13dd1fb5e9a7d167d8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/vcnl4035.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "5.4.132",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.10.50",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: vcnl4035: fix information leak in triggered buffer\n\nThe \u0027buffer\u0027 local array is used to push data to userspace from a\ntriggered buffer, but it does not set an initial value for the single\ndata element, which is an u16 aligned to 8 bytes. That leaves at least\n4 bytes uninitialized even after writing an integer value with\nregmap_read().\n\nInitialize the array to zero before using it to avoid pushing\nuninitialized information to userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:40.485Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/13e56229fc81051a42731046e200493c4a7c28ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0e9c11c762e4286732d80e66c08c2cb3157b06b"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb488706cdec0d6d13f2895bcdf0c32b283a7cc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/47d245be86492974db3aeb048609542167f56518"
        },
        {
          "url": "https://git.kernel.org/stable/c/a15ea87d4337479c9446b5d71616f4668337afed"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6fb1c59776b4263634c472a5be8204c906ffc2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/47b43e53c0a0edf5578d5d12f5fc71c019649279"
        }
      ],
      "title": "iio: light: vcnl4035: fix information leak in triggered buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57910",
    "datePublished": "2025-01-19T11:52:33.140Z",
    "dateReserved": "2025-01-19T11:50:08.373Z",
    "dateUpdated": "2025-11-03T20:55:39.753Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-55641 (GCVE-0-2024-55641)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:29 – Updated: 2025-05-04 09:57

Title

xfs: unlock inodes when erroring out of xfs_trans_alloc_dir

Summary

In the Linux kernel, the following vulnerability has been resolved: xfs: unlock inodes when erroring out of xfs_trans_alloc_dir Debugging a filesystem patch with generic/475 caused the system to hang after observing the following sequences in dmesg: XFS (dm-0): metadata I/O error in "xfs_imap_to_bp+0x61/0xe0 [xfs]" at daddr 0x491520 len 32 error 5 XFS (dm-0): metadata I/O error in "xfs_btree_read_buf_block+0xba/0x160 [xfs]" at daddr 0x3445608 len 8 error 5 XFS (dm-0): metadata I/O error in "xfs_imap_to_bp+0x61/0xe0 [xfs]" at daddr 0x138e1c0 len 32 error 5 XFS (dm-0): log I/O error -5 XFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ea/0x4b0 [xfs] (fs/xfs/xfs_trans_buf.c:311). Shutting down filesystem. XFS (dm-0): Please unmount the filesystem and rectify the problem(s) XFS (dm-0): Internal error dqp->q_ino.reserved < dqp->q_ino.count at line 869 of file fs/xfs/xfs_trans_dquot.c. Caller xfs_trans_dqresv+0x236/0x440 [xfs] XFS (dm-0): Corruption detected. Unmount and run xfs_repair XFS (dm-0): Unmounting Filesystem be6bcbcc-9921-4deb-8d16-7cc94e335fa7 The system is stuck in unmount trying to lock a couple of inodes so that they can be purged. The dquot corruption notice above is a clue to what happened -- a link() call tried to set up a transaction to link a child into a directory. Quota reservation for the transaction failed after IO errors shut down the filesystem, but then we forgot to unlock the inodes on our way out. Fix that.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6aefe5d97ae57b134…
	https://git.kernel.org/stable/c/53b001a21c9dff73b…

Impacted products

Vendor

Product

Version

Linux

Affected: bd5562111d58392298a3c3b93caad71dff681b4b , < 6aefe5d97ae57b1343dc60d8bb6a4ed070e5bcea (git)
Affected: bd5562111d58392298a3c3b93caad71dff681b4b , < 53b001a21c9dff73b64e8c909c41991f01d5d00f (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/xfs_trans.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6aefe5d97ae57b1343dc60d8bb6a4ed070e5bcea",
              "status": "affected",
              "version": "bd5562111d58392298a3c3b93caad71dff681b4b",
              "versionType": "git"
            },
            {
              "lessThan": "53b001a21c9dff73b64e8c909c41991f01d5d00f",
              "status": "affected",
              "version": "bd5562111d58392298a3c3b93caad71dff681b4b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/xfs_trans.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: unlock inodes when erroring out of xfs_trans_alloc_dir\n\nDebugging a filesystem patch with generic/475 caused the system to hang\nafter observing the following sequences in dmesg:\n\n XFS (dm-0): metadata I/O error in \"xfs_imap_to_bp+0x61/0xe0 [xfs]\" at daddr 0x491520 len 32 error 5\n XFS (dm-0): metadata I/O error in \"xfs_btree_read_buf_block+0xba/0x160 [xfs]\" at daddr 0x3445608 len 8 error 5\n XFS (dm-0): metadata I/O error in \"xfs_imap_to_bp+0x61/0xe0 [xfs]\" at daddr 0x138e1c0 len 32 error 5\n XFS (dm-0): log I/O error -5\n XFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ea/0x4b0 [xfs] (fs/xfs/xfs_trans_buf.c:311).  Shutting down filesystem.\n XFS (dm-0): Please unmount the filesystem and rectify the problem(s)\n XFS (dm-0): Internal error dqp-\u003eq_ino.reserved \u003c dqp-\u003eq_ino.count at line 869 of file fs/xfs/xfs_trans_dquot.c.  Caller xfs_trans_dqresv+0x236/0x440 [xfs]\n XFS (dm-0): Corruption detected. Unmount and run xfs_repair\n XFS (dm-0): Unmounting Filesystem be6bcbcc-9921-4deb-8d16-7cc94e335fa7\n\nThe system is stuck in unmount trying to lock a couple of inodes so that\nthey can be purged.  The dquot corruption notice above is a clue to what\nhappened -- a link() call tried to set up a transaction to link a child\ninto a directory.  Quota reservation for the transaction failed after IO\nerrors shut down the filesystem, but then we forgot to unlock the inodes\non our way out.  Fix that."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:57:13.136Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6aefe5d97ae57b1343dc60d8bb6a4ed070e5bcea"
        },
        {
          "url": "https://git.kernel.org/stable/c/53b001a21c9dff73b64e8c909c41991f01d5d00f"
        }
      ],
      "title": "xfs: unlock inodes when erroring out of xfs_trans_alloc_dir",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-55641",
    "datePublished": "2025-01-11T12:29:56.052Z",
    "dateReserved": "2025-01-09T09:51:32.506Z",
    "dateUpdated": "2025-05-04T09:57:13.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56649 (GCVE-0-2024-56649)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-10-01 20:07

Title

net: enetc: Do not configure preemptible TCs if SIs do not support

Summary

In the Linux kernel, the following vulnerability has been resolved: net: enetc: Do not configure preemptible TCs if SIs do not support Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure MQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs() to configure preemptible TCs. However, only PF is able to configure preemptible TCs. Because only PF has related registers, while VF does not have these registers. So for VF, its hw->port pointer is NULL. Therefore, VF will access an invalid pointer when accessing a non-existent register, which will cause a crash issue. The simplified log is as follows. root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \ mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1 [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00 [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400 [ 187.511140] Call trace: [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214 [ 187.523374] enetc_vf_setup_tc+0x1c/0x30 [ 187.527306] mqprio_enable_offload+0x144/0x178 [ 187.531766] mqprio_init+0x3ec/0x668 [ 187.535351] qdisc_create+0x15c/0x488 [ 187.539023] tc_modify_qdisc+0x398/0x73c [ 187.542958] rtnetlink_rcv_msg+0x128/0x378 [ 187.547064] netlink_rcv_skb+0x60/0x130 [ 187.550910] rtnetlink_rcv+0x18/0x24 [ 187.554492] netlink_unicast+0x300/0x36c [ 187.558425] netlink_sendmsg+0x1a8/0x420 [ 187.606759] ---[ end trace 0000000000000000 ]--- In addition, some PFs also do not support configuring preemptible TCs, such as eno1 and eno3 on LS1028A. It won't crash like it does for VFs, but we should prevent these PFs from accessing these unimplemented registers.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/66127f0d1ecf00604…
	https://git.kernel.org/stable/c/b718b68a9964181e2…
	https://git.kernel.org/stable/c/b2420b8c81ec67455…

Impacted products

Vendor

Product

Version

Linux

Affected: 827145392a4aad635b93e5235b7d7fecc2fa31c7 , < 66127f0d1ecf00604aeab71132bde398fd9ec7c9 (git)
Affected: 827145392a4aad635b93e5235b7d7fecc2fa31c7 , < b718b68a9964181e24d15138a09ce95785a19002 (git)
Affected: 827145392a4aad635b93e5235b7d7fecc2fa31c7 , < b2420b8c81ec674552d00c55d46245e5c184b260 (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56649",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:00:25.888929Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:11.282Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/freescale/enetc/enetc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "66127f0d1ecf00604aeab71132bde398fd9ec7c9",
              "status": "affected",
              "version": "827145392a4aad635b93e5235b7d7fecc2fa31c7",
              "versionType": "git"
            },
            {
              "lessThan": "b718b68a9964181e24d15138a09ce95785a19002",
              "status": "affected",
              "version": "827145392a4aad635b93e5235b7d7fecc2fa31c7",
              "versionType": "git"
            },
            {
              "lessThan": "b2420b8c81ec674552d00c55d46245e5c184b260",
              "status": "affected",
              "version": "827145392a4aad635b93e5235b7d7fecc2fa31c7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/freescale/enetc/enetc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: Do not configure preemptible TCs if SIs do not support\n\nBoth ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure\nMQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs()\nto configure preemptible TCs. However, only PF is able to configure\npreemptible TCs. Because only PF has related registers, while VF does not\nhave these registers. So for VF, its hw-\u003eport pointer is NULL. Therefore,\nVF will access an invalid pointer when accessing a non-existent register,\nwhich will cause a crash issue. The simplified log is as follows.\n\nroot@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \\\nmqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1\n[  187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00\n[  187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400\n[  187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400\n[  187.511140] Call trace:\n[  187.513588]  enetc_mm_commit_preemptible_tcs+0x1c4/0x400\n[  187.518918]  enetc_setup_tc_mqprio+0x180/0x214\n[  187.523374]  enetc_vf_setup_tc+0x1c/0x30\n[  187.527306]  mqprio_enable_offload+0x144/0x178\n[  187.531766]  mqprio_init+0x3ec/0x668\n[  187.535351]  qdisc_create+0x15c/0x488\n[  187.539023]  tc_modify_qdisc+0x398/0x73c\n[  187.542958]  rtnetlink_rcv_msg+0x128/0x378\n[  187.547064]  netlink_rcv_skb+0x60/0x130\n[  187.550910]  rtnetlink_rcv+0x18/0x24\n[  187.554492]  netlink_unicast+0x300/0x36c\n[  187.558425]  netlink_sendmsg+0x1a8/0x420\n[  187.606759] ---[ end trace 0000000000000000 ]---\n\nIn addition, some PFs also do not support configuring preemptible TCs,\nsuch as eno1 and eno3 on LS1028A. It won\u0027t crash like it does for VFs,\nbut we should prevent these PFs from accessing these unimplemented\nregisters."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:01:01.604Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/66127f0d1ecf00604aeab71132bde398fd9ec7c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/b718b68a9964181e24d15138a09ce95785a19002"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2420b8c81ec674552d00c55d46245e5c184b260"
        }
      ],
      "title": "net: enetc: Do not configure preemptible TCs if SIs do not support",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56649",
    "datePublished": "2024-12-27T15:02:49.412Z",
    "dateReserved": "2024-12-27T15:00:39.840Z",
    "dateUpdated": "2025-10-01T20:07:11.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57925 (GCVE-0-2024-57925)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-11-03 20:55

Title

ksmbd: fix a missing return value check bug

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix a missing return value check bug In the smb2_send_interim_resp(), if ksmbd_alloc_work_struct() fails to allocate a node, it returns a NULL pointer to the in_work pointer. This can lead to an illegal memory write of in_work->response_buf when allocate_interim_rsp_buf() attempts to perform a kzalloc() on it. To address this issue, incorporating a check for the return value of ksmbd_alloc_work_struct() ensures that the function returns immediately upon allocation failure, thereby preventing the aforementioned illegal memory access.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/781c743e18bfd9b7d…
	https://git.kernel.org/stable/c/ee7e40f7fb17f08a8…
	https://git.kernel.org/stable/c/271ae0edbfc942795…
	https://git.kernel.org/stable/c/2976e91a3e569cf2c…
	https://git.kernel.org/stable/c/4c16e1cadcbcaf3c8…

Impacted products

Vendor

Product

Version

Linux

Affected: 6f0207218c4c125f5bf32055ac4220b4ef3b7e67 , < 781c743e18bfd9b7dc0383f036ae952bd1486f21 (git)
Affected: f8cf1ebb7de62c7d807707ce4abb69d483629263 , < ee7e40f7fb17f08a8cbae50553e5c2e10ae32fce (git)
Affected: 041bba4414cda37d00063952c9bff9c3d5812a19 , < 271ae0edbfc942795c162e6cf20d2bc02bd7fde4 (git)
Affected: 041bba4414cda37d00063952c9bff9c3d5812a19 , < 2976e91a3e569cf2c92c9f71512c0ab1312fe965 (git)
Affected: 041bba4414cda37d00063952c9bff9c3d5812a19 , < 4c16e1cadcbcaf3c82d5fc310fbd34d0f5d0db7c (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57925",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:53:03.932205Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:14.579Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:55.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "781c743e18bfd9b7dc0383f036ae952bd1486f21",
              "status": "affected",
              "version": "6f0207218c4c125f5bf32055ac4220b4ef3b7e67",
              "versionType": "git"
            },
            {
              "lessThan": "ee7e40f7fb17f08a8cbae50553e5c2e10ae32fce",
              "status": "affected",
              "version": "f8cf1ebb7de62c7d807707ce4abb69d483629263",
              "versionType": "git"
            },
            {
              "lessThan": "271ae0edbfc942795c162e6cf20d2bc02bd7fde4",
              "status": "affected",
              "version": "041bba4414cda37d00063952c9bff9c3d5812a19",
              "versionType": "git"
            },
            {
              "lessThan": "2976e91a3e569cf2c92c9f71512c0ab1312fe965",
              "status": "affected",
              "version": "041bba4414cda37d00063952c9bff9c3d5812a19",
              "versionType": "git"
            },
            {
              "lessThan": "4c16e1cadcbcaf3c82d5fc310fbd34d0f5d0db7c",
              "status": "affected",
              "version": "041bba4414cda37d00063952c9bff9c3d5812a19",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.15.145",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "6.1.71",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix a missing return value check bug\n\nIn the smb2_send_interim_resp(), if ksmbd_alloc_work_struct()\nfails to allocate a node, it returns a NULL pointer to the\nin_work pointer. This can lead to an illegal memory write of\nin_work-\u003eresponse_buf when allocate_interim_rsp_buf() attempts\nto perform a kzalloc() on it.\n\nTo address this issue, incorporating a check for the return\nvalue of ksmbd_alloc_work_struct() ensures that the function\nreturns immediately upon allocation failure, thereby preventing\nthe aforementioned illegal memory access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:46.206Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/781c743e18bfd9b7dc0383f036ae952bd1486f21"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee7e40f7fb17f08a8cbae50553e5c2e10ae32fce"
        },
        {
          "url": "https://git.kernel.org/stable/c/271ae0edbfc942795c162e6cf20d2bc02bd7fde4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2976e91a3e569cf2c92c9f71512c0ab1312fe965"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c16e1cadcbcaf3c82d5fc310fbd34d0f5d0db7c"
        }
      ],
      "title": "ksmbd: fix a missing return value check bug",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57925",
    "datePublished": "2025-01-19T11:52:43.244Z",
    "dateReserved": "2025-01-19T11:50:08.376Z",
    "dateUpdated": "2025-11-03T20:55:55.097Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21662 (GCVE-0-2025-21662)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-11-03 20:58

Title

net/mlx5: Fix variable not being completed when function returns

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix variable not being completed when function returns When cmd_alloc_index(), fails cmd_work_handler() needs to complete ent->slotted before returning early. Otherwise the task which issued the command may hang: mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocate command entry INFO: task kworker/13:2:4055883 blocked for more than 120 seconds. Not tainted 4.19.90-25.44.v2101.ky10.aarch64 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kworker/13:2 D 0 4055883 2 0x00000228 Workqueue: events mlx5e_tx_dim_work [mlx5_core] Call trace: __switch_to+0xe8/0x150 __schedule+0x2a8/0x9b8 schedule+0x2c/0x88 schedule_timeout+0x204/0x478 wait_for_common+0x154/0x250 wait_for_completion+0x28/0x38 cmd_exec+0x7a0/0xa00 [mlx5_core] mlx5_cmd_exec+0x54/0x80 [mlx5_core] mlx5_core_modify_cq+0x6c/0x80 [mlx5_core] mlx5_core_modify_cq_moderation+0xa0/0xb8 [mlx5_core] mlx5e_tx_dim_work+0x54/0x68 [mlx5_core] process_one_work+0x1b0/0x448 worker_thread+0x54/0x468 kthread+0x134/0x138 ret_from_fork+0x10/0x18

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f0a2808767ac39f64…
	https://git.kernel.org/stable/c/229cc10284373fbe7…
	https://git.kernel.org/stable/c/36124081f6ffd9dfa…
	https://git.kernel.org/stable/c/0e2909c6bec9048f4…

Impacted products

Vendor

Product

Version

Linux

Affected: 4baae687a20ef2b82fde12de3c04461e6f2521d6 , < f0a2808767ac39f64b1d9a0ff865c255073cf3d4 (git)
Affected: f9caccdd42e999b74303c9b0643300073ed5d319 , < 229cc10284373fbe754e623b7033dca7e7470ec8 (git)
Affected: 485d65e1357123a697c591a5aeb773994b247ad7 , < 36124081f6ffd9dfaad48830bdf106bb82a9457d (git)
Affected: 485d65e1357123a697c591a5aeb773994b247ad7 , < 0e2909c6bec9048f49d0c8e16887c63b50b14647 (git)
Affected: 2d0962d05c93de391ce85f6e764df895f47c8918 (git)
Affected: 94024332a129c6e4275569d85c0c1bfb2ae2d71b (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:37.583Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/cmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f0a2808767ac39f64b1d9a0ff865c255073cf3d4",
              "status": "affected",
              "version": "4baae687a20ef2b82fde12de3c04461e6f2521d6",
              "versionType": "git"
            },
            {
              "lessThan": "229cc10284373fbe754e623b7033dca7e7470ec8",
              "status": "affected",
              "version": "f9caccdd42e999b74303c9b0643300073ed5d319",
              "versionType": "git"
            },
            {
              "lessThan": "36124081f6ffd9dfaad48830bdf106bb82a9457d",
              "status": "affected",
              "version": "485d65e1357123a697c591a5aeb773994b247ad7",
              "versionType": "git"
            },
            {
              "lessThan": "0e2909c6bec9048f49d0c8e16887c63b50b14647",
              "status": "affected",
              "version": "485d65e1357123a697c591a5aeb773994b247ad7",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2d0962d05c93de391ce85f6e764df895f47c8918",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "94024332a129c6e4275569d85c0c1bfb2ae2d71b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/cmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "6.1.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.9.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix variable not being completed when function returns\n\nWhen cmd_alloc_index(), fails cmd_work_handler() needs\nto complete ent-\u003eslotted before returning early.\nOtherwise the task which issued the command may hang:\n\n   mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocate command entry\n   INFO: task kworker/13:2:4055883 blocked for more than 120 seconds.\n         Not tainted 4.19.90-25.44.v2101.ky10.aarch64 #1\n   \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n   kworker/13:2    D    0 4055883      2 0x00000228\n   Workqueue: events mlx5e_tx_dim_work [mlx5_core]\n   Call trace:\n      __switch_to+0xe8/0x150\n      __schedule+0x2a8/0x9b8\n      schedule+0x2c/0x88\n      schedule_timeout+0x204/0x478\n      wait_for_common+0x154/0x250\n      wait_for_completion+0x28/0x38\n      cmd_exec+0x7a0/0xa00 [mlx5_core]\n      mlx5_cmd_exec+0x54/0x80 [mlx5_core]\n      mlx5_core_modify_cq+0x6c/0x80 [mlx5_core]\n      mlx5_core_modify_cq_moderation+0xa0/0xb8 [mlx5_core]\n      mlx5e_tx_dim_work+0x54/0x68 [mlx5_core]\n      process_one_work+0x1b0/0x448\n      worker_thread+0x54/0x468\n      kthread+0x134/0x138\n      ret_from_fork+0x10/0x18"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:13.866Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f0a2808767ac39f64b1d9a0ff865c255073cf3d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/229cc10284373fbe754e623b7033dca7e7470ec8"
        },
        {
          "url": "https://git.kernel.org/stable/c/36124081f6ffd9dfaad48830bdf106bb82a9457d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e2909c6bec9048f49d0c8e16887c63b50b14647"
        }
      ],
      "title": "net/mlx5: Fix variable not being completed when function returns",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21662",
    "datePublished": "2025-01-21T12:18:17.674Z",
    "dateReserved": "2024-12-29T08:45:45.732Z",
    "dateUpdated": "2025-11-03T20:58:37.583Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57857 (GCVE-0-2024-57857)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2025-05-04 10:05

Title

RDMA/siw: Remove direct link to net_device

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Remove direct link to net_device Do not manage a per device direct link to net_device. Rely on associated ib_devices net_device management, not doubling the effort locally. A badly managed local link to net_device was causing a 'KASAN: slab-use-after-free' exception during siw_query_port() call.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4eafeb4f021c50d13…
	https://git.kernel.org/stable/c/16b87037b48889d21…

Impacted products

Vendor

Product

Version

Linux

Affected: bdcf26bf9b3acb03c8f90387cfc6474fc8ac5521 , < 4eafeb4f021c50d13f199239d913b37de3c83135 (git)
Affected: bdcf26bf9b3acb03c8f90387cfc6474fc8ac5521 , < 16b87037b48889d21854c8e97aec8a1baf2642b3 (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57857",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T13:56:36.478008Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T14:04:27.319Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/siw/siw.h",
            "drivers/infiniband/sw/siw/siw_cm.c",
            "drivers/infiniband/sw/siw/siw_main.c",
            "drivers/infiniband/sw/siw/siw_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4eafeb4f021c50d13f199239d913b37de3c83135",
              "status": "affected",
              "version": "bdcf26bf9b3acb03c8f90387cfc6474fc8ac5521",
              "versionType": "git"
            },
            {
              "lessThan": "16b87037b48889d21854c8e97aec8a1baf2642b3",
              "status": "affected",
              "version": "bdcf26bf9b3acb03c8f90387cfc6474fc8ac5521",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/siw/siw.h",
            "drivers/infiniband/sw/siw/siw_cm.c",
            "drivers/infiniband/sw/siw/siw_main.c",
            "drivers/infiniband/sw/siw/siw_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Remove direct link to net_device\n\nDo not manage a per device direct link to net_device. Rely\non associated ib_devices net_device management, not doubling\nthe effort locally. A badly managed local link to net_device\nwas causing a \u0027KASAN: slab-use-after-free\u0027 exception during\nsiw_query_port() call."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:32.785Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4eafeb4f021c50d13f199239d913b37de3c83135"
        },
        {
          "url": "https://git.kernel.org/stable/c/16b87037b48889d21854c8e97aec8a1baf2642b3"
        }
      ],
      "title": "RDMA/siw: Remove direct link to net_device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57857",
    "datePublished": "2025-01-15T13:10:28.613Z",
    "dateReserved": "2025-01-15T13:08:59.681Z",
    "dateUpdated": "2025-05-04T10:05:32.785Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57874 (GCVE-0-2024-57874)

Vulnerability from cvelistv5 – Published: 2025-01-11 14:47 – Updated: 2025-11-03 20:54

Title

arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently tagged_addr_ctrl_set() will consume an arbitrary value, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. As set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and rejects other values, a partial SETREGSET attempt will randomly succeed or fail depending on the value of the uninitialized value, and the exposure is significantly limited. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing value of the tagged address ctrl will be retained. The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the user_aarch64_view used by a native AArch64 task to manipulate another native AArch64 task. As get_tagged_addr_ctrl() only returns an error value when called for a compat task, tagged_addr_ctrl_get() and tagged_addr_ctrl_set() should never observe an error value from get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that such an error would be unexpected, and error handlnig is not missing in either case.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1152dd13845efde55…
	https://git.kernel.org/stable/c/1c176f5155ee6161f…
	https://git.kernel.org/stable/c/1370cf3eb5495d70e…
	https://git.kernel.org/stable/c/96035c0093db25897…
	https://git.kernel.org/stable/c/abd614bbfcee73247…
	https://git.kernel.org/stable/c/ca62d90085f4af36d…

Impacted products

Vendor

Product

Version

Linux

Affected: 2200aa7154cb7ef76bac93e98326883ba64bfa2e , < 1152dd13845efde5554f80c7e1233bae1d26bd3e (git)
Affected: 2200aa7154cb7ef76bac93e98326883ba64bfa2e , < 1c176f5155ee6161fee6f416b64aa50394d3f220 (git)
Affected: 2200aa7154cb7ef76bac93e98326883ba64bfa2e , < 1370cf3eb5495d70e00547598583a4cd45b40b99 (git)
Affected: 2200aa7154cb7ef76bac93e98326883ba64bfa2e , < 96035c0093db258975b8887676afe59a64c34a72 (git)
Affected: 2200aa7154cb7ef76bac93e98326883ba64bfa2e , < abd614bbfcee73247495bd9472da8f85ac83546e (git)
Affected: 2200aa7154cb7ef76bac93e98326883ba64bfa2e , < ca62d90085f4af36de745883faab9f8a7cbb45d3 (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57874",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:58.776587Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:19.943Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:48.472Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1152dd13845efde5554f80c7e1233bae1d26bd3e",
              "status": "affected",
              "version": "2200aa7154cb7ef76bac93e98326883ba64bfa2e",
              "versionType": "git"
            },
            {
              "lessThan": "1c176f5155ee6161fee6f416b64aa50394d3f220",
              "status": "affected",
              "version": "2200aa7154cb7ef76bac93e98326883ba64bfa2e",
              "versionType": "git"
            },
            {
              "lessThan": "1370cf3eb5495d70e00547598583a4cd45b40b99",
              "status": "affected",
              "version": "2200aa7154cb7ef76bac93e98326883ba64bfa2e",
              "versionType": "git"
            },
            {
              "lessThan": "96035c0093db258975b8887676afe59a64c34a72",
              "status": "affected",
              "version": "2200aa7154cb7ef76bac93e98326883ba64bfa2e",
              "versionType": "git"
            },
            {
              "lessThan": "abd614bbfcee73247495bd9472da8f85ac83546e",
              "status": "affected",
              "version": "2200aa7154cb7ef76bac93e98326883ba64bfa2e",
              "versionType": "git"
            },
            {
              "lessThan": "ca62d90085f4af36de745883faab9f8a7cbb45d3",
              "status": "affected",
              "version": "2200aa7154cb7ef76bac93e98326883ba64bfa2e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL\n\nCurrently tagged_addr_ctrl_set() doesn\u0027t initialize the temporary \u0027ctrl\u0027\nvariable, and a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently tagged_addr_ctrl_set() will consume an\narbitrary value, potentially leaking up to 64 bits of memory from the\nkernel stack. The read is limited to a specific slot on the stack, and\nthe issue does not provide a write mechanism.\n\nAs set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and\nrejects other values, a partial SETREGSET attempt will randomly succeed\nor fail depending on the value of the uninitialized value, and the\nexposure is significantly limited.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\nvalue of the tagged address ctrl will be retained.\n\nThe NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the\nuser_aarch64_view used by a native AArch64 task to manipulate another\nnative AArch64 task. As get_tagged_addr_ctrl() only returns an error\nvalue when called for a compat task, tagged_addr_ctrl_get() and\ntagged_addr_ctrl_set() should never observe an error value from\nget_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that\nsuch an error would be unexpected, and error handlnig is not missing in\neither case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:35.803Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1152dd13845efde5554f80c7e1233bae1d26bd3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c176f5155ee6161fee6f416b64aa50394d3f220"
        },
        {
          "url": "https://git.kernel.org/stable/c/1370cf3eb5495d70e00547598583a4cd45b40b99"
        },
        {
          "url": "https://git.kernel.org/stable/c/96035c0093db258975b8887676afe59a64c34a72"
        },
        {
          "url": "https://git.kernel.org/stable/c/abd614bbfcee73247495bd9472da8f85ac83546e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca62d90085f4af36de745883faab9f8a7cbb45d3"
        }
      ],
      "title": "arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57874",
    "datePublished": "2025-01-11T14:47:10.665Z",
    "dateReserved": "2025-01-11T14:45:42.022Z",
    "dateUpdated": "2025-11-03T20:54:48.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56780 (GCVE-0-2024-56780)

Vulnerability from cvelistv5 – Published: 2025-01-08 17:49 – Updated: 2025-11-03 20:54

Title

quota: flush quota_release_work upon quota writeback

Summary

In the Linux kernel, the following vulnerability has been resolved: quota: flush quota_release_work upon quota writeback One of the paths quota writeback is called from is: freeze_super() sync_filesystem() ext4_sync_fs() dquot_writeback_dquots() Since we currently don't always flush the quota_release_work queue in this path, we can end up with the following race: 1. dquot are added to releasing_dquots list during regular operations. 2. FS Freeze starts, however, this does not flush the quota_release_work queue. 3. Freeze completes. 4. Kernel eventually tries to flush the workqueue while FS is frozen which hits a WARN_ON since transaction gets started during frozen state: ext4_journal_check_start+0x28/0x110 [ext4] (unreliable) __ext4_journal_start_sb+0x64/0x1c0 [ext4] ext4_release_dquot+0x90/0x1d0 [ext4] quota_release_workfn+0x43c/0x4d0 Which is the following line: WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE); Which ultimately results in generic/390 failing due to dmesg noise. This was detected on powerpc machine 15 cores. To avoid this, make sure to flush the workqueue during dquot_writeback_dquots() so we dont have any pending workitems after freeze.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a5abba5e0e586e258…
	https://git.kernel.org/stable/c/6f3821acd7c314314…
	https://git.kernel.org/stable/c/ab6cfcf8ed2c7496f…
	https://git.kernel.org/stable/c/3e6ff207cd5bd924a…
	https://git.kernel.org/stable/c/bcacb52a985f1b6d2…
	https://git.kernel.org/stable/c/8ea87e34792258825…
	https://git.kernel.org/stable/c/ac6f420291b3fee11…

Impacted products

Vendor

Product

Version

Linux

Affected: d40c192e119892799dd4ddf94f5cea6fa93775ef , < a5abba5e0e586e258ded3e798fe5f69c66fec198 (git)
Affected: 86d89987f0998c98f57d641e308b40452a994045 , < 6f3821acd7c3143145999248087de5fb4b48cf26 (git)
Affected: 89602de9a2d7080b7a4029d5c1bf8f78d295ff5f , < ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb (git)
Affected: 3027e200dd58d5b437f16634dbbd355b29ffe0a6 , < 3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb (git)
Affected: dabc8b20756601b9e1cc85a81d47d3f98ed4d13a , < bcacb52a985f1b6d280f698a470b873dfe52728a (git)
Affected: dabc8b20756601b9e1cc85a81d47d3f98ed4d13a , < 8ea87e34792258825d290f4dc5216276e91cb224 (git)
Affected: dabc8b20756601b9e1cc85a81d47d3f98ed4d13a , < ac6f420291b3fee1113f21d612fa88b628afab5b (git)
Affected: f3e9a2bbdeb8987508dd6bb2b701dea911d4daec (git)
Affected: 903fc5d8cb48b0d2de7095ef40e39fd32bb27bd0 (git)
Affected: 31bed65eecbc5ce57592cfe31947eaa64e3d678e (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56780",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:25.354258Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:23.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:19.790Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/quota/dquot.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a5abba5e0e586e258ded3e798fe5f69c66fec198",
              "status": "affected",
              "version": "d40c192e119892799dd4ddf94f5cea6fa93775ef",
              "versionType": "git"
            },
            {
              "lessThan": "6f3821acd7c3143145999248087de5fb4b48cf26",
              "status": "affected",
              "version": "86d89987f0998c98f57d641e308b40452a994045",
              "versionType": "git"
            },
            {
              "lessThan": "ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb",
              "status": "affected",
              "version": "89602de9a2d7080b7a4029d5c1bf8f78d295ff5f",
              "versionType": "git"
            },
            {
              "lessThan": "3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb",
              "status": "affected",
              "version": "3027e200dd58d5b437f16634dbbd355b29ffe0a6",
              "versionType": "git"
            },
            {
              "lessThan": "bcacb52a985f1b6d280f698a470b873dfe52728a",
              "status": "affected",
              "version": "dabc8b20756601b9e1cc85a81d47d3f98ed4d13a",
              "versionType": "git"
            },
            {
              "lessThan": "8ea87e34792258825d290f4dc5216276e91cb224",
              "status": "affected",
              "version": "dabc8b20756601b9e1cc85a81d47d3f98ed4d13a",
              "versionType": "git"
            },
            {
              "lessThan": "ac6f420291b3fee1113f21d612fa88b628afab5b",
              "status": "affected",
              "version": "dabc8b20756601b9e1cc85a81d47d3f98ed4d13a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f3e9a2bbdeb8987508dd6bb2b701dea911d4daec",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "903fc5d8cb48b0d2de7095ef40e39fd32bb27bd0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "31bed65eecbc5ce57592cfe31947eaa64e3d678e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/quota/dquot.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "5.4.257",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.10.195",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.15.132",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "6.1.53",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.295",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: flush quota_release_work upon quota writeback\n\nOne of the paths quota writeback is called from is:\n\nfreeze_super()\n  sync_filesystem()\n    ext4_sync_fs()\n      dquot_writeback_dquots()\n\nSince we currently don\u0027t always flush the quota_release_work queue in\nthis path, we can end up with the following race:\n\n 1. dquot are added to releasing_dquots list during regular operations.\n 2. FS Freeze starts, however, this does not flush the quota_release_work queue.\n 3. Freeze completes.\n 4. Kernel eventually tries to flush the workqueue while FS is frozen which\n    hits a WARN_ON since transaction gets started during frozen state:\n\n  ext4_journal_check_start+0x28/0x110 [ext4] (unreliable)\n  __ext4_journal_start_sb+0x64/0x1c0 [ext4]\n  ext4_release_dquot+0x90/0x1d0 [ext4]\n  quota_release_workfn+0x43c/0x4d0\n\nWhich is the following line:\n\n  WARN_ON(sb-\u003es_writers.frozen == SB_FREEZE_COMPLETE);\n\nWhich ultimately results in generic/390 failing due to dmesg\nnoise. This was detected on powerpc machine 15 cores.\n\nTo avoid this, make sure to flush the workqueue during\ndquot_writeback_dquots() so we dont have any pending workitems after\nfreeze."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:23.140Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a5abba5e0e586e258ded3e798fe5f69c66fec198"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f3821acd7c3143145999248087de5fb4b48cf26"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/bcacb52a985f1b6d280f698a470b873dfe52728a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ea87e34792258825d290f4dc5216276e91cb224"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac6f420291b3fee1113f21d612fa88b628afab5b"
        }
      ],
      "title": "quota: flush quota_release_work upon quota writeback",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56780",
    "datePublished": "2025-01-08T17:49:17.889Z",
    "dateReserved": "2024-12-29T11:26:39.768Z",
    "dateUpdated": "2025-11-03T20:54:19.790Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57912 (GCVE-0-2024-57912)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-11-03 20:55

Title

iio: pressure: zpa2326: fix information leak in triggered buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: pressure: zpa2326: fix information leak in triggered buffer The 'sample' local struct is used to push data to user space from a triggered buffer, but it has a hole between the temperature and the timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp). This hole is never initialized. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9629ff1a86823269b…
	https://git.kernel.org/stable/c/d25f1fc2736702714…
	https://git.kernel.org/stable/c/64a989aa7475b8e76…
	https://git.kernel.org/stable/c/b7849f62e61242e0e…
	https://git.kernel.org/stable/c/fefb88a4da961a0b9…
	https://git.kernel.org/stable/c/979a0db76ceda8fe1…
	https://git.kernel.org/stable/c/6007d10c5262f6f71…

Impacted products

Vendor

Product

Version

Linux

Affected: 03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1 , < 9629ff1a86823269b12fb1ba9ca4efa945906287 (git)
Affected: 03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1 , < d25f1fc273670271412a52a1efbdaf5dcf274ed8 (git)
Affected: 03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1 , < 64a989aa7475b8e76e69b9ec86819ea293e53bab (git)
Affected: 03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1 , < b7849f62e61242e0e02c776e1109eb81e59c567c (git)
Affected: 03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1 , < fefb88a4da961a0b9c2473cbdcfce1a942fcfa9a (git)
Affected: 03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1 , < 979a0db76ceda8fe1f2f85a116bfe97620ebbadf (git)
Affected: 03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1 , < 6007d10c5262f6f71479627c1216899ea7f09073 (git)

Linux

Affected: 4.9
Unaffected: 0 , < 4.9 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57912",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:53:23.510909Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:15.627Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:45.380Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/pressure/zpa2326.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9629ff1a86823269b12fb1ba9ca4efa945906287",
              "status": "affected",
              "version": "03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1",
              "versionType": "git"
            },
            {
              "lessThan": "d25f1fc273670271412a52a1efbdaf5dcf274ed8",
              "status": "affected",
              "version": "03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1",
              "versionType": "git"
            },
            {
              "lessThan": "64a989aa7475b8e76e69b9ec86819ea293e53bab",
              "status": "affected",
              "version": "03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1",
              "versionType": "git"
            },
            {
              "lessThan": "b7849f62e61242e0e02c776e1109eb81e59c567c",
              "status": "affected",
              "version": "03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1",
              "versionType": "git"
            },
            {
              "lessThan": "fefb88a4da961a0b9c2473cbdcfce1a942fcfa9a",
              "status": "affected",
              "version": "03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1",
              "versionType": "git"
            },
            {
              "lessThan": "979a0db76ceda8fe1f2f85a116bfe97620ebbadf",
              "status": "affected",
              "version": "03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1",
              "versionType": "git"
            },
            {
              "lessThan": "6007d10c5262f6f71479627c1216899ea7f09073",
              "status": "affected",
              "version": "03b262f2bbf43b82eaef82ffb3bc671d5b5c8da1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/pressure/zpa2326.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: pressure: zpa2326: fix information leak in triggered buffer\n\nThe \u0027sample\u0027 local struct is used to push data to user space from a\ntriggered buffer, but it has a hole between the temperature and the\ntimestamp (u32 pressure, u16 temperature, GAP, u64 timestamp).\nThis hole is never initialized.\n\nInitialize the struct to zero before using it to avoid pushing\nuninitialized information to userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:30.441Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9629ff1a86823269b12fb1ba9ca4efa945906287"
        },
        {
          "url": "https://git.kernel.org/stable/c/d25f1fc273670271412a52a1efbdaf5dcf274ed8"
        },
        {
          "url": "https://git.kernel.org/stable/c/64a989aa7475b8e76e69b9ec86819ea293e53bab"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7849f62e61242e0e02c776e1109eb81e59c567c"
        },
        {
          "url": "https://git.kernel.org/stable/c/fefb88a4da961a0b9c2473cbdcfce1a942fcfa9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/979a0db76ceda8fe1f2f85a116bfe97620ebbadf"
        },
        {
          "url": "https://git.kernel.org/stable/c/6007d10c5262f6f71479627c1216899ea7f09073"
        }
      ],
      "title": "iio: pressure: zpa2326: fix information leak in triggered buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57912",
    "datePublished": "2025-01-19T11:52:34.490Z",
    "dateReserved": "2025-01-19T11:50:08.373Z",
    "dateUpdated": "2025-11-03T20:55:45.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56631 (GCVE-0-2024-56631)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

scsi: sg: Fix slab-use-after-free read in sg_release()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Fix slab-use-after-free read in sg_release() Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5838 __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912 sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407 In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is called before releasing the open_rel_lock mutex. The kref_put() call may decrement the reference count of sfp to zero, triggering its cleanup through sg_remove_sfp(). This cleanup includes scheduling deferred work via sg_remove_sfp_usercontext(), which ultimately frees sfp. After kref_put(), sg_release() continues to unlock open_rel_lock and may reference sfp or sdp. If sfp has already been freed, this results in a slab-use-after-free error. Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the open_rel_lock mutex. This ensures: - No references to sfp or sdp occur after the reference count is decremented. - Cleanup functions such as sg_remove_sfp() and sg_remove_sfp_usercontext() can safely execute without impacting the mutex handling in sg_release(). The fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures proper sequencing of resource cleanup and mutex operations, eliminating the risk of use-after-free errors in sg_release().

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e19acb1926c4a1f30…
	https://git.kernel.org/stable/c/285ce1f89f8d414e7…
	https://git.kernel.org/stable/c/198b89dd5a595ee3f…
	https://git.kernel.org/stable/c/275b8347e21ab8193…
	https://git.kernel.org/stable/c/59b30afa578637169…
	https://git.kernel.org/stable/c/1f5e2f1ca5875728f…
	https://git.kernel.org/stable/c/f10593ad9bc36921f…

Impacted products

Vendor

Product

Version

Linux

Affected: cc833acbee9db5ca8c6162b015b4c93863c6f821 , < e19acb1926c4a1f30ee1ec84d8afba2d975bd534 (git)
Affected: cc833acbee9db5ca8c6162b015b4c93863c6f821 , < 285ce1f89f8d414e7eecab5ef5118cd512596318 (git)
Affected: cc833acbee9db5ca8c6162b015b4c93863c6f821 , < 198b89dd5a595ee3f96e5ce5c448b0484cd0e53c (git)
Affected: cc833acbee9db5ca8c6162b015b4c93863c6f821 , < 275b8347e21ab8193e93223a8394a806e4ba8918 (git)
Affected: cc833acbee9db5ca8c6162b015b4c93863c6f821 , < 59b30afa578637169e2819536bb66459fdddc39d (git)
Affected: cc833acbee9db5ca8c6162b015b4c93863c6f821 , < 1f5e2f1ca5875728fcf62bc1a054707444ab4960 (git)
Affected: cc833acbee9db5ca8c6162b015b4c93863c6f821 , < f10593ad9bc36921f623361c9e3dd96bd52d85ee (git)
Affected: 3a27c0defb0315760100f8b1adc7c4acbe04c884 (git)

Linux

Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.127 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56631",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:55.376597Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:22.241Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:27.036Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/sg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e19acb1926c4a1f30ee1ec84d8afba2d975bd534",
              "status": "affected",
              "version": "cc833acbee9db5ca8c6162b015b4c93863c6f821",
              "versionType": "git"
            },
            {
              "lessThan": "285ce1f89f8d414e7eecab5ef5118cd512596318",
              "status": "affected",
              "version": "cc833acbee9db5ca8c6162b015b4c93863c6f821",
              "versionType": "git"
            },
            {
              "lessThan": "198b89dd5a595ee3f96e5ce5c448b0484cd0e53c",
              "status": "affected",
              "version": "cc833acbee9db5ca8c6162b015b4c93863c6f821",
              "versionType": "git"
            },
            {
              "lessThan": "275b8347e21ab8193e93223a8394a806e4ba8918",
              "status": "affected",
              "version": "cc833acbee9db5ca8c6162b015b4c93863c6f821",
              "versionType": "git"
            },
            {
              "lessThan": "59b30afa578637169e2819536bb66459fdddc39d",
              "status": "affected",
              "version": "cc833acbee9db5ca8c6162b015b4c93863c6f821",
              "versionType": "git"
            },
            {
              "lessThan": "1f5e2f1ca5875728fcf62bc1a054707444ab4960",
              "status": "affected",
              "version": "cc833acbee9db5ca8c6162b015b4c93863c6f821",
              "versionType": "git"
            },
            {
              "lessThan": "f10593ad9bc36921f623361c9e3dd96bd52d85ee",
              "status": "affected",
              "version": "cc833acbee9db5ca8c6162b015b4c93863c6f821",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3a27c0defb0315760100f8b1adc7c4acbe04c884",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/sg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.85",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sg: Fix slab-use-after-free read in sg_release()\n\nFix a use-after-free bug in sg_release(), detected by syzbot with KASAN:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30\nkernel/locking/lockdep.c:5838\n__mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912\nsg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407\n\nIn sg_release(), the function kref_put(\u0026sfp-\u003ef_ref, sg_remove_sfp) is\ncalled before releasing the open_rel_lock mutex. The kref_put() call may\ndecrement the reference count of sfp to zero, triggering its cleanup\nthrough sg_remove_sfp(). This cleanup includes scheduling deferred work\nvia sg_remove_sfp_usercontext(), which ultimately frees sfp.\n\nAfter kref_put(), sg_release() continues to unlock open_rel_lock and may\nreference sfp or sdp. If sfp has already been freed, this results in a\nslab-use-after-free error.\n\nMove the kref_put(\u0026sfp-\u003ef_ref, sg_remove_sfp) call after unlocking the\nopen_rel_lock mutex. This ensures:\n\n - No references to sfp or sdp occur after the reference count is\n   decremented.\n\n - Cleanup functions such as sg_remove_sfp() and\n   sg_remove_sfp_usercontext() can safely execute without impacting the\n   mutex handling in sg_release().\n\nThe fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures proper\nsequencing of resource cleanup and mutex operations, eliminating the\nrisk of use-after-free errors in sg_release()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:55.836Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e19acb1926c4a1f30ee1ec84d8afba2d975bd534"
        },
        {
          "url": "https://git.kernel.org/stable/c/285ce1f89f8d414e7eecab5ef5118cd512596318"
        },
        {
          "url": "https://git.kernel.org/stable/c/198b89dd5a595ee3f96e5ce5c448b0484cd0e53c"
        },
        {
          "url": "https://git.kernel.org/stable/c/275b8347e21ab8193e93223a8394a806e4ba8918"
        },
        {
          "url": "https://git.kernel.org/stable/c/59b30afa578637169e2819536bb66459fdddc39d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f5e2f1ca5875728fcf62bc1a054707444ab4960"
        },
        {
          "url": "https://git.kernel.org/stable/c/f10593ad9bc36921f623361c9e3dd96bd52d85ee"
        }
      ],
      "title": "scsi: sg: Fix slab-use-after-free read in sg_release()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56631",
    "datePublished": "2024-12-27T15:02:29.428Z",
    "dateReserved": "2024-12-27T15:00:39.838Z",
    "dateUpdated": "2025-11-03T20:51:27.036Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-55881 (GCVE-0-2024-55881)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:35 – Updated: 2025-11-03 20:48

Title

KVM: x86: Play nice with protected guests in complete_hypercall_exit()

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Play nice with protected guests in complete_hypercall_exit() Use is_64_bit_hypercall() instead of is_64_bit_mode() to detect a 64-bit hypercall when completing said hypercall. For guests with protected state, e.g. SEV-ES and SEV-SNP, KVM must assume the hypercall was made in 64-bit mode as the vCPU state needed to detect 64-bit mode is unavailable. Hacking the sev_smoke_test selftest to generate a KVM_HC_MAP_GPA_RANGE hypercall via VMGEXIT trips the WARN: ------------[ cut here ]------------ WARNING: CPU: 273 PID: 326626 at arch/x86/kvm/x86.h:180 complete_hypercall_exit+0x44/0xe0 [kvm] Modules linked in: kvm_amd kvm ... [last unloaded: kvm] CPU: 273 UID: 0 PID: 326626 Comm: sev_smoke_test Not tainted 6.12.0-smp--392e932fa0f3-feat #470 Hardware name: Google Astoria/astoria, BIOS 0.20240617.0-0 06/17/2024 RIP: 0010:complete_hypercall_exit+0x44/0xe0 [kvm] Call Trace: <TASK> kvm_arch_vcpu_ioctl_run+0x2400/0x2720 [kvm] kvm_vcpu_ioctl+0x54f/0x630 [kvm] __se_sys_ioctl+0x6b/0xc0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0840d360a8909c722…
	https://git.kernel.org/stable/c/7ed4db315094963de…
	https://git.kernel.org/stable/c/3d2634ec0d1dbe8f4…
	https://git.kernel.org/stable/c/22b5c2acd65dbe949…
	https://git.kernel.org/stable/c/9b42d1e8e4fe9dc63…

Impacted products

Vendor

Product

Version

Linux

Affected: 5969e2435cbd7f0ce8c28d717bfc39987ee8d8f1 , < 0840d360a8909c722fb62459f42836afe32ededb (git)
Affected: b5aead0064f33ae5e693a364e3204fe1c0ac9af2 , < 7ed4db315094963de0678a8adfd43c46471b9349 (git)
Affected: b5aead0064f33ae5e693a364e3204fe1c0ac9af2 , < 3d2634ec0d1dbe8f4b511cf5261f327c6a76f4b6 (git)
Affected: b5aead0064f33ae5e693a364e3204fe1c0ac9af2 , < 22b5c2acd65dbe949032f619d4758a35a82fffc3 (git)
Affected: b5aead0064f33ae5e693a364e3204fe1c0ac9af2 , < 9b42d1e8e4fe9dc631162c04caa69b0d1860b0f0 (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.122 , ≤ 6.1.* (semver)
Unaffected: 6.6.68 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:48:49.526Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0840d360a8909c722fb62459f42836afe32ededb",
              "status": "affected",
              "version": "5969e2435cbd7f0ce8c28d717bfc39987ee8d8f1",
              "versionType": "git"
            },
            {
              "lessThan": "7ed4db315094963de0678a8adfd43c46471b9349",
              "status": "affected",
              "version": "b5aead0064f33ae5e693a364e3204fe1c0ac9af2",
              "versionType": "git"
            },
            {
              "lessThan": "3d2634ec0d1dbe8f4b511cf5261f327c6a76f4b6",
              "status": "affected",
              "version": "b5aead0064f33ae5e693a364e3204fe1c0ac9af2",
              "versionType": "git"
            },
            {
              "lessThan": "22b5c2acd65dbe949032f619d4758a35a82fffc3",
              "status": "affected",
              "version": "b5aead0064f33ae5e693a364e3204fe1c0ac9af2",
              "versionType": "git"
            },
            {
              "lessThan": "9b42d1e8e4fe9dc631162c04caa69b0d1860b0f0",
              "status": "affected",
              "version": "b5aead0064f33ae5e693a364e3204fe1c0ac9af2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.15.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Play nice with protected guests in complete_hypercall_exit()\n\nUse is_64_bit_hypercall() instead of is_64_bit_mode() to detect a 64-bit\nhypercall when completing said hypercall.  For guests with protected state,\ne.g. SEV-ES and SEV-SNP, KVM must assume the hypercall was made in 64-bit\nmode as the vCPU state needed to detect 64-bit mode is unavailable.\n\nHacking the sev_smoke_test selftest to generate a KVM_HC_MAP_GPA_RANGE\nhypercall via VMGEXIT trips the WARN:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 273 PID: 326626 at arch/x86/kvm/x86.h:180 complete_hypercall_exit+0x44/0xe0 [kvm]\n  Modules linked in: kvm_amd kvm ... [last unloaded: kvm]\n  CPU: 273 UID: 0 PID: 326626 Comm: sev_smoke_test Not tainted 6.12.0-smp--392e932fa0f3-feat #470\n  Hardware name: Google Astoria/astoria, BIOS 0.20240617.0-0 06/17/2024\n  RIP: 0010:complete_hypercall_exit+0x44/0xe0 [kvm]\n  Call Trace:\n   \u003cTASK\u003e\n   kvm_arch_vcpu_ioctl_run+0x2400/0x2720 [kvm]\n   kvm_vcpu_ioctl+0x54f/0x630 [kvm]\n   __se_sys_ioctl+0x6b/0xc0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   \u003c/TASK\u003e\n  ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:57:17.376Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0840d360a8909c722fb62459f42836afe32ededb"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ed4db315094963de0678a8adfd43c46471b9349"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d2634ec0d1dbe8f4b511cf5261f327c6a76f4b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/22b5c2acd65dbe949032f619d4758a35a82fffc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b42d1e8e4fe9dc631162c04caa69b0d1860b0f0"
        }
      ],
      "title": "KVM: x86: Play nice with protected guests in complete_hypercall_exit()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-55881",
    "datePublished": "2025-01-11T12:35:44.019Z",
    "dateReserved": "2025-01-09T09:51:32.450Z",
    "dateUpdated": "2025-11-03T20:48:49.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56621 (GCVE-0-2024-56621)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-05-04 10:00

Title

scsi: ufs: core: Cancel RTC work during ufshcd_remove()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Cancel RTC work during ufshcd_remove() Currently, RTC work is only cancelled during __ufshcd_wl_suspend(). When ufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due to this, any further trigger of the RTC work after ufshcd_remove() would result in a NULL pointer dereference as below: Unable to handle kernel NULL pointer dereference at virtual address 00000000000002a4 Workqueue: events ufshcd_rtc_work Call trace: _raw_spin_lock_irqsave+0x34/0x8c pm_runtime_get_if_active+0x24/0xb4 ufshcd_rtc_work+0x124/0x19c process_scheduled_works+0x18c/0x2d8 worker_thread+0x144/0x280 kthread+0x11c/0x128 ret_from_fork+0x10/0x20 Since RTC work accesses the ufshcd internal structures, it should be cancelled when ufshcd is removed. So do that in ufshcd_remove(), as per the order in ufshcd_init().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/57479e37d3f69efee…
	https://git.kernel.org/stable/c/2e7a3bb0331efb292…
	https://git.kernel.org/stable/c/1695c4361d35b7bda…

Impacted products

Vendor

Product

Version

Linux

Affected: 06701a545e9a3c4e007cff6872a074bf97c40619 , < 57479e37d3f69efee2f0678568274db773284bc8 (git)
Affected: 6bf999e0eb41850d5c857102535d5c53b2ede224 , < 2e7a3bb0331efb292e0fb022c36bc592137f0520 (git)
Affected: 6bf999e0eb41850d5c857102535d5c53b2ede224 , < 1695c4361d35b7bdadd7b34f99c9c07741e181e5 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufshcd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "57479e37d3f69efee2f0678568274db773284bc8",
              "status": "affected",
              "version": "06701a545e9a3c4e007cff6872a074bf97c40619",
              "versionType": "git"
            },
            {
              "lessThan": "2e7a3bb0331efb292e0fb022c36bc592137f0520",
              "status": "affected",
              "version": "6bf999e0eb41850d5c857102535d5c53b2ede224",
              "versionType": "git"
            },
            {
              "lessThan": "1695c4361d35b7bdadd7b34f99c9c07741e181e5",
              "status": "affected",
              "version": "6bf999e0eb41850d5c857102535d5c53b2ede224",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufshcd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Cancel RTC work during ufshcd_remove()\n\nCurrently, RTC work is only cancelled during __ufshcd_wl_suspend(). When\nufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due to\nthis, any further trigger of the RTC work after ufshcd_remove() would\nresult in a NULL pointer dereference as below:\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000002a4\nWorkqueue: events ufshcd_rtc_work\nCall trace:\n _raw_spin_lock_irqsave+0x34/0x8c\n pm_runtime_get_if_active+0x24/0xb4\n ufshcd_rtc_work+0x124/0x19c\n process_scheduled_works+0x18c/0x2d8\n worker_thread+0x144/0x280\n kthread+0x11c/0x128\n ret_from_fork+0x10/0x20\n\nSince RTC work accesses the ufshcd internal structures, it should be cancelled\nwhen ufshcd is removed. So do that in ufshcd_remove(), as per the order in\nufshcd_init()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:08.838Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/57479e37d3f69efee2f0678568274db773284bc8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e7a3bb0331efb292e0fb022c36bc592137f0520"
        },
        {
          "url": "https://git.kernel.org/stable/c/1695c4361d35b7bdadd7b34f99c9c07741e181e5"
        }
      ],
      "title": "scsi: ufs: core: Cancel RTC work during ufshcd_remove()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56621",
    "datePublished": "2024-12-27T14:51:24.948Z",
    "dateReserved": "2024-12-27T14:03:06.016Z",
    "dateUpdated": "2025-05-04T10:00:08.838Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47143 (GCVE-0-2024-47143)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2026-01-05 10:53

Title

dma-debug: fix a possible deadlock on radix_lock

Summary

In the Linux kernel, the following vulnerability has been resolved: dma-debug: fix a possible deadlock on radix_lock radix_lock() shouldn't be held while holding dma_hash_entry[idx].lock otherwise, there's a possible deadlock scenario when dma debug API is called holding rq_lock(): CPU0 CPU1 CPU2 dma_free_attrs() check_unmap() add_dma_entry() __schedule() //out (A) rq_lock() get_hash_bucket() (A) dma_entry_hash check_sync() (A) radix_lock() (W) dma_entry_hash dma_entry_free() (W) radix_lock() // CPU2's one (W) rq_lock() CPU1 situation can happen when it extending radix tree and it tries to wake up kswapd via wake_all_kswapd(). CPU2 situation can happen while perf_event_task_sched_out() (i.e. dma sync operation is called while deleting perf_event using etm and etr tmc which are Arm Coresight hwtracing driver backends). To remove this possible situation, call dma_entry_free() after put_hash_bucket() in check_unmap().

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3ccce34a5c3f5c954…
	https://git.kernel.org/stable/c/efe1b9bbf356357fd…
	https://git.kernel.org/stable/c/8c1b4fea8d62285f5…
	https://git.kernel.org/stable/c/c212d91070beca0d0…
	https://git.kernel.org/stable/c/f2b95248a16c5186d…
	https://git.kernel.org/stable/c/7543c3e3b9b88212f…

Impacted products

Vendor

Product

Version

Linux

Affected: 0abdd7a81b7e3fd781d7fabcca49501852bba17e , < 3ccce34a5c3f5c9541108a451657ade621524b32 (git)
Affected: 0abdd7a81b7e3fd781d7fabcca49501852bba17e , < efe1b9bbf356357fdff0399af361133d6e3ba18e (git)
Affected: 0abdd7a81b7e3fd781d7fabcca49501852bba17e , < 8c1b4fea8d62285f5e1a8194889b39661608bd8a (git)
Affected: 0abdd7a81b7e3fd781d7fabcca49501852bba17e , < c212d91070beca0d03fef7bf988baf4ff4b3eee4 (git)
Affected: 0abdd7a81b7e3fd781d7fabcca49501852bba17e , < f2b95248a16c5186d1c658fc0aeb2f3bd95e5259 (git)
Affected: 0abdd7a81b7e3fd781d7fabcca49501852bba17e , < 7543c3e3b9b88212fcd0aaf5cab5588797bdc7de (git)

Linux

Affected: 3.14
Unaffected: 0 , < 3.14 (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-47143",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:55:51.622689Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:22.563Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:39:31.851Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/dma/debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3ccce34a5c3f5c9541108a451657ade621524b32",
              "status": "affected",
              "version": "0abdd7a81b7e3fd781d7fabcca49501852bba17e",
              "versionType": "git"
            },
            {
              "lessThan": "efe1b9bbf356357fdff0399af361133d6e3ba18e",
              "status": "affected",
              "version": "0abdd7a81b7e3fd781d7fabcca49501852bba17e",
              "versionType": "git"
            },
            {
              "lessThan": "8c1b4fea8d62285f5e1a8194889b39661608bd8a",
              "status": "affected",
              "version": "0abdd7a81b7e3fd781d7fabcca49501852bba17e",
              "versionType": "git"
            },
            {
              "lessThan": "c212d91070beca0d03fef7bf988baf4ff4b3eee4",
              "status": "affected",
              "version": "0abdd7a81b7e3fd781d7fabcca49501852bba17e",
              "versionType": "git"
            },
            {
              "lessThan": "f2b95248a16c5186d1c658fc0aeb2f3bd95e5259",
              "status": "affected",
              "version": "0abdd7a81b7e3fd781d7fabcca49501852bba17e",
              "versionType": "git"
            },
            {
              "lessThan": "7543c3e3b9b88212fcd0aaf5cab5588797bdc7de",
              "status": "affected",
              "version": "0abdd7a81b7e3fd781d7fabcca49501852bba17e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/dma/debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-debug: fix a possible deadlock on radix_lock\n\nradix_lock() shouldn\u0027t be held while holding dma_hash_entry[idx].lock\notherwise, there\u0027s a possible deadlock scenario when\ndma debug API is called holding rq_lock():\n\nCPU0                   CPU1                       CPU2\ndma_free_attrs()\ncheck_unmap()          add_dma_entry()            __schedule() //out\n                                                  (A) rq_lock()\nget_hash_bucket()\n(A) dma_entry_hash\n                                                  check_sync()\n                       (A) radix_lock()           (W) dma_entry_hash\ndma_entry_free()\n(W) radix_lock()\n                       // CPU2\u0027s one\n                       (W) rq_lock()\n\nCPU1 situation can happen when it extending radix tree and\nit tries to wake up kswapd via wake_all_kswapd().\n\nCPU2 situation can happen while perf_event_task_sched_out()\n(i.e. dma sync operation is called while deleting perf_event using\n etm and etr tmc which are Arm Coresight hwtracing driver backends).\n\nTo remove this possible situation, call dma_entry_free() after\nput_hash_bucket() in check_unmap()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:53:43.155Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3ccce34a5c3f5c9541108a451657ade621524b32"
        },
        {
          "url": "https://git.kernel.org/stable/c/efe1b9bbf356357fdff0399af361133d6e3ba18e"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c1b4fea8d62285f5e1a8194889b39661608bd8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c212d91070beca0d03fef7bf988baf4ff4b3eee4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2b95248a16c5186d1c658fc0aeb2f3bd95e5259"
        },
        {
          "url": "https://git.kernel.org/stable/c/7543c3e3b9b88212fcd0aaf5cab5588797bdc7de"
        }
      ],
      "title": "dma-debug: fix a possible deadlock on radix_lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-47143",
    "datePublished": "2025-01-11T12:25:13.561Z",
    "dateReserved": "2025-01-09T09:49:29.749Z",
    "dateUpdated": "2026-01-05T10:53:43.155Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57918 (GCVE-0-2024-57918)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-05-04 10:06

Title

drm/amd/display: fix page fault due to max surface definition mismatch

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix page fault due to max surface definition mismatch DC driver is using two different values to define the maximum number of surfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as the unique definition for surface updates across DC. It fixes page fault faced by Cosmic users on AMD display versions that support two overlay planes, since the introduction of cursor overlay mode. [Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b [ +0.000015] #PF: supervisor read access in kernel mode [ +0.000006] #PF: error_code(0x0000) - not-present page [ +0.000005] PGD 0 P4D 0 [ +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300 [ +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper] [ +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu] [ +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b <0f> b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b [ +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206 [ +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070 [ +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000 [ +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000 [ +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000 [ +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000 [ +0.000004] FS: 0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000 [ +0.000005] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 0000000000350ef0 [ +0.000005] Call Trace: [ +0.000011] <TASK> [ +0.000010] ? __die_body.cold+0x19/0x27 [ +0.000012] ? page_fault_oops+0x15a/0x2d0 [ +0.000014] ? exc_page_fault+0x7e/0x180 [ +0.000009] ? asm_exc_page_fault+0x26/0x30 [ +0.000013] ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu] [ +0.000739] ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu] [ +0.000470] update_planes_and_stream_state+0x49b/0x4f0 [amdgpu] [ +0.000450] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu] [ +0.000446] update_planes_and_stream_v2+0x24a/0x590 [amdgpu] [ +0.000464] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? sort+0x31/0x50 [ +0.000007] ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu] [ +0.000508] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu] [ +0.000377] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm] [ +0.000058] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? dma_fence_default_wait+0x8c/0x260 [ +0.000010] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? wait_for_completion_timeout+0x13b/0x170 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? dma_fence_wait_timeout+0x108/0x140 [ +0.000010] ? commit_tail+0x94/0x130 [drm_kms_helper] [ +0.000024] ? process_one_work+0x177/0x330 [ +0.000008] ? worker_thread+0x266/0x3a0 [ +0.000006] ? __pfx_worker_thread+0x10/0x10 [ +0.000004] ? kthread+0xd2/0x100 [ +0.000006] ? __pfx_kthread+0x10/0x10 [ +0.000006] ? ret_from_fork+0x34/0x50 [ +0.000004] ? __pfx_kthread+0x10/0x10 [ +0.000005] ? ret_from_fork_asm+0x1a/0x30 [ +0.000011] </TASK> (cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/37b8de96ae48c7bb1…
	https://git.kernel.org/stable/c/7de8d5c90be9ad9f6…

Impacted products

Vendor

Product

Version

Linux

Affected: 1b04dcca4fb10dd3834893a60de74edd99f2bfaf , < 37b8de96ae48c7bb1a17cd5585195c43fcacbe94 (git)
Affected: 1b04dcca4fb10dd3834893a60de74edd99f2bfaf , < 7de8d5c90be9ad9f6575e818a674801db2ada794 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc.c",
            "drivers/gpu/drm/amd/display/dc/core/dc_state.c",
            "drivers/gpu/drm/amd/display/dc/dc.h",
            "drivers/gpu/drm/amd/display/dc/dc_stream.h",
            "drivers/gpu/drm/amd/display/dc/dc_types.h",
            "drivers/gpu/drm/amd/display/dc/dml2/dml2_mall_phantom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "37b8de96ae48c7bb1a17cd5585195c43fcacbe94",
              "status": "affected",
              "version": "1b04dcca4fb10dd3834893a60de74edd99f2bfaf",
              "versionType": "git"
            },
            {
              "lessThan": "7de8d5c90be9ad9f6575e818a674801db2ada794",
              "status": "affected",
              "version": "1b04dcca4fb10dd3834893a60de74edd99f2bfaf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc.c",
            "drivers/gpu/drm/amd/display/dc/core/dc_state.c",
            "drivers/gpu/drm/amd/display/dc/dc.h",
            "drivers/gpu/drm/amd/display/dc/dc_stream.h",
            "drivers/gpu/drm/amd/display/dc/dc_types.h",
            "drivers/gpu/drm/amd/display/dc/dml2/dml2_mall_phantom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix page fault due to max surface definition mismatch\n\nDC driver is using two different values to define the maximum number of\nsurfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as\nthe unique definition for surface updates across DC.\n\nIt fixes page fault faced by Cosmic users on AMD display versions that\nsupport two overlay planes, since the introduction of cursor overlay\nmode.\n\n[Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b\n[  +0.000015] #PF: supervisor read access in kernel mode\n[  +0.000006] #PF: error_code(0x0000) - not-present page\n[  +0.000005] PGD 0 P4D 0\n[  +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300\n[  +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024\n[  +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper]\n[  +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]\n[  +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b \u003c0f\u003e b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b\n[  +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206\n[  +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070\n[  +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000\n[  +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000\n[  +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000\n[  +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000\n[  +0.000004] FS:  0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000\n[  +0.000005] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 0000000000350ef0\n[  +0.000005] Call Trace:\n[  +0.000011]  \u003cTASK\u003e\n[  +0.000010]  ? __die_body.cold+0x19/0x27\n[  +0.000012]  ? page_fault_oops+0x15a/0x2d0\n[  +0.000014]  ? exc_page_fault+0x7e/0x180\n[  +0.000009]  ? asm_exc_page_fault+0x26/0x30\n[  +0.000013]  ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]\n[  +0.000739]  ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu]\n[  +0.000470]  update_planes_and_stream_state+0x49b/0x4f0 [amdgpu]\n[  +0.000450]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu]\n[  +0.000446]  update_planes_and_stream_v2+0x24a/0x590 [amdgpu]\n[  +0.000464]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? sort+0x31/0x50\n[  +0.000007]  ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu]\n[  +0.000508]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu]\n[  +0.000377]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm]\n[  +0.000058]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? dma_fence_default_wait+0x8c/0x260\n[  +0.000010]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? wait_for_completion_timeout+0x13b/0x170\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? dma_fence_wait_timeout+0x108/0x140\n[  +0.000010]  ? commit_tail+0x94/0x130 [drm_kms_helper]\n[  +0.000024]  ? process_one_work+0x177/0x330\n[  +0.000008]  ? worker_thread+0x266/0x3a0\n[  +0.000006]  ? __pfx_worker_thread+0x10/0x10\n[  +0.000004]  ? kthread+0xd2/0x100\n[  +0.000006]  ? __pfx_kthread+0x10/0x10\n[  +0.000006]  ? ret_from_fork+0x34/0x50\n[  +0.000004]  ? __pfx_kthread+0x10/0x10\n[  +0.000005]  ? ret_from_fork_asm+0x1a/0x30\n[  +0.000011]  \u003c/TASK\u003e\n\n(cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:37.315Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/37b8de96ae48c7bb1a17cd5585195c43fcacbe94"
        },
        {
          "url": "https://git.kernel.org/stable/c/7de8d5c90be9ad9f6575e818a674801db2ada794"
        }
      ],
      "title": "drm/amd/display: fix page fault due to max surface definition mismatch",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57918",
    "datePublished": "2025-01-19T11:52:38.535Z",
    "dateReserved": "2025-01-19T11:50:08.375Z",
    "dateUpdated": "2025-05-04T10:06:37.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57945 (GCVE-0-2024-57945)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-11-03 19:32

Title

riscv: mm: Fix the out of bound issue of vmemmap address

Summary

In the Linux kernel, the following vulnerability has been resolved: riscv: mm: Fix the out of bound issue of vmemmap address In sparse vmemmap model, the virtual address of vmemmap is calculated as: ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)). And the struct page's va can be calculated with an offset: (vmemmap + (pfn)). However, when initializing struct pages, kernel actually starts from the first page from the same section that phys_ram_base belongs to. If the first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then we get an va below VMEMMAP_START when calculating va for it's struct page. For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the first page in the same section is actually pfn 0x80000. During init_unavailable_range(), we will initialize struct page for pfn 0x80000 with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is below VMEMMAP_START as well as PCI_IO_END. This commit fixes this bug by introducing a new variable 'vmemmap_start_pfn' which is aligned with memory section size and using it to calculate vmemmap address instead of phys_ram_base.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/92f08673d3f189319…
	https://git.kernel.org/stable/c/a4a7ac3d266008018…
	https://git.kernel.org/stable/c/d2bd51954ac8377c2…
	https://git.kernel.org/stable/c/f754f27e98f88428a…

Impacted products

Vendor

Product

Version

Linux

Affected: 8310080799b40fd9f2a8b808c657269678c149af , < 92f08673d3f1893191323572f60e3c62f2e57c2f (git)
Affected: a278d5c60f21aa15d540abb2f2da6e6d795c3e6e , < a4a7ac3d266008018f05fae53060fcb331151a14 (git)
Affected: a11dd49dcb9376776193e15641f84fcc1e5980c9 , < d2bd51954ac8377c2f1eb1813e694788998add66 (git)
Affected: a11dd49dcb9376776193e15641f84fcc1e5980c9 , < f754f27e98f88428aaf6be6e00f5cbce97f62d4b (git)
Affected: 8af1c121b0102041809bc137ec600d1865eaeedd (git)
Affected: 5941a90c55d3bfba732b32208d58d997600b44ef (git)
Affected: 2a1728c15ec4f45ed9248ae22f626541c179bfbe (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.1.140 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:32:46.584Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/page.h",
            "arch/riscv/include/asm/pgtable.h",
            "arch/riscv/mm/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "92f08673d3f1893191323572f60e3c62f2e57c2f",
              "status": "affected",
              "version": "8310080799b40fd9f2a8b808c657269678c149af",
              "versionType": "git"
            },
            {
              "lessThan": "a4a7ac3d266008018f05fae53060fcb331151a14",
              "status": "affected",
              "version": "a278d5c60f21aa15d540abb2f2da6e6d795c3e6e",
              "versionType": "git"
            },
            {
              "lessThan": "d2bd51954ac8377c2f1eb1813e694788998add66",
              "status": "affected",
              "version": "a11dd49dcb9376776193e15641f84fcc1e5980c9",
              "versionType": "git"
            },
            {
              "lessThan": "f754f27e98f88428aaf6be6e00f5cbce97f62d4b",
              "status": "affected",
              "version": "a11dd49dcb9376776193e15641f84fcc1e5980c9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8af1c121b0102041809bc137ec600d1865eaeedd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5941a90c55d3bfba732b32208d58d997600b44ef",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2a1728c15ec4f45ed9248ae22f626541c179bfbe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/page.h",
            "arch/riscv/include/asm/pgtable.h",
            "arch/riscv/mm/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.140",
                  "versionStartIncluding": "6.1.81",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.6.21",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.212",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.151",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Fix the out of bound issue of vmemmap address\n\nIn sparse vmemmap model, the virtual address of vmemmap is calculated as:\n((struct page *)VMEMMAP_START - (phys_ram_base \u003e\u003e PAGE_SHIFT)).\nAnd the struct page\u0027s va can be calculated with an offset:\n(vmemmap + (pfn)).\n\nHowever, when initializing struct pages, kernel actually starts from the\nfirst page from the same section that phys_ram_base belongs to. If the\nfirst page\u0027s physical address is not (phys_ram_base \u003e\u003e PAGE_SHIFT), then\nwe get an va below VMEMMAP_START when calculating va for it\u0027s struct page.\n\nFor example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the\nfirst page in the same section is actually pfn 0x80000. During\ninit_unavailable_range(), we will initialize struct page for pfn 0x80000\nwith virtual address ((struct page *)VMEMMAP_START - 0x2000), which is\nbelow VMEMMAP_START as well as PCI_IO_END.\n\nThis commit fixes this bug by introducing a new variable\n\u0027vmemmap_start_pfn\u0027 which is aligned with memory section size and using\nit to calculate vmemmap address instead of phys_ram_base."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T12:40:03.484Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/92f08673d3f1893191323572f60e3c62f2e57c2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66"
        },
        {
          "url": "https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b"
        }
      ],
      "title": "riscv: mm: Fix the out of bound issue of vmemmap address",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57945",
    "datePublished": "2025-01-21T12:18:12.548Z",
    "dateReserved": "2025-01-19T11:50:08.380Z",
    "dateUpdated": "2025-11-03T19:32:46.584Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21636 (GCVE-0-2025-21636)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:17 – Updated: 2025-11-03 20:58

Title

sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is used.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1dc5da6c4178f3e4b…
	https://git.kernel.org/stable/c/44ee8635922b6eb94…
	https://git.kernel.org/stable/c/284a221f8fa503628…
	https://git.kernel.org/stable/c/bcf8c60074e81ed2a…
	https://git.kernel.org/stable/c/6259d2484d0ceff42…

Impacted products

Vendor

Product

Version

Linux

Affected: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105 , < 1dc5da6c4178f3e4b95c631418f72de9f86c0449 (git)
Affected: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105 , < 44ee8635922b6eb940faddb961a8347c6857d722 (git)
Affected: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105 , < 284a221f8fa503628432c7bb5108277c688c6ffa (git)
Affected: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105 , < bcf8c60074e81ed2ac2d35130917175a3949c917 (git)
Affected: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105 , < 6259d2484d0ceff42245d1f09cc8cb6ee72d847a (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21636",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:13.852333Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:17.956Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:13.639Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1dc5da6c4178f3e4b95c631418f72de9f86c0449",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            },
            {
              "lessThan": "44ee8635922b6eb940faddb961a8347c6857d722",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            },
            {
              "lessThan": "284a221f8fa503628432c7bb5108277c688c6ffa",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            },
            {
              "lessThan": "bcf8c60074e81ed2ac2d35130917175a3949c917",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            },
            {
              "lessThan": "6259d2484d0ceff42245d1f09cc8cb6ee72d847a",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: plpmtud_probe_interval: avoid using current-\u003ensproxy\n\nAs mentioned in a previous commit of this series, using the \u0027net\u0027\nstructure via \u0027current\u0027 is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader\u0027s/writer\u0027s netns vs only\n  from the opener\u0027s netns.\n\n- current-\u003ensproxy can be NULL in some cases, resulting in an \u0027Oops\u0027\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe \u0027net\u0027 structure can be obtained from the table-\u003edata using\ncontainer_of().\n\nNote that table-\u003edata could also be used directly, as this is the only\nmember needed from the \u0027net\u0027 structure, but that would increase the size\nof this fix, to use \u0027*data\u0027 everywhere \u0027net-\u003esctp.probe_interval\u0027 is\nused."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:17:57.588Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1dc5da6c4178f3e4b95c631418f72de9f86c0449"
        },
        {
          "url": "https://git.kernel.org/stable/c/44ee8635922b6eb940faddb961a8347c6857d722"
        },
        {
          "url": "https://git.kernel.org/stable/c/284a221f8fa503628432c7bb5108277c688c6ffa"
        },
        {
          "url": "https://git.kernel.org/stable/c/bcf8c60074e81ed2ac2d35130917175a3949c917"
        },
        {
          "url": "https://git.kernel.org/stable/c/6259d2484d0ceff42245d1f09cc8cb6ee72d847a"
        }
      ],
      "title": "sctp: sysctl: plpmtud_probe_interval: avoid using current-\u003ensproxy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21636",
    "datePublished": "2025-01-19T10:17:54.576Z",
    "dateReserved": "2024-12-29T08:45:45.726Z",
    "dateUpdated": "2025-11-03T20:58:13.639Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56637 (GCVE-0-2024-56637)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

netfilter: ipset: Hold module reference while requesting a module

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: Hold module reference while requesting a module User space may unload ip_set.ko while it is itself requesting a set type backend module, leading to a kernel crash. The race condition may be provoked by inserting an mdelay() right after the nfnl_unlock() call.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e5e2d3024753fdaca…
	https://git.kernel.org/stable/c/6099b5d3e37145484…
	https://git.kernel.org/stable/c/0e67805e805c1f3ed…
	https://git.kernel.org/stable/c/5bae60a933ba5d16e…
	https://git.kernel.org/stable/c/90bf312a6b6b3d601…
	https://git.kernel.org/stable/c/ba5e070f36682d07c…
	https://git.kernel.org/stable/c/456f010bfaefde84d…

Impacted products

Vendor

Product

Version

Linux

Affected: a7b4f989a629493bb4ec4a354def784d440b32c4 , < e5e2d3024753fdaca818b822e3827614bacbdccf (git)
Affected: a7b4f989a629493bb4ec4a354def784d440b32c4 , < 6099b5d3e37145484fac4b8b4070c3f1abfb3519 (git)
Affected: a7b4f989a629493bb4ec4a354def784d440b32c4 , < 0e67805e805c1f3edd6f43adbe08ea14b552694b (git)
Affected: a7b4f989a629493bb4ec4a354def784d440b32c4 , < 5bae60a933ba5d16eed55c6b279be51bcbbc79b0 (git)
Affected: a7b4f989a629493bb4ec4a354def784d440b32c4 , < 90bf312a6b6b3d6012137f6776a4052ee85e0340 (git)
Affected: a7b4f989a629493bb4ec4a354def784d440b32c4 , < ba5e070f36682d07ca7ad2a953e6c9d96be19dca (git)
Affected: a7b4f989a629493bb4ec4a354def784d440b32c4 , < 456f010bfaefde84d3390c755eedb1b0a5857c3c (git)

Linux

Affected: 2.6.39
Unaffected: 0 , < 2.6.39 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:38.620Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipset/ip_set_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e5e2d3024753fdaca818b822e3827614bacbdccf",
              "status": "affected",
              "version": "a7b4f989a629493bb4ec4a354def784d440b32c4",
              "versionType": "git"
            },
            {
              "lessThan": "6099b5d3e37145484fac4b8b4070c3f1abfb3519",
              "status": "affected",
              "version": "a7b4f989a629493bb4ec4a354def784d440b32c4",
              "versionType": "git"
            },
            {
              "lessThan": "0e67805e805c1f3edd6f43adbe08ea14b552694b",
              "status": "affected",
              "version": "a7b4f989a629493bb4ec4a354def784d440b32c4",
              "versionType": "git"
            },
            {
              "lessThan": "5bae60a933ba5d16eed55c6b279be51bcbbc79b0",
              "status": "affected",
              "version": "a7b4f989a629493bb4ec4a354def784d440b32c4",
              "versionType": "git"
            },
            {
              "lessThan": "90bf312a6b6b3d6012137f6776a4052ee85e0340",
              "status": "affected",
              "version": "a7b4f989a629493bb4ec4a354def784d440b32c4",
              "versionType": "git"
            },
            {
              "lessThan": "ba5e070f36682d07ca7ad2a953e6c9d96be19dca",
              "status": "affected",
              "version": "a7b4f989a629493bb4ec4a354def784d440b32c4",
              "versionType": "git"
            },
            {
              "lessThan": "456f010bfaefde84d3390c755eedb1b0a5857c3c",
              "status": "affected",
              "version": "a7b4f989a629493bb4ec4a354def784d440b32c4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipset/ip_set_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.39"
            },
            {
              "lessThan": "2.6.39",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Hold module reference while requesting a module\n\nUser space may unload ip_set.ko while it is itself requesting a set type\nbackend module, leading to a kernel crash. The race condition may be\nprovoked by inserting an mdelay() right after the nfnl_unlock() call."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:42.586Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e5e2d3024753fdaca818b822e3827614bacbdccf"
        },
        {
          "url": "https://git.kernel.org/stable/c/6099b5d3e37145484fac4b8b4070c3f1abfb3519"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e67805e805c1f3edd6f43adbe08ea14b552694b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5bae60a933ba5d16eed55c6b279be51bcbbc79b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/90bf312a6b6b3d6012137f6776a4052ee85e0340"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba5e070f36682d07ca7ad2a953e6c9d96be19dca"
        },
        {
          "url": "https://git.kernel.org/stable/c/456f010bfaefde84d3390c755eedb1b0a5857c3c"
        }
      ],
      "title": "netfilter: ipset: Hold module reference while requesting a module",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56637",
    "datePublished": "2024-12-27T15:02:39.876Z",
    "dateReserved": "2024-12-27T15:00:39.839Z",
    "dateUpdated": "2025-11-03T20:51:38.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57878 (GCVE-0-2024-57878)

Vulnerability from cvelistv5 – Published: 2025-01-11 14:49 – Updated: 2025-10-01 19:57

Title

arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing contents of FPMR will be retained. Before this patch: | # ./fpmr-test | Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Attempting to write NT_ARM_FPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0xffff800083963d50 After this patch: | # ./fpmr-test | Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Attempting to write NT_ARM_FPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8ab73c34e3c5b5807…
	https://git.kernel.org/stable/c/f5d71291841aecfe5…

Impacted products

Vendor

Product

Version

Linux

Affected: 4035c22ef7d43a6c00d6a6584c60e902b95b46af , < 8ab73c34e3c5b580721696665eabd799346bc50b (git)
Affected: 4035c22ef7d43a6c00d6a6584c60e902b95b46af , < f5d71291841aecfe5d8435da2dfa7f58ccd18bc8 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57878",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:50.581552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:19.658Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8ab73c34e3c5b580721696665eabd799346bc50b",
              "status": "affected",
              "version": "4035c22ef7d43a6c00d6a6584c60e902b95b46af",
              "versionType": "git"
            },
            {
              "lessThan": "f5d71291841aecfe5d8435da2dfa7f58ccd18bc8",
              "status": "affected",
              "version": "4035c22ef7d43a6c00d6a6584c60e902b95b46af",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR\n\nCurrently fpmr_set() doesn\u0027t initialize the temporary \u0027fpmr\u0027 variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget-\u003ethread.uw.fpmr, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\ncontents of FPMR will be retained.\n\nBefore this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50\n\nAfter this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:41.552Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8ab73c34e3c5b580721696665eabd799346bc50b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5d71291841aecfe5d8435da2dfa7f58ccd18bc8"
        }
      ],
      "title": "arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57878",
    "datePublished": "2025-01-11T14:49:04.088Z",
    "dateReserved": "2025-01-11T14:45:42.023Z",
    "dateUpdated": "2025-10-01T19:57:19.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56605 (GCVE-0-2024-56605)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2026-01-05 10:56

Title

Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f6ad641646b67f29c…
	https://git.kernel.org/stable/c/daa13175a6dea312a…
	https://git.kernel.org/stable/c/a8677028dd5123e5e…
	https://git.kernel.org/stable/c/bb2f2342a6ddf7c04…
	https://git.kernel.org/stable/c/8ad09ddc63ace3950…
	https://git.kernel.org/stable/c/61686abc2f3c2c678…
	https://git.kernel.org/stable/c/7c4f78cdb8e7501e9…

Impacted products

Vendor

Product

Version

Linux

Affected: 49dfbb9129c4edb318578de35cc45c555df37884 , < f6ad641646b67f29c7578dcd6c25813c7dcbf51e (git)
Affected: 49dfbb9129c4edb318578de35cc45c555df37884 , < daa13175a6dea312a76099066cb4cbd4fc959a84 (git)
Affected: 49dfbb9129c4edb318578de35cc45c555df37884 , < a8677028dd5123e5e525b8195483994d87123de4 (git)
Affected: 49dfbb9129c4edb318578de35cc45c555df37884 , < bb2f2342a6ddf7c04f9aefbbfe86104cd138e629 (git)
Affected: 49dfbb9129c4edb318578de35cc45c555df37884 , < 8ad09ddc63ace3950ac43db6fbfe25b40f589dd6 (git)
Affected: 49dfbb9129c4edb318578de35cc45c555df37884 , < 61686abc2f3c2c67822aa23ce6f160467ec83d35 (git)
Affected: 49dfbb9129c4edb318578de35cc45c555df37884 , < 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 (git)

Linux

Affected: 3.6
Unaffected: 0 , < 3.6 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56605",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:42:08.177341Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:22.950Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:51.126Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f6ad641646b67f29c7578dcd6c25813c7dcbf51e",
              "status": "affected",
              "version": "49dfbb9129c4edb318578de35cc45c555df37884",
              "versionType": "git"
            },
            {
              "lessThan": "daa13175a6dea312a76099066cb4cbd4fc959a84",
              "status": "affected",
              "version": "49dfbb9129c4edb318578de35cc45c555df37884",
              "versionType": "git"
            },
            {
              "lessThan": "a8677028dd5123e5e525b8195483994d87123de4",
              "status": "affected",
              "version": "49dfbb9129c4edb318578de35cc45c555df37884",
              "versionType": "git"
            },
            {
              "lessThan": "bb2f2342a6ddf7c04f9aefbbfe86104cd138e629",
              "status": "affected",
              "version": "49dfbb9129c4edb318578de35cc45c555df37884",
              "versionType": "git"
            },
            {
              "lessThan": "8ad09ddc63ace3950ac43db6fbfe25b40f589dd6",
              "status": "affected",
              "version": "49dfbb9129c4edb318578de35cc45c555df37884",
              "versionType": "git"
            },
            {
              "lessThan": "61686abc2f3c2c67822aa23ce6f160467ec83d35",
              "status": "affected",
              "version": "49dfbb9129c4edb318578de35cc45c555df37884",
              "versionType": "git"
            },
            {
              "lessThan": "7c4f78cdb8e7501e9f92d291a7d956591bf73be9",
              "status": "affected",
              "version": "49dfbb9129c4edb318578de35cc45c555df37884",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "lessThan": "3.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()\n\nbt_sock_alloc() allocates the sk object and attaches it to the provided\nsock object. On error l2cap_sock_alloc() frees the sk object, but the\ndangling pointer is still attached to the sock object, which may create\nuse-after-free in other code."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:13.204Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f6ad641646b67f29c7578dcd6c25813c7dcbf51e"
        },
        {
          "url": "https://git.kernel.org/stable/c/daa13175a6dea312a76099066cb4cbd4fc959a84"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8677028dd5123e5e525b8195483994d87123de4"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb2f2342a6ddf7c04f9aefbbfe86104cd138e629"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ad09ddc63ace3950ac43db6fbfe25b40f589dd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/61686abc2f3c2c67822aa23ce6f160467ec83d35"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c4f78cdb8e7501e9f92d291a7d956591bf73be9"
        }
      ],
      "title": "Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56605",
    "datePublished": "2024-12-27T14:51:10.344Z",
    "dateReserved": "2024-12-27T14:03:06.013Z",
    "dateUpdated": "2026-01-05T10:56:13.204Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21643 (GCVE-0-2025-21643)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:17 – Updated: 2025-05-04 07:18

Title

netfs: Fix kernel async DIO

Summary

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix kernel async DIO Netfslib needs to be able to handle kernel-initiated asynchronous DIO that is supplied with a bio_vec[] array. Currently, because of the async flag, this gets passed to netfs_extract_user_iter() which throws a warning and fails because it only handles IOVEC and UBUF iterators. This can be triggered through a combination of cifs and a loopback blockdev with something like: mount //my/cifs/share /foo dd if=/dev/zero of=/foo/m0 bs=4K count=1K losetup --sector-size 4096 --direct-io=on /dev/loop2046 /foo/m0 echo hello >/dev/loop2046 This causes the following to appear in syslog: WARNING: CPU: 2 PID: 109 at fs/netfs/iterator.c:50 netfs_extract_user_iter+0x170/0x250 [netfs] and the write to fail. Fix this by removing the check in netfs_unbuffered_write_iter_locked() that causes async kernel DIO writes to be handled as userspace writes. Note that this change relies on the kernel caller maintaining the existence of the bio_vec array (or kvec[] or folio_queue) until the op is complete.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9f3a265836844eda3…
	https://git.kernel.org/stable/c/3f6bc9e3ab9b12717…

Impacted products

Vendor

Product

Version

Linux

Affected: 153a9961b551101cd38e94e26cd92fbfd198b19b , < 9f3a265836844eda30bf34c2584b8011fd4f0f49 (git)
Affected: 153a9961b551101cd38e94e26cd92fbfd198b19b , < 3f6bc9e3ab9b127171d39f9ac6eca1abb693b731 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/direct_write.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9f3a265836844eda30bf34c2584b8011fd4f0f49",
              "status": "affected",
              "version": "153a9961b551101cd38e94e26cd92fbfd198b19b",
              "versionType": "git"
            },
            {
              "lessThan": "3f6bc9e3ab9b127171d39f9ac6eca1abb693b731",
              "status": "affected",
              "version": "153a9961b551101cd38e94e26cd92fbfd198b19b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/direct_write.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix kernel async DIO\n\nNetfslib needs to be able to handle kernel-initiated asynchronous DIO that\nis supplied with a bio_vec[] array.  Currently, because of the async flag,\nthis gets passed to netfs_extract_user_iter() which throws a warning and\nfails because it only handles IOVEC and UBUF iterators.  This can be\ntriggered through a combination of cifs and a loopback blockdev with\nsomething like:\n\n        mount //my/cifs/share /foo\n        dd if=/dev/zero of=/foo/m0 bs=4K count=1K\n        losetup --sector-size 4096 --direct-io=on /dev/loop2046 /foo/m0\n        echo hello \u003e/dev/loop2046\n\nThis causes the following to appear in syslog:\n\n        WARNING: CPU: 2 PID: 109 at fs/netfs/iterator.c:50 netfs_extract_user_iter+0x170/0x250 [netfs]\n\nand the write to fail.\n\nFix this by removing the check in netfs_unbuffered_write_iter_locked() that\ncauses async kernel DIO writes to be handled as userspace writes.  Note\nthat this change relies on the kernel caller maintaining the existence of\nthe bio_vec array (or kvec[] or folio_queue) until the op is complete."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:06.741Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9f3a265836844eda30bf34c2584b8011fd4f0f49"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f6bc9e3ab9b127171d39f9ac6eca1abb693b731"
        }
      ],
      "title": "netfs: Fix kernel async DIO",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21643",
    "datePublished": "2025-01-19T10:17:59.820Z",
    "dateReserved": "2024-12-29T08:45:45.727Z",
    "dateUpdated": "2025-05-04T07:18:06.741Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56715 (GCVE-0-2024-56715)

Vulnerability from cvelistv5 – Published: 2024-12-29 08:48 – Updated: 2025-11-03 20:53

Title

ionic: Fix netdev notifier unregister on failure

Summary

In the Linux kernel, the following vulnerability has been resolved: ionic: Fix netdev notifier unregister on failure If register_netdev() fails, then the driver leaks the netdev notifier. Fix this by calling ionic_lif_unregister() on register_netdev() failure. This will also call ionic_lif_unregister_phc() if it has already been registered.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/87847938f5708b250…
	https://git.kernel.org/stable/c/da93a12876f8b969d…
	https://git.kernel.org/stable/c/da5736f516a664a9e…
	https://git.kernel.org/stable/c/ee2e931b2b46de9af…
	https://git.kernel.org/stable/c/9590d32e090ea2751…

Impacted products

Vendor

Product

Version

Linux

Affected: 30b87ab4c0b30e0f681cb7dfaab6c642dd17e454 , < 87847938f5708b2509b279369c96572254bcf2ba (git)
Affected: 30b87ab4c0b30e0f681cb7dfaab6c642dd17e454 , < da93a12876f8b969df7316dc93aac7e725f88252 (git)
Affected: 30b87ab4c0b30e0f681cb7dfaab6c642dd17e454 , < da5736f516a664a9e1ff74902663c64c423045d2 (git)
Affected: 30b87ab4c0b30e0f681cb7dfaab6c642dd17e454 , < ee2e931b2b46de9af7f681258e8ec8e2cd81cfc6 (git)
Affected: 30b87ab4c0b30e0f681cb7dfaab6c642dd17e454 , < 9590d32e090ea2751e131ae5273859ca22f5ac14 (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.122 , ≤ 6.1.* (semver)
Unaffected: 6.6.68 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56715",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:58:37.829177Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:06.875Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:53:03.632Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/pensando/ionic/ionic_lif.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "87847938f5708b2509b279369c96572254bcf2ba",
              "status": "affected",
              "version": "30b87ab4c0b30e0f681cb7dfaab6c642dd17e454",
              "versionType": "git"
            },
            {
              "lessThan": "da93a12876f8b969df7316dc93aac7e725f88252",
              "status": "affected",
              "version": "30b87ab4c0b30e0f681cb7dfaab6c642dd17e454",
              "versionType": "git"
            },
            {
              "lessThan": "da5736f516a664a9e1ff74902663c64c423045d2",
              "status": "affected",
              "version": "30b87ab4c0b30e0f681cb7dfaab6c642dd17e454",
              "versionType": "git"
            },
            {
              "lessThan": "ee2e931b2b46de9af7f681258e8ec8e2cd81cfc6",
              "status": "affected",
              "version": "30b87ab4c0b30e0f681cb7dfaab6c642dd17e454",
              "versionType": "git"
            },
            {
              "lessThan": "9590d32e090ea2751e131ae5273859ca22f5ac14",
              "status": "affected",
              "version": "30b87ab4c0b30e0f681cb7dfaab6c642dd17e454",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/pensando/ionic/ionic_lif.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: Fix netdev notifier unregister on failure\n\nIf register_netdev() fails, then the driver leaks the netdev notifier.\nFix this by calling ionic_lif_unregister() on register_netdev()\nfailure. This will also call ionic_lif_unregister_phc() if it has\nalready been registered."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:03:11.148Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/87847938f5708b2509b279369c96572254bcf2ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/da93a12876f8b969df7316dc93aac7e725f88252"
        },
        {
          "url": "https://git.kernel.org/stable/c/da5736f516a664a9e1ff74902663c64c423045d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee2e931b2b46de9af7f681258e8ec8e2cd81cfc6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9590d32e090ea2751e131ae5273859ca22f5ac14"
        }
      ],
      "title": "ionic: Fix netdev notifier unregister on failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56715",
    "datePublished": "2024-12-29T08:48:48.433Z",
    "dateReserved": "2024-12-27T15:00:39.857Z",
    "dateUpdated": "2025-11-03T20:53:03.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56635 (GCVE-0-2024-56635)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-05-04 10:00

Title

net: avoid potential UAF in default_operstate()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: avoid potential UAF in default_operstate() syzbot reported an UAF in default_operstate() [1] Issue is a race between device and netns dismantles. After calling __rtnl_unlock() from netdev_run_todo(), we can not assume the netns of each device is still alive. Make sure the device is not in NETREG_UNREGISTERED state, and add an ASSERT_RTNL() before the call to __dev_get_by_index(). We might move this ASSERT_RTNL() in __dev_get_by_index() in the future. [1] BUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 Read of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339 CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 default_operstate net/core/link_watch.c:51 [inline] rfc2863_policy+0x224/0x300 net/core/link_watch.c:67 linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170 netdev_run_todo+0x461/0x1000 net/core/dev.c:10894 rtnl_unlock net/core/rtnetlink.c:152 [inline] rtnl_net_unlock include/linux/rtnetlink.h:133 [inline] rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2a3cb80809 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008 RBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8 </TASK> Allocated by task 5339: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kmalloc_array_noprof include/linux/slab.h:945 [inline] netdev_create_hash net/core/dev.c:11870 [inline] netdev_init+0x10c/0x250 net/core/dev.c:11890 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3314 __do_sys_unshare kernel/fork.c:3385 [inline] __se_sys_unshare kernel/fork.c:3383 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x8 ---truncated---

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3265aab0736f78bb2…
	https://git.kernel.org/stable/c/316183d58319f191e…
	https://git.kernel.org/stable/c/750e51603395e7555…

Impacted products

Vendor

Product

Version

Linux

Affected: 8c55facecd7ade835287298ce325f930d888d8ec , < 3265aab0736f78bb218200b06b1abb525c316269 (git)
Affected: 8c55facecd7ade835287298ce325f930d888d8ec , < 316183d58319f191e16503bc2dffa156c4442df2 (git)
Affected: 8c55facecd7ade835287298ce325f930d888d8ec , < 750e51603395e755537da08f745864c93e3ce741 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56635",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:12:40.278798Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:08.285Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/link_watch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3265aab0736f78bb218200b06b1abb525c316269",
              "status": "affected",
              "version": "8c55facecd7ade835287298ce325f930d888d8ec",
              "versionType": "git"
            },
            {
              "lessThan": "316183d58319f191e16503bc2dffa156c4442df2",
              "status": "affected",
              "version": "8c55facecd7ade835287298ce325f930d888d8ec",
              "versionType": "git"
            },
            {
              "lessThan": "750e51603395e755537da08f745864c93e3ce741",
              "status": "affected",
              "version": "8c55facecd7ade835287298ce325f930d888d8ec",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/link_watch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential UAF in default_operstate()\n\nsyzbot reported an UAF in default_operstate() [1]\n\nIssue is a race between device and netns dismantles.\n\nAfter calling __rtnl_unlock() from netdev_run_todo(),\nwe can not assume the netns of each device is still alive.\n\nMake sure the device is not in NETREG_UNREGISTERED state,\nand add an ASSERT_RTNL() before the call to\n__dev_get_by_index().\n\nWe might move this ASSERT_RTNL() in __dev_get_by_index()\nin the future.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\nRead of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339\n\nCPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:489\n  kasan_report+0x143/0x180 mm/kasan/report.c:602\n  __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\n  default_operstate net/core/link_watch.c:51 [inline]\n  rfc2863_policy+0x224/0x300 net/core/link_watch.c:67\n  linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170\n  netdev_run_todo+0x461/0x1000 net/core/dev.c:10894\n  rtnl_unlock net/core/rtnetlink.c:152 [inline]\n  rtnl_net_unlock include/linux/rtnetlink.h:133 [inline]\n  rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520\n  rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541\n  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:726\n  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n  ___sys_sendmsg net/socket.c:2637 [inline]\n  __sys_sendmsg+0x269/0x350 net/socket.c:2669\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2a3cb80809\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809\nRDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008\nRBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8\n \u003c/TASK\u003e\n\nAllocated by task 5339:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n  kmalloc_noprof include/linux/slab.h:901 [inline]\n  kmalloc_array_noprof include/linux/slab.h:945 [inline]\n  netdev_create_hash net/core/dev.c:11870 [inline]\n  netdev_init+0x10c/0x250 net/core/dev.c:11890\n  ops_init+0x31e/0x590 net/core/net_namespace.c:138\n  setup_net+0x287/0x9e0 net/core/net_namespace.c:362\n  copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500\n  create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110\n  unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228\n  ksys_unshare+0x57d/0xa70 kernel/fork.c:3314\n  __do_sys_unshare kernel/fork.c:3385 [inline]\n  __se_sys_unshare kernel/fork.c:3383 [inline]\n  __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x8\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:39.813Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3265aab0736f78bb218200b06b1abb525c316269"
        },
        {
          "url": "https://git.kernel.org/stable/c/316183d58319f191e16503bc2dffa156c4442df2"
        },
        {
          "url": "https://git.kernel.org/stable/c/750e51603395e755537da08f745864c93e3ce741"
        }
      ],
      "title": "net: avoid potential UAF in default_operstate()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56635",
    "datePublished": "2024-12-27T15:02:38.213Z",
    "dateReserved": "2024-12-27T15:00:39.838Z",
    "dateUpdated": "2025-05-04T10:00:39.813Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21646 (GCVE-0-2025-21646)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:18 – Updated: 2025-11-03 20:58

Title

afs: Fix the maximum cell name length

Summary

In the Linux kernel, the following vulnerability has been resolved: afs: Fix the maximum cell name length The kafs filesystem limits the maximum length of a cell to 256 bytes, but a problem occurs if someone actually does that: kafs tries to create a directory under /proc/net/afs/ with the name of the cell, but that fails with a warning: WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:405 because procfs limits the maximum filename length to 255. However, the DNS limits the maximum lookup length and, by extension, the maximum cell name, to 255 less two (length count and trailing NUL). Fix this by limiting the maximum acceptable cellname length to 253. This also allows us to be sure we can create the "/afs/.<cell>/" mountpoint too. Further, split the YFS VL record cell name maximum to be the 256 allowed by the protocol and ignore the record retrieved by YFSVL.GetCellName if it exceeds 253.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9340385468d056bb7…
	https://git.kernel.org/stable/c/7cb3e77e9b4e6ffa3…
	https://git.kernel.org/stable/c/aabe47cf5ac5e1db2…
	https://git.kernel.org/stable/c/7673030efe0f8ca10…
	https://git.kernel.org/stable/c/7922b1f058fe24a93…
	https://git.kernel.org/stable/c/8fd56ad6e7c90ac2b…

Impacted products

Vendor

Product

Version

Linux

Affected: c3e9f888263bb4df11cbd623ceced02081cb2f9f , < 9340385468d056bb700b8f28df236b81fc86a079 (git)
Affected: c3e9f888263bb4df11cbd623ceced02081cb2f9f , < 7cb3e77e9b4e6ffa325a5559393d3283c9af3d01 (git)
Affected: c3e9f888263bb4df11cbd623ceced02081cb2f9f , < aabe47cf5ac5e1db2ae0635f189d836f67024904 (git)
Affected: c3e9f888263bb4df11cbd623ceced02081cb2f9f , < 7673030efe0f8ca1056d3849d61784c6caa052af (git)
Affected: c3e9f888263bb4df11cbd623ceced02081cb2f9f , < 7922b1f058fe24a93730511dd0ae2e1630920096 (git)
Affected: c3e9f888263bb4df11cbd623ceced02081cb2f9f , < 8fd56ad6e7c90ac2bddb0741c6b248c8c5d56ac8 (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:26.381Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/afs/afs.h",
            "fs/afs/afs_vl.h",
            "fs/afs/vl_alias.c",
            "fs/afs/vlclient.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9340385468d056bb700b8f28df236b81fc86a079",
              "status": "affected",
              "version": "c3e9f888263bb4df11cbd623ceced02081cb2f9f",
              "versionType": "git"
            },
            {
              "lessThan": "7cb3e77e9b4e6ffa325a5559393d3283c9af3d01",
              "status": "affected",
              "version": "c3e9f888263bb4df11cbd623ceced02081cb2f9f",
              "versionType": "git"
            },
            {
              "lessThan": "aabe47cf5ac5e1db2ae0635f189d836f67024904",
              "status": "affected",
              "version": "c3e9f888263bb4df11cbd623ceced02081cb2f9f",
              "versionType": "git"
            },
            {
              "lessThan": "7673030efe0f8ca1056d3849d61784c6caa052af",
              "status": "affected",
              "version": "c3e9f888263bb4df11cbd623ceced02081cb2f9f",
              "versionType": "git"
            },
            {
              "lessThan": "7922b1f058fe24a93730511dd0ae2e1630920096",
              "status": "affected",
              "version": "c3e9f888263bb4df11cbd623ceced02081cb2f9f",
              "versionType": "git"
            },
            {
              "lessThan": "8fd56ad6e7c90ac2bddb0741c6b248c8c5d56ac8",
              "status": "affected",
              "version": "c3e9f888263bb4df11cbd623ceced02081cb2f9f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/afs/afs.h",
            "fs/afs/afs_vl.h",
            "fs/afs/vl_alias.c",
            "fs/afs/vlclient.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix the maximum cell name length\n\nThe kafs filesystem limits the maximum length of a cell to 256 bytes, but a\nproblem occurs if someone actually does that: kafs tries to create a\ndirectory under /proc/net/afs/ with the name of the cell, but that fails\nwith a warning:\n\n        WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:405\n\nbecause procfs limits the maximum filename length to 255.\n\nHowever, the DNS limits the maximum lookup length and, by extension, the\nmaximum cell name, to 255 less two (length count and trailing NUL).\n\nFix this by limiting the maximum acceptable cellname length to 253.  This\nalso allows us to be sure we can create the \"/afs/.\u003ccell\u003e/\" mountpoint too.\n\nFurther, split the YFS VL record cell name maximum to be the 256 allowed by\nthe protocol and ignore the record retrieved by YFSVL.GetCellName if it\nexceeds 253."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:10.155Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9340385468d056bb700b8f28df236b81fc86a079"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cb3e77e9b4e6ffa325a5559393d3283c9af3d01"
        },
        {
          "url": "https://git.kernel.org/stable/c/aabe47cf5ac5e1db2ae0635f189d836f67024904"
        },
        {
          "url": "https://git.kernel.org/stable/c/7673030efe0f8ca1056d3849d61784c6caa052af"
        },
        {
          "url": "https://git.kernel.org/stable/c/7922b1f058fe24a93730511dd0ae2e1630920096"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fd56ad6e7c90ac2bddb0741c6b248c8c5d56ac8"
        }
      ],
      "title": "afs: Fix the maximum cell name length",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21646",
    "datePublished": "2025-01-19T10:18:02.776Z",
    "dateReserved": "2024-12-29T08:45:45.728Z",
    "dateUpdated": "2025-11-03T20:58:26.381Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56775 (GCVE-0-2024-56775)

Vulnerability from cvelistv5 – Published: 2025-01-08 17:49 – Updated: 2025-10-01 19:57

Title

drm/amd/display: Fix handling of plane refcount

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix handling of plane refcount [Why] The mechanism to backup and restore plane states doesn't maintain refcount, which can cause issues if the refcount of the plane changes in between backup and restore operations, such as memory leaks if the refcount was supposed to go down, or double frees / invalid memory accesses if the refcount was supposed to go up. [How] Cache and re-apply current refcount when restoring plane states.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-415 - Double Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8cb2f6793845f135b…
	https://git.kernel.org/stable/c/27227a234c1487cb7…

Impacted products

Vendor

Product

Version

Linux

Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 8cb2f6793845f135b28361ba8e96901cae3e5790 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 27227a234c1487cb7a684615f0749c455218833a (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56775",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:42.047459Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-415",
                "description": "CWE-415 Double Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:24.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8cb2f6793845f135b28361ba8e96901cae3e5790",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "27227a234c1487cb7a684615f0749c455218833a",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix handling of plane refcount\n\n[Why]\nThe mechanism to backup and restore plane states doesn\u0027t maintain\nrefcount, which can cause issues if the refcount of the plane changes\nin between backup and restore operations, such as memory leaks if the\nrefcount was supposed to go down, or double frees / invalid memory\naccesses if the refcount was supposed to go up.\n\n[How]\nCache and re-apply current refcount when restoring plane states."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T17:21:36.442Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8cb2f6793845f135b28361ba8e96901cae3e5790"
        },
        {
          "url": "https://git.kernel.org/stable/c/27227a234c1487cb7a684615f0749c455218833a"
        }
      ],
      "title": "drm/amd/display: Fix handling of plane refcount",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56775",
    "datePublished": "2025-01-08T17:49:13.907Z",
    "dateReserved": "2024-12-29T11:26:39.766Z",
    "dateUpdated": "2025-10-01T19:57:24.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21653 (GCVE-0-2025-21653)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:18 – Updated: 2025-11-03 20:58

Title

net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute syzbot found that TCA_FLOW_RSHIFT attribute was not validated. Right shitfing a 32bit integer is undefined for large shift values. UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23 shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int') CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1771 [inline] tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 sfb_classify net/sched/sch_sfb.c:260 [inline] sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 __dev_xmit_skb net/core/dev.c:3889 [inline] __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 geneve_xmit_skb drivers/net/geneve.c:916 [inline] geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9858f4afeb2e59506…
	https://git.kernel.org/stable/c/43658e4a5f2770ad9…
	https://git.kernel.org/stable/c/a313d6e6d5f3a631c…
	https://git.kernel.org/stable/c/2011749ca96460386…
	https://git.kernel.org/stable/c/e54beb9aed2a90ddd…
	https://git.kernel.org/stable/c/6fde663f732141899…
	https://git.kernel.org/stable/c/a039e54397c6a75b7…

Impacted products

Vendor

Product

Version

Linux

Affected: e5dfb815181fcb186d6080ac3a091eadff2d98fe , < 9858f4afeb2e59506e714176bd3e135539a3eeec (git)
Affected: e5dfb815181fcb186d6080ac3a091eadff2d98fe , < 43658e4a5f2770ad94e93362885ff51c10cf3179 (git)
Affected: e5dfb815181fcb186d6080ac3a091eadff2d98fe , < a313d6e6d5f3a631cae5a241c392c28868aa5c5e (git)
Affected: e5dfb815181fcb186d6080ac3a091eadff2d98fe , < 2011749ca96460386844dfc7e0fde53ebee96f3c (git)
Affected: e5dfb815181fcb186d6080ac3a091eadff2d98fe , < e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61 (git)
Affected: e5dfb815181fcb186d6080ac3a091eadff2d98fe , < 6fde663f7321418996645ee602a473457640542f (git)
Affected: e5dfb815181fcb186d6080ac3a091eadff2d98fe , < a039e54397c6a75b713b9ce7894a62e06956aa92 (git)

Linux

Affected: 2.6.25
Unaffected: 0 , < 2.6.25 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:33.343Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/cls_flow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9858f4afeb2e59506e714176bd3e135539a3eeec",
              "status": "affected",
              "version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe",
              "versionType": "git"
            },
            {
              "lessThan": "43658e4a5f2770ad94e93362885ff51c10cf3179",
              "status": "affected",
              "version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe",
              "versionType": "git"
            },
            {
              "lessThan": "a313d6e6d5f3a631cae5a241c392c28868aa5c5e",
              "status": "affected",
              "version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe",
              "versionType": "git"
            },
            {
              "lessThan": "2011749ca96460386844dfc7e0fde53ebee96f3c",
              "status": "affected",
              "version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe",
              "versionType": "git"
            },
            {
              "lessThan": "e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61",
              "status": "affected",
              "version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe",
              "versionType": "git"
            },
            {
              "lessThan": "6fde663f7321418996645ee602a473457640542f",
              "status": "affected",
              "version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe",
              "versionType": "git"
            },
            {
              "lessThan": "a039e54397c6a75b713b9ce7894a62e06956aa92",
              "status": "affected",
              "version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/cls_flow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute\n\nsyzbot found that TCA_FLOW_RSHIFT attribute was not validated.\nRight shitfing a 32bit integer is undefined for large shift values.\n\nUBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23\nshift exponent 9445 is too large for 32-bit type \u0027u32\u0027 (aka \u0027unsigned int\u0027)\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: ipv6_addrconf addrconf_dad_work\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:231 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468\n  flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329\n  tc_classify include/net/tc_wrapper.h:197 [inline]\n  __tcf_classify net/sched/cls_api.c:1771 [inline]\n  tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867\n  sfb_classify net/sched/sch_sfb.c:260 [inline]\n  sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318\n  dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793\n  __dev_xmit_skb net/core/dev.c:3889 [inline]\n  __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400\n  dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n  neigh_hh_output include/net/neighbour.h:523 [inline]\n  neigh_output include/net/neighbour.h:537 [inline]\n  ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236\n  iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82\n  udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173\n  geneve_xmit_skb drivers/net/geneve.c:916 [inline]\n  geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039\n  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n  xmit_one net/core/dev.c:3590 [inline]\n  dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606\n  __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:18.365Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9858f4afeb2e59506e714176bd3e135539a3eeec"
        },
        {
          "url": "https://git.kernel.org/stable/c/43658e4a5f2770ad94e93362885ff51c10cf3179"
        },
        {
          "url": "https://git.kernel.org/stable/c/a313d6e6d5f3a631cae5a241c392c28868aa5c5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2011749ca96460386844dfc7e0fde53ebee96f3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fde663f7321418996645ee602a473457640542f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a039e54397c6a75b713b9ce7894a62e06956aa92"
        }
      ],
      "title": "net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21653",
    "datePublished": "2025-01-19T10:18:10.354Z",
    "dateReserved": "2024-12-29T08:45:45.729Z",
    "dateUpdated": "2025-11-03T20:58:33.343Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57843 (GCVE-0-2024-57843)

Vulnerability from cvelistv5 – Published: 2025-01-11 14:30 – Updated: 2026-01-05 10:56

Title

virtio-net: fix overflow inside virtnet_rq_alloc

Summary

In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix overflow inside virtnet_rq_alloc When the frag just got a page, then may lead to regression on VM. Specially if the sysctl net.core.high_order_alloc_disable value is 1, then the frag always get a page when do refill. Which could see reliable crashes or scp failure (scp a file 100M in size to VM). The issue is that the virtnet_rq_dma takes up 16 bytes at the beginning of a new frag. When the frag size is larger than PAGE_SIZE, everything is fine. However, if the frag is only one page and the total size of the buffer and virtnet_rq_dma is larger than one page, an overflow may occur. The commit f9dac92ba908 ("virtio_ring: enable premapped mode whatever use_dma_api") introduced this problem. And we reverted some commits to fix this in last linux version. Now we try to enable it and fix this bug directly. Here, when the frag size is not enough, we reduce the buffer len to fix this problem.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a8f7d6963768b114e…
	https://git.kernel.org/stable/c/67a11de8965c2ab19…
	https://git.kernel.org/stable/c/6aacd1484468361d1…

Impacted products

Vendor

Product

Version

Linux

Affected: 295525e29a5b5694a6e96864f0c1365f79639863 , < a8f7d6963768b114ec9644ff0148dde4c104e84b (git)
Affected: 295525e29a5b5694a6e96864f0c1365f79639863 , < 67a11de8965c2ab19e215fb6651d44847e068614 (git)
Affected: 295525e29a5b5694a6e96864f0c1365f79639863 , < 6aacd1484468361d1d04badfe75f264fa5314864 (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8f7d6963768b114ec9644ff0148dde4c104e84b",
              "status": "affected",
              "version": "295525e29a5b5694a6e96864f0c1365f79639863",
              "versionType": "git"
            },
            {
              "lessThan": "67a11de8965c2ab19e215fb6651d44847e068614",
              "status": "affected",
              "version": "295525e29a5b5694a6e96864f0c1365f79639863",
              "versionType": "git"
            },
            {
              "lessThan": "6aacd1484468361d1d04badfe75f264fa5314864",
              "status": "affected",
              "version": "295525e29a5b5694a6e96864f0c1365f79639863",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix overflow inside virtnet_rq_alloc\n\nWhen the frag just got a page, then may lead to regression on VM.\nSpecially if the sysctl net.core.high_order_alloc_disable value is 1,\nthen the frag always get a page when do refill.\n\nWhich could see reliable crashes or scp failure (scp a file 100M in size\nto VM).\n\nThe issue is that the virtnet_rq_dma takes up 16 bytes at the beginning\nof a new frag. When the frag size is larger than PAGE_SIZE,\neverything is fine. However, if the frag is only one page and the\ntotal size of the buffer and virtnet_rq_dma is larger than one page, an\noverflow may occur.\n\nThe commit f9dac92ba908 (\"virtio_ring: enable premapped mode whatever\nuse_dma_api\") introduced this problem. And we reverted some commits to\nfix this in last linux version. Now we try to enable it and fix this\nbug directly.\n\nHere, when the frag size is not enough, we reduce the buffer len to fix\nthis problem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:28.521Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8f7d6963768b114ec9644ff0148dde4c104e84b"
        },
        {
          "url": "https://git.kernel.org/stable/c/67a11de8965c2ab19e215fb6651d44847e068614"
        },
        {
          "url": "https://git.kernel.org/stable/c/6aacd1484468361d1d04badfe75f264fa5314864"
        }
      ],
      "title": "virtio-net: fix overflow inside virtnet_rq_alloc",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57843",
    "datePublished": "2025-01-11T14:30:57.255Z",
    "dateReserved": "2025-01-11T12:32:49.621Z",
    "dateUpdated": "2026-01-05T10:56:28.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56770 (GCVE-0-2024-56770)

Vulnerability from cvelistv5 – Published: 2025-01-08 16:36 – Updated: 2025-11-03 20:54

Title

net/sched: netem: account for backlog updates from child qdisc

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: netem: account for backlog updates from child qdisc In general, 'qlen' of any classful qdisc should keep track of the number of packets that the qdisc itself and all of its children holds. In case of netem, 'qlen' only accounts for the packets in its internal tfifo. When netem is used with a child qdisc, the child qdisc can use 'qdisc_tree_reduce_backlog' to inform its parent, netem, about created or dropped SKBs. This function updates 'qlen' and the backlog statistics of netem, but netem does not account for changes made by a child qdisc. 'qlen' then indicates the wrong number of packets in the tfifo. If a child qdisc creates new SKBs during enqueue and informs its parent about this, netem's 'qlen' value is increased. When netem dequeues the newly created SKBs from the child, the 'qlen' in netem is not updated. If 'qlen' reaches the configured sch->limit, the enqueue function stops working, even though the tfifo is not full. Reproduce the bug: Ensure that the sender machine has GSO enabled. Configure netem as root qdisc and tbf as its child on the outgoing interface of the machine as follows: $ tc qdisc add dev <oif> root handle 1: netem delay 100ms limit 100 $ tc qdisc add dev <oif> parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 client on the machine. Check the qdisc statistics: $ tc -s qdisc show dev <oif> Statistics after 10s of iPerf3 TCP test before the fix (note that netem's backlog > limit, netem stopped accepting packets): qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0) backlog 4294528236b 1155p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0) backlog 0b 0p requeues 0 Statistics after the fix: qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0) backlog 0b 0p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0) backlog 0b 0p requeues 0 tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'. The interface fully stops transferring packets and "locks". In this case, the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at its limit and no more packets are accepted. This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is only decreased when a packet is returned by its dequeue function, and not during enqueuing into the child qdisc. External updates to 'qlen' are thus accounted for and only the behavior of the backlog statistics changes. As in other qdiscs, 'qlen' then keeps track of how many packets are held in netem and all of its children. As before, sch->limit remains as the maximum number of packets in the tfifo. The same applies to netem's backlog statistics.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/83c6ab12f08dcc09d…
	https://git.kernel.org/stable/c/216509dda290f6db9…
	https://git.kernel.org/stable/c/c2047b0e216c8edce…
	https://git.kernel.org/stable/c/10df49cfca73dfbbd…
	https://git.kernel.org/stable/c/3824c5fad18eeb7ab…
	https://git.kernel.org/stable/c/356078a5c55ec8d20…
	https://git.kernel.org/stable/c/f8d4bc455047cf390…

Impacted products

Vendor

Product

Version

Linux

Affected: 50612537e9ab29693122fab20fc1eed235054ffe , < 83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31 (git)
Affected: 50612537e9ab29693122fab20fc1eed235054ffe , < 216509dda290f6db92c816dd54b83c1df9da9e76 (git)
Affected: 50612537e9ab29693122fab20fc1eed235054ffe , < c2047b0e216c8edce227d7c42f99ac2877dad0e4 (git)
Affected: 50612537e9ab29693122fab20fc1eed235054ffe , < 10df49cfca73dfbbdb6c4150d859f7e8926ae427 (git)
Affected: 50612537e9ab29693122fab20fc1eed235054ffe , < 3824c5fad18eeb7abe0c4fc966f29959552dca3e (git)
Affected: 50612537e9ab29693122fab20fc1eed235054ffe , < 356078a5c55ec8d2061fcc009fb8599f5b0527f9 (git)
Affected: 50612537e9ab29693122fab20fc1eed235054ffe , < f8d4bc455047cf3903cd6f85f49978987dbb3027 (git)

Linux

Affected: 3.3
Unaffected: 0 , < 3.3 (semver)
Unaffected: 5.4.288 , ≤ 5.4.* (semver)
Unaffected: 5.10.232 , ≤ 5.10.* (semver)
Unaffected: 5.15.175 , ≤ 5.15.* (semver)
Unaffected: 6.1.121 , ≤ 6.1.* (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56770",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:54.954468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:25.208Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:08.397Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_netem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "216509dda290f6db92c816dd54b83c1df9da9e76",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "c2047b0e216c8edce227d7c42f99ac2877dad0e4",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "10df49cfca73dfbbdb6c4150d859f7e8926ae427",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "3824c5fad18eeb7abe0c4fc966f29959552dca3e",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "356078a5c55ec8d2061fcc009fb8599f5b0527f9",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "f8d4bc455047cf3903cd6f85f49978987dbb3027",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_netem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "lessThan": "3.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.288",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.232",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.288",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.232",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.175",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.121",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: netem: account for backlog updates from child qdisc\n\nIn general, \u0027qlen\u0027 of any classful qdisc should keep track of the\nnumber of packets that the qdisc itself and all of its children holds.\nIn case of netem, \u0027qlen\u0027 only accounts for the packets in its internal\ntfifo. When netem is used with a child qdisc, the child qdisc can use\n\u0027qdisc_tree_reduce_backlog\u0027 to inform its parent, netem, about created\nor dropped SKBs. This function updates \u0027qlen\u0027 and the backlog statistics\nof netem, but netem does not account for changes made by a child qdisc.\n\u0027qlen\u0027 then indicates the wrong number of packets in the tfifo.\nIf a child qdisc creates new SKBs during enqueue and informs its parent\nabout this, netem\u0027s \u0027qlen\u0027 value is increased. When netem dequeues the\nnewly created SKBs from the child, the \u0027qlen\u0027 in netem is not updated.\nIf \u0027qlen\u0027 reaches the configured sch-\u003elimit, the enqueue function stops\nworking, even though the tfifo is not full.\n\nReproduce the bug:\nEnsure that the sender machine has GSO enabled. Configure netem as root\nqdisc and tbf as its child on the outgoing interface of the machine\nas follows:\n$ tc qdisc add dev \u003coif\u003e root handle 1: netem delay 100ms limit 100\n$ tc qdisc add dev \u003coif\u003e parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms\n\nSend bulk TCP traffic out via this interface, e.g., by running an iPerf3\nclient on the machine. Check the qdisc statistics:\n$ tc -s qdisc show dev \u003coif\u003e\n\nStatistics after 10s of iPerf3 TCP test before the fix (note that\nnetem\u0027s backlog \u003e limit, netem stopped accepting packets):\nqdisc netem 1: root refcnt 2 limit 1000 delay 100ms\n Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0)\n backlog 4294528236b 1155p requeues 0\nqdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms\n Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0)\n backlog 0b 0p requeues 0\n\nStatistics after the fix:\nqdisc netem 1: root refcnt 2 limit 1000 delay 100ms\n Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0)\n backlog 0b 0p requeues 0\nqdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms\n Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0)\n backlog 0b 0p requeues 0\n\ntbf segments the GSO SKBs (tbf_segment) and updates the netem\u0027s \u0027qlen\u0027.\nThe interface fully stops transferring packets and \"locks\". In this case,\nthe child qdisc and tfifo are empty, but \u0027qlen\u0027 indicates the tfifo is at\nits limit and no more packets are accepted.\n\nThis patch adds a counter for the entries in the tfifo. Netem\u0027s \u0027qlen\u0027 is\nonly decreased when a packet is returned by its dequeue function, and not\nduring enqueuing into the child qdisc. External updates to \u0027qlen\u0027 are thus\naccounted for and only the behavior of the backlog statistics changes. As\nin other qdiscs, \u0027qlen\u0027 then keeps track of  how many packets are held in\nnetem and all of its children. As before, sch-\u003elimit remains as the\nmaximum number of packets in the tfifo. The same applies to netem\u0027s\nbacklog statistics."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:19.387Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31"
        },
        {
          "url": "https://git.kernel.org/stable/c/216509dda290f6db92c816dd54b83c1df9da9e76"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2047b0e216c8edce227d7c42f99ac2877dad0e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/10df49cfca73dfbbdb6c4150d859f7e8926ae427"
        },
        {
          "url": "https://git.kernel.org/stable/c/3824c5fad18eeb7abe0c4fc966f29959552dca3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/356078a5c55ec8d2061fcc009fb8599f5b0527f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8d4bc455047cf3903cd6f85f49978987dbb3027"
        }
      ],
      "title": "net/sched: netem: account for backlog updates from child qdisc",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56770",
    "datePublished": "2025-01-08T16:36:59.315Z",
    "dateReserved": "2024-12-29T11:26:39.763Z",
    "dateUpdated": "2025-11-03T20:54:08.397Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-53680 (GCVE-0-2024-53680)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2025-11-03 20:48

Title

ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() Under certain kernel configurations when building with Clang/LLVM, the compiler does not generate a return or jump as the terminator instruction for ip_vs_protocol_init(), triggering the following objtool warning during build time: vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6() At runtime, this either causes an oops when trying to load the ipvs module or a boot-time panic if ipvs is built-in. This same issue has been reported by the Intel kernel test robot previously. Digging deeper into both LLVM and the kernel code reveals this to be a undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer of 64 chars to store the registered protocol names and leaves it uninitialized after definition. The function calls strnlen() when concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE strnlen() performs an extra step to check whether the last byte of the input char buffer is a null character (commit 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths")). This, together with possibly other configurations, cause the following IR to be generated: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 { %1 = alloca [64 x i8], align 16 ... 14: ; preds = %11 %15 = getelementptr inbounds i8, ptr %1, i64 63 %16 = load i8, ptr %15, align 1 %17 = tail call i1 @llvm.is.constant.i8(i8 %16) %18 = icmp eq i8 %16, 0 %19 = select i1 %17, i1 %18, i1 false br i1 %19, label %20, label %23 20: ; preds = %14 %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23 ... 23: ; preds = %14, %11, %20 %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24 ... } The above code calculates the address of the last char in the buffer (value %15) and then loads from it (value %16). Because the buffer is never initialized, the LLVM GVN pass marks value %16 as undefined: %13 = getelementptr inbounds i8, ptr %1, i64 63 br i1 undef, label %14, label %17 This gives later passes (SCCP, in particular) more DCE opportunities by propagating the undef value further, and eventually removes everything after the load on the uninitialized stack location: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 { %1 = alloca [64 x i8], align 16 ... 12: ; preds = %11 %13 = getelementptr inbounds i8, ptr %1, i64 63 unreachable } In this way, the generated native code will just fall through to the next function, as LLVM does not generate any code for the unreachable IR instruction and leaves the function without a terminator. Zero the on-stack buffer to avoid this possible UB.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/31d1ddc1ce8e8d3f1…
	https://git.kernel.org/stable/c/0b2cbed82b7c6504a…
	https://git.kernel.org/stable/c/d6e1776f51c958271…
	https://git.kernel.org/stable/c/664d0feab92495b6a…
	https://git.kernel.org/stable/c/124834133b32f9386…
	https://git.kernel.org/stable/c/48130002e64fd191b…
	https://git.kernel.org/stable/c/146b6f1112eb30a19…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 31d1ddc1ce8e8d3f101a679243abb42a313ee88a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b2cbed82b7c6504a8a0fbd181f92dd56b432c12 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d6e1776f51c95827142f1d7064118e255e2deec1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 664d0feab92495b6a27edc3d1119e232c0fe8b2b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 124834133b32f9386bb2d8581d9ab92f65e951e4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 48130002e64fd191b7d18efeb4d253fcc23e4688 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 146b6f1112eb30a19776d6c323c994e9d67790db (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:48:17.936Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_proto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "31d1ddc1ce8e8d3f101a679243abb42a313ee88a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0b2cbed82b7c6504a8a0fbd181f92dd56b432c12",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d6e1776f51c95827142f1d7064118e255e2deec1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "664d0feab92495b6a27edc3d1119e232c0fe8b2b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "124834133b32f9386bb2d8581d9ab92f65e951e4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "48130002e64fd191b7d18efeb4d253fcc23e4688",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "146b6f1112eb30a19776d6c323c994e9d67790db",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_proto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()\n\nUnder certain kernel configurations when building with Clang/LLVM, the\ncompiler does not generate a return or jump as the terminator\ninstruction for ip_vs_protocol_init(), triggering the following objtool\nwarning during build time:\n\n  vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6()\n\nAt runtime, this either causes an oops when trying to load the ipvs\nmodule or a boot-time panic if ipvs is built-in. This same issue has\nbeen reported by the Intel kernel test robot previously.\n\nDigging deeper into both LLVM and the kernel code reveals this to be a\nundefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer\nof 64 chars to store the registered protocol names and leaves it\nuninitialized after definition. The function calls strnlen() when\nconcatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE\nstrnlen() performs an extra step to check whether the last byte of the\ninput char buffer is a null character (commit 3009f891bb9f (\"fortify:\nAllow strlen() and strnlen() to pass compile-time known lengths\")).\nThis, together with possibly other configurations, cause the following\nIR to be generated:\n\n  define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section \".init.text\" align 16 !kcfi_type !29 {\n    %1 = alloca [64 x i8], align 16\n    ...\n\n  14:                                               ; preds = %11\n    %15 = getelementptr inbounds i8, ptr %1, i64 63\n    %16 = load i8, ptr %15, align 1\n    %17 = tail call i1 @llvm.is.constant.i8(i8 %16)\n    %18 = icmp eq i8 %16, 0\n    %19 = select i1 %17, i1 %18, i1 false\n    br i1 %19, label %20, label %23\n\n  20:                                               ; preds = %14\n    %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23\n    ...\n\n  23:                                               ; preds = %14, %11, %20\n    %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24\n    ...\n  }\n\nThe above code calculates the address of the last char in the buffer\n(value %15) and then loads from it (value %16). Because the buffer is\nnever initialized, the LLVM GVN pass marks value %16 as undefined:\n\n  %13 = getelementptr inbounds i8, ptr %1, i64 63\n  br i1 undef, label %14, label %17\n\nThis gives later passes (SCCP, in particular) more DCE opportunities by\npropagating the undef value further, and eventually removes everything\nafter the load on the uninitialized stack location:\n\n  define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section \".init.text\" align 16 !kcfi_type !11 {\n    %1 = alloca [64 x i8], align 16\n    ...\n\n  12:                                               ; preds = %11\n    %13 = getelementptr inbounds i8, ptr %1, i64 63\n    unreachable\n  }\n\nIn this way, the generated native code will just fall through to the\nnext function, as LLVM does not generate any code for the unreachable IR\ninstruction and leaves the function without a terminator.\n\nZero the on-stack buffer to avoid this possible UB."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:56:50.317Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/31d1ddc1ce8e8d3f101a679243abb42a313ee88a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b2cbed82b7c6504a8a0fbd181f92dd56b432c12"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6e1776f51c95827142f1d7064118e255e2deec1"
        },
        {
          "url": "https://git.kernel.org/stable/c/664d0feab92495b6a27edc3d1119e232c0fe8b2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/124834133b32f9386bb2d8581d9ab92f65e951e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/48130002e64fd191b7d18efeb4d253fcc23e4688"
        },
        {
          "url": "https://git.kernel.org/stable/c/146b6f1112eb30a19776d6c323c994e9d67790db"
        }
      ],
      "title": "ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53680",
    "datePublished": "2025-01-11T12:25:21.794Z",
    "dateReserved": "2025-01-09T09:49:29.723Z",
    "dateUpdated": "2025-11-03T20:48:17.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57907 (GCVE-0-2024-57907)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-11-03 20:55

Title

iio: adc: rockchip_saradc: fix information leak in triggered buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: adc: rockchip_saradc: fix information leak in triggered buffer The 'data' local struct is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/85a9c98a5e0f22d91…
	https://git.kernel.org/stable/c/7a07fb80ea886e913…
	https://git.kernel.org/stable/c/64b79afdca7b27a76…
	https://git.kernel.org/stable/c/5a95fbbecec7a34bb…
	https://git.kernel.org/stable/c/8193941bc4fe7247f…
	https://git.kernel.org/stable/c/38724591364e1e3b2…

Impacted products

Vendor

Product

Version

Linux

Affected: 4e130dc7b41348b13684f0758c26cc6cf72a3449 , < 85a9c98a5e0f22d911b00077d751e34fff1401aa (git)
Affected: 4e130dc7b41348b13684f0758c26cc6cf72a3449 , < 7a07fb80ea886e9134284a27d0155cca7649e293 (git)
Affected: 4e130dc7b41348b13684f0758c26cc6cf72a3449 , < 64b79afdca7b27a768c7d3716b7f4deb1d6b955c (git)
Affected: 4e130dc7b41348b13684f0758c26cc6cf72a3449 , < 5a95fbbecec7a34bbad5dcc3156700b8711d53c4 (git)
Affected: 4e130dc7b41348b13684f0758c26cc6cf72a3449 , < 8193941bc4fe7247ff13233f328aea709f574554 (git)
Affected: 4e130dc7b41348b13684f0758c26cc6cf72a3449 , < 38724591364e1e3b278b4053f102b49ea06ee17c (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.127 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57907",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:53:39.759871Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:16.532Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:34.143Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/adc/rockchip_saradc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "85a9c98a5e0f22d911b00077d751e34fff1401aa",
              "status": "affected",
              "version": "4e130dc7b41348b13684f0758c26cc6cf72a3449",
              "versionType": "git"
            },
            {
              "lessThan": "7a07fb80ea886e9134284a27d0155cca7649e293",
              "status": "affected",
              "version": "4e130dc7b41348b13684f0758c26cc6cf72a3449",
              "versionType": "git"
            },
            {
              "lessThan": "64b79afdca7b27a768c7d3716b7f4deb1d6b955c",
              "status": "affected",
              "version": "4e130dc7b41348b13684f0758c26cc6cf72a3449",
              "versionType": "git"
            },
            {
              "lessThan": "5a95fbbecec7a34bbad5dcc3156700b8711d53c4",
              "status": "affected",
              "version": "4e130dc7b41348b13684f0758c26cc6cf72a3449",
              "versionType": "git"
            },
            {
              "lessThan": "8193941bc4fe7247ff13233f328aea709f574554",
              "status": "affected",
              "version": "4e130dc7b41348b13684f0758c26cc6cf72a3449",
              "versionType": "git"
            },
            {
              "lessThan": "38724591364e1e3b278b4053f102b49ea06ee17c",
              "status": "affected",
              "version": "4e130dc7b41348b13684f0758c26cc6cf72a3449",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/adc/rockchip_saradc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: rockchip_saradc: fix information leak in triggered buffer\n\nThe \u0027data\u0027 local struct is used to push data to user space from a\ntriggered buffer, but it does not set values for inactive channels, as\nit only uses iio_for_each_active_channel() to assign new values.\n\nInitialize the struct to zero before using it to avoid pushing\nuninitialized information to userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:22.907Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/85a9c98a5e0f22d911b00077d751e34fff1401aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a07fb80ea886e9134284a27d0155cca7649e293"
        },
        {
          "url": "https://git.kernel.org/stable/c/64b79afdca7b27a768c7d3716b7f4deb1d6b955c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a95fbbecec7a34bbad5dcc3156700b8711d53c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/8193941bc4fe7247ff13233f328aea709f574554"
        },
        {
          "url": "https://git.kernel.org/stable/c/38724591364e1e3b278b4053f102b49ea06ee17c"
        }
      ],
      "title": "iio: adc: rockchip_saradc: fix information leak in triggered buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57907",
    "datePublished": "2025-01-19T11:52:31.039Z",
    "dateReserved": "2025-01-19T11:50:08.372Z",
    "dateUpdated": "2025-11-03T20:55:34.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56593 (GCVE-0-2024-56593)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2026-01-05 10:55

Title

wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw() This patch fixes a NULL pointer dereference bug in brcmfmac that occurs when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs are sent from the pkt queue. The problem is the number of entries in the pre-allocated sgtable, it is nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1. Given the default [rt]xglom_size=32 it's actually 35 which is too small. Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB is added for each original SKB if tailroom isn't enough to hold tail_pad. At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop" in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return NULL and this causes the oops. The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle the worst-case. Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 additional bytes of memory.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/342f87d263462c267…
	https://git.kernel.org/stable/c/7522d7d745d13fbef…
	https://git.kernel.org/stable/c/dfb3f9d3f602602de…
	https://git.kernel.org/stable/c/67a25ea28f8ec1da8…
	https://git.kernel.org/stable/c/07c020c6d14d29e5a…
	https://git.kernel.org/stable/c/34941321b516bd7c6…
	https://git.kernel.org/stable/c/857282b819cbaa067…

Impacted products

Vendor

Product

Version

Linux

Affected: af1fa210f4fc6e304b859b386a3c8a266b1110ab , < 342f87d263462c2670b77ea9a32074cab2ac6fa1 (git)
Affected: af1fa210f4fc6e304b859b386a3c8a266b1110ab , < 7522d7d745d13fbeff3350fe6aa56c8dae263571 (git)
Affected: af1fa210f4fc6e304b859b386a3c8a266b1110ab , < dfb3f9d3f602602de208da7bdcc0f6d5ee74af68 (git)
Affected: af1fa210f4fc6e304b859b386a3c8a266b1110ab , < 67a25ea28f8ec1da8894f2f115d01d3becf67dc7 (git)
Affected: af1fa210f4fc6e304b859b386a3c8a266b1110ab , < 07c020c6d14d29e5a3ea4e4576b8ecf956a80834 (git)
Affected: af1fa210f4fc6e304b859b386a3c8a266b1110ab , < 34941321b516bd7c6103bd01287d71a1804d19d3 (git)
Affected: af1fa210f4fc6e304b859b386a3c8a266b1110ab , < 857282b819cbaa0675aaab1e7542e2c0579f52d7 (git)

Linux

Affected: 3.15
Unaffected: 0 , < 3.15 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:39.392025Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:14.320Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:17.021Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "342f87d263462c2670b77ea9a32074cab2ac6fa1",
              "status": "affected",
              "version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
              "versionType": "git"
            },
            {
              "lessThan": "7522d7d745d13fbeff3350fe6aa56c8dae263571",
              "status": "affected",
              "version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
              "versionType": "git"
            },
            {
              "lessThan": "dfb3f9d3f602602de208da7bdcc0f6d5ee74af68",
              "status": "affected",
              "version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
              "versionType": "git"
            },
            {
              "lessThan": "67a25ea28f8ec1da8894f2f115d01d3becf67dc7",
              "status": "affected",
              "version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
              "versionType": "git"
            },
            {
              "lessThan": "07c020c6d14d29e5a3ea4e4576b8ecf956a80834",
              "status": "affected",
              "version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
              "versionType": "git"
            },
            {
              "lessThan": "34941321b516bd7c6103bd01287d71a1804d19d3",
              "status": "affected",
              "version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
              "versionType": "git"
            },
            {
              "lessThan": "857282b819cbaa0675aaab1e7542e2c0579f52d7",
              "status": "affected",
              "version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()\n\nThis patch fixes a NULL pointer dereference bug in brcmfmac that occurs\nwhen a high \u0027sd_sgentry_align\u0027 value applies (e.g. 512) and a lot of queued SKBs\nare sent from the pkt queue.\n\nThe problem is the number of entries in the pre-allocated sgtable, it is\nnents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) \u003e\u003e 4 + 1.\nGiven the default [rt]xglom_size=32 it\u0027s actually 35 which is too small.\nWorst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB\nis added for each original SKB if tailroom isn\u0027t enough to hold tail_pad.\nAt least one sg entry is needed for each SKB. So, eventually the \"skb_queue_walk loop\"\nin brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return\nNULL and this causes the oops.\n\nThe patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle\nthe worst-case.\nBtw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464\nadditional bytes of memory."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:55:56.242Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/342f87d263462c2670b77ea9a32074cab2ac6fa1"
        },
        {
          "url": "https://git.kernel.org/stable/c/7522d7d745d13fbeff3350fe6aa56c8dae263571"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfb3f9d3f602602de208da7bdcc0f6d5ee74af68"
        },
        {
          "url": "https://git.kernel.org/stable/c/67a25ea28f8ec1da8894f2f115d01d3becf67dc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/07c020c6d14d29e5a3ea4e4576b8ecf956a80834"
        },
        {
          "url": "https://git.kernel.org/stable/c/34941321b516bd7c6103bd01287d71a1804d19d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/857282b819cbaa0675aaab1e7542e2c0579f52d7"
        }
      ],
      "title": "wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56593",
    "datePublished": "2024-12-27T14:51:00.466Z",
    "dateReserved": "2024-12-27T14:03:06.003Z",
    "dateUpdated": "2026-01-05T10:55:56.242Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56669 (GCVE-0-2024-56669)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-05-04 10:01

Title

iommu/vt-d: Remove cache tags before disabling ATS

Summary

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Remove cache tags before disabling ATS The current implementation removes cache tags after disabling ATS, leading to potential memory leaks and kernel crashes. Specifically, CACHE_TAG_DEVTLB type cache tags may still remain in the list even after the domain is freed, causing a use-after-free condition. This issue really shows up when multiple VFs from different PFs passed through to a single user-space process via vfio-pci. In such cases, the kernel may crash with kernel messages like: BUG: kernel NULL pointer dereference, address: 0000000000000014 PGD 19036a067 P4D 1940a3067 PUD 136c9b067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 74 UID: 0 PID: 3183 Comm: testCli Not tainted 6.11.9 #2 RIP: 0010:cache_tag_flush_range+0x9b/0x250 Call Trace: <TASK> ? __die+0x1f/0x60 ? page_fault_oops+0x163/0x590 ? exc_page_fault+0x72/0x190 ? asm_exc_page_fault+0x22/0x30 ? cache_tag_flush_range+0x9b/0x250 ? cache_tag_flush_range+0x5d/0x250 intel_iommu_tlb_sync+0x29/0x40 intel_iommu_unmap_pages+0xfe/0x160 __iommu_unmap+0xd8/0x1a0 vfio_unmap_unpin+0x182/0x340 [vfio_iommu_type1] vfio_remove_dma+0x2a/0xb0 [vfio_iommu_type1] vfio_iommu_type1_ioctl+0xafa/0x18e0 [vfio_iommu_type1] Move cache_tag_unassign_domain() before iommu_disable_pci_caps() to fix it.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9a0a72d3ed919ebe6…
	https://git.kernel.org/stable/c/1f2557e08a617a4b5…

Impacted products

Vendor

Product

Version

Linux

Affected: 3b1d9e2b2d6856eabf5faa12d20c97fef657999f , < 9a0a72d3ed919ebe6491f527630998be053151d8 (git)
Affected: 3b1d9e2b2d6856eabf5faa12d20c97fef657999f , < 1f2557e08a617a4b5e92a48a1a9a6f86621def18 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56669",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:33.499113Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:21.237Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/intel/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9a0a72d3ed919ebe6491f527630998be053151d8",
              "status": "affected",
              "version": "3b1d9e2b2d6856eabf5faa12d20c97fef657999f",
              "versionType": "git"
            },
            {
              "lessThan": "1f2557e08a617a4b5e92a48a1a9a6f86621def18",
              "status": "affected",
              "version": "3b1d9e2b2d6856eabf5faa12d20c97fef657999f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/intel/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Remove cache tags before disabling ATS\n\nThe current implementation removes cache tags after disabling ATS,\nleading to potential memory leaks and kernel crashes. Specifically,\nCACHE_TAG_DEVTLB type cache tags may still remain in the list even\nafter the domain is freed, causing a use-after-free condition.\n\nThis issue really shows up when multiple VFs from different PFs\npassed through to a single user-space process via vfio-pci. In such\ncases, the kernel may crash with kernel messages like:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000014\n PGD 19036a067 P4D 1940a3067 PUD 136c9b067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 74 UID: 0 PID: 3183 Comm: testCli Not tainted 6.11.9 #2\n RIP: 0010:cache_tag_flush_range+0x9b/0x250\n Call Trace:\n  \u003cTASK\u003e\n  ? __die+0x1f/0x60\n  ? page_fault_oops+0x163/0x590\n  ? exc_page_fault+0x72/0x190\n  ? asm_exc_page_fault+0x22/0x30\n  ? cache_tag_flush_range+0x9b/0x250\n  ? cache_tag_flush_range+0x5d/0x250\n  intel_iommu_tlb_sync+0x29/0x40\n  intel_iommu_unmap_pages+0xfe/0x160\n  __iommu_unmap+0xd8/0x1a0\n  vfio_unmap_unpin+0x182/0x340 [vfio_iommu_type1]\n  vfio_remove_dma+0x2a/0xb0 [vfio_iommu_type1]\n  vfio_iommu_type1_ioctl+0xafa/0x18e0 [vfio_iommu_type1]\n\nMove cache_tag_unassign_domain() before iommu_disable_pci_caps() to fix\nit."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:01:38.487Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9a0a72d3ed919ebe6491f527630998be053151d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f2557e08a617a4b5e92a48a1a9a6f86621def18"
        }
      ],
      "title": "iommu/vt-d: Remove cache tags before disabling ATS",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56669",
    "datePublished": "2024-12-27T15:06:30.792Z",
    "dateReserved": "2024-12-27T15:00:39.844Z",
    "dateUpdated": "2025-05-04T10:01:38.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56717 (GCVE-0-2024-56717)

Vulnerability from cvelistv5 – Published: 2024-12-29 08:48 – Updated: 2025-11-03 20:53

Title

net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic() Packets injected by the CPU should have a SRC_PORT field equal to the CPU port module index in the Analyzer block (ocelot->num_phys_ports). The blamed commit copied the ocelot_ifh_set_basic() call incorrectly from ocelot_xmit_common() in net/dsa/tag_ocelot.c. Instead of calling with "x", it calls with BIT_ULL(x), but the field is not a port mask, but rather a single port index. [ side note: this is the technical debt of code duplication :( ] The error used to be silent and doesn't appear to have other user-visible manifestations, but with new changes in the packing library, it now fails loudly as follows: ------------[ cut here ]------------ Cannot store 0x40 inside bits 46-43 - will truncate sja1105 spi2.0: xmit timed out WARNING: CPU: 1 PID: 102 at lib/packing.c:98 __pack+0x90/0x198 sja1105 spi2.0: timed out polling for tstamp CPU: 1 UID: 0 PID: 102 Comm: felix_xmit Tainted: G W N 6.13.0-rc1-00372-gf706b85d972d-dirty #2605 Call trace: __pack+0x90/0x198 (P) __pack+0x90/0x198 (L) packing+0x78/0x98 ocelot_ifh_set_basic+0x260/0x368 ocelot_port_inject_frame+0xa8/0x250 felix_port_deferred_xmit+0x14c/0x258 kthread_worker_fn+0x134/0x350 kthread+0x114/0x138 The code path pertains to the ocelot switchdev driver and to the felix secondary DSA tag protocol, ocelot-8021q. Here seen with ocelot-8021q. The messenger (packing) is not really to blame, so fix the original commit instead.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/59c4ca8d8d7918eb6…
	https://git.kernel.org/stable/c/2f3c62ffe88116cd2…
	https://git.kernel.org/stable/c/a8836eae3288c351a…
	https://git.kernel.org/stable/c/2d5df3a680ffdaf60…

Impacted products

Vendor

Product

Version

Linux

Affected: 06bcb9032e05ad717f9fd0a6e2fd3ae7f430fa31 , < 59c4ca8d8d7918eb6e2df91d2c254827264be309 (git)
Affected: ff7f554bbd75d5cbf00cded81d05147c6617e876 , < 2f3c62ffe88116cd2a39cd73e01103535599970f (git)
Affected: e1b9e80236c540fa85d76e2d510d1b38e1968c5d , < a8836eae3288c351acd3b2743d2fad2a4ee2bd56 (git)
Affected: e1b9e80236c540fa85d76e2d510d1b38e1968c5d , < 2d5df3a680ffdaf606baa10636bdb1daf757832e (git)
Affected: be3a532167dd562ec38900c846e7ae6cc39aa2f1 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.1.122 , ≤ 6.1.* (semver)
Unaffected: 6.6.68 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56717",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:58:31.484052Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:06.591Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:53:08.192Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mscc/ocelot.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "59c4ca8d8d7918eb6e2df91d2c254827264be309",
              "status": "affected",
              "version": "06bcb9032e05ad717f9fd0a6e2fd3ae7f430fa31",
              "versionType": "git"
            },
            {
              "lessThan": "2f3c62ffe88116cd2a39cd73e01103535599970f",
              "status": "affected",
              "version": "ff7f554bbd75d5cbf00cded81d05147c6617e876",
              "versionType": "git"
            },
            {
              "lessThan": "a8836eae3288c351acd3b2743d2fad2a4ee2bd56",
              "status": "affected",
              "version": "e1b9e80236c540fa85d76e2d510d1b38e1968c5d",
              "versionType": "git"
            },
            {
              "lessThan": "2d5df3a680ffdaf606baa10636bdb1daf757832e",
              "status": "affected",
              "version": "e1b9e80236c540fa85d76e2d510d1b38e1968c5d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "be3a532167dd562ec38900c846e7ae6cc39aa2f1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mscc/ocelot.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "6.1.107",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "6.6.48",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic()\n\nPackets injected by the CPU should have a SRC_PORT field equal to the\nCPU port module index in the Analyzer block (ocelot-\u003enum_phys_ports).\n\nThe blamed commit copied the ocelot_ifh_set_basic() call incorrectly\nfrom ocelot_xmit_common() in net/dsa/tag_ocelot.c. Instead of calling\nwith \"x\", it calls with BIT_ULL(x), but the field is not a port mask,\nbut rather a single port index.\n\n[ side note: this is the technical debt of code duplication :( ]\n\nThe error used to be silent and doesn\u0027t appear to have other\nuser-visible manifestations, but with new changes in the packing\nlibrary, it now fails loudly as follows:\n\n------------[ cut here ]------------\nCannot store 0x40 inside bits 46-43 - will truncate\nsja1105 spi2.0: xmit timed out\nWARNING: CPU: 1 PID: 102 at lib/packing.c:98 __pack+0x90/0x198\nsja1105 spi2.0: timed out polling for tstamp\nCPU: 1 UID: 0 PID: 102 Comm: felix_xmit\nTainted: G        W        N 6.13.0-rc1-00372-gf706b85d972d-dirty #2605\nCall trace:\n __pack+0x90/0x198 (P)\n __pack+0x90/0x198 (L)\n packing+0x78/0x98\n ocelot_ifh_set_basic+0x260/0x368\n ocelot_port_inject_frame+0xa8/0x250\n felix_port_deferred_xmit+0x14c/0x258\n kthread_worker_fn+0x134/0x350\n kthread+0x114/0x138\n\nThe code path pertains to the ocelot switchdev driver and to the felix\nsecondary DSA tag protocol, ocelot-8021q. Here seen with ocelot-8021q.\n\nThe messenger (packing) is not really to blame, so fix the original\ncommit instead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:16.931Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/59c4ca8d8d7918eb6e2df91d2c254827264be309"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f3c62ffe88116cd2a39cd73e01103535599970f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8836eae3288c351acd3b2743d2fad2a4ee2bd56"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d5df3a680ffdaf606baa10636bdb1daf757832e"
        }
      ],
      "title": "net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56717",
    "datePublished": "2024-12-29T08:48:49.958Z",
    "dateReserved": "2024-12-27T15:00:39.858Z",
    "dateUpdated": "2025-11-03T20:53:08.192Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57897 (GCVE-0-2024-57897)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-11-03 20:55

Title

drm/amdkfd: Correct the migration DMA map direction

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Correct the migration DMA map direction The SVM DMA device map direction should be set the same as the DMA unmap setting, otherwise the DMA core will report the following warning. Before finialize this solution, there're some discussion on the DMA mapping type(stream-based or coherent) in this KFD migration case, followed by https://lore.kernel.org/all/04d4ab32 -45a1-4b88-86ee-fb0f35a0ca40@amd.com/T/. As there's no dma_sync_single_for_*() in the DMA buffer accessed that because this migration operation should be sync properly and automatically. Give that there's might not be a performance problem in various cache sync policy of DMA sync. Therefore, in order to simplify the DMA direction setting alignment, let's set the DMA map direction as BIDIRECTIONAL. [ 150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930 [ 150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds [ 150.834310] wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii [ 150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G OE 6.10.0-custom #492 [ 150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 [ 150.834360] RIP: 0010:check_unmap+0x1cc/0x930 [ 150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff <0f> 0b 48 c7 c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50 [ 150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086 [ 150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027 [ 150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680 [ 150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850 [ 150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40 [ 150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b [ 150.834377] FS: 00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000 [ 150.834379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0 [ 150.834383] Call Trace: [ 150.834385] <TASK> [ 150.834387] ? show_regs+0x6d/0x80 [ 150.834393] ? __warn+0x8c/0x140 [ 150.834397] ? check_unmap+0x1cc/0x930 [ 150.834400] ? report_bug+0x193/0x1a0 [ 150.834406] ? handle_bug+0x46/0x80 [ 150.834410] ? exc_invalid_op+0x1d/0x80 [ 150.834413] ? asm_exc_invalid_op+0x1f/0x30 [ 150.834420] ? check_unmap+0x1cc/0x930 [ 150.834425] debug_dma_unmap_page+0x86/0x90 [ 150.834431] ? srso_return_thunk+0x5/0x5f [ 150.834435] ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/22d36ad92e5703e2e…
	https://git.kernel.org/stable/c/465b18e1c518e7995…
	https://git.kernel.org/stable/c/d0fafe701c6aca785…
	https://git.kernel.org/stable/c/de39f72953953ca7a…
	https://git.kernel.org/stable/c/5c3de6b02d38eb938…

Impacted products

Vendor

Product

Version

Linux

Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 22d36ad92e5703e2e9bdf228990c0999d5d53ea3 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 465b18e1c518e799593797d4603f4ab76de4e1d8 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < d0fafe701c6aca785cc8685f9f76fdc73e662f47 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < de39f72953953ca7a2630f9b80ccdfef40568746 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 5c3de6b02d38eb9386edf50490e050bb44398e40 (git)

Linux

Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:13.362Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_migrate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "22d36ad92e5703e2e9bdf228990c0999d5d53ea3",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "465b18e1c518e799593797d4603f4ab76de4e1d8",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "d0fafe701c6aca785cc8685f9f76fdc73e662f47",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "de39f72953953ca7a2630f9b80ccdfef40568746",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "5c3de6b02d38eb9386edf50490e050bb44398e40",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_migrate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Correct the migration DMA map direction\n\nThe SVM DMA device map direction should be set the same as\nthe DMA unmap setting, otherwise the DMA core will report\nthe following warning.\n\nBefore finialize this solution, there\u0027re some discussion on\nthe DMA mapping type(stream-based or coherent) in this KFD\nmigration case, followed by https://lore.kernel.org/all/04d4ab32\n-45a1-4b88-86ee-fb0f35a0ca40@amd.com/T/.\n\nAs there\u0027s no dma_sync_single_for_*() in the DMA buffer accessed\nthat because this migration operation should be sync properly and\nautomatically. Give that there\u0027s might not be a performance problem\nin various cache sync policy of DMA sync. Therefore, in order to\nsimplify the DMA direction setting alignment, let\u0027s set the DMA map\ndirection as BIDIRECTIONAL.\n\n[  150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930\n[  150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds\n[  150.834310]  wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii\n[  150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G           OE      6.10.0-custom #492\n[  150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021\n[  150.834360] RIP: 0010:check_unmap+0x1cc/0x930\n[  150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff \u003c0f\u003e 0b 48 c7 c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50\n[  150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086\n[  150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027\n[  150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680\n[  150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850\n[  150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40\n[  150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b\n[  150.834377] FS:  00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000\n[  150.834379] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0\n[  150.834383] Call Trace:\n[  150.834385]  \u003cTASK\u003e\n[  150.834387]  ? show_regs+0x6d/0x80\n[  150.834393]  ? __warn+0x8c/0x140\n[  150.834397]  ? check_unmap+0x1cc/0x930\n[  150.834400]  ? report_bug+0x193/0x1a0\n[  150.834406]  ? handle_bug+0x46/0x80\n[  150.834410]  ? exc_invalid_op+0x1d/0x80\n[  150.834413]  ? asm_exc_invalid_op+0x1f/0x30\n[  150.834420]  ? check_unmap+0x1cc/0x930\n[  150.834425]  debug_dma_unmap_page+0x86/0x90\n[  150.834431]  ? srso_return_thunk+0x5/0x5f\n[  150.834435] \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-16T08:02:58.372Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/22d36ad92e5703e2e9bdf228990c0999d5d53ea3"
        },
        {
          "url": "https://git.kernel.org/stable/c/465b18e1c518e799593797d4603f4ab76de4e1d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0fafe701c6aca785cc8685f9f76fdc73e662f47"
        },
        {
          "url": "https://git.kernel.org/stable/c/de39f72953953ca7a2630f9b80ccdfef40568746"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c3de6b02d38eb9386edf50490e050bb44398e40"
        }
      ],
      "title": "drm/amdkfd: Correct the migration DMA map direction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57897",
    "datePublished": "2025-01-15T13:05:49.033Z",
    "dateReserved": "2025-01-11T14:45:42.029Z",
    "dateUpdated": "2025-11-03T20:55:13.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56758 (GCVE-0-2024-56758)

Vulnerability from cvelistv5 – Published: 2025-01-06 16:20 – Updated: 2025-11-03 17:31

Title

btrfs: check folio mapping after unlock in relocate_one_folio()

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: check folio mapping after unlock in relocate_one_folio() When we call btrfs_read_folio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again. In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? set_page_extent_mapped+0x20/0xb0 relocate_file_extent_cluster+0x1a7/0x940 relocate_data_extent+0xaf/0x120 relocate_block_group+0x20f/0x480 btrfs_relocate_block_group+0x152/0x320 btrfs_relocate_chunk+0x3d/0x120 btrfs_reclaim_bgs_work+0x2ae/0x4e0 process_scheduled_works+0x184/0x370 worker_thread+0xc6/0x3e0 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20 </TASK> This occurs because cleanup_one_transaction() calls destroy_delalloc_inodes() which calls invalidate_inode_pages2() which takes the folio_lock before setting mapping to NULL. We fail to check this, and subsequently call set_extent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode) Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/36679fab54fa7bcff…
	https://git.kernel.org/stable/c/c7b1bd52a031ad014…
	https://git.kernel.org/stable/c/d508e56270389b3a1…
	https://git.kernel.org/stable/c/3e74859ee35edc33a…

Impacted products

Vendor

Product

Version

Linux

Affected: 08daa38ca212d87f77beae839bc9be71079c7abf , < 36679fab54fa7bcffafd469e2c474c1fc4beaee0 (git)
Affected: e7f1326cc24e22b38afc3acd328480a1183f9e79 , < c7b1bd52a031ad0144d42eef0ba8471ce75122dd (git)
Affected: e7f1326cc24e22b38afc3acd328480a1183f9e79 , < d508e56270389b3a16f5b3cf247f4eb1bbad1578 (git)
Affected: e7f1326cc24e22b38afc3acd328480a1183f9e79 , < 3e74859ee35edc33a022c3f3971df066ea0ca6b9 (git)
Affected: 9d1e020ed9649cf140fcfafd052cfdcce9e9d67d (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.8 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:25.624Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/relocation.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "36679fab54fa7bcffafd469e2c474c1fc4beaee0",
              "status": "affected",
              "version": "08daa38ca212d87f77beae839bc9be71079c7abf",
              "versionType": "git"
            },
            {
              "lessThan": "c7b1bd52a031ad0144d42eef0ba8471ce75122dd",
              "status": "affected",
              "version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
              "versionType": "git"
            },
            {
              "lessThan": "d508e56270389b3a16f5b3cf247f4eb1bbad1578",
              "status": "affected",
              "version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
              "versionType": "git"
            },
            {
              "lessThan": "3e74859ee35edc33a022c3f3971df066ea0ca6b9",
              "status": "affected",
              "version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9d1e020ed9649cf140fcfafd052cfdcce9e9d67d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/relocation.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "6.1.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: check folio mapping after unlock in relocate_one_folio()\n\nWhen we call btrfs_read_folio() to bring a folio uptodate, we unlock the\nfolio. The result of that is that a different thread can modify the\nmapping (like remove it with invalidate) before we call folio_lock().\nThis results in an invalid page and we need to try again.\n\nIn particular, if we are relocating concurrently with aborting a\ntransaction, this can result in a crash like the following:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP\n  CPU: 76 PID: 1411631 Comm: kworker/u322:5\n  Workqueue: events_unbound btrfs_reclaim_bgs_work\n  RIP: 0010:set_page_extent_mapped+0x20/0xb0\n  RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246\n  RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880\n  RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0\n  R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000\n  R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff\n  FS:  0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n  \u003cTASK\u003e\n  ? __die+0x78/0xc0\n  ? page_fault_oops+0x2a8/0x3a0\n  ? __switch_to+0x133/0x530\n  ? wq_worker_running+0xa/0x40\n  ? exc_page_fault+0x63/0x130\n  ? asm_exc_page_fault+0x22/0x30\n  ? set_page_extent_mapped+0x20/0xb0\n  relocate_file_extent_cluster+0x1a7/0x940\n  relocate_data_extent+0xaf/0x120\n  relocate_block_group+0x20f/0x480\n  btrfs_relocate_block_group+0x152/0x320\n  btrfs_relocate_chunk+0x3d/0x120\n  btrfs_reclaim_bgs_work+0x2ae/0x4e0\n  process_scheduled_works+0x184/0x370\n  worker_thread+0xc6/0x3e0\n  ? blk_add_timer+0xb0/0xb0\n  kthread+0xae/0xe0\n  ? flush_tlb_kernel_range+0x90/0x90\n  ret_from_fork+0x2f/0x40\n  ? flush_tlb_kernel_range+0x90/0x90\n  ret_from_fork_asm+0x11/0x20\n  \u003c/TASK\u003e\n\nThis occurs because cleanup_one_transaction() calls\ndestroy_delalloc_inodes() which calls invalidate_inode_pages2() which\ntakes the folio_lock before setting mapping to NULL. We fail to check\nthis, and subsequently call set_extent_mapping(), which assumes that\nmapping != NULL (in fact it asserts that in debug mode)\n\nNote that the \"fixes\" patch here is not the one that introduced the\nrace (the very first iteration of this code from 2009) but a more recent\nchange that made this particular crash happen in practice."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:21.079Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/36679fab54fa7bcffafd469e2c474c1fc4beaee0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7b1bd52a031ad0144d42eef0ba8471ce75122dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/d508e56270389b3a16f5b3cf247f4eb1bbad1578"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e74859ee35edc33a022c3f3971df066ea0ca6b9"
        }
      ],
      "title": "btrfs: check folio mapping after unlock in relocate_one_folio()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56758",
    "datePublished": "2025-01-06T16:20:38.942Z",
    "dateReserved": "2024-12-29T11:26:39.761Z",
    "dateUpdated": "2025-11-03T17:31:25.624Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21639 (GCVE-0-2025-21639)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:17 – Updated: 2025-11-03 20:58

Title

sctp: sysctl: rto_min/max: avoid using current->nsproxy

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: rto_min/max: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c8d179f3b1c1d60bf…
	https://git.kernel.org/stable/c/246428bfb9e7db15c…
	https://git.kernel.org/stable/c/0f78f09466744589e…
	https://git.kernel.org/stable/c/4059507e34aa5fe0f…
	https://git.kernel.org/stable/c/dc9d0e3cfd16f66fb…
	https://git.kernel.org/stable/c/c87f1f6ade56c711f…
	https://git.kernel.org/stable/c/9fc17b76fc7076378…

Impacted products

Vendor

Product

Version

Linux

Affected: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5 , < c8d179f3b1c1d60bf4484f50aa67b4c70f91bff9 (git)
Affected: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5 , < 246428bfb9e7db15c5cd08e1d0eca41b65af2b06 (git)
Affected: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5 , < 0f78f09466744589e420935e646ae78212a38290 (git)
Affected: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5 , < 4059507e34aa5fe0fa9fd5b2b5f0c8b26ab2d482 (git)
Affected: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5 , < dc9d0e3cfd16f66fbf0862857c6b391c8613ca9f (git)
Affected: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5 , < c87f1f6ade56c711f8736901e330685b453e420e (git)
Affected: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5 , < 9fc17b76fc70763780aa78b38fcf4742384044a5 (git)

Linux

Affected: 3.13
Unaffected: 0 , < 3.13 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21639",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:07.301315Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:17.653Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:20.727Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c8d179f3b1c1d60bf4484f50aa67b4c70f91bff9",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "246428bfb9e7db15c5cd08e1d0eca41b65af2b06",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "0f78f09466744589e420935e646ae78212a38290",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "4059507e34aa5fe0fa9fd5b2b5f0c8b26ab2d482",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "dc9d0e3cfd16f66fbf0862857c6b391c8613ca9f",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "c87f1f6ade56c711f8736901e330685b453e420e",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "9fc17b76fc70763780aa78b38fcf4742384044a5",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: rto_min/max: avoid using current-\u003ensproxy\n\nAs mentioned in a previous commit of this series, using the \u0027net\u0027\nstructure via \u0027current\u0027 is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader\u0027s/writer\u0027s netns vs only\n  from the opener\u0027s netns.\n\n- current-\u003ensproxy can be NULL in some cases, resulting in an \u0027Oops\u0027\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe \u0027net\u0027 structure can be obtained from the table-\u003edata using\ncontainer_of().\n\nNote that table-\u003edata could also be used directly, as this is the only\nmember needed from the \u0027net\u0027 structure, but that would increase the size\nof this fix, to use \u0027*data\u0027 everywhere \u0027net-\u003esctp.rto_min/max\u0027 is used."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:01.510Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c8d179f3b1c1d60bf4484f50aa67b4c70f91bff9"
        },
        {
          "url": "https://git.kernel.org/stable/c/246428bfb9e7db15c5cd08e1d0eca41b65af2b06"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f78f09466744589e420935e646ae78212a38290"
        },
        {
          "url": "https://git.kernel.org/stable/c/4059507e34aa5fe0fa9fd5b2b5f0c8b26ab2d482"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc9d0e3cfd16f66fbf0862857c6b391c8613ca9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c87f1f6ade56c711f8736901e330685b453e420e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fc17b76fc70763780aa78b38fcf4742384044a5"
        }
      ],
      "title": "sctp: sysctl: rto_min/max: avoid using current-\u003ensproxy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21639",
    "datePublished": "2025-01-19T10:17:56.828Z",
    "dateReserved": "2024-12-29T08:45:45.727Z",
    "dateUpdated": "2025-11-03T20:58:20.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56719 (GCVE-0-2024-56719)

Vulnerability from cvelistv5 – Published: 2024-12-29 08:48 – Updated: 2025-10-01 20:07

Title

net: stmmac: fix TSO DMA API usage causing oops

Summary

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix TSO DMA API usage causing oops Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s members to be later in stmmac_tso_xmit(). The buf (dma cookie) and len stored in this structure are passed to dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that the dma cookie passed to dma_unmap_single() is the same as the value returned from dma_map_single(). However, by moving the assignment later, this is not the case when priv->dma_cap.addr64 > 32 as "des" is offset by proto_hdr_len. This causes problems such as: dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed and with DMA_API_DEBUG enabled: DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes] Fix this by maintaining "des" as the original DMA cookie, and use tso_des to pass the offset DMA cookie to stmmac_tso_allocator(). Full details of the crashes can be found at: https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/db3667c9bbfbbf5de…
	https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a…
	https://git.kernel.org/stable/c/4c49f38e20a57f8ab…

Impacted products

Vendor

Product

Version

Linux

Affected: 07c9c26e37542486e34d767505e842f48f29c3f6 , < db3667c9bbfbbf5de98e6c9542f7e03fb5243286 (git)
Affected: 66600fac7a984dea4ae095411f644770b2561ede , < 9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2 (git)
Affected: 66600fac7a984dea4ae095411f644770b2561ede , < 4c49f38e20a57f8abaebdf95b369295b153d1f8e (git)
Affected: ece593fc9c00741b682869d3f3dc584d37b7c9df (git)
Affected: a3ff23f7c3f0e13f718900803e090fd3997d6bc9 (git)
Affected: 58d23d835eb498336716cca55b5714191a309286 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.6.68 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56719",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:58:24.752519Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:06.268Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db3667c9bbfbbf5de98e6c9542f7e03fb5243286",
              "status": "affected",
              "version": "07c9c26e37542486e34d767505e842f48f29c3f6",
              "versionType": "git"
            },
            {
              "lessThan": "9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2",
              "status": "affected",
              "version": "66600fac7a984dea4ae095411f644770b2561ede",
              "versionType": "git"
            },
            {
              "lessThan": "4c49f38e20a57f8abaebdf95b369295b153d1f8e",
              "status": "affected",
              "version": "66600fac7a984dea4ae095411f644770b2561ede",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ece593fc9c00741b682869d3f3dc584d37b7c9df",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a3ff23f7c3f0e13f718900803e090fd3997d6bc9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "58d23d835eb498336716cca55b5714191a309286",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "6.6.60",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.171",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.116",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix TSO DMA API usage causing oops\n\nCommit 66600fac7a98 (\"net: stmmac: TSO: Fix unbalanced DMA map/unmap\nfor non-paged SKB data\") moved the assignment of tx_skbuff_dma[]\u0027s\nmembers to be later in stmmac_tso_xmit().\n\nThe buf (dma cookie) and len stored in this structure are passed to\ndma_unmap_single() by stmmac_tx_clean(). The DMA API requires that\nthe dma cookie passed to dma_unmap_single() is the same as the value\nreturned from dma_map_single(). However, by moving the assignment\nlater, this is not the case when priv-\u003edma_cap.addr64 \u003e 32 as \"des\"\nis offset by proto_hdr_len.\n\nThis causes problems such as:\n\n  dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed\n\nand with DMA_API_DEBUG enabled:\n\n  DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]\n\nFix this by maintaining \"des\" as the original DMA cookie, and use\ntso_des to pass the offset DMA cookie to stmmac_tso_allocator().\n\nFull details of the crashes can be found at:\nhttps://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/\nhttps://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:18.123Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db3667c9bbfbbf5de98e6c9542f7e03fb5243286"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c49f38e20a57f8abaebdf95b369295b153d1f8e"
        }
      ],
      "title": "net: stmmac: fix TSO DMA API usage causing oops",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56719",
    "datePublished": "2024-12-29T08:48:51.495Z",
    "dateReserved": "2024-12-27T15:00:39.858Z",
    "dateUpdated": "2025-10-01T20:07:06.268Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21654 (GCVE-0-2025-21654)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:18 – Updated: 2025-05-04 07:18

Title

ovl: support encoding fid from inode with no alias

Summary

In the Linux kernel, the following vulnerability has been resolved: ovl: support encoding fid from inode with no alias Dmitry Safonov reported that a WARN_ON() assertion can be trigered by userspace when calling inotify_show_fdinfo() for an overlayfs watched inode, whose dentry aliases were discarded with drop_caches. The WARN_ON() assertion in inotify_show_fdinfo() was removed, because it is possible for encoding file handle to fail for other reason, but the impact of failing to encode an overlayfs file handle goes beyond this assertion. As shown in the LTP test case mentioned in the link below, failure to encode an overlayfs file handle from a non-aliased inode also leads to failure to report an fid with FAN_DELETE_SELF fanotify events. As Dmitry notes in his analyzis of the problem, ovl_encode_fh() fails if it cannot find an alias for the inode, but this failure can be fixed. ovl_encode_fh() seldom uses the alias and in the case of non-decodable file handles, as is often the case with fanotify fid info, ovl_encode_fh() never needs to use the alias to encode a file handle. Defer finding an alias until it is actually needed so ovl_encode_fh() will not fail in the common case of FAN_DELETE_SELF fanotify events.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f0c0ac84de17c37e6…
	https://git.kernel.org/stable/c/3c7c90274ae339e1a…
	https://git.kernel.org/stable/c/c45beebfde34aa71a…

Impacted products

Vendor

Product

Version

Linux

Affected: 16aac5ad1fa94894b798dd522c5c3a6a0628d7f0 , < f0c0ac84de17c37e6e84da65fb920f91dada55ad (git)
Affected: 16aac5ad1fa94894b798dd522c5c3a6a0628d7f0 , < 3c7c90274ae339e1ad443c9be1c67a20b80b9c76 (git)
Affected: 16aac5ad1fa94894b798dd522c5c3a6a0628d7f0 , < c45beebfde34aa71afbc48b2c54cdda623515037 (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.74 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f0c0ac84de17c37e6e84da65fb920f91dada55ad",
              "status": "affected",
              "version": "16aac5ad1fa94894b798dd522c5c3a6a0628d7f0",
              "versionType": "git"
            },
            {
              "lessThan": "3c7c90274ae339e1ad443c9be1c67a20b80b9c76",
              "status": "affected",
              "version": "16aac5ad1fa94894b798dd522c5c3a6a0628d7f0",
              "versionType": "git"
            },
            {
              "lessThan": "c45beebfde34aa71afbc48b2c54cdda623515037",
              "status": "affected",
              "version": "16aac5ad1fa94894b798dd522c5c3a6a0628d7f0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: support encoding fid from inode with no alias\n\nDmitry Safonov reported that a WARN_ON() assertion can be trigered by\nuserspace when calling inotify_show_fdinfo() for an overlayfs watched\ninode, whose dentry aliases were discarded with drop_caches.\n\nThe WARN_ON() assertion in inotify_show_fdinfo() was removed, because\nit is possible for encoding file handle to fail for other reason, but\nthe impact of failing to encode an overlayfs file handle goes beyond\nthis assertion.\n\nAs shown in the LTP test case mentioned in the link below, failure to\nencode an overlayfs file handle from a non-aliased inode also leads to\nfailure to report an fid with FAN_DELETE_SELF fanotify events.\n\nAs Dmitry notes in his analyzis of the problem, ovl_encode_fh() fails\nif it cannot find an alias for the inode, but this failure can be fixed.\novl_encode_fh() seldom uses the alias and in the case of non-decodable\nfile handles, as is often the case with fanotify fid info,\novl_encode_fh() never needs to use the alias to encode a file handle.\n\nDefer finding an alias until it is actually needed so ovl_encode_fh()\nwill not fail in the common case of FAN_DELETE_SELF fanotify events."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:19.475Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f0c0ac84de17c37e6e84da65fb920f91dada55ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c7c90274ae339e1ad443c9be1c67a20b80b9c76"
        },
        {
          "url": "https://git.kernel.org/stable/c/c45beebfde34aa71afbc48b2c54cdda623515037"
        }
      ],
      "title": "ovl: support encoding fid from inode with no alias",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21654",
    "datePublished": "2025-01-19T10:18:11.104Z",
    "dateReserved": "2024-12-29T08:45:45.729Z",
    "dateUpdated": "2025-05-04T07:18:19.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56552 (GCVE-0-2024-56552)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:22 – Updated: 2025-05-04 09:58

Title

drm/xe/guc_submit: fix race around suspend_pending

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc_submit: fix race around suspend_pending Currently in some testcases we can trigger: xe 0000:03:00.0: [drm] Assertion `exec_queue_destroyed(q)` failed! .... WARNING: CPU: 18 PID: 2640 at drivers/gpu/drm/xe/xe_guc_submit.c:1826 xe_guc_sched_done_handler+0xa54/0xef0 [xe] xe 0000:03:00.0: [drm] *ERROR* GT1: DEREGISTER_DONE: Unexpected engine state 0x00a1, guc_id=57 Looking at a snippet of corresponding ftrace for this GuC id we can see: 162.673311: xe_sched_msg_add: dev=0000:03:00.0, gt=1 guc_id=57, opcode=3 162.673317: xe_sched_msg_recv: dev=0000:03:00.0, gt=1 guc_id=57, opcode=3 162.673319: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0 162.674089: xe_exec_queue_kill: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0 162.674108: xe_exec_queue_close: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0 162.674488: xe_exec_queue_scheduling_done: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0 162.678452: xe_exec_queue_deregister: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa1, flags=0x0 It looks like we try to suspend the queue (opcode=3), setting suspend_pending and triggering a disable_scheduling. The user then closes the queue. However the close will also forcefully signal the suspend fence after killing the queue, later when the G2H response for disable_scheduling comes back we have now cleared suspend_pending when signalling the suspend fence, so the disable_scheduling now incorrectly tries to also deregister the queue. This leads to warnings since the queue has yet to even be marked for destruction. We also seem to trigger errors later with trying to double unregister the same queue. To fix this tweak the ordering when handling the response to ensure we don't race with a disable_scheduling that didn't actually intend to perform an unregister. The destruction path should now also correctly wait for any pending_disable before marking as destroyed. (cherry picked from commit f161809b362f027b6d72bd998e47f8f0bad60a2e)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5ddcb50b700221fa7…
	https://git.kernel.org/stable/c/87651f31ae4e6e6e7…

Impacted products

Vendor

Product

Version

Linux

Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 5ddcb50b700221fa7d7be2adcb3d7d7afe8633dd (git)
Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 87651f31ae4e6e6e7e6c7270b9b469405e747407 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_guc_submit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5ddcb50b700221fa7d7be2adcb3d7d7afe8633dd",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            },
            {
              "lessThan": "87651f31ae4e6e6e7e6c7270b9b469405e747407",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_guc_submit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc_submit: fix race around suspend_pending\n\nCurrently in some testcases we can trigger:\n\nxe 0000:03:00.0: [drm] Assertion `exec_queue_destroyed(q)` failed!\n....\nWARNING: CPU: 18 PID: 2640 at drivers/gpu/drm/xe/xe_guc_submit.c:1826 xe_guc_sched_done_handler+0xa54/0xef0 [xe]\nxe 0000:03:00.0: [drm] *ERROR* GT1: DEREGISTER_DONE: Unexpected engine state 0x00a1, guc_id=57\n\nLooking at a snippet of corresponding ftrace for this GuC id we can see:\n\n162.673311: xe_sched_msg_add:     dev=0000:03:00.0, gt=1 guc_id=57, opcode=3\n162.673317: xe_sched_msg_recv:    dev=0000:03:00.0, gt=1 guc_id=57, opcode=3\n162.673319: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0\n162.674089: xe_exec_queue_kill:   dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0\n162.674108: xe_exec_queue_close:  dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0\n162.674488: xe_exec_queue_scheduling_done: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0\n162.678452: xe_exec_queue_deregister: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa1, flags=0x0\n\nIt looks like we try to suspend the queue (opcode=3), setting\nsuspend_pending and triggering a disable_scheduling. The user then\ncloses the queue. However the close will also forcefully signal the\nsuspend fence after killing the queue, later when the G2H response for\ndisable_scheduling comes back we have now cleared suspend_pending when\nsignalling the suspend fence, so the disable_scheduling now incorrectly\ntries to also deregister the queue. This leads to warnings since the queue\nhas yet to even be marked for destruction. We also seem to trigger\nerrors later with trying to double unregister the same queue.\n\nTo fix this tweak the ordering when handling the response to ensure we\ndon\u0027t race with a disable_scheduling that didn\u0027t actually intend to\nperform an unregister.  The destruction path should now also correctly\nwait for any pending_disable before marking as destroyed.\n\n(cherry picked from commit f161809b362f027b6d72bd998e47f8f0bad60a2e)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:10.137Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5ddcb50b700221fa7d7be2adcb3d7d7afe8633dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/87651f31ae4e6e6e7e6c7270b9b469405e747407"
        }
      ],
      "title": "drm/xe/guc_submit: fix race around suspend_pending",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56552",
    "datePublished": "2024-12-27T14:22:54.140Z",
    "dateReserved": "2024-12-27T14:03:05.990Z",
    "dateUpdated": "2025-05-04T09:58:10.137Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57932 (GCVE-0-2024-57932)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:01 – Updated: 2025-05-04 10:06

Title

gve: guard XDP xmit NDO on existence of xdp queues

Summary

In the Linux kernel, the following vulnerability has been resolved: gve: guard XDP xmit NDO on existence of xdp queues In GVE, dedicated XDP queues only exist when an XDP program is installed and the interface is up. As such, the NDO XDP XMIT callback should return early if either of these conditions are false. In the case of no loaded XDP program, priv->num_xdp_queues=0 which can cause a divide-by-zero error, and in the case of interface down, num_xdp_queues remains untouched to persist XDP queue count for the next interface up, but the TX pointer itself would be NULL. The XDP xmit callback also needs to synchronize with a device transitioning from open to close. This synchronization will happen via the GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call, which waits for any RCU critical sections at call-time to complete.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cbe9eb2c39d09f3c8…
	https://git.kernel.org/stable/c/35f44eed5828cf1bc…
	https://git.kernel.org/stable/c/ff7c2dea9dd1a436f…

Impacted products

Vendor

Product

Version

Linux

Affected: 39a7f4aa3e4a7947614cf1d5c27abba3300adb1e , < cbe9eb2c39d09f3c8574febcfa39d8c09d0c7cb5 (git)
Affected: 39a7f4aa3e4a7947614cf1d5c27abba3300adb1e , < 35f44eed5828cf1bc7e760d1993ed8549ba41c7b (git)
Affected: 39a7f4aa3e4a7947614cf1d5c27abba3300adb1e , < ff7c2dea9dd1a436fc79d6273adffdcc4a7ffea3 (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/google/gve/gve_main.c",
            "drivers/net/ethernet/google/gve/gve_tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cbe9eb2c39d09f3c8574febcfa39d8c09d0c7cb5",
              "status": "affected",
              "version": "39a7f4aa3e4a7947614cf1d5c27abba3300adb1e",
              "versionType": "git"
            },
            {
              "lessThan": "35f44eed5828cf1bc7e760d1993ed8549ba41c7b",
              "status": "affected",
              "version": "39a7f4aa3e4a7947614cf1d5c27abba3300adb1e",
              "versionType": "git"
            },
            {
              "lessThan": "ff7c2dea9dd1a436fc79d6273adffdcc4a7ffea3",
              "status": "affected",
              "version": "39a7f4aa3e4a7947614cf1d5c27abba3300adb1e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/google/gve/gve_main.c",
            "drivers/net/ethernet/google/gve/gve_tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: guard XDP xmit NDO on existence of xdp queues\n\nIn GVE, dedicated XDP queues only exist when an XDP program is installed\nand the interface is up. As such, the NDO XDP XMIT callback should\nreturn early if either of these conditions are false.\n\nIn the case of no loaded XDP program, priv-\u003enum_xdp_queues=0 which can\ncause a divide-by-zero error, and in the case of interface down,\nnum_xdp_queues remains untouched to persist XDP queue count for the next\ninterface up, but the TX pointer itself would be NULL.\n\nThe XDP xmit callback also needs to synchronize with a device\ntransitioning from open to close. This synchronization will happen via\nthe GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call,\nwhich waits for any RCU critical sections at call-time to complete."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:56.476Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cbe9eb2c39d09f3c8574febcfa39d8c09d0c7cb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/35f44eed5828cf1bc7e760d1993ed8549ba41c7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff7c2dea9dd1a436fc79d6273adffdcc4a7ffea3"
        }
      ],
      "title": "gve: guard XDP xmit NDO on existence of xdp queues",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57932",
    "datePublished": "2025-01-21T12:01:29.212Z",
    "dateReserved": "2025-01-19T11:50:08.377Z",
    "dateUpdated": "2025-05-04T10:06:56.476Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56645 (GCVE-0-2024-56645)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

can: j1939: j1939_session_new(): fix skb reference counting

Summary

In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_session_new(): fix skb reference counting Since j1939_session_skb_queue() does an extra skb_get() for each new skb, do the same for the initial one in j1939_session_new() to avoid refcount underflow. [mkl: clean up commit message]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/224e606a8d8e8c7db…
	https://git.kernel.org/stable/c/b3282c2bebeeb82ce…
	https://git.kernel.org/stable/c/4199dd78a59896e09…
	https://git.kernel.org/stable/c/f117cba69cbbd496b…
	https://git.kernel.org/stable/c/426d94815e12b6bdb…
	https://git.kernel.org/stable/c/68fceb143b635cdc5…
	https://git.kernel.org/stable/c/a8c695005bfe6569a…

Impacted products

Vendor

Product

Version

Linux

Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 224e606a8d8e8c7db94036272c47a37455667313 (git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < b3282c2bebeeb82ceec492ee4972f51ee7a4a132 (git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 4199dd78a59896e091d3a7a05a77451aa7fd724d (git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < f117cba69cbbd496babb3defcdf440df4fd6fe14 (git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 426d94815e12b6bdb9a75af294fbbafb9301601d (git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 68fceb143b635cdc59fed3896d5910aff38f345e (git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < a8c695005bfe6569acd73d777ca298ddddd66105 (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:51.200Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/can/j1939/transport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "224e606a8d8e8c7db94036272c47a37455667313",
              "status": "affected",
              "version": "9d71dd0c70099914fcd063135da3c580865e924c",
              "versionType": "git"
            },
            {
              "lessThan": "b3282c2bebeeb82ceec492ee4972f51ee7a4a132",
              "status": "affected",
              "version": "9d71dd0c70099914fcd063135da3c580865e924c",
              "versionType": "git"
            },
            {
              "lessThan": "4199dd78a59896e091d3a7a05a77451aa7fd724d",
              "status": "affected",
              "version": "9d71dd0c70099914fcd063135da3c580865e924c",
              "versionType": "git"
            },
            {
              "lessThan": "f117cba69cbbd496babb3defcdf440df4fd6fe14",
              "status": "affected",
              "version": "9d71dd0c70099914fcd063135da3c580865e924c",
              "versionType": "git"
            },
            {
              "lessThan": "426d94815e12b6bdb9a75af294fbbafb9301601d",
              "status": "affected",
              "version": "9d71dd0c70099914fcd063135da3c580865e924c",
              "versionType": "git"
            },
            {
              "lessThan": "68fceb143b635cdc59fed3896d5910aff38f345e",
              "status": "affected",
              "version": "9d71dd0c70099914fcd063135da3c580865e924c",
              "versionType": "git"
            },
            {
              "lessThan": "a8c695005bfe6569acd73d777ca298ddddd66105",
              "status": "affected",
              "version": "9d71dd0c70099914fcd063135da3c580865e924c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/can/j1939/transport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: j1939_session_new(): fix skb reference counting\n\nSince j1939_session_skb_queue() does an extra skb_get() for each new\nskb, do the same for the initial one in j1939_session_new() to avoid\nrefcount underflow.\n\n[mkl: clean up commit message]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:55.403Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/224e606a8d8e8c7db94036272c47a37455667313"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3282c2bebeeb82ceec492ee4972f51ee7a4a132"
        },
        {
          "url": "https://git.kernel.org/stable/c/4199dd78a59896e091d3a7a05a77451aa7fd724d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f117cba69cbbd496babb3defcdf440df4fd6fe14"
        },
        {
          "url": "https://git.kernel.org/stable/c/426d94815e12b6bdb9a75af294fbbafb9301601d"
        },
        {
          "url": "https://git.kernel.org/stable/c/68fceb143b635cdc59fed3896d5910aff38f345e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8c695005bfe6569acd73d777ca298ddddd66105"
        }
      ],
      "title": "can: j1939: j1939_session_new(): fix skb reference counting",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56645",
    "datePublished": "2024-12-27T15:02:46.531Z",
    "dateReserved": "2024-12-27T15:00:39.840Z",
    "dateUpdated": "2025-11-03T20:51:51.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56623 (GCVE-0-2024-56623)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-11-03 20:51

Title

scsi: qla2xxx: Fix use after free on unload

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix use after free on unload System crash is observed with stack trace warning of use after free. There are 2 signals to tell dpc_thread to terminate (UNLOADING flag and kthread_stop). On setting the UNLOADING flag when dpc_thread happens to run at the time and sees the flag, this causes dpc_thread to exit and clean up itself. When kthread_stop is called for final cleanup, this causes use after free. Remove UNLOADING signal to terminate dpc_thread. Use the kthread_stop as the main signal to exit dpc_thread. [596663.812935] kernel BUG at mm/slub.c:294! [596663.812950] invalid opcode: 0000 [#1] SMP PTI [596663.812957] CPU: 13 PID: 1475935 Comm: rmmod Kdump: loaded Tainted: G IOE --------- - - 4.18.0-240.el8.x86_64 #1 [596663.812960] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/20/2012 [596663.812974] RIP: 0010:__slab_free+0x17d/0x360 ... [596663.813008] Call Trace: [596663.813022] ? __dentry_kill+0x121/0x170 [596663.813030] ? _cond_resched+0x15/0x30 [596663.813034] ? _cond_resched+0x15/0x30 [596663.813039] ? wait_for_completion+0x35/0x190 [596663.813048] ? try_to_wake_up+0x63/0x540 [596663.813055] free_task+0x5a/0x60 [596663.813061] kthread_stop+0xf3/0x100 [596663.813103] qla2x00_remove_one+0x284/0x440 [qla2xxx]

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/12f04fc8580eafb05…
	https://git.kernel.org/stable/c/ca36d9d53745d5ec8…
	https://git.kernel.org/stable/c/b3e6f25176f248762…
	https://git.kernel.org/stable/c/15369e774f27ec790…
	https://git.kernel.org/stable/c/6abf16d3c915b2feb…
	https://git.kernel.org/stable/c/07c903db0a2ff84b6…

Impacted products

Vendor

Product

Version

Linux

Affected: a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0 , < 12f04fc8580eafb0510f805749553eb6213f323e (git)
Affected: a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0 , < ca36d9d53745d5ec8946ef85006d4da605ea7c54 (git)
Affected: a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0 , < b3e6f25176f248762a24d25ab8cf8c5e90874f80 (git)
Affected: a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0 , < 15369e774f27ec790f207de87c0b541e3f90b22d (git)
Affected: a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0 , < 6abf16d3c915b2feb68c1c8b25fcb71b13f98478 (git)
Affected: a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0 , < 07c903db0a2ff84b68efa1a74a4de353ea591eb0 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56623",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T18:05:37.705416Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T18:05:45.283Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:12.545Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/qla2xxx/qla_os.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "12f04fc8580eafb0510f805749553eb6213f323e",
              "status": "affected",
              "version": "a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0",
              "versionType": "git"
            },
            {
              "lessThan": "ca36d9d53745d5ec8946ef85006d4da605ea7c54",
              "status": "affected",
              "version": "a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0",
              "versionType": "git"
            },
            {
              "lessThan": "b3e6f25176f248762a24d25ab8cf8c5e90874f80",
              "status": "affected",
              "version": "a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0",
              "versionType": "git"
            },
            {
              "lessThan": "15369e774f27ec790f207de87c0b541e3f90b22d",
              "status": "affected",
              "version": "a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0",
              "versionType": "git"
            },
            {
              "lessThan": "6abf16d3c915b2feb68c1c8b25fcb71b13f98478",
              "status": "affected",
              "version": "a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0",
              "versionType": "git"
            },
            {
              "lessThan": "07c903db0a2ff84b68efa1a74a4de353ea591eb0",
              "status": "affected",
              "version": "a29b3dd7aa14facc902b40b8b5c4dccbfb2ad7d0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/qla2xxx/qla_os.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix use after free on unload\n\nSystem crash is observed with stack trace warning of use after\nfree. There are 2 signals to tell dpc_thread to terminate (UNLOADING\nflag and kthread_stop).\n\nOn setting the UNLOADING flag when dpc_thread happens to run at the time\nand sees the flag, this causes dpc_thread to exit and clean up\nitself. When kthread_stop is called for final cleanup, this causes use\nafter free.\n\nRemove UNLOADING signal to terminate dpc_thread.  Use the kthread_stop\nas the main signal to exit dpc_thread.\n\n[596663.812935] kernel BUG at mm/slub.c:294!\n[596663.812950] invalid opcode: 0000 [#1] SMP PTI\n[596663.812957] CPU: 13 PID: 1475935 Comm: rmmod Kdump: loaded Tainted: G          IOE    --------- -  - 4.18.0-240.el8.x86_64 #1\n[596663.812960] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/20/2012\n[596663.812974] RIP: 0010:__slab_free+0x17d/0x360\n\n...\n[596663.813008] Call Trace:\n[596663.813022]  ? __dentry_kill+0x121/0x170\n[596663.813030]  ? _cond_resched+0x15/0x30\n[596663.813034]  ? _cond_resched+0x15/0x30\n[596663.813039]  ? wait_for_completion+0x35/0x190\n[596663.813048]  ? try_to_wake_up+0x63/0x540\n[596663.813055]  free_task+0x5a/0x60\n[596663.813061]  kthread_stop+0xf3/0x100\n[596663.813103]  qla2x00_remove_one+0x284/0x440 [qla2xxx]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-21T09:13:43.332Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/12f04fc8580eafb0510f805749553eb6213f323e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca36d9d53745d5ec8946ef85006d4da605ea7c54"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3e6f25176f248762a24d25ab8cf8c5e90874f80"
        },
        {
          "url": "https://git.kernel.org/stable/c/15369e774f27ec790f207de87c0b541e3f90b22d"
        },
        {
          "url": "https://git.kernel.org/stable/c/6abf16d3c915b2feb68c1c8b25fcb71b13f98478"
        },
        {
          "url": "https://git.kernel.org/stable/c/07c903db0a2ff84b68efa1a74a4de353ea591eb0"
        }
      ],
      "title": "scsi: qla2xxx: Fix use after free on unload",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56623",
    "datePublished": "2024-12-27T14:51:26.484Z",
    "dateReserved": "2024-12-27T14:03:06.017Z",
    "dateUpdated": "2025-11-03T20:51:12.545Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56760 (GCVE-0-2024-56760)

Vulnerability from cvelistv5 – Published: 2025-01-06 16:20 – Updated: 2025-10-01 20:07

Title

PCI/MSI: Handle lack of irqdomain gracefully

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI/MSI: Handle lack of irqdomain gracefully Alexandre observed a warning emitted from pci_msi_setup_msi_irqs() on a RISCV platform which does not provide PCI/MSI support: WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32 __pci_enable_msix_range+0x30c/0x596 pci_msi_setup_msi_irqs+0x2c/0x32 pci_alloc_irq_vectors_affinity+0xb8/0xe2 RISCV uses hierarchical interrupt domains and correctly does not implement the legacy fallback. The warning triggers from the legacy fallback stub. That warning is bogus as the PCI/MSI layer knows whether a PCI/MSI parent domain is associated with the device or not. There is a check for MSI-X, which has a legacy assumption. But that legacy fallback assumption is only valid when legacy support is enabled, but otherwise the check should simply return -ENOTSUPP. Loongarch tripped over the same problem and blindly enabled legacy support without implementing the legacy fallbacks. There are weak implementations which return an error, so the problem was papered over. Correct pci_msi_domain_supports() to evaluate the legacy mode and add the missing supported check into the MSI enable path to complete it.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b1f7476e07b93d65a…
	https://git.kernel.org/stable/c/aed157301c659a48f…
	https://git.kernel.org/stable/c/a60b990798eb17433…

Impacted products

Vendor

Product

Version

Linux

Affected: d2a463b297415ca6dd4d60bb1c867dd7c931587b , < b1f7476e07b93d65a1a3643dcb4a7bed80d4328d (git)
Affected: d2a463b297415ca6dd4d60bb1c867dd7c931587b , < aed157301c659a48f5564cc4568cf0e5c8831af0 (git)
Affected: d2a463b297415ca6dd4d60bb1c867dd7c931587b , < a60b990798eb17433d0283788280422b1bd94b18 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.69 , ≤ 6.6.* (semver)
Unaffected: 6.12.8 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56760",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:57:01.453148Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:01.138Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/msi/irqdomain.c",
            "drivers/pci/msi/msi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b1f7476e07b93d65a1a3643dcb4a7bed80d4328d",
              "status": "affected",
              "version": "d2a463b297415ca6dd4d60bb1c867dd7c931587b",
              "versionType": "git"
            },
            {
              "lessThan": "aed157301c659a48f5564cc4568cf0e5c8831af0",
              "status": "affected",
              "version": "d2a463b297415ca6dd4d60bb1c867dd7c931587b",
              "versionType": "git"
            },
            {
              "lessThan": "a60b990798eb17433d0283788280422b1bd94b18",
              "status": "affected",
              "version": "d2a463b297415ca6dd4d60bb1c867dd7c931587b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/msi/irqdomain.c",
            "drivers/pci/msi/msi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.69",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.69",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/MSI: Handle lack of irqdomain gracefully\n\nAlexandre observed a warning emitted from pci_msi_setup_msi_irqs() on a\nRISCV platform which does not provide PCI/MSI support:\n\n WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32\n __pci_enable_msix_range+0x30c/0x596\n pci_msi_setup_msi_irqs+0x2c/0x32\n pci_alloc_irq_vectors_affinity+0xb8/0xe2\n\nRISCV uses hierarchical interrupt domains and correctly does not implement\nthe legacy fallback. The warning triggers from the legacy fallback stub.\n\nThat warning is bogus as the PCI/MSI layer knows whether a PCI/MSI parent\ndomain is associated with the device or not. There is a check for MSI-X,\nwhich has a legacy assumption. But that legacy fallback assumption is only\nvalid when legacy support is enabled, but otherwise the check should simply\nreturn -ENOTSUPP.\n\nLoongarch tripped over the same problem and blindly enabled legacy support\nwithout implementing the legacy fallbacks. There are weak implementations\nwhich return an error, so the problem was papered over.\n\nCorrect pci_msi_domain_supports() to evaluate the legacy mode and add\nthe missing supported check into the MSI enable path to complete it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:06.439Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b1f7476e07b93d65a1a3643dcb4a7bed80d4328d"
        },
        {
          "url": "https://git.kernel.org/stable/c/aed157301c659a48f5564cc4568cf0e5c8831af0"
        },
        {
          "url": "https://git.kernel.org/stable/c/a60b990798eb17433d0283788280422b1bd94b18"
        }
      ],
      "title": "PCI/MSI: Handle lack of irqdomain gracefully",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56760",
    "datePublished": "2025-01-06T16:20:40.369Z",
    "dateReserved": "2024-12-29T11:26:39.761Z",
    "dateUpdated": "2025-10-01T20:07:01.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57896 (GCVE-0-2024-57896)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2026-01-05 10:56

Title

btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount During the unmount path, at close_ctree(), we first stop the cleaner kthread, using kthread_stop() which frees the associated task_struct, and then stop and destroy all the work queues. However after we stopped the cleaner we may still have a worker from the delalloc_workers queue running inode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(), which in turn tries to wake up the cleaner kthread - which was already destroyed before, resulting in a use-after-free on the task_struct. Syzbot reported this with the following stack traces: BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: btrfs-delalloc btrfs_work_helper Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205 submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615 run_ordered_work fs/btrfs/async-thread.c:288 [inline] btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 2: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4104 [inline] slab_alloc_node mm/slub.c:4153 [inline] kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205 alloc_task_struct_node kernel/fork.c:180 [inline] dup_task_struct+0x57/0x8c0 kernel/fork.c:1113 copy_process+0x5d1/0x3d50 kernel/fork.c:2225 kernel_clone+0x223/0x870 kernel/fork.c:2807 kernel_thread+0x1bc/0x240 kernel/fork.c:2869 create_kthread kernel/kthread.c:412 [inline] kthreadd+0x60d/0x810 kernel/kthread.c:767 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 24: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kmem_cache_free+0x195/0x410 mm/slub.c:4700 put_task_struct include/linux/sched/task.h:144 [inline] delayed_put_task_struct+0x125/0x300 kernel/exit.c:227 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:943 ---truncated---

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a2718ed1eb8c3611b…
	https://git.kernel.org/stable/c/63f4b594a688bf922…
	https://git.kernel.org/stable/c/1ea629e7bb2fb4055…
	https://git.kernel.org/stable/c/35916b2f96505a18d…
	https://git.kernel.org/stable/c/d77a3a99b53d12c06…
	https://git.kernel.org/stable/c/f10bef73fb355e3fc…

Impacted products

Vendor

Product

Version

Linux

Affected: fd340d0f68cc87badfc9efcb226f23a5428826a0 , < a2718ed1eb8c3611b63f8933c7e68c8821fe2808 (git)
Affected: fd340d0f68cc87badfc9efcb226f23a5428826a0 , < 63f4b594a688bf922e8691f0784679aa7af7988c (git)
Affected: fd340d0f68cc87badfc9efcb226f23a5428826a0 , < 1ea629e7bb2fb40555e5e01a1b5095df31287017 (git)
Affected: fd340d0f68cc87badfc9efcb226f23a5428826a0 , < 35916b2f96505a18dc7242a115611b718d9de725 (git)
Affected: fd340d0f68cc87badfc9efcb226f23a5428826a0 , < d77a3a99b53d12c061c007cdc96df38825dee476 (git)
Affected: fd340d0f68cc87badfc9efcb226f23a5428826a0 , < f10bef73fb355e3fc85e63a50386798be68ff486 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.10.233 , ≤ 5.10.* (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57896",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:40:57.951586Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:19.574Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:11.913Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/disk-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a2718ed1eb8c3611b63f8933c7e68c8821fe2808",
              "status": "affected",
              "version": "fd340d0f68cc87badfc9efcb226f23a5428826a0",
              "versionType": "git"
            },
            {
              "lessThan": "63f4b594a688bf922e8691f0784679aa7af7988c",
              "status": "affected",
              "version": "fd340d0f68cc87badfc9efcb226f23a5428826a0",
              "versionType": "git"
            },
            {
              "lessThan": "1ea629e7bb2fb40555e5e01a1b5095df31287017",
              "status": "affected",
              "version": "fd340d0f68cc87badfc9efcb226f23a5428826a0",
              "versionType": "git"
            },
            {
              "lessThan": "35916b2f96505a18dc7242a115611b718d9de725",
              "status": "affected",
              "version": "fd340d0f68cc87badfc9efcb226f23a5428826a0",
              "versionType": "git"
            },
            {
              "lessThan": "d77a3a99b53d12c061c007cdc96df38825dee476",
              "status": "affected",
              "version": "fd340d0f68cc87badfc9efcb226f23a5428826a0",
              "versionType": "git"
            },
            {
              "lessThan": "f10bef73fb355e3fc85e63a50386798be68ff486",
              "status": "affected",
              "version": "fd340d0f68cc87badfc9efcb226f23a5428826a0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/disk-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: flush delalloc workers queue before stopping cleaner kthread during unmount\n\nDuring the unmount path, at close_ctree(), we first stop the cleaner\nkthread, using kthread_stop() which frees the associated task_struct, and\nthen stop and destroy all the work queues. However after we stopped the\ncleaner we may still have a worker from the delalloc_workers queue running\ninode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(),\nwhich in turn tries to wake up the cleaner kthread - which was already\ndestroyed before, resulting in a use-after-free on the task_struct.\n\nSyzbot reported this with the following stack traces:\n\n  BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089\n  Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52\n\n  CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  Workqueue: btrfs-delalloc btrfs_work_helper\n  Call Trace:\n   \u003cTASK\u003e\n   __dump_stack lib/dump_stack.c:94 [inline]\n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:378 [inline]\n   print_report+0x169/0x550 mm/kasan/report.c:489\n   kasan_report+0x143/0x180 mm/kasan/report.c:602\n   __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089\n   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849\n   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\n   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\n   try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205\n   submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615\n   run_ordered_work fs/btrfs/async-thread.c:288 [inline]\n   btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324\n   process_one_work kernel/workqueue.c:3229 [inline]\n   process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\n   worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n   kthread+0x2f0/0x390 kernel/kthread.c:389\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n   \u003c/TASK\u003e\n\n  Allocated by task 2:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   unpoison_slab_object mm/kasan/common.c:319 [inline]\n   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\n   kasan_slab_alloc include/linux/kasan.h:250 [inline]\n   slab_post_alloc_hook mm/slub.c:4104 [inline]\n   slab_alloc_node mm/slub.c:4153 [inline]\n   kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205\n   alloc_task_struct_node kernel/fork.c:180 [inline]\n   dup_task_struct+0x57/0x8c0 kernel/fork.c:1113\n   copy_process+0x5d1/0x3d50 kernel/fork.c:2225\n   kernel_clone+0x223/0x870 kernel/fork.c:2807\n   kernel_thread+0x1bc/0x240 kernel/fork.c:2869\n   create_kthread kernel/kthread.c:412 [inline]\n   kthreadd+0x60d/0x810 kernel/kthread.c:767\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n  Freed by task 24:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n   poison_slab_object mm/kasan/common.c:247 [inline]\n   __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n   kasan_slab_free include/linux/kasan.h:233 [inline]\n   slab_free_hook mm/slub.c:2338 [inline]\n   slab_free mm/slub.c:4598 [inline]\n   kmem_cache_free+0x195/0x410 mm/slub.c:4700\n   put_task_struct include/linux/sched/task.h:144 [inline]\n   delayed_put_task_struct+0x125/0x300 kernel/exit.c:227\n   rcu_do_batch kernel/rcu/tree.c:2567 [inline]\n   rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823\n   handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554\n   run_ksoftirqd+0xca/0x130 kernel/softirq.c:943\n  \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:35.966Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a2718ed1eb8c3611b63f8933c7e68c8821fe2808"
        },
        {
          "url": "https://git.kernel.org/stable/c/63f4b594a688bf922e8691f0784679aa7af7988c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ea629e7bb2fb40555e5e01a1b5095df31287017"
        },
        {
          "url": "https://git.kernel.org/stable/c/35916b2f96505a18dc7242a115611b718d9de725"
        },
        {
          "url": "https://git.kernel.org/stable/c/d77a3a99b53d12c061c007cdc96df38825dee476"
        },
        {
          "url": "https://git.kernel.org/stable/c/f10bef73fb355e3fc85e63a50386798be68ff486"
        }
      ],
      "title": "btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57896",
    "datePublished": "2025-01-15T13:05:48.310Z",
    "dateReserved": "2025-01-11T14:45:42.029Z",
    "dateUpdated": "2026-01-05T10:56:35.966Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56636 (GCVE-0-2024-56636)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

geneve: do not assume mac header is set in geneve_xmit_skb()

Summary

In the Linux kernel, the following vulnerability has been resolved: geneve: do not assume mac header is set in geneve_xmit_skb() We should not assume mac header is set in output path. Use skb_eth_hdr() instead of eth_hdr() to fix the issue. sysbot reported the following : WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039 Modules linked in: CPU: 0 UID: 0 PID: 11635 Comm: syz.4.1423 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline] RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline] RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline] RIP: 0010:geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039 Code: 21 c6 02 e9 35 d4 ff ff e8 a5 48 4c fb 90 0f 0b 90 e9 fd f5 ff ff e8 97 48 4c fb 90 0f 0b 90 e9 d8 f5 ff ff e8 89 48 4c fb 90 <0f> 0b 90 e9 41 e4 ff ff e8 7b 48 4c fb 90 0f 0b 90 e9 cd e7 ff ff RSP: 0018:ffffc90003b2f870 EFLAGS: 00010283 RAX: 000000000000037a RBX: 000000000000ffff RCX: ffffc9000dc3d000 RDX: 0000000000080000 RSI: ffffffff86428417 RDI: 0000000000000003 RBP: ffffc90003b2f9f0 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000002 R12: ffff88806603c000 R13: 0000000000000000 R14: ffff8880685b2780 R15: 0000000000000e23 FS: 00007fdc2deed6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b30a1dff8 CR3: 0000000056b8c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] __dev_direct_xmit+0x58a/0x720 net/core/dev.c:4490 dev_direct_xmit include/linux/netdevice.h:3181 [inline] packet_xmit+0x1e4/0x360 net/packet/af_packet.c:285 packet_snd net/packet/af_packet.c:3146 [inline] packet_sendmsg+0x2700/0x5660 net/packet/af_packet.c:3178 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] __sys_sendto+0x488/0x4f0 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d9fa09ca004befe9c…
	https://git.kernel.org/stable/c/b65958284401016b9…
	https://git.kernel.org/stable/c/2ee7bdc7cb40abfe6…
	https://git.kernel.org/stable/c/97ce3a4ec55eac6b5…
	https://git.kernel.org/stable/c/177b72ed7c77b11e4…
	https://git.kernel.org/stable/c/8588c99c7d47448fc…

Impacted products

Vendor

Product

Version

Linux

Affected: a025fb5f49ad38cf749753b16fcd031d0d678f2b , < d9fa09ca004befe9cf826d6820439cb6f93cecd7 (git)
Affected: a025fb5f49ad38cf749753b16fcd031d0d678f2b , < b65958284401016b983078c68f70b047537f4aba (git)
Affected: a025fb5f49ad38cf749753b16fcd031d0d678f2b , < 2ee7bdc7cb40abfe658a71fbd10c7db2f4fc4f9a (git)
Affected: a025fb5f49ad38cf749753b16fcd031d0d678f2b , < 97ce3a4ec55eac6b5e2949ffb04028d604afda3b (git)
Affected: a025fb5f49ad38cf749753b16fcd031d0d678f2b , < 177b72ed7c77b11e46dd4336d73a87a77a5603af (git)
Affected: a025fb5f49ad38cf749753b16fcd031d0d678f2b , < 8588c99c7d47448fcae39e3227d6e2bb97aad86d (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:35.808Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/geneve.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d9fa09ca004befe9cf826d6820439cb6f93cecd7",
              "status": "affected",
              "version": "a025fb5f49ad38cf749753b16fcd031d0d678f2b",
              "versionType": "git"
            },
            {
              "lessThan": "b65958284401016b983078c68f70b047537f4aba",
              "status": "affected",
              "version": "a025fb5f49ad38cf749753b16fcd031d0d678f2b",
              "versionType": "git"
            },
            {
              "lessThan": "2ee7bdc7cb40abfe658a71fbd10c7db2f4fc4f9a",
              "status": "affected",
              "version": "a025fb5f49ad38cf749753b16fcd031d0d678f2b",
              "versionType": "git"
            },
            {
              "lessThan": "97ce3a4ec55eac6b5e2949ffb04028d604afda3b",
              "status": "affected",
              "version": "a025fb5f49ad38cf749753b16fcd031d0d678f2b",
              "versionType": "git"
            },
            {
              "lessThan": "177b72ed7c77b11e46dd4336d73a87a77a5603af",
              "status": "affected",
              "version": "a025fb5f49ad38cf749753b16fcd031d0d678f2b",
              "versionType": "git"
            },
            {
              "lessThan": "8588c99c7d47448fcae39e3227d6e2bb97aad86d",
              "status": "affected",
              "version": "a025fb5f49ad38cf749753b16fcd031d0d678f2b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/geneve.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: do not assume mac header is set in geneve_xmit_skb()\n\nWe should not assume mac header is set in output path.\n\nUse skb_eth_hdr() instead of eth_hdr() to fix the issue.\n\nsysbot reported the following :\n\n WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline]\n WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline]\n WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline]\n WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039\nModules linked in:\nCPU: 0 UID: 0 PID: 11635 Comm: syz.4.1423 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline]\n RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline]\n RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline]\n RIP: 0010:geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039\nCode: 21 c6 02 e9 35 d4 ff ff e8 a5 48 4c fb 90 0f 0b 90 e9 fd f5 ff ff e8 97 48 4c fb 90 0f 0b 90 e9 d8 f5 ff ff e8 89 48 4c fb 90 \u003c0f\u003e 0b 90 e9 41 e4 ff ff e8 7b 48 4c fb 90 0f 0b 90 e9 cd e7 ff ff\nRSP: 0018:ffffc90003b2f870 EFLAGS: 00010283\nRAX: 000000000000037a RBX: 000000000000ffff RCX: ffffc9000dc3d000\nRDX: 0000000000080000 RSI: ffffffff86428417 RDI: 0000000000000003\nRBP: ffffc90003b2f9f0 R08: 0000000000000003 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff88806603c000\nR13: 0000000000000000 R14: ffff8880685b2780 R15: 0000000000000e23\nFS:  00007fdc2deed6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b30a1dff8 CR3: 0000000056b8c000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n  __dev_direct_xmit+0x58a/0x720 net/core/dev.c:4490\n  dev_direct_xmit include/linux/netdevice.h:3181 [inline]\n  packet_xmit+0x1e4/0x360 net/packet/af_packet.c:285\n  packet_snd net/packet/af_packet.c:3146 [inline]\n  packet_sendmsg+0x2700/0x5660 net/packet/af_packet.c:3178\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg net/socket.c:726 [inline]\n  __sys_sendto+0x488/0x4f0 net/socket.c:2197\n  __do_sys_sendto net/socket.c:2204 [inline]\n  __se_sys_sendto net/socket.c:2200 [inline]\n  __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:41.258Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d9fa09ca004befe9cf826d6820439cb6f93cecd7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b65958284401016b983078c68f70b047537f4aba"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ee7bdc7cb40abfe658a71fbd10c7db2f4fc4f9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/97ce3a4ec55eac6b5e2949ffb04028d604afda3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/177b72ed7c77b11e46dd4336d73a87a77a5603af"
        },
        {
          "url": "https://git.kernel.org/stable/c/8588c99c7d47448fcae39e3227d6e2bb97aad86d"
        }
      ],
      "title": "geneve: do not assume mac header is set in geneve_xmit_skb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56636",
    "datePublished": "2024-12-27T15:02:38.946Z",
    "dateReserved": "2024-12-27T15:00:39.839Z",
    "dateUpdated": "2025-11-03T20:51:35.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56561 (GCVE-0-2024-56561)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-05-04 13:00

Title

PCI: endpoint: Fix PCI domain ID release in pci_epc_destroy()

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix PCI domain ID release in pci_epc_destroy() pci_epc_destroy() invokes pci_bus_release_domain_nr() to release the PCI domain ID, but there are two issues: - 'epc->dev' is passed to pci_bus_release_domain_nr() which was already freed by device_unregister(), leading to a use-after-free issue. - Domain ID corresponds to the EPC device parent, so passing 'epc->dev' is also wrong. Fix these issues by passing 'epc->dev.parent' to pci_bus_release_domain_nr() and also do it before device_unregister(). [mani: reworded subject and description]

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c74a1df6c2a2df7dd…
	https://git.kernel.org/stable/c/4acc902ed3743edd4…

Impacted products

Vendor

Product

Version

Linux

Affected: 0328947c50324cf4b2d8b181bf948edb8101f59f , < c74a1df6c2a2df7dd45c3fc1a5edc29a075dcf22 (git)
Affected: 0328947c50324cf4b2d8b181bf948edb8101f59f , < 4acc902ed3743edd4ac2d3846604a99d17104359 (git)
Affected: a4934cd7a18d35fc57025f23773f6f19e2b2dbb1 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56561",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:42:44.465270Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:24.791Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/endpoint/pci-epc-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c74a1df6c2a2df7dd45c3fc1a5edc29a075dcf22",
              "status": "affected",
              "version": "0328947c50324cf4b2d8b181bf948edb8101f59f",
              "versionType": "git"
            },
            {
              "lessThan": "4acc902ed3743edd4ac2d3846604a99d17104359",
              "status": "affected",
              "version": "0328947c50324cf4b2d8b181bf948edb8101f59f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a4934cd7a18d35fc57025f23773f6f19e2b2dbb1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/endpoint/pci-epc-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix PCI domain ID release in pci_epc_destroy()\n\npci_epc_destroy() invokes pci_bus_release_domain_nr() to release the PCI\ndomain ID, but there are two issues:\n\n  - \u0027epc-\u003edev\u0027 is passed to pci_bus_release_domain_nr() which was already\n    freed by device_unregister(), leading to a use-after-free issue.\n\n  - Domain ID corresponds to the EPC device parent, so passing \u0027epc-\u003edev\u0027\n    is also wrong.\n\nFix these issues by passing \u0027epc-\u003edev.parent\u0027 to\npci_bus_release_domain_nr() and also do it before device_unregister().\n\n[mani: reworded subject and description]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:53.468Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c74a1df6c2a2df7dd45c3fc1a5edc29a075dcf22"
        },
        {
          "url": "https://git.kernel.org/stable/c/4acc902ed3743edd4ac2d3846604a99d17104359"
        }
      ],
      "title": "PCI: endpoint: Fix PCI domain ID release in pci_epc_destroy()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56561",
    "datePublished": "2024-12-27T14:23:06.288Z",
    "dateReserved": "2024-12-27T14:03:05.994Z",
    "dateUpdated": "2025-05-04T13:00:53.468Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56712 (GCVE-0-2024-56712)

Vulnerability from cvelistv5 – Published: 2024-12-29 08:48 – Updated: 2025-05-04 10:03

Title

udmabuf: fix memory leak on last export_udmabuf() error path

Summary

In the Linux kernel, the following vulnerability has been resolved: udmabuf: fix memory leak on last export_udmabuf() error path In export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a dma_buf owning the udmabuf has already been created; but the error handling in udmabuf_create() will tear down the udmabuf without doing anything about the containing dma_buf. This leaves a dma_buf in memory that contains a dangling pointer; though that doesn't seem to lead to anything bad except a memory leak. Fix it by moving the dma_buf_fd() call out of export_udmabuf() so that we can give it different error handling. Note that the shape of this code changed a lot in commit 5e72b2b41a21 ("udmabuf: convert udmabuf driver to use folios"); but the memory leak seems to have existed since the introduction of udmabuf.

Severity ?

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c9fc8428d4255c212…
	https://git.kernel.org/stable/c/f49856f525acd5bef…

Impacted products

Vendor

Product

Version

Linux

Affected: fbb0de795078190a9834b3409e4b009cfb18a6d4 , < c9fc8428d4255c2128da9c4d5cd92e554d0150cf (git)
Affected: fbb0de795078190a9834b3409e4b009cfb18a6d4 , < f49856f525acd5bef52ae28b7da2e001bbe7439e (git)

Linux

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "LOW",
              "baseScore": 3.3,
              "baseSeverity": "LOW",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56712",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-17T20:10:27.510565Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-17T20:15:52.408Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma-buf/udmabuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c9fc8428d4255c2128da9c4d5cd92e554d0150cf",
              "status": "affected",
              "version": "fbb0de795078190a9834b3409e4b009cfb18a6d4",
              "versionType": "git"
            },
            {
              "lessThan": "f49856f525acd5bef52ae28b7da2e001bbe7439e",
              "status": "affected",
              "version": "fbb0de795078190a9834b3409e4b009cfb18a6d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma-buf/udmabuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: fix memory leak on last export_udmabuf() error path\n\nIn export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a\ndma_buf owning the udmabuf has already been created; but the error handling\nin udmabuf_create() will tear down the udmabuf without doing anything about\nthe containing dma_buf.\n\nThis leaves a dma_buf in memory that contains a dangling pointer; though\nthat doesn\u0027t seem to lead to anything bad except a memory leak.\n\nFix it by moving the dma_buf_fd() call out of export_udmabuf() so that we\ncan give it different error handling.\n\nNote that the shape of this code changed a lot in commit 5e72b2b41a21\n(\"udmabuf: convert udmabuf driver to use folios\"); but the memory leak\nseems to have existed since the introduction of udmabuf."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:03:06.710Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c9fc8428d4255c2128da9c4d5cd92e554d0150cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/f49856f525acd5bef52ae28b7da2e001bbe7439e"
        }
      ],
      "title": "udmabuf: fix memory leak on last export_udmabuf() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56712",
    "datePublished": "2024-12-29T08:48:46.167Z",
    "dateReserved": "2024-12-27T15:00:39.857Z",
    "dateUpdated": "2025-05-04T10:03:06.710Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56766 (GCVE-0-2024-56766)

Vulnerability from cvelistv5 – Published: 2025-01-06 16:20 – Updated: 2025-11-03 20:53

Title

mtd: rawnand: fix double free in atmel_pmecc_create_user()

Summary

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fix double free in atmel_pmecc_create_user() The "user" pointer was converted from being allocated with kzalloc() to being allocated by devm_kzalloc(). Calling kfree(user) will lead to a double free.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ca9818554b0f33e87…
	https://git.kernel.org/stable/c/1562871ef613fa949…
	https://git.kernel.org/stable/c/3d825a241e65f7e30…
	https://git.kernel.org/stable/c/6ea15205d7e2b811f…
	https://git.kernel.org/stable/c/dd45c87782738715d…
	https://git.kernel.org/stable/c/d2f090ea57f8d6587…
	https://git.kernel.org/stable/c/d8e4771f99c0400a1…

Impacted products

Vendor

Product

Version

Linux

Affected: 22fbbc37edb840fd420fadf670366be9bf028426 , < ca9818554b0f33e87f38e4bfa2dac056692d46cc (git)
Affected: 54cb5fa850f9306d84e49a3db44b7a7eb5536cd1 , < 1562871ef613fa9492aa0310933eff785166a90e (git)
Affected: 5fe7709251e334cc27618473299c48340cecd3c8 , < 3d825a241e65f7e3072978729e79d735ec40b80e (git)
Affected: 24cbc37e837fd9e31e5024480b779207d1d99f1d , < 6ea15205d7e2b811fbbdf79783f686f58abfb4b7 (git)
Affected: f1290871c8aaeb13029390a2b6e5c05733a1be6f , < dd45c87782738715d5e7c167f8dabf0814a7394a (git)
Affected: 8ac19ec818c548c5788da5926dcc8af96fad4bb1 , < d2f090ea57f8d6587e09d4066f740a8617767b3d (git)
Affected: 6d734f1bfc336aaea91313a5632f2f197608fadd , < d8e4771f99c0400a1873235704b28bb803c83d17 (git)
Affected: 2014fcea19ec27df033359a0f42db0e8ed4290a8 (git)
Affected: bdd11a04d102f8310812aa7cec39545fdd6662d1 (git)

Linux

Affected: 5.4.287 , < 5.4.289 (semver)
Affected: 5.10.231 , < 5.10.233 (semver)
Affected: 5.15.174 , < 5.15.176 (semver)
Affected: 6.1.120 , < 6.1.123 (semver)
Affected: 6.6.64 , < 6.6.69 (semver)
Affected: 6.12.2 , < 6.12.8 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:53:59.612Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/nand/raw/atmel/pmecc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca9818554b0f33e87f38e4bfa2dac056692d46cc",
              "status": "affected",
              "version": "22fbbc37edb840fd420fadf670366be9bf028426",
              "versionType": "git"
            },
            {
              "lessThan": "1562871ef613fa9492aa0310933eff785166a90e",
              "status": "affected",
              "version": "54cb5fa850f9306d84e49a3db44b7a7eb5536cd1",
              "versionType": "git"
            },
            {
              "lessThan": "3d825a241e65f7e3072978729e79d735ec40b80e",
              "status": "affected",
              "version": "5fe7709251e334cc27618473299c48340cecd3c8",
              "versionType": "git"
            },
            {
              "lessThan": "6ea15205d7e2b811fbbdf79783f686f58abfb4b7",
              "status": "affected",
              "version": "24cbc37e837fd9e31e5024480b779207d1d99f1d",
              "versionType": "git"
            },
            {
              "lessThan": "dd45c87782738715d5e7c167f8dabf0814a7394a",
              "status": "affected",
              "version": "f1290871c8aaeb13029390a2b6e5c05733a1be6f",
              "versionType": "git"
            },
            {
              "lessThan": "d2f090ea57f8d6587e09d4066f740a8617767b3d",
              "status": "affected",
              "version": "8ac19ec818c548c5788da5926dcc8af96fad4bb1",
              "versionType": "git"
            },
            {
              "lessThan": "d8e4771f99c0400a1873235704b28bb803c83d17",
              "status": "affected",
              "version": "6d734f1bfc336aaea91313a5632f2f197608fadd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2014fcea19ec27df033359a0f42db0e8ed4290a8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bdd11a04d102f8310812aa7cec39545fdd6662d1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/nand/raw/atmel/pmecc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5.4.289",
              "status": "affected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThan": "5.10.233",
              "status": "affected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.176",
              "status": "affected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.123",
              "status": "affected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.69",
              "status": "affected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.8",
              "status": "affected",
              "version": "6.12.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "versionStartIncluding": "5.4.287",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "5.10.231",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.15.174",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.123",
                  "versionStartIncluding": "6.1.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.69",
                  "versionStartIncluding": "6.6.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.12.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.325",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: fix double free in atmel_pmecc_create_user()\n\nThe \"user\" pointer was converted from being allocated with kzalloc() to\nbeing allocated by devm_kzalloc().  Calling kfree(user) will lead to a\ndouble free."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:21.700Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca9818554b0f33e87f38e4bfa2dac056692d46cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/1562871ef613fa9492aa0310933eff785166a90e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d825a241e65f7e3072978729e79d735ec40b80e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ea15205d7e2b811fbbdf79783f686f58abfb4b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd45c87782738715d5e7c167f8dabf0814a7394a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2f090ea57f8d6587e09d4066f740a8617767b3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8e4771f99c0400a1873235704b28bb803c83d17"
        }
      ],
      "title": "mtd: rawnand: fix double free in atmel_pmecc_create_user()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56766",
    "datePublished": "2025-01-06T16:20:44.676Z",
    "dateReserved": "2024-12-29T11:26:39.762Z",
    "dateUpdated": "2025-11-03T20:53:59.612Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57934 (GCVE-0-2024-57934)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:01 – Updated: 2025-10-01 19:57

Title

fgraph: Add READ_ONCE() when accessing fgraph_array[]

Summary

In the Linux kernel, the following vulnerability has been resolved: fgraph: Add READ_ONCE() when accessing fgraph_array[] In __ftrace_return_to_handler(), a loop iterates over the fgraph_array[] elements, which are fgraph_ops. The loop checks if an element is a fgraph_stub to prevent using a fgraph_stub afterward. However, if the compiler reloads fgraph_array[] after this check, it might race with an update to fgraph_array[] that introduces a fgraph_stub. This could result in the stub being processed, but the stub contains a null "func_hash" field, leading to a NULL pointer dereference. To ensure that the gops compared against the fgraph_stub matches the gops processed later, add a READ_ONCE(). A similar patch appears in commit 63a8dfb ("function_graph: Add READ_ONCE() when accessing fgraph_array[]").

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b68b2a3fbacc7be72…
	https://git.kernel.org/stable/c/d65474033740ded0a…

Impacted products

Vendor

Product

Version

Linux

Affected: 37238abe3cb47b8daaa8706c9949f67b2a705cf1 , < b68b2a3fbacc7be720ef589d489bcacdd05c6d38 (git)
Affected: 37238abe3cb47b8daaa8706c9949f67b2a705cf1 , < d65474033740ded0a4fe9a097fce72328655b41d (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57934",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:53.039611Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:14.140Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/fgraph.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b68b2a3fbacc7be720ef589d489bcacdd05c6d38",
              "status": "affected",
              "version": "37238abe3cb47b8daaa8706c9949f67b2a705cf1",
              "versionType": "git"
            },
            {
              "lessThan": "d65474033740ded0a4fe9a097fce72328655b41d",
              "status": "affected",
              "version": "37238abe3cb47b8daaa8706c9949f67b2a705cf1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/fgraph.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfgraph: Add READ_ONCE() when accessing fgraph_array[]\n\nIn __ftrace_return_to_handler(), a loop iterates over the fgraph_array[]\nelements, which are fgraph_ops. The loop checks if an element is a\nfgraph_stub to prevent using a fgraph_stub afterward.\n\nHowever, if the compiler reloads fgraph_array[] after this check, it might\nrace with an update to fgraph_array[] that introduces a fgraph_stub. This\ncould result in the stub being processed, but the stub contains a null\n\"func_hash\" field, leading to a NULL pointer dereference.\n\nTo ensure that the gops compared against the fgraph_stub matches the gops\nprocessed later, add a READ_ONCE(). A similar patch appears in commit\n63a8dfb (\"function_graph: Add READ_ONCE() when accessing fgraph_array[]\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:59.208Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b68b2a3fbacc7be720ef589d489bcacdd05c6d38"
        },
        {
          "url": "https://git.kernel.org/stable/c/d65474033740ded0a4fe9a097fce72328655b41d"
        }
      ],
      "title": "fgraph: Add READ_ONCE() when accessing fgraph_array[]",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57934",
    "datePublished": "2025-01-21T12:01:30.537Z",
    "dateReserved": "2025-01-19T11:50:08.377Z",
    "dateUpdated": "2025-10-01T19:57:14.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57888 (GCVE-0-2024-57888)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-05-04 10:05

Title

workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker

Summary

In the Linux kernel, the following vulnerability has been resolved: workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") amdgpu started seeing the following warning: [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu] ... [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched] ... [ ] Call Trace: [ ] <TASK> ... [ ] ? check_flush_dependency+0xf5/0x110 ... [ ] cancel_delayed_work_sync+0x6e/0x80 [ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu] [ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu] [ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu] [ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched] [ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu] [ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched] [ ] process_one_work+0x217/0x720 ... [ ] </TASK> The intent of the verifcation done in check_flush_depedency is to ensure forward progress during memory reclaim, by flagging cases when either a memory reclaim process, or a memory reclaim work item is flushed from a context not marked as memory reclaim safe. This is correct when flushing, but when called from the cancel(_delayed)_work_sync() paths it is a false positive because work is either already running, or will not be running at all. Therefore cancelling it is safe and we can relax the warning criteria by letting the helper know of the calling context. References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1fd2a57dcb4de3cb4…
	https://git.kernel.org/stable/c/ffb231471a407c96e…
	https://git.kernel.org/stable/c/de35994ecd2dd6148…

Impacted products

Vendor

Product

Version

Linux

Affected: fca839c00a12d682cb59b3b620d109a1d850b262 , < 1fd2a57dcb4de3cb40844a29c71b5d7b46a84334 (git)
Affected: fca839c00a12d682cb59b3b620d109a1d850b262 , < ffb231471a407c96e114070bf828cd2378fdf431 (git)
Affected: fca839c00a12d682cb59b3b620d109a1d850b262 , < de35994ecd2dd6148ab5a6c5050a1670a04dec77 (git)

Linux

Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/workqueue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1fd2a57dcb4de3cb40844a29c71b5d7b46a84334",
              "status": "affected",
              "version": "fca839c00a12d682cb59b3b620d109a1d850b262",
              "versionType": "git"
            },
            {
              "lessThan": "ffb231471a407c96e114070bf828cd2378fdf431",
              "status": "affected",
              "version": "fca839c00a12d682cb59b3b620d109a1d850b262",
              "versionType": "git"
            },
            {
              "lessThan": "de35994ecd2dd6148ab5a6c5050a1670a04dec77",
              "status": "affected",
              "version": "fca839c00a12d682cb59b3b620d109a1d850b262",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/workqueue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker\n\nAfter commit\n746ae46c1113 (\"drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM\")\namdgpu started seeing the following warning:\n\n [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu]\n...\n [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched]\n...\n [ ] Call Trace:\n [ ]  \u003cTASK\u003e\n...\n [ ]  ? check_flush_dependency+0xf5/0x110\n...\n [ ]  cancel_delayed_work_sync+0x6e/0x80\n [ ]  amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu]\n [ ]  amdgpu_ring_alloc+0x40/0x50 [amdgpu]\n [ ]  amdgpu_ib_schedule+0xf4/0x810 [amdgpu]\n [ ]  ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched]\n [ ]  amdgpu_job_run+0xaa/0x1f0 [amdgpu]\n [ ]  drm_sched_run_job_work+0x257/0x430 [gpu_sched]\n [ ]  process_one_work+0x217/0x720\n...\n [ ]  \u003c/TASK\u003e\n\nThe intent of the verifcation done in check_flush_depedency is to ensure\nforward progress during memory reclaim, by flagging cases when either a\nmemory reclaim process, or a memory reclaim work item is flushed from a\ncontext not marked as memory reclaim safe.\n\nThis is correct when flushing, but when called from the\ncancel(_delayed)_work_sync() paths it is a false positive because work is\neither already running, or will not be running at all. Therefore\ncancelling it is safe and we can relax the warning criteria by letting the\nhelper know of the calling context.\n\nReferences: 746ae46c1113 (\"drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM\")"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:56.241Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1fd2a57dcb4de3cb40844a29c71b5d7b46a84334"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffb231471a407c96e114070bf828cd2378fdf431"
        },
        {
          "url": "https://git.kernel.org/stable/c/de35994ecd2dd6148ab5a6c5050a1670a04dec77"
        }
      ],
      "title": "workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57888",
    "datePublished": "2025-01-15T13:05:40.832Z",
    "dateReserved": "2025-01-11T14:45:42.027Z",
    "dateUpdated": "2025-05-04T10:05:56.241Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53681 (GCVE-0-2024-53681)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2025-05-04 09:56

Title

nvmet: Don't overflow subsysnqn

Summary

In the Linux kernel, the following vulnerability has been resolved: nvmet: Don't overflow subsysnqn nvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed size buffer, even though it is dynamically allocated to the size of the string. Create a new string with kstrndup instead of using the old buffer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/86645d8d062af3fdc…
	https://git.kernel.org/stable/c/4db3d750ac7e89427…

Impacted products

Vendor

Product

Version

Linux

Affected: 95409e277d8343810adf8700d29d4329828d452b , < 86645d8d062af3fdcbdaa0a289b95de55bca827d (git)
Affected: 95409e277d8343810adf8700d29d4329828d452b , < 4db3d750ac7e894278ef1cb1c53cc7d883060496 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/configfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "86645d8d062af3fdcbdaa0a289b95de55bca827d",
              "status": "affected",
              "version": "95409e277d8343810adf8700d29d4329828d452b",
              "versionType": "git"
            },
            {
              "lessThan": "4db3d750ac7e894278ef1cb1c53cc7d883060496",
              "status": "affected",
              "version": "95409e277d8343810adf8700d29d4329828d452b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/configfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: Don\u0027t overflow subsysnqn\n\nnvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed\nsize buffer, even though it is dynamically allocated to the size of the\nstring.\n\nCreate a new string with kstrndup instead of using the old buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:56:51.804Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/86645d8d062af3fdcbdaa0a289b95de55bca827d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4db3d750ac7e894278ef1cb1c53cc7d883060496"
        }
      ],
      "title": "nvmet: Don\u0027t overflow subsysnqn",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53681",
    "datePublished": "2025-01-15T13:10:22.141Z",
    "dateReserved": "2025-01-15T13:08:59.671Z",
    "dateUpdated": "2025-05-04T09:56:51.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56654 (GCVE-0-2024-56654)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-10-01 20:07

Title

Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating The usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is not safe since for the most part entries fetched this way shall be treated as rcu_dereference: Note that the value returned by rcu_dereference() is valid only within the enclosing RCU read-side critical section [1]_. For example, the following is **not** legal:: rcu_read_lock(); p = rcu_dereference(head.next); rcu_read_unlock(); x = p->address; /* BUG!!! */ rcu_read_lock(); y = p->data; /* BUG!!! */ rcu_read_unlock();

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0108132d7d76d884e…
	https://git.kernel.org/stable/c/f9ecc90b5d501b3a5…
	https://git.kernel.org/stable/c/581dd2dc168fe0ed2…

Impacted products

Vendor

Product

Version

Linux

Affected: a0bfde167b506423111ddb8cd71930497a40fc54 , < 0108132d7d76d884e443d18b4f067cdf2811911b (git)
Affected: a0bfde167b506423111ddb8cd71930497a40fc54 , < f9ecc90b5d501b3a5a62d0685d5104f934bb0104 (git)
Affected: a0bfde167b506423111ddb8cd71930497a40fc54 , < 581dd2dc168fe0ed2a7a5534a724f0d3751c93ae (git)
Affected: b475c1109251e30ec21fb574d72a1c71a4ab0039 (git)
Affected: 2ccde10127447c1a5caad8469fede945bdb62fdf (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56654",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:00:19.506429Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:11.020Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0108132d7d76d884e443d18b4f067cdf2811911b",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "f9ecc90b5d501b3a5a62d0685d5104f934bb0104",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "581dd2dc168fe0ed2a7a5534a724f0d3751c93ae",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b475c1109251e30ec21fb574d72a1c71a4ab0039",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2ccde10127447c1a5caad8469fede945bdb62fdf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix using rcu_read_(un)lock while iterating\n\nThe usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is\nnot safe since for the most part entries fetched this way shall be\ntreated as rcu_dereference:\n\n\tNote that the value returned by rcu_dereference() is valid\n\tonly within the enclosing RCU read-side critical section [1]_.\n\tFor example, the following is **not** legal::\n\n\t\trcu_read_lock();\n\t\tp = rcu_dereference(head.next);\n\t\trcu_read_unlock();\n\t\tx = p-\u003eaddress;\t/* BUG!!! */\n\t\trcu_read_lock();\n\t\ty = p-\u003edata;\t/* BUG!!! */\n\t\trcu_read_unlock();"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:01.571Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0108132d7d76d884e443d18b4f067cdf2811911b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9ecc90b5d501b3a5a62d0685d5104f934bb0104"
        },
        {
          "url": "https://git.kernel.org/stable/c/581dd2dc168fe0ed2a7a5534a724f0d3751c93ae"
        }
      ],
      "title": "Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56654",
    "datePublished": "2024-12-27T15:06:18.224Z",
    "dateReserved": "2024-12-27T15:00:39.841Z",
    "dateUpdated": "2025-10-01T20:07:11.020Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57940 (GCVE-0-2024-57940)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-11-03 20:56

Title

exfat: fix the infinite loop in exfat_readdir()

Summary

In the Linux kernel, the following vulnerability has been resolved: exfat: fix the infinite loop in exfat_readdir() If the file system is corrupted so that a cluster is linked to itself in the cluster chain, and there is an unused directory entry in the cluster, 'dentry' will not be incremented, causing condition 'dentry < max_dentries' unable to prevent an infinite loop. This infinite loop causes s_lock not to be released, and other tasks will hang, such as exfat_sync_fs(). This commit stops traversing the cluster chain when there is unused directory entry in the cluster to avoid this infinite loop.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d8cfbb8723bd3d322…
	https://git.kernel.org/stable/c/28c21f0ac5293a4bf…
	https://git.kernel.org/stable/c/31beabd0f47f8c3ed…
	https://git.kernel.org/stable/c/dc1d7afceb982e8f6…
	https://git.kernel.org/stable/c/d9ea94f5cd117d56e…
	https://git.kernel.org/stable/c/fee873761bd978d07…

Impacted products

Vendor

Product

Version

Linux

Affected: ca06197382bde0a3bc20215595d1c9ce20c6e341 , < d8cfbb8723bd3d3222f360227a1cc15227189ca6 (git)
Affected: ca06197382bde0a3bc20215595d1c9ce20c6e341 , < 28c21f0ac5293a4bf19b3e0e32005d6dd31a6c17 (git)
Affected: ca06197382bde0a3bc20215595d1c9ce20c6e341 , < 31beabd0f47f8c3ed9965ba861c9e5b252d4920a (git)
Affected: ca06197382bde0a3bc20215595d1c9ce20c6e341 , < dc1d7afceb982e8f666e70a582e6b5aa806de063 (git)
Affected: ca06197382bde0a3bc20215595d1c9ce20c6e341 , < d9ea94f5cd117d56e573696d0045ab3044185a15 (git)
Affected: ca06197382bde0a3bc20215595d1c9ce20c6e341 , < fee873761bd978d077d8c55334b4966ac4cb7b59 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:56:09.764Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d8cfbb8723bd3d3222f360227a1cc15227189ca6",
              "status": "affected",
              "version": "ca06197382bde0a3bc20215595d1c9ce20c6e341",
              "versionType": "git"
            },
            {
              "lessThan": "28c21f0ac5293a4bf19b3e0e32005d6dd31a6c17",
              "status": "affected",
              "version": "ca06197382bde0a3bc20215595d1c9ce20c6e341",
              "versionType": "git"
            },
            {
              "lessThan": "31beabd0f47f8c3ed9965ba861c9e5b252d4920a",
              "status": "affected",
              "version": "ca06197382bde0a3bc20215595d1c9ce20c6e341",
              "versionType": "git"
            },
            {
              "lessThan": "dc1d7afceb982e8f666e70a582e6b5aa806de063",
              "status": "affected",
              "version": "ca06197382bde0a3bc20215595d1c9ce20c6e341",
              "versionType": "git"
            },
            {
              "lessThan": "d9ea94f5cd117d56e573696d0045ab3044185a15",
              "status": "affected",
              "version": "ca06197382bde0a3bc20215595d1c9ce20c6e341",
              "versionType": "git"
            },
            {
              "lessThan": "fee873761bd978d077d8c55334b4966ac4cb7b59",
              "status": "affected",
              "version": "ca06197382bde0a3bc20215595d1c9ce20c6e341",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix the infinite loop in exfat_readdir()\n\nIf the file system is corrupted so that a cluster is linked to\nitself in the cluster chain, and there is an unused directory\nentry in the cluster, \u0027dentry\u0027 will not be incremented, causing\ncondition \u0027dentry \u003c max_dentries\u0027 unable to prevent an infinite\nloop.\n\nThis infinite loop causes s_lock not to be released, and other\ntasks will hang, such as exfat_sync_fs().\n\nThis commit stops traversing the cluster chain when there is unused\ndirectory entry in the cluster to avoid this infinite loop."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:07.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d8cfbb8723bd3d3222f360227a1cc15227189ca6"
        },
        {
          "url": "https://git.kernel.org/stable/c/28c21f0ac5293a4bf19b3e0e32005d6dd31a6c17"
        },
        {
          "url": "https://git.kernel.org/stable/c/31beabd0f47f8c3ed9965ba861c9e5b252d4920a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc1d7afceb982e8f666e70a582e6b5aa806de063"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9ea94f5cd117d56e573696d0045ab3044185a15"
        },
        {
          "url": "https://git.kernel.org/stable/c/fee873761bd978d077d8c55334b4966ac4cb7b59"
        }
      ],
      "title": "exfat: fix the infinite loop in exfat_readdir()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57940",
    "datePublished": "2025-01-21T12:18:09.150Z",
    "dateReserved": "2025-01-19T11:50:08.378Z",
    "dateUpdated": "2025-11-03T20:56:09.764Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-49568 (GCVE-0-2024-49568)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:35 – Updated: 2025-05-04 09:39

Title

net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg When receiving proposal msg in server, the fields v2_ext_offset/ eid_cnt/ism_gid_cnt in proposal msg are from the remote client and can not be fully trusted. Especially the field v2_ext_offset, once exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt before using them.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/295a92e3df32e72af…
	https://git.kernel.org/stable/c/42f6beb2d57794294…
	https://git.kernel.org/stable/c/7863c9f3d24ba49db…

Impacted products

Vendor

Product

Version

Linux

Affected: 8c3dca341aea885249e08856c4380300b75d2cf5 , < 295a92e3df32e72aff0f4bc25c310e349d07ffbf (git)
Affected: 8c3dca341aea885249e08856c4380300b75d2cf5 , < 42f6beb2d5779429417b5f8115a4e3fa695d2a6c (git)
Affected: 8c3dca341aea885249e08856c4380300b75d2cf5 , < 7863c9f3d24ba49dbead7e03dfbe40deb5888fdf (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 6.6.68 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc_clc.c",
            "net/smc/smc_clc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "295a92e3df32e72aff0f4bc25c310e349d07ffbf",
              "status": "affected",
              "version": "8c3dca341aea885249e08856c4380300b75d2cf5",
              "versionType": "git"
            },
            {
              "lessThan": "42f6beb2d5779429417b5f8115a4e3fa695d2a6c",
              "status": "affected",
              "version": "8c3dca341aea885249e08856c4380300b75d2cf5",
              "versionType": "git"
            },
            {
              "lessThan": "7863c9f3d24ba49dbead7e03dfbe40deb5888fdf",
              "status": "affected",
              "version": "8c3dca341aea885249e08856c4380300b75d2cf5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc_clc.c",
            "net/smc/smc_clc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg\n\nWhen receiving proposal msg in server, the fields v2_ext_offset/\neid_cnt/ism_gid_cnt in proposal msg are from the remote client\nand can not be fully trusted. Especially the field v2_ext_offset,\nonce exceed the max value, there has the chance to access wrong\naddress, and crash may happen.\n\nThis patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt\nbefore using them."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:39:23.222Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/295a92e3df32e72aff0f4bc25c310e349d07ffbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/42f6beb2d5779429417b5f8115a4e3fa695d2a6c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7863c9f3d24ba49dbead7e03dfbe40deb5888fdf"
        }
      ],
      "title": "net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49568",
    "datePublished": "2025-01-11T12:35:36.190Z",
    "dateReserved": "2025-01-11T12:34:02.664Z",
    "dateUpdated": "2025-05-04T09:39:23.222Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-49569 (GCVE-0-2024-49569)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2025-05-04 12:59

Title

nvme-rdma: unquiesce admin_q before destroy it

Summary

In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: unquiesce admin_q before destroy it Kernel will hang on destroy admin_q while we create ctrl failed, such as following calltrace: PID: 23644 TASK: ff2d52b40f439fc0 CPU: 2 COMMAND: "nvme" #0 [ff61d23de260fb78] __schedule at ffffffff8323bc15 #1 [ff61d23de260fc08] schedule at ffffffff8323c014 #2 [ff61d23de260fc28] blk_mq_freeze_queue_wait at ffffffff82a3dba1 #3 [ff61d23de260fc78] blk_freeze_queue at ffffffff82a4113a #4 [ff61d23de260fc90] blk_cleanup_queue at ffffffff82a33006 #5 [ff61d23de260fcb0] nvme_rdma_destroy_admin_queue at ffffffffc12686ce #6 [ff61d23de260fcc8] nvme_rdma_setup_ctrl at ffffffffc1268ced #7 [ff61d23de260fd28] nvme_rdma_create_ctrl at ffffffffc126919b #8 [ff61d23de260fd68] nvmf_dev_write at ffffffffc024f362 #9 [ff61d23de260fe38] vfs_write at ffffffff827d5f25 RIP: 00007fda7891d574 RSP: 00007ffe2ef06958 RFLAGS: 00000202 RAX: ffffffffffffffda RBX: 000055e8122a4d90 RCX: 00007fda7891d574 RDX: 000000000000012b RSI: 000055e8122a4d90 RDI: 0000000000000004 RBP: 00007ffe2ef079c0 R8: 000000000000012b R9: 000055e8122a4d90 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004 R13: 000055e8122923c0 R14: 000000000000012b R15: 00007fda78a54500 ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b This due to we have quiesced admi_q before cancel requests, but forgot to unquiesce before destroy it, as a result we fail to drain the pending requests, and hang on blk_mq_freeze_queue_wait() forever. Here try to reuse nvme_rdma_teardown_admin_queue() to fix this issue and simplify the code.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/427036030f4d79653…
	https://git.kernel.org/stable/c/05b436f3cf65c957e…
	https://git.kernel.org/stable/c/5858b687559809f05…

Impacted products

Vendor

Product

Version

Linux

Affected: 958dc1d32c80566f58d18f05ef1f05bd32d172c1 , < 427036030f4d796533dcadba9b845896cb6c10a7 (git)
Affected: 958dc1d32c80566f58d18f05ef1f05bd32d172c1 , < 05b436f3cf65c957eff86c5ea5ddfa2604b32c63 (git)
Affected: 958dc1d32c80566f58d18f05ef1f05bd32d172c1 , < 5858b687559809f05393af745cbadf06dee61295 (git)
Affected: a9ea34d2717a8c8892d3c5677329de9485e325ac (git)
Affected: 7da81eaf8710130a9e63d7429627183be5a93787 (git)
Affected: caed0b3851a4f52afd1ef77a27b30410fe7b68c7 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/rdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "427036030f4d796533dcadba9b845896cb6c10a7",
              "status": "affected",
              "version": "958dc1d32c80566f58d18f05ef1f05bd32d172c1",
              "versionType": "git"
            },
            {
              "lessThan": "05b436f3cf65c957eff86c5ea5ddfa2604b32c63",
              "status": "affected",
              "version": "958dc1d32c80566f58d18f05ef1f05bd32d172c1",
              "versionType": "git"
            },
            {
              "lessThan": "5858b687559809f05393af745cbadf06dee61295",
              "status": "affected",
              "version": "958dc1d32c80566f58d18f05ef1f05bd32d172c1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a9ea34d2717a8c8892d3c5677329de9485e325ac",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7da81eaf8710130a9e63d7429627183be5a93787",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "caed0b3851a4f52afd1ef77a27b30410fe7b68c7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/rdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.21",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-rdma: unquiesce admin_q before destroy it\n\nKernel will hang on destroy admin_q while we create ctrl failed, such\nas following calltrace:\n\nPID: 23644    TASK: ff2d52b40f439fc0  CPU: 2    COMMAND: \"nvme\"\n #0 [ff61d23de260fb78] __schedule at ffffffff8323bc15\n #1 [ff61d23de260fc08] schedule at ffffffff8323c014\n #2 [ff61d23de260fc28] blk_mq_freeze_queue_wait at ffffffff82a3dba1\n #3 [ff61d23de260fc78] blk_freeze_queue at ffffffff82a4113a\n #4 [ff61d23de260fc90] blk_cleanup_queue at ffffffff82a33006\n #5 [ff61d23de260fcb0] nvme_rdma_destroy_admin_queue at ffffffffc12686ce\n #6 [ff61d23de260fcc8] nvme_rdma_setup_ctrl at ffffffffc1268ced\n #7 [ff61d23de260fd28] nvme_rdma_create_ctrl at ffffffffc126919b\n #8 [ff61d23de260fd68] nvmf_dev_write at ffffffffc024f362\n #9 [ff61d23de260fe38] vfs_write at ffffffff827d5f25\n    RIP: 00007fda7891d574  RSP: 00007ffe2ef06958  RFLAGS: 00000202\n    RAX: ffffffffffffffda  RBX: 000055e8122a4d90  RCX: 00007fda7891d574\n    RDX: 000000000000012b  RSI: 000055e8122a4d90  RDI: 0000000000000004\n    RBP: 00007ffe2ef079c0   R8: 000000000000012b   R9: 000055e8122a4d90\n    R10: 0000000000000000  R11: 0000000000000202  R12: 0000000000000004\n    R13: 000055e8122923c0  R14: 000000000000012b  R15: 00007fda78a54500\n    ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b\n\nThis due to we have quiesced admi_q before cancel requests, but forgot\nto unquiesce before destroy it, as a result we fail to drain the\npending requests, and hang on blk_mq_freeze_queue_wait() forever. Here\ntry to reuse nvme_rdma_teardown_admin_queue() to fix this issue and\nsimplify the code."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:59:06.659Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/427036030f4d796533dcadba9b845896cb6c10a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/05b436f3cf65c957eff86c5ea5ddfa2604b32c63"
        },
        {
          "url": "https://git.kernel.org/stable/c/5858b687559809f05393af745cbadf06dee61295"
        }
      ],
      "title": "nvme-rdma: unquiesce admin_q before destroy it",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49569",
    "datePublished": "2025-01-11T12:25:19.455Z",
    "dateReserved": "2025-01-09T09:50:31.772Z",
    "dateUpdated": "2025-05-04T12:59:06.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56646 (GCVE-0-2024-56646)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2026-01-11 16:29

Title

ipv6: avoid possible NULL deref in modify_prefix_route()

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid possible NULL deref in modify_prefix_route() syzbot found a NULL deref [1] in modify_prefix_route(), caused by one fib6_info without a fib6_table pointer set. This can happen for net->ipv6.fib6_null_entry [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089 Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84 RSP: 0018:ffffc900035d7268 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030 R13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000 FS: 0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831 inet6_addr_modify net/ipv6/addrconf.c:4923 [inline] inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055 rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637 __sys_sendmsg+0x16e/0x220 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fd1dcef8b79 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79 RDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004 RBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006 R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 </TASK>

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/90f7d995b861fd77a…
	https://git.kernel.org/stable/c/01f95357e47219a9c…
	https://git.kernel.org/stable/c/a747e02430dfb3657…

Impacted products

Vendor

Product

Version

Linux

Affected: bd12abe294c7738421bdfbc486f1909d02db30e9 , < 90f7d995b861fd77ae4885cc58e26a6a4e5ccdb9 (git)
Affected: 5eb902b8e7193cdcb33242af0a56502e6b5206e9 , < 01f95357e47219a9c4b29e177b717edbfab721b4 (git)
Affected: 5eb902b8e7193cdcb33242af0a56502e6b5206e9 , < a747e02430dfb3657141f99aa6b09331283fa493 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56646",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:00:35.984541Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:11.893Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/addrconf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "90f7d995b861fd77ae4885cc58e26a6a4e5ccdb9",
              "status": "affected",
              "version": "bd12abe294c7738421bdfbc486f1909d02db30e9",
              "versionType": "git"
            },
            {
              "lessThan": "01f95357e47219a9c4b29e177b717edbfab721b4",
              "status": "affected",
              "version": "5eb902b8e7193cdcb33242af0a56502e6b5206e9",
              "versionType": "git"
            },
            {
              "lessThan": "a747e02430dfb3657141f99aa6b09331283fa493",
              "status": "affected",
              "version": "5eb902b8e7193cdcb33242af0a56502e6b5206e9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/addrconf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid possible NULL deref in modify_prefix_route()\n\nsyzbot found a NULL deref [1] in modify_prefix_route(), caused by one\nfib6_info without a fib6_table pointer set.\n\nThis can happen for net-\u003eipv6.fib6_null_entry\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\nCPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089\nCode: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84\nRSP: 0018:ffffc900035d7268 EFLAGS: 00010006\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001\nR10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030\nR13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n  lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849\n  __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n  _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178\n  spin_lock_bh include/linux/spinlock.h:356 [inline]\n  modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831\n  inet6_addr_modify net/ipv6/addrconf.c:4923 [inline]\n  inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055\n  rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920\n  netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541\n  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n  netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347\n  netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg net/socket.c:726 [inline]\n  ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583\n  ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637\n  __sys_sendmsg+0x16e/0x220 net/socket.c:2669\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fd1dcef8b79\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79\nRDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004\nRBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c\nR13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:07.104Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/90f7d995b861fd77ae4885cc58e26a6a4e5ccdb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/01f95357e47219a9c4b29e177b717edbfab721b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a747e02430dfb3657141f99aa6b09331283fa493"
        }
      ],
      "title": "ipv6: avoid possible NULL deref in modify_prefix_route()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56646",
    "datePublished": "2024-12-27T15:02:47.265Z",
    "dateReserved": "2024-12-27T15:00:39.840Z",
    "dateUpdated": "2026-01-11T16:29:07.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57841 (GCVE-0-2024-57841)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2025-11-03 20:54

Title

net: fix memory leak in tcp_conn_request()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in tcp_conn_request() If inet_csk_reqsk_queue_hash_add() return false, tcp_conn_request() will return without free the dst memory, which allocated in af_ops->route_req. Here is the kmemleak stack: unreferenced object 0xffff8881198631c0 (size 240): comm "softirq", pid 0, jiffies 4299266571 (age 1802.392s) hex dump (first 32 bytes): 00 10 9b 03 81 88 ff ff 80 98 da bc ff ff ff ff ................ 81 55 18 bb ff ff ff ff 00 00 00 00 00 00 00 00 .U.............. backtrace: [<ffffffffb93e8d4c>] kmem_cache_alloc+0x60c/0xa80 [<ffffffffba11b4c5>] dst_alloc+0x55/0x250 [<ffffffffba227bf6>] rt_dst_alloc+0x46/0x1d0 [<ffffffffba23050a>] __mkroute_output+0x29a/0xa50 [<ffffffffba23456b>] ip_route_output_key_hash+0x10b/0x240 [<ffffffffba2346bd>] ip_route_output_flow+0x1d/0x90 [<ffffffffba254855>] inet_csk_route_req+0x2c5/0x500 [<ffffffffba26b331>] tcp_conn_request+0x691/0x12c0 [<ffffffffba27bd08>] tcp_rcv_state_process+0x3c8/0x11b0 [<ffffffffba2965c6>] tcp_v4_do_rcv+0x156/0x3b0 [<ffffffffba299c98>] tcp_v4_rcv+0x1cf8/0x1d80 [<ffffffffba239656>] ip_protocol_deliver_rcu+0xf6/0x360 [<ffffffffba2399a6>] ip_local_deliver_finish+0xe6/0x1e0 [<ffffffffba239b8e>] ip_local_deliver+0xee/0x360 [<ffffffffba239ead>] ip_rcv+0xad/0x2f0 [<ffffffffba110943>] __netif_receive_skb_one_core+0x123/0x140 Call dst_release() to free the dst memory when inet_csk_reqsk_queue_hash_add() return false in tcp_conn_request().

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9d38959677291552d…
	https://git.kernel.org/stable/c/de3f999bf8aee16e9…
	https://git.kernel.org/stable/c/2af69905180b3fea1…
	https://git.kernel.org/stable/c/b0b190218c78d8aee…
	https://git.kernel.org/stable/c/4f4aa4aa28142d53f…

Impacted products

Vendor

Product

Version

Linux

Affected: 527bec1f56ac7a2fceb8eb77eb0fc2678ecba394 , < 9d38959677291552d1b0ed2689a540af279b5bf8 (git)
Affected: c14f3c3793f7a785763e353df7fc40426187f832 , < de3f999bf8aee16e9da1c1224191abdc69e97c9d (git)
Affected: fdae4d139f4778b20a40c60705c53f5f146459b5 , < 2af69905180b3fea12f9c1db374b153a06977021 (git)
Affected: ff46e3b4421923937b7f6e44ffcd3549a074f321 , < b0b190218c78d8aeecfba36ea3a90063b3ede52d (git)
Affected: ff46e3b4421923937b7f6e44ffcd3549a074f321 , < 4f4aa4aa28142d53f8b06585c478476cfe325cfc (git)
Affected: 360892e60710427229fc1f7bb2218cf4d578229b (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57841",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:23.329434Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:18.572Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:41.406Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9d38959677291552d1b0ed2689a540af279b5bf8",
              "status": "affected",
              "version": "527bec1f56ac7a2fceb8eb77eb0fc2678ecba394",
              "versionType": "git"
            },
            {
              "lessThan": "de3f999bf8aee16e9da1c1224191abdc69e97c9d",
              "status": "affected",
              "version": "c14f3c3793f7a785763e353df7fc40426187f832",
              "versionType": "git"
            },
            {
              "lessThan": "2af69905180b3fea12f9c1db374b153a06977021",
              "status": "affected",
              "version": "fdae4d139f4778b20a40c60705c53f5f146459b5",
              "versionType": "git"
            },
            {
              "lessThan": "b0b190218c78d8aeecfba36ea3a90063b3ede52d",
              "status": "affected",
              "version": "ff46e3b4421923937b7f6e44ffcd3549a074f321",
              "versionType": "git"
            },
            {
              "lessThan": "4f4aa4aa28142d53f8b06585c478476cfe325cfc",
              "status": "affected",
              "version": "ff46e3b4421923937b7f6e44ffcd3549a074f321",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "360892e60710427229fc1f7bb2218cf4d578229b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.15.162",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "6.1.97",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.9.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix memory leak in tcp_conn_request()\n\nIf inet_csk_reqsk_queue_hash_add() return false, tcp_conn_request() will\nreturn without free the dst memory, which allocated in af_ops-\u003eroute_req.\n\nHere is the kmemleak stack:\n\nunreferenced object 0xffff8881198631c0 (size 240):\n  comm \"softirq\", pid 0, jiffies 4299266571 (age 1802.392s)\n  hex dump (first 32 bytes):\n    00 10 9b 03 81 88 ff ff 80 98 da bc ff ff ff ff  ................\n    81 55 18 bb ff ff ff ff 00 00 00 00 00 00 00 00  .U..............\n  backtrace:\n    [\u003cffffffffb93e8d4c\u003e] kmem_cache_alloc+0x60c/0xa80\n    [\u003cffffffffba11b4c5\u003e] dst_alloc+0x55/0x250\n    [\u003cffffffffba227bf6\u003e] rt_dst_alloc+0x46/0x1d0\n    [\u003cffffffffba23050a\u003e] __mkroute_output+0x29a/0xa50\n    [\u003cffffffffba23456b\u003e] ip_route_output_key_hash+0x10b/0x240\n    [\u003cffffffffba2346bd\u003e] ip_route_output_flow+0x1d/0x90\n    [\u003cffffffffba254855\u003e] inet_csk_route_req+0x2c5/0x500\n    [\u003cffffffffba26b331\u003e] tcp_conn_request+0x691/0x12c0\n    [\u003cffffffffba27bd08\u003e] tcp_rcv_state_process+0x3c8/0x11b0\n    [\u003cffffffffba2965c6\u003e] tcp_v4_do_rcv+0x156/0x3b0\n    [\u003cffffffffba299c98\u003e] tcp_v4_rcv+0x1cf8/0x1d80\n    [\u003cffffffffba239656\u003e] ip_protocol_deliver_rcu+0xf6/0x360\n    [\u003cffffffffba2399a6\u003e] ip_local_deliver_finish+0xe6/0x1e0\n    [\u003cffffffffba239b8e\u003e] ip_local_deliver+0xee/0x360\n    [\u003cffffffffba239ead\u003e] ip_rcv+0xad/0x2f0\n    [\u003cffffffffba110943\u003e] __netif_receive_skb_one_core+0x123/0x140\n\nCall dst_release() to free the dst memory when\ninet_csk_reqsk_queue_hash_add() return false in tcp_conn_request()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:26.346Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9d38959677291552d1b0ed2689a540af279b5bf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/de3f999bf8aee16e9da1c1224191abdc69e97c9d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2af69905180b3fea12f9c1db374b153a06977021"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0b190218c78d8aeecfba36ea3a90063b3ede52d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f4aa4aa28142d53f8b06585c478476cfe325cfc"
        }
      ],
      "title": "net: fix memory leak in tcp_conn_request()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57841",
    "datePublished": "2025-01-15T13:10:26.842Z",
    "dateReserved": "2025-01-15T13:08:59.716Z",
    "dateUpdated": "2025-11-03T20:54:41.406Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21648 (GCVE-0-2025-21648)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:18 – Updated: 2025-11-03 20:58

Title

netfilter: conntrack: clamp maximum hashtable size to INT_MAX

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: clamp maximum hashtable size to INT_MAX Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. See: 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls") Note: hashtable resize is only possible from init_netns.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a965f7f0ea3ae61b9…
	https://git.kernel.org/stable/c/b1b2353d768f1b80c…
	https://git.kernel.org/stable/c/5552b4fd44be3393b…
	https://git.kernel.org/stable/c/d5807dd1328bbc86e…
	https://git.kernel.org/stable/c/f559357d035877b9d…
	https://git.kernel.org/stable/c/b541ba7d1f5a5b7b3…

Impacted products

Vendor

Product

Version

Linux

Affected: 9cc1c73ad66610bffc80b691136ffc1e9a3b1a58 , < a965f7f0ea3ae61b9165bed619d5d6da02c75f80 (git)
Affected: 9cc1c73ad66610bffc80b691136ffc1e9a3b1a58 , < b1b2353d768f1b80cd7fe045a70adee576b9b338 (git)
Affected: 9cc1c73ad66610bffc80b691136ffc1e9a3b1a58 , < 5552b4fd44be3393b930434a7845d8d95a2a3c33 (git)
Affected: 9cc1c73ad66610bffc80b691136ffc1e9a3b1a58 , < d5807dd1328bbc86e059c5de80d1bbee9d58ca3d (git)
Affected: 9cc1c73ad66610bffc80b691136ffc1e9a3b1a58 , < f559357d035877b9d0dcd273e0ff83e18e1d46aa (git)
Affected: 9cc1c73ad66610bffc80b691136ffc1e9a3b1a58 , < b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13 (git)

Linux

Affected: 4.7
Unaffected: 0 , < 4.7 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:30.561Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conntrack_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a965f7f0ea3ae61b9165bed619d5d6da02c75f80",
              "status": "affected",
              "version": "9cc1c73ad66610bffc80b691136ffc1e9a3b1a58",
              "versionType": "git"
            },
            {
              "lessThan": "b1b2353d768f1b80cd7fe045a70adee576b9b338",
              "status": "affected",
              "version": "9cc1c73ad66610bffc80b691136ffc1e9a3b1a58",
              "versionType": "git"
            },
            {
              "lessThan": "5552b4fd44be3393b930434a7845d8d95a2a3c33",
              "status": "affected",
              "version": "9cc1c73ad66610bffc80b691136ffc1e9a3b1a58",
              "versionType": "git"
            },
            {
              "lessThan": "d5807dd1328bbc86e059c5de80d1bbee9d58ca3d",
              "status": "affected",
              "version": "9cc1c73ad66610bffc80b691136ffc1e9a3b1a58",
              "versionType": "git"
            },
            {
              "lessThan": "f559357d035877b9d0dcd273e0ff83e18e1d46aa",
              "status": "affected",
              "version": "9cc1c73ad66610bffc80b691136ffc1e9a3b1a58",
              "versionType": "git"
            },
            {
              "lessThan": "b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13",
              "status": "affected",
              "version": "9cc1c73ad66610bffc80b691136ffc1e9a3b1a58",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conntrack_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "lessThan": "4.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: clamp maximum hashtable size to INT_MAX\n\nUse INT_MAX as maximum size for the conntrack hashtable. Otherwise, it\nis possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when\nresizing hashtable because __GFP_NOWARN is unset. See:\n\n  0708a0afe291 (\"mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls\")\n\nNote: hashtable resize is only possible from init_netns."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:12.315Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a965f7f0ea3ae61b9165bed619d5d6da02c75f80"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1b2353d768f1b80cd7fe045a70adee576b9b338"
        },
        {
          "url": "https://git.kernel.org/stable/c/5552b4fd44be3393b930434a7845d8d95a2a3c33"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5807dd1328bbc86e059c5de80d1bbee9d58ca3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f559357d035877b9d0dcd273e0ff83e18e1d46aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13"
        }
      ],
      "title": "netfilter: conntrack: clamp maximum hashtable size to INT_MAX",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21648",
    "datePublished": "2025-01-19T10:18:05.700Z",
    "dateReserved": "2024-12-29T08:45:45.728Z",
    "dateUpdated": "2025-11-03T20:58:30.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21661 (GCVE-0-2025-21661)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-10-01 19:57

Title

gpio: virtuser: fix missing lookup table cleanups

Summary

In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix missing lookup table cleanups When a virtuser device is created via configfs and the probe fails due to an incorrect lookup table, the table is not removed. This prevents subsequent probe attempts from succeeding, even if the issue is corrected, unless the device is released. Additionally, cleanup is also needed in the less likely case of platform_device_register_full() failure. Besides, a consistent memory leak in lookup_table->dev_id was spotted using kmemleak by toggling the live state between 0 and 1 with a correct lookup table. Introduce gpio_virtuser_remove_lookup_table() as the counterpart to the existing gpio_virtuser_make_lookup_table() and call it from all necessary points to ensure proper cleanup.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d72d0126b1f6981f6…
	https://git.kernel.org/stable/c/a619cba8c69c43425…

Impacted products

Vendor

Product

Version

Linux

Affected: 91581c4b3f29e2e22aeb1a62e842d529ca638b2d , < d72d0126b1f6981f6ce8b4247305f359958c11b5 (git)
Affected: 91581c4b3f29e2e22aeb1a62e842d529ca638b2d , < a619cba8c69c434258ff4101d463322cd63e1bdc (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21661",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:33.900455Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:13.331Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-virtuser.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d72d0126b1f6981f6ce8b4247305f359958c11b5",
              "status": "affected",
              "version": "91581c4b3f29e2e22aeb1a62e842d529ca638b2d",
              "versionType": "git"
            },
            {
              "lessThan": "a619cba8c69c434258ff4101d463322cd63e1bdc",
              "status": "affected",
              "version": "91581c4b3f29e2e22aeb1a62e842d529ca638b2d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-virtuser.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: virtuser: fix missing lookup table cleanups\n\nWhen a virtuser device is created via configfs and the probe fails due\nto an incorrect lookup table, the table is not removed. This prevents\nsubsequent probe attempts from succeeding, even if the issue is\ncorrected, unless the device is released. Additionally, cleanup is also\nneeded in the less likely case of platform_device_register_full()\nfailure.\n\nBesides, a consistent memory leak in lookup_table-\u003edev_id was spotted\nusing kmemleak by toggling the live state between 0 and 1 with a correct\nlookup table.\n\nIntroduce gpio_virtuser_remove_lookup_table() as the counterpart to the\nexisting gpio_virtuser_make_lookup_table() and call it from all\nnecessary points to ensure proper cleanup."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:27.332Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d72d0126b1f6981f6ce8b4247305f359958c11b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a619cba8c69c434258ff4101d463322cd63e1bdc"
        }
      ],
      "title": "gpio: virtuser: fix missing lookup table cleanups",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21661",
    "datePublished": "2025-01-21T12:18:16.902Z",
    "dateReserved": "2024-12-29T08:45:45.732Z",
    "dateUpdated": "2025-10-01T19:57:13.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56586 (GCVE-0-2024-56586)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:50 – Updated: 2025-11-03 20:50

Title

f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode.

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode. creating a large files during checkpoint disable until it runs out of space and then delete it, then remount to enable checkpoint again, and then unmount the filesystem triggers the f2fs_bug_on as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inode.c:896! CPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360 Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:f2fs_evict_inode+0x58c/0x610 Call Trace: __die_body+0x15/0x60 die+0x33/0x50 do_trap+0x10a/0x120 f2fs_evict_inode+0x58c/0x610 do_error_trap+0x60/0x80 f2fs_evict_inode+0x58c/0x610 exc_invalid_op+0x53/0x60 f2fs_evict_inode+0x58c/0x610 asm_exc_invalid_op+0x16/0x20 f2fs_evict_inode+0x58c/0x610 evict+0x101/0x260 dispose_list+0x30/0x50 evict_inodes+0x140/0x190 generic_shutdown_super+0x2f/0x150 kill_block_super+0x11/0x40 kill_f2fs_super+0x7d/0x140 deactivate_locked_super+0x2a/0x70 cleanup_mnt+0xb3/0x140 task_work_run+0x61/0x90 The root cause is: creating large files during disable checkpoint period results in not enough free segments, so when writing back root inode will failed in f2fs_enable_checkpoint. When umount the file system after enabling checkpoint, the root inode is dirty in f2fs_evict_inode function, which triggers BUG_ON. The steps to reproduce are as follows: dd if=/dev/zero of=f2fs.img bs=1M count=55 mount f2fs.img f2fs_dir -o checkpoint=disable:10% dd if=/dev/zero of=big bs=1M count=50 sync rm big mount -o remount,checkpoint=enable f2fs_dir umount f2fs_dir Let's redirty inode when there is not free segments during checkpoint is disable.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ac8aaf78bd039fa1b…
	https://git.kernel.org/stable/c/dff561e4060d28edc…
	https://git.kernel.org/stable/c/a365de2fbfbe1e674…
	https://git.kernel.org/stable/c/ef517d2d21c3d8e2a…
	https://git.kernel.org/stable/c/9669b28f81e0ec630…
	https://git.kernel.org/stable/c/9e28513fd2858911d…
	https://git.kernel.org/stable/c/d5c367ef8287fb4d2…

Impacted products

Vendor

Product

Version

Linux

Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < ac8aaf78bd039fa1be0acaa8e84a56499f79d721 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < dff561e4060d28edc9a2960d4a87f3c945a96aa3 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < a365de2fbfbe1e6740bfb75ab5c3245cf7bbe4d7 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < ef517d2d21c3d8e2ad35b2bb728bd1c90a31e617 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 9669b28f81e0ec6305af7773846fbe2cef1e7d61 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 9e28513fd2858911dcf47b84160a8824587536b6 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < d5c367ef8287fb4d235c46a2f8c8d68715f3a0ca (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:06.930Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac8aaf78bd039fa1be0acaa8e84a56499f79d721",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "dff561e4060d28edc9a2960d4a87f3c945a96aa3",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "a365de2fbfbe1e6740bfb75ab5c3245cf7bbe4d7",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "ef517d2d21c3d8e2ad35b2bb728bd1c90a31e617",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "9669b28f81e0ec6305af7773846fbe2cef1e7d61",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "9e28513fd2858911dcf47b84160a8824587536b6",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "d5c367ef8287fb4d235c46a2f8c8d68715f3a0ca",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode.\n\ncreating a large files during checkpoint disable until it runs out of\nspace and then delete it, then remount to enable checkpoint again, and\nthen unmount the filesystem triggers the f2fs_bug_on as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inode.c:896!\nCPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:f2fs_evict_inode+0x58c/0x610\nCall Trace:\n __die_body+0x15/0x60\n die+0x33/0x50\n do_trap+0x10a/0x120\n f2fs_evict_inode+0x58c/0x610\n do_error_trap+0x60/0x80\n f2fs_evict_inode+0x58c/0x610\n exc_invalid_op+0x53/0x60\n f2fs_evict_inode+0x58c/0x610\n asm_exc_invalid_op+0x16/0x20\n f2fs_evict_inode+0x58c/0x610\n evict+0x101/0x260\n dispose_list+0x30/0x50\n evict_inodes+0x140/0x190\n generic_shutdown_super+0x2f/0x150\n kill_block_super+0x11/0x40\n kill_f2fs_super+0x7d/0x140\n deactivate_locked_super+0x2a/0x70\n cleanup_mnt+0xb3/0x140\n task_work_run+0x61/0x90\n\nThe root cause is: creating large files during disable checkpoint\nperiod results in not enough free segments, so when writing back root\ninode will failed in f2fs_enable_checkpoint. When umount the file\nsystem after enabling checkpoint, the root inode is dirty in\nf2fs_evict_inode function, which triggers BUG_ON. The steps to\nreproduce are as follows:\n\ndd if=/dev/zero of=f2fs.img bs=1M count=55\nmount f2fs.img f2fs_dir -o checkpoint=disable:10%\ndd if=/dev/zero of=big bs=1M count=50\nsync\nrm big\nmount -o remount,checkpoint=enable f2fs_dir\numount f2fs_dir\n\nLet\u0027s redirty inode when there is not free segments during checkpoint\nis disable."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T17:21:32.749Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac8aaf78bd039fa1be0acaa8e84a56499f79d721"
        },
        {
          "url": "https://git.kernel.org/stable/c/dff561e4060d28edc9a2960d4a87f3c945a96aa3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a365de2fbfbe1e6740bfb75ab5c3245cf7bbe4d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef517d2d21c3d8e2ad35b2bb728bd1c90a31e617"
        },
        {
          "url": "https://git.kernel.org/stable/c/9669b28f81e0ec6305af7773846fbe2cef1e7d61"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e28513fd2858911dcf47b84160a8824587536b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5c367ef8287fb4d235c46a2f8c8d68715f3a0ca"
        }
      ],
      "title": "f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56586",
    "datePublished": "2024-12-27T14:50:54.378Z",
    "dateReserved": "2024-12-27T14:03:06.001Z",
    "dateUpdated": "2025-11-03T20:50:06.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56577 (GCVE-0-2024-56577)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-10-01 20:07

Title

media: mtk-jpeg: Fix null-ptr-deref during unload module

Summary

In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix null-ptr-deref during unload module The workqueue should be destroyed in mtk_jpeg_core.c since commit 09aea13ecf6f ("media: mtk-jpeg: refactor some variables"), otherwise the below calltrace can be easily triggered. [ 677.862514] Unable to handle kernel paging request at virtual address dfff800000000023 [ 677.863633] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] ... [ 677.879654] CPU: 6 PID: 1071 Comm: modprobe Tainted: G O 6.8.12-mtk+gfa1a78e5d24b+ #17 ... [ 677.882838] pc : destroy_workqueue+0x3c/0x770 [ 677.883413] lr : mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw] [ 677.884314] sp : ffff80008ad974f0 [ 677.884744] x29: ffff80008ad974f0 x28: ffff0000d7115580 x27: ffff0000dd691070 [ 677.885669] x26: ffff0000dd691408 x25: ffff8000844af3e0 x24: ffff80008ad97690 [ 677.886592] x23: ffff0000e051d400 x22: ffff0000dd691010 x21: dfff800000000000 [ 677.887515] x20: 0000000000000000 x19: 0000000000000000 x18: ffff800085397ac0 [ 677.888438] x17: 0000000000000000 x16: ffff8000801b87c8 x15: 1ffff000115b2e10 [ 677.889361] x14: 00000000f1f1f1f1 x13: 0000000000000000 x12: ffff7000115b2e4d [ 677.890285] x11: 1ffff000115b2e4c x10: ffff7000115b2e4c x9 : ffff80000aa43e90 [ 677.891208] x8 : 00008fffeea4d1b4 x7 : ffff80008ad97267 x6 : 0000000000000001 [ 677.892131] x5 : ffff80008ad97260 x4 : ffff7000115b2e4d x3 : 0000000000000000 [ 677.893054] x2 : 0000000000000023 x1 : dfff800000000000 x0 : 0000000000000118 [ 677.893977] Call trace: [ 677.894297] destroy_workqueue+0x3c/0x770 [ 677.894826] mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw] [ 677.895677] devm_action_release+0x50/0x90 [ 677.896211] release_nodes+0xe8/0x170 [ 677.896688] devres_release_all+0xf8/0x178 [ 677.897219] device_unbind_cleanup+0x24/0x170 [ 677.897785] device_release_driver_internal+0x35c/0x480 [ 677.898461] device_release_driver+0x20/0x38 ... [ 677.912665] ---[ end trace 0000000000000000 ]---

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0ba08c21c6a92e651…
	https://git.kernel.org/stable/c/bc3889a39baf783c6…
	https://git.kernel.org/stable/c/17af2b39daf12870c…

Impacted products

Vendor

Product

Version

Linux

Affected: 09aea13ecf6f89ed7f18114953695563f64f461c , < 0ba08c21c6a92e6512e73644555120427c9a49d4 (git)
Affected: 09aea13ecf6f89ed7f18114953695563f64f461c , < bc3889a39baf783c64c6d628bbb74d76ce164bb1 (git)
Affected: 09aea13ecf6f89ed7f18114953695563f64f461c , < 17af2b39daf12870cac61ffc360e62bc35798afb (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56577",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:56.696947Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:14.975Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c",
            "drivers/media/platform/mediatek/jpeg/mtk_jpeg_dec_hw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0ba08c21c6a92e6512e73644555120427c9a49d4",
              "status": "affected",
              "version": "09aea13ecf6f89ed7f18114953695563f64f461c",
              "versionType": "git"
            },
            {
              "lessThan": "bc3889a39baf783c64c6d628bbb74d76ce164bb1",
              "status": "affected",
              "version": "09aea13ecf6f89ed7f18114953695563f64f461c",
              "versionType": "git"
            },
            {
              "lessThan": "17af2b39daf12870cac61ffc360e62bc35798afb",
              "status": "affected",
              "version": "09aea13ecf6f89ed7f18114953695563f64f461c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c",
            "drivers/media/platform/mediatek/jpeg/mtk_jpeg_dec_hw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-jpeg: Fix null-ptr-deref during unload module\n\nThe workqueue should be destroyed in mtk_jpeg_core.c since commit\n09aea13ecf6f (\"media: mtk-jpeg: refactor some variables\"), otherwise\nthe below calltrace can be easily triggered.\n\n[  677.862514] Unable to handle kernel paging request at virtual address dfff800000000023\n[  677.863633] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\n...\n[  677.879654] CPU: 6 PID: 1071 Comm: modprobe Tainted: G           O       6.8.12-mtk+gfa1a78e5d24b+ #17\n...\n[  677.882838] pc : destroy_workqueue+0x3c/0x770\n[  677.883413] lr : mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]\n[  677.884314] sp : ffff80008ad974f0\n[  677.884744] x29: ffff80008ad974f0 x28: ffff0000d7115580 x27: ffff0000dd691070\n[  677.885669] x26: ffff0000dd691408 x25: ffff8000844af3e0 x24: ffff80008ad97690\n[  677.886592] x23: ffff0000e051d400 x22: ffff0000dd691010 x21: dfff800000000000\n[  677.887515] x20: 0000000000000000 x19: 0000000000000000 x18: ffff800085397ac0\n[  677.888438] x17: 0000000000000000 x16: ffff8000801b87c8 x15: 1ffff000115b2e10\n[  677.889361] x14: 00000000f1f1f1f1 x13: 0000000000000000 x12: ffff7000115b2e4d\n[  677.890285] x11: 1ffff000115b2e4c x10: ffff7000115b2e4c x9 : ffff80000aa43e90\n[  677.891208] x8 : 00008fffeea4d1b4 x7 : ffff80008ad97267 x6 : 0000000000000001\n[  677.892131] x5 : ffff80008ad97260 x4 : ffff7000115b2e4d x3 : 0000000000000000\n[  677.893054] x2 : 0000000000000023 x1 : dfff800000000000 x0 : 0000000000000118\n[  677.893977] Call trace:\n[  677.894297]  destroy_workqueue+0x3c/0x770\n[  677.894826]  mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]\n[  677.895677]  devm_action_release+0x50/0x90\n[  677.896211]  release_nodes+0xe8/0x170\n[  677.896688]  devres_release_all+0xf8/0x178\n[  677.897219]  device_unbind_cleanup+0x24/0x170\n[  677.897785]  device_release_driver_internal+0x35c/0x480\n[  677.898461]  device_release_driver+0x20/0x38\n...\n[  677.912665] ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:46.663Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0ba08c21c6a92e6512e73644555120427c9a49d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc3889a39baf783c64c6d628bbb74d76ce164bb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/17af2b39daf12870cac61ffc360e62bc35798afb"
        }
      ],
      "title": "media: mtk-jpeg: Fix null-ptr-deref during unload module",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56577",
    "datePublished": "2024-12-27T14:23:19.725Z",
    "dateReserved": "2024-12-27T14:03:05.999Z",
    "dateUpdated": "2025-10-01T20:07:14.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53179 (GCVE-0-2024-53179)

Vulnerability from cvelistv5 – Published: 2024-12-27 13:49 – Updated: 2026-01-05 10:55

Title

smb: client: fix use-after-free of signing key

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free of signing key Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF* Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/39619c65ab4bbb3e7…
	https://git.kernel.org/stable/c/0e2b654a3848bf9da…
	https://git.kernel.org/stable/c/343d7fe6df9e24767…

Impacted products

Vendor

Product

Version

Linux

Affected: 32811d242ff6f28da2ab18c90a15e32fd958e774 , < 39619c65ab4bbb3e78c818f537687653e112764d (git)
Affected: 32811d242ff6f28da2ab18c90a15e32fd958e774 , < 0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591 (git)
Affected: 32811d242ff6f28da2ab18c90a15e32fd958e774 , < 343d7fe6df9e247671440a932b6a73af4fa86d95 (git)

Linux

Affected: 3.12
Unaffected: 0 , < 3.12 (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.2 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-53179",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:13:09.010478Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:09.328Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2proto.h",
            "fs/smb/client/smb2transport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "39619c65ab4bbb3e78c818f537687653e112764d",
              "status": "affected",
              "version": "32811d242ff6f28da2ab18c90a15e32fd958e774",
              "versionType": "git"
            },
            {
              "lessThan": "0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591",
              "status": "affected",
              "version": "32811d242ff6f28da2ab18c90a15e32fd958e774",
              "versionType": "git"
            },
            {
              "lessThan": "343d7fe6df9e247671440a932b6a73af4fa86d95",
              "status": "affected",
              "version": "32811d242ff6f28da2ab18c90a15e32fd958e774",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2proto.h",
            "fs/smb/client/smb2transport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free of signing key\n\nCustomers have reported use-after-free in @ses-\u003eauth_key.response with\nSMB2.1 + sign mounts which occurs due to following race:\n\ntask A                         task B\ncifs_mount()\n dfs_mount_share()\n  get_session()\n   cifs_mount_get_session()    cifs_send_recv()\n    cifs_get_smb_ses()          compound_send_recv()\n     cifs_setup_session()        smb2_setup_request()\n      kfree_sensitive()           smb2_calc_signature()\n                                   crypto_shash_setkey() *UAF*\n\nFix this by ensuring that we have a valid @ses-\u003eauth_key.response by\nchecking whether @ses-\u003eses_status is SES_GOOD or SES_EXITING with\n@ses-\u003eses_lock held.  After commit 24a9799aa8ef (\"smb: client: fix UAF\nin smb2_reconnect_server()\"), we made sure to call -\u003elogoff() only\nwhen @ses was known to be good (e.g. valid -\u003eauth_key.response), so\nit\u0027s safe to access signing key when @ses-\u003eses_status == SES_EXITING."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:55:42.113Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/39619c65ab4bbb3e78c818f537687653e112764d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e2b654a3848bf9da3b0d54c1ccf3f1b8c635591"
        },
        {
          "url": "https://git.kernel.org/stable/c/343d7fe6df9e247671440a932b6a73af4fa86d95"
        }
      ],
      "title": "smb: client: fix use-after-free of signing key",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53179",
    "datePublished": "2024-12-27T13:49:22.982Z",
    "dateReserved": "2024-11-19T17:17:25.008Z",
    "dateUpdated": "2026-01-05T10:55:42.113Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56572 (GCVE-0-2024-56572)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-11-03 20:49

Title

media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()

Summary

In the Linux kernel, the following vulnerability has been resolved: media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal() The buffer in the loop should be released under the exception path, otherwise there may be a memory leak here. To mitigate this, free the buffer when allegro_alloc_buffer fails.

Severity ?

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cf642904be39ae0d4…
	https://git.kernel.org/stable/c/74a65313578b35e12…
	https://git.kernel.org/stable/c/64f72a738864b506a…
	https://git.kernel.org/stable/c/17e5613666209be4e…
	https://git.kernel.org/stable/c/6712a28a4f923ffdf…
	https://git.kernel.org/stable/c/891b5790bee8fc6dd…
	https://git.kernel.org/stable/c/0f514068fbc5d4d18…

Impacted products

Vendor

Product

Version

Linux

Affected: f20387dfd065693ba7ea2788a2f893bf653c9cb8 , < cf642904be39ae0d441dbdfa8f485e0a46260be4 (git)
Affected: f20387dfd065693ba7ea2788a2f893bf653c9cb8 , < 74a65313578b35e1239966adfa7ac2bdd60caf00 (git)
Affected: f20387dfd065693ba7ea2788a2f893bf653c9cb8 , < 64f72a738864b506ab50b4a6cb3ce3c3e04b71af (git)
Affected: f20387dfd065693ba7ea2788a2f893bf653c9cb8 , < 17e5613666209be4e5be1f1894f1a6014a8a0658 (git)
Affected: f20387dfd065693ba7ea2788a2f893bf653c9cb8 , < 6712a28a4f923ffdf51cff267ad05a634ee1babc (git)
Affected: f20387dfd065693ba7ea2788a2f893bf653c9cb8 , < 891b5790bee8fc6ddba17874dd87a646128d0b99 (git)
Affected: f20387dfd065693ba7ea2788a2f893bf653c9cb8 , < 0f514068fbc5d4d189c817adc7c4e32cffdc2e47 (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "LOW",
              "baseScore": 3.3,
              "baseSeverity": "LOW",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56572",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-17T20:10:43.633548Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-17T20:15:53.019Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:49:45.324Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/allegro-dvt/allegro-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cf642904be39ae0d441dbdfa8f485e0a46260be4",
              "status": "affected",
              "version": "f20387dfd065693ba7ea2788a2f893bf653c9cb8",
              "versionType": "git"
            },
            {
              "lessThan": "74a65313578b35e1239966adfa7ac2bdd60caf00",
              "status": "affected",
              "version": "f20387dfd065693ba7ea2788a2f893bf653c9cb8",
              "versionType": "git"
            },
            {
              "lessThan": "64f72a738864b506ab50b4a6cb3ce3c3e04b71af",
              "status": "affected",
              "version": "f20387dfd065693ba7ea2788a2f893bf653c9cb8",
              "versionType": "git"
            },
            {
              "lessThan": "17e5613666209be4e5be1f1894f1a6014a8a0658",
              "status": "affected",
              "version": "f20387dfd065693ba7ea2788a2f893bf653c9cb8",
              "versionType": "git"
            },
            {
              "lessThan": "6712a28a4f923ffdf51cff267ad05a634ee1babc",
              "status": "affected",
              "version": "f20387dfd065693ba7ea2788a2f893bf653c9cb8",
              "versionType": "git"
            },
            {
              "lessThan": "891b5790bee8fc6ddba17874dd87a646128d0b99",
              "status": "affected",
              "version": "f20387dfd065693ba7ea2788a2f893bf653c9cb8",
              "versionType": "git"
            },
            {
              "lessThan": "0f514068fbc5d4d189c817adc7c4e32cffdc2e47",
              "status": "affected",
              "version": "f20387dfd065693ba7ea2788a2f893bf653c9cb8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/allegro-dvt/allegro-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()\n\nThe buffer in the loop should be released under the exception path,\notherwise there may be a memory leak here.\n\nTo mitigate this, free the buffer when allegro_alloc_buffer fails."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:38.800Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cf642904be39ae0d441dbdfa8f485e0a46260be4"
        },
        {
          "url": "https://git.kernel.org/stable/c/74a65313578b35e1239966adfa7ac2bdd60caf00"
        },
        {
          "url": "https://git.kernel.org/stable/c/64f72a738864b506ab50b4a6cb3ce3c3e04b71af"
        },
        {
          "url": "https://git.kernel.org/stable/c/17e5613666209be4e5be1f1894f1a6014a8a0658"
        },
        {
          "url": "https://git.kernel.org/stable/c/6712a28a4f923ffdf51cff267ad05a634ee1babc"
        },
        {
          "url": "https://git.kernel.org/stable/c/891b5790bee8fc6ddba17874dd87a646128d0b99"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f514068fbc5d4d189c817adc7c4e32cffdc2e47"
        }
      ],
      "title": "media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56572",
    "datePublished": "2024-12-27T14:23:15.298Z",
    "dateReserved": "2024-12-27T14:03:05.998Z",
    "dateUpdated": "2025-11-03T20:49:45.324Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21633 (GCVE-0-2025-21633)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:17 – Updated: 2025-05-20 13:56

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2025-05-20T13:56:01.414Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21633",
    "datePublished": "2025-01-19T10:17:51.933Z",
    "dateRejected": "2025-05-20T13:56:01.414Z",
    "dateReserved": "2024-12-29T08:45:45.726Z",
    "dateUpdated": "2025-05-20T13:56:01.414Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57890 (GCVE-0-2024-57890)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-11-03 20:55

Title

RDMA/uverbs: Prevent integer overflow issue

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Prevent integer overflow issue In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 values that come from the user so the multiplication can lead to integer wrapping. Then we pass the result to uverbs_request_next_ptr() which also could potentially wrap. The "cmd.sge_count * sizeof(struct ib_uverbs_sge)" multiplication can also overflow on 32bit systems although it's fine on 64bit systems. This patch does two things. First, I've re-arranged the condition in uverbs_request_next_ptr() so that the use controlled variable "len" is on one side of the comparison by itself without any math. Then I've modified all the callers to use size_mul() for the multiplications.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c57721b24bd897338…
	https://git.kernel.org/stable/c/42a6eb4ed7a9a41ba…
	https://git.kernel.org/stable/c/c2f961c46ea0e5274…
	https://git.kernel.org/stable/c/346db03e9926ab711…
	https://git.kernel.org/stable/c/b92667f755749cf10…
	https://git.kernel.org/stable/c/b3ef4ae7133605011…
	https://git.kernel.org/stable/c/d0257e089d1bbd35c…

Impacted products

Vendor

Product

Version

Linux

Affected: 67cdb40ca444c09853ab4d8a41cf547ac26a4de4 , < c57721b24bd897338a81a0ca5fff41600f0f1ad1 (git)
Affected: 67cdb40ca444c09853ab4d8a41cf547ac26a4de4 , < 42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608 (git)
Affected: 67cdb40ca444c09853ab4d8a41cf547ac26a4de4 , < c2f961c46ea0e5274c5c320d007c2dd949cf627a (git)
Affected: 67cdb40ca444c09853ab4d8a41cf547ac26a4de4 , < 346db03e9926ab7117ed9bf19665699c037c773c (git)
Affected: 67cdb40ca444c09853ab4d8a41cf547ac26a4de4 , < b92667f755749cf10d9ef1088865c555ae83ffb7 (git)
Affected: 67cdb40ca444c09853ab4d8a41cf547ac26a4de4 , < b3ef4ae713360501182695dd47d6b4f6e1a43eb8 (git)
Affected: 67cdb40ca444c09853ab4d8a41cf547ac26a4de4 , < d0257e089d1bbd35c69b6c97ff73e3690ab149a9 (git)

Linux

Affected: 2.6.15
Unaffected: 0 , < 2.6.15 (semver)
Unaffected: 5.4.289 , ≤ 5.4.* (semver)
Unaffected: 5.10.233 , ≤ 5.10.* (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57890",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:43.293040Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:19.385Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:02.845Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/uverbs_cmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c57721b24bd897338a81a0ca5fff41600f0f1ad1",
              "status": "affected",
              "version": "67cdb40ca444c09853ab4d8a41cf547ac26a4de4",
              "versionType": "git"
            },
            {
              "lessThan": "42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608",
              "status": "affected",
              "version": "67cdb40ca444c09853ab4d8a41cf547ac26a4de4",
              "versionType": "git"
            },
            {
              "lessThan": "c2f961c46ea0e5274c5c320d007c2dd949cf627a",
              "status": "affected",
              "version": "67cdb40ca444c09853ab4d8a41cf547ac26a4de4",
              "versionType": "git"
            },
            {
              "lessThan": "346db03e9926ab7117ed9bf19665699c037c773c",
              "status": "affected",
              "version": "67cdb40ca444c09853ab4d8a41cf547ac26a4de4",
              "versionType": "git"
            },
            {
              "lessThan": "b92667f755749cf10d9ef1088865c555ae83ffb7",
              "status": "affected",
              "version": "67cdb40ca444c09853ab4d8a41cf547ac26a4de4",
              "versionType": "git"
            },
            {
              "lessThan": "b3ef4ae713360501182695dd47d6b4f6e1a43eb8",
              "status": "affected",
              "version": "67cdb40ca444c09853ab4d8a41cf547ac26a4de4",
              "versionType": "git"
            },
            {
              "lessThan": "d0257e089d1bbd35c69b6c97ff73e3690ab149a9",
              "status": "affected",
              "version": "67cdb40ca444c09853ab4d8a41cf547ac26a4de4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/uverbs_cmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.15"
            },
            {
              "lessThan": "2.6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/uverbs: Prevent integer overflow issue\n\nIn the expression \"cmd.wqe_size * cmd.wr_count\", both variables are u32\nvalues that come from the user so the multiplication can lead to integer\nwrapping.  Then we pass the result to uverbs_request_next_ptr() which also\ncould potentially wrap.  The \"cmd.sge_count * sizeof(struct ib_uverbs_sge)\"\nmultiplication can also overflow on 32bit systems although it\u0027s fine on\n64bit systems.\n\nThis patch does two things.  First, I\u0027ve re-arranged the condition in\nuverbs_request_next_ptr() so that the use controlled variable \"len\" is on\none side of the comparison by itself without any math.  Then I\u0027ve modified\nall the callers to use size_mul() for the multiplications."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:59.389Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c57721b24bd897338a81a0ca5fff41600f0f1ad1"
        },
        {
          "url": "https://git.kernel.org/stable/c/42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2f961c46ea0e5274c5c320d007c2dd949cf627a"
        },
        {
          "url": "https://git.kernel.org/stable/c/346db03e9926ab7117ed9bf19665699c037c773c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b92667f755749cf10d9ef1088865c555ae83ffb7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3ef4ae713360501182695dd47d6b4f6e1a43eb8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0257e089d1bbd35c69b6c97ff73e3690ab149a9"
        }
      ],
      "title": "RDMA/uverbs: Prevent integer overflow issue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57890",
    "datePublished": "2025-01-15T13:05:42.690Z",
    "dateReserved": "2025-01-11T14:45:42.027Z",
    "dateUpdated": "2025-11-03T20:55:02.845Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21645 (GCVE-0-2025-21645)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:18 – Updated: 2025-11-03 19:35

Title

platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it

Summary

In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it Wakeup for IRQ1 should be disabled only in cases where i8042 had actually enabled it, otherwise "wake_depth" for this IRQ will try to drop below zero and there will be an unpleasant WARN() logged: kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug kernel: ------------[ cut here ]------------ kernel: Unbalanced IRQ 1 wake disable kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0 The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and .poweroff handlers. i8042_pm_suspend(), however, is only set as the .suspend handler. Fix the issue by call PMC suspend handler only from the same set of dev_pm_ops handlers as i8042_pm_suspend(), which currently means just the .suspend handler. To reproduce this issue try hibernating (S4) the machine after a fresh boot without putting it into s2idle first. [ij: edited the commit message.]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ab47d72b736e78d3c…
	https://git.kernel.org/stable/c/5cc621085e2b7a9b1…
	https://git.kernel.org/stable/c/b25778c87a6bce40c…
	https://git.kernel.org/stable/c/dd410d784402c5775…

Impacted products

Vendor

Product

Version

Linux

Affected: 72e5a83b7c8401856cc3732150af24e43726717a , < ab47d72b736e78d3c2370b26e0bfc46eb0918391 (git)
Affected: 8e60615e8932167057b363c11a7835da7f007106 , < 5cc621085e2b7a9b1905a98f8e5a86bb4aea2016 (git)
Affected: 8e60615e8932167057b363c11a7835da7f007106 , < b25778c87a6bce40c31e92364f08aa6240309e25 (git)
Affected: 8e60615e8932167057b363c11a7835da7f007106 , < dd410d784402c5775f66faf8b624e85e41c38aaf (git)
Affected: 3fc9dc0340e0b5df8059313537b55f82c1e84e94 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.1.140 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:35:40.906Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/amd/pmc/pmc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ab47d72b736e78d3c2370b26e0bfc46eb0918391",
              "status": "affected",
              "version": "72e5a83b7c8401856cc3732150af24e43726717a",
              "versionType": "git"
            },
            {
              "lessThan": "5cc621085e2b7a9b1905a98f8e5a86bb4aea2016",
              "status": "affected",
              "version": "8e60615e8932167057b363c11a7835da7f007106",
              "versionType": "git"
            },
            {
              "lessThan": "b25778c87a6bce40c31e92364f08aa6240309e25",
              "status": "affected",
              "version": "8e60615e8932167057b363c11a7835da7f007106",
              "versionType": "git"
            },
            {
              "lessThan": "dd410d784402c5775f66faf8b624e85e41c38aaf",
              "status": "affected",
              "version": "8e60615e8932167057b363c11a7835da7f007106",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3fc9dc0340e0b5df8059313537b55f82c1e84e94",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/amd/pmc/pmc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.140",
                  "versionStartIncluding": "6.1.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.95",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it\n\nWakeup for IRQ1 should be disabled only in cases where i8042 had\nactually enabled it, otherwise \"wake_depth\" for this IRQ will try to\ndrop below zero and there will be an unpleasant WARN() logged:\n\nkernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug\nkernel: ------------[ cut here ]------------\nkernel: Unbalanced IRQ 1 wake disable\nkernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0\n\nThe PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops\nwhich sets amd_pmc_suspend_handler() to the .suspend, .freeze, and\n.poweroff handlers. i8042_pm_suspend(), however, is only set as\nthe .suspend handler.\n\nFix the issue by call PMC suspend handler only from the same set of\ndev_pm_ops handlers as i8042_pm_suspend(), which currently means just\nthe .suspend handler.\n\nTo reproduce this issue try hibernating (S4) the machine after a fresh boot\nwithout putting it into s2idle first.\n\n[ij: edited the commit message.]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T12:40:04.881Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ab47d72b736e78d3c2370b26e0bfc46eb0918391"
        },
        {
          "url": "https://git.kernel.org/stable/c/5cc621085e2b7a9b1905a98f8e5a86bb4aea2016"
        },
        {
          "url": "https://git.kernel.org/stable/c/b25778c87a6bce40c31e92364f08aa6240309e25"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd410d784402c5775f66faf8b624e85e41c38aaf"
        }
      ],
      "title": "platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21645",
    "datePublished": "2025-01-19T10:18:01.556Z",
    "dateReserved": "2024-12-29T08:45:45.728Z",
    "dateUpdated": "2025-11-03T19:35:40.906Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21629 (GCVE-0-2025-21629)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:06 – Updated: 2025-11-03 20:58

Title

net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets

Summary

In the Linux kernel, the following vulnerability has been resolved: net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets The blamed commit disabled hardware offoad of IPv6 packets with extension headers on devices that advertise NETIF_F_IPV6_CSUM, based on the definition of that feature in skbuff.h: * * - %NETIF_F_IPV6_CSUM * - Driver (device) is only able to checksum plain * TCP or UDP packets over IPv6. These are specifically * unencapsulated packets of the form IPv6|TCP or * IPv6|UDP where the Next Header field in the IPv6 * header is either TCP or UDP. IPv6 extension headers * are not supported with this feature. This feature * cannot be set in features for a device with * NETIF_F_HW_CSUM also set. This feature is being * DEPRECATED (see below). The change causes skb_warn_bad_offload to fire for BIG TCP packets. [ 496.310233] WARNING: CPU: 13 PID: 23472 at net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe0 [ 496.310297] ? skb_warn_bad_offload+0xc4/0xe0 [ 496.310300] skb_checksum_help+0x129/0x1f0 [ 496.310303] skb_csum_hwoffload_help+0x150/0x1b0 [ 496.310306] validate_xmit_skb+0x159/0x270 [ 496.310309] validate_xmit_skb_list+0x41/0x70 [ 496.310312] sch_direct_xmit+0x5c/0x250 [ 496.310317] __qdisc_run+0x388/0x620 BIG TCP introduced an IPV6_TLV_JUMBO IPv6 extension header to communicate packet length, as this is an IPv6 jumbogram. But, the feature is only enabled on devices that support BIG TCP TSO. The header is only present for PF_PACKET taps like tcpdump, and not transmitted by physical devices. For this specific case of extension headers that are not transmitted, return to the situation before the blamed commit and support hardware offload. ipv6_has_hopopt_jumbo() tests not only whether this header is present, but also that it is the only extension header before a terminal (L4) header.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ac9cfef69565021c9…
	https://git.kernel.org/stable/c/95ccf006bbc8b5904…
	https://git.kernel.org/stable/c/d3b7a9c7597b77903…
	https://git.kernel.org/stable/c/68e068cabd2c6c533…

Impacted products

Vendor

Product

Version

Linux

Affected: a84978a9cda68f0afe3f01d476c68db21526baf1 , < ac9cfef69565021c9e1022a493a9c40b03e2caf9 (git)
Affected: c69bc67c1cb211aa390bea6e512bb01b1241fefb , < 95ccf006bbc8b59044313b8c309dcf29c546abd4 (git)
Affected: 04c20a9356f283da623903e81e7c6d5df7e4dc3c , < d3b7a9c7597b779039a51d7b34116fbe424bf2b7 (git)
Affected: 04c20a9356f283da623903e81e7c6d5df7e4dc3c , < 68e068cabd2c6c533ef934c2e5151609cf6ecc6d (git)
Affected: bcefc3cd7f592a70fcbbbfd7ad1fbc69172ea78b (git)
Affected: 477b35d94a21530046fe91589960732fcf2b29ed (git)
Affected: a27a5c40ee4cbe00294e2c76160de5f2589061ba (git)
Affected: 9f605135a5c0fe614c2b15197b9ced1e217eca59 (git)
Affected: 705350fbd6ed4b5d89ee045fa57a0594a72b17d7 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:10.807Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac9cfef69565021c9e1022a493a9c40b03e2caf9",
              "status": "affected",
              "version": "a84978a9cda68f0afe3f01d476c68db21526baf1",
              "versionType": "git"
            },
            {
              "lessThan": "95ccf006bbc8b59044313b8c309dcf29c546abd4",
              "status": "affected",
              "version": "c69bc67c1cb211aa390bea6e512bb01b1241fefb",
              "versionType": "git"
            },
            {
              "lessThan": "d3b7a9c7597b779039a51d7b34116fbe424bf2b7",
              "status": "affected",
              "version": "04c20a9356f283da623903e81e7c6d5df7e4dc3c",
              "versionType": "git"
            },
            {
              "lessThan": "68e068cabd2c6c533ef934c2e5151609cf6ecc6d",
              "status": "affected",
              "version": "04c20a9356f283da623903e81e7c6d5df7e4dc3c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bcefc3cd7f592a70fcbbbfd7ad1fbc69172ea78b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "477b35d94a21530046fe91589960732fcf2b29ed",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a27a5c40ee4cbe00294e2c76160de5f2589061ba",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9f605135a5c0fe614c2b15197b9ced1e217eca59",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "705350fbd6ed4b5d89ee045fa57a0594a72b17d7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "6.1.116",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.6.60",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.323",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.285",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.171",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\n\nThe blamed commit disabled hardware offoad of IPv6 packets with\nextension headers on devices that advertise NETIF_F_IPV6_CSUM,\nbased on the definition of that feature in skbuff.h:\n\n *   * - %NETIF_F_IPV6_CSUM\n *     - Driver (device) is only able to checksum plain\n *       TCP or UDP packets over IPv6. These are specifically\n *       unencapsulated packets of the form IPv6|TCP or\n *       IPv6|UDP where the Next Header field in the IPv6\n *       header is either TCP or UDP. IPv6 extension headers\n *       are not supported with this feature. This feature\n *       cannot be set in features for a device with\n *       NETIF_F_HW_CSUM also set. This feature is being\n *       DEPRECATED (see below).\n\nThe change causes skb_warn_bad_offload to fire for BIG TCP\npackets.\n\n[  496.310233] WARNING: CPU: 13 PID: 23472 at net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe0\n\n[  496.310297]  ? skb_warn_bad_offload+0xc4/0xe0\n[  496.310300]  skb_checksum_help+0x129/0x1f0\n[  496.310303]  skb_csum_hwoffload_help+0x150/0x1b0\n[  496.310306]  validate_xmit_skb+0x159/0x270\n[  496.310309]  validate_xmit_skb_list+0x41/0x70\n[  496.310312]  sch_direct_xmit+0x5c/0x250\n[  496.310317]  __qdisc_run+0x388/0x620\n\nBIG TCP introduced an IPV6_TLV_JUMBO IPv6 extension header to\ncommunicate packet length, as this is an IPv6 jumbogram. But, the\nfeature is only enabled on devices that support BIG TCP TSO. The\nheader is only present for PF_PACKET taps like tcpdump, and not\ntransmitted by physical devices.\n\nFor this specific case of extension headers that are not\ntransmitted, return to the situation before the blamed commit\nand support hardware offload.\n\nipv6_has_hopopt_jumbo() tests not only whether this header is present,\nbut also that it is the only extension header before a terminal (L4)\nheader."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:05:58.402Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac9cfef69565021c9e1022a493a9c40b03e2caf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/95ccf006bbc8b59044313b8c309dcf29c546abd4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3b7a9c7597b779039a51d7b34116fbe424bf2b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/68e068cabd2c6c533ef934c2e5151609cf6ecc6d"
        }
      ],
      "title": "net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21629",
    "datePublished": "2025-01-15T13:06:00.128Z",
    "dateReserved": "2024-12-29T08:45:45.725Z",
    "dateUpdated": "2025-11-03T20:58:10.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56566 (GCVE-0-2024-56566)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-05-04 09:58

Title

mm/slub: Avoid list corruption when removing a slab from the full list

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/slub: Avoid list corruption when removing a slab from the full list Boot with slub_debug=UFPZ. If allocated object failed in alloc_consistency_checks, all objects of the slab will be marked as used, and then the slab will be removed from the partial list. When an object belonging to the slab got freed later, the remove_full() function is called. Because the slab is neither on the partial list nor on the full list, it eventually lead to a list corruption (actually a list poison being detected). So we need to mark and isolate the slab page with metadata corruption, do not put it back in circulation. Because the debug caches avoid all the fastpaths, reusing the frozen bit to mark slab page with metadata corruption seems to be fine. [ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100) [ 4277.387023] ------------[ cut here ]------------ [ 4277.387880] kernel BUG at lib/list_debug.c:56! [ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G OE 6.6.1-1 #1 [ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs] [ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91 [ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082 [ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000 [ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff [ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0 [ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910 [ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0 [ 4277.404049] FS: 0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000 [ 4277.405357] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0 [ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4277.410000] PKRU: 55555554 [ 4277.410645] Call Trace: [ 4277.411234] <TASK> [ 4277.411777] ? die+0x32/0x80 [ 4277.412439] ? do_trap+0xd6/0x100 [ 4277.413150] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.414158] ? do_error_trap+0x6a/0x90 [ 4277.414948] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.415915] ? exc_invalid_op+0x4c/0x60 [ 4277.416710] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.417675] ? asm_exc_invalid_op+0x16/0x20 [ 4277.418482] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.419466] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.420410] free_to_partial_list+0x515/0x5e0 [ 4277.421242] ? xfs_iext_remove+0x41a/0xa10 [xfs] [ 4277.422298] xfs_iext_remove+0x41a/0xa10 [xfs] [ 4277.423316] ? xfs_inodegc_worker+0xb4/0x1a0 [xfs] [ 4277.424383] xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs] [ 4277.425490] __xfs_bunmapi+0x50d/0x840 [xfs] [ 4277.426445] xfs_itruncate_extents_flags+0x13a/0x490 [xfs] [ 4277.427553] xfs_inactive_truncate+0xa3/0x120 [xfs] [ 4277.428567] xfs_inactive+0x22d/0x290 [xfs] [ 4277.429500] xfs_inodegc_worker+0xb4/0x1a0 [xfs] [ 4277.430479] process_one_work+0x171/0x340 [ 4277.431227] worker_thread+0x277/0x390 [ 4277.431962] ? __pfx_worker_thread+0x10/0x10 [ 4277.432752] kthread+0xf0/0x120 [ 4277.433382] ? __pfx_kthread+0x10/0x10 [ 4277.434134] ret_from_fork+0x2d/0x50 [ 4277.434837] ? __pfx_kthread+0x10/0x10 [ 4277.435566] ret_from_fork_asm+0x1b/0x30 [ 4277.436280] </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/33a213c04faff6c3a…
	https://git.kernel.org/stable/c/943c0f601cd28c107…
	https://git.kernel.org/stable/c/dbc16915279a548a2…

Impacted products

Vendor

Product

Version

Linux

Affected: 643b113849d8faa68c9f01c3c9d929bfbffd50bd , < 33a213c04faff6c3a7fe77e947db81bc7270fe32 (git)
Affected: 643b113849d8faa68c9f01c3c9d929bfbffd50bd , < 943c0f601cd28c1073b92b5f944c6c6c2643e709 (git)
Affected: 643b113849d8faa68c9f01c3c9d929bfbffd50bd , < dbc16915279a548a204154368da23d402c141c81 (git)

Linux

Affected: 2.6.22
Unaffected: 0 , < 2.6.22 (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/slab.h",
            "mm/slub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "33a213c04faff6c3a7fe77e947db81bc7270fe32",
              "status": "affected",
              "version": "643b113849d8faa68c9f01c3c9d929bfbffd50bd",
              "versionType": "git"
            },
            {
              "lessThan": "943c0f601cd28c1073b92b5f944c6c6c2643e709",
              "status": "affected",
              "version": "643b113849d8faa68c9f01c3c9d929bfbffd50bd",
              "versionType": "git"
            },
            {
              "lessThan": "dbc16915279a548a204154368da23d402c141c81",
              "status": "affected",
              "version": "643b113849d8faa68c9f01c3c9d929bfbffd50bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/slab.h",
            "mm/slub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: Avoid list corruption when removing a slab from the full list\n\nBoot with slub_debug=UFPZ.\n\nIf allocated object failed in alloc_consistency_checks, all objects of\nthe slab will be marked as used, and then the slab will be removed from\nthe partial list.\n\nWhen an object belonging to the slab got freed later, the remove_full()\nfunction is called. Because the slab is neither on the partial list nor\non the full list, it eventually lead to a list corruption (actually a\nlist poison being detected).\n\nSo we need to mark and isolate the slab page with metadata corruption,\ndo not put it back in circulation.\n\nBecause the debug caches avoid all the fastpaths, reusing the frozen bit\nto mark slab page with metadata corruption seems to be fine.\n\n[ 4277.385669] list_del corruption, ffffea00044b3e50-\u003enext is LIST_POISON1 (dead000000000100)\n[ 4277.387023] ------------[ cut here ]------------\n[ 4277.387880] kernel BUG at lib/list_debug.c:56!\n[ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G           OE      6.6.1-1 #1\n[ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs]\n[ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91\n[ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082\n[ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000\n[ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff\n[ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0\n[ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910\n[ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0\n[ 4277.404049] FS:  0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000\n[ 4277.405357] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0\n[ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4277.410000] PKRU: 55555554\n[ 4277.410645] Call Trace:\n[ 4277.411234]  \u003cTASK\u003e\n[ 4277.411777]  ? die+0x32/0x80\n[ 4277.412439]  ? do_trap+0xd6/0x100\n[ 4277.413150]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.414158]  ? do_error_trap+0x6a/0x90\n[ 4277.414948]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.415915]  ? exc_invalid_op+0x4c/0x60\n[ 4277.416710]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.417675]  ? asm_exc_invalid_op+0x16/0x20\n[ 4277.418482]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.419466]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.420410]  free_to_partial_list+0x515/0x5e0\n[ 4277.421242]  ? xfs_iext_remove+0x41a/0xa10 [xfs]\n[ 4277.422298]  xfs_iext_remove+0x41a/0xa10 [xfs]\n[ 4277.423316]  ? xfs_inodegc_worker+0xb4/0x1a0 [xfs]\n[ 4277.424383]  xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs]\n[ 4277.425490]  __xfs_bunmapi+0x50d/0x840 [xfs]\n[ 4277.426445]  xfs_itruncate_extents_flags+0x13a/0x490 [xfs]\n[ 4277.427553]  xfs_inactive_truncate+0xa3/0x120 [xfs]\n[ 4277.428567]  xfs_inactive+0x22d/0x290 [xfs]\n[ 4277.429500]  xfs_inodegc_worker+0xb4/0x1a0 [xfs]\n[ 4277.430479]  process_one_work+0x171/0x340\n[ 4277.431227]  worker_thread+0x277/0x390\n[ 4277.431962]  ? __pfx_worker_thread+0x10/0x10\n[ 4277.432752]  kthread+0xf0/0x120\n[ 4277.433382]  ? __pfx_kthread+0x10/0x10\n[ 4277.434134]  ret_from_fork+0x2d/0x50\n[ 4277.434837]  ? __pfx_kthread+0x10/0x10\n[ 4277.435566]  ret_from_fork_asm+0x1b/0x30\n[ 4277.436280]  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:31.111Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/33a213c04faff6c3a7fe77e947db81bc7270fe32"
        },
        {
          "url": "https://git.kernel.org/stable/c/943c0f601cd28c1073b92b5f944c6c6c2643e709"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbc16915279a548a204154368da23d402c141c81"
        }
      ],
      "title": "mm/slub: Avoid list corruption when removing a slab from the full list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56566",
    "datePublished": "2024-12-27T14:23:10.178Z",
    "dateReserved": "2024-12-27T14:03:05.996Z",
    "dateUpdated": "2025-05-04T09:58:31.111Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57801 (GCVE-0-2024-57801)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2025-05-04 10:05

Title

net/mlx5e: Skip restore TC rules for vport rep without loaded flag

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Skip restore TC rules for vport rep without loaded flag During driver unload, unregister_netdev is called after unloading vport rep. So, the mlx5e_rep_priv is already freed while trying to get rpriv->netdev, or walk rpriv->tc_ht, which results in use-after-free. So add the checking to make sure access the data of vport rep which is still loaded.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3e45dd1622a2c1a83…
	https://git.kernel.org/stable/c/47c78d3fc26e38ab8…
	https://git.kernel.org/stable/c/5a03b368562a7ff5f…

Impacted products

Vendor

Product

Version

Linux

Affected: d1569537a837d66620aa7ffc2bddf918e902f227 , < 3e45dd1622a2c1a83c11bf42fdd8c1810123d6c0 (git)
Affected: d1569537a837d66620aa7ffc2bddf918e902f227 , < 47c78d3fc26e38ab805613a0f592dc8a820c7c64 (git)
Affected: d1569537a837d66620aa7ffc2bddf918e902f227 , < 5a03b368562a7ff5f5f1f63b5adf8309cbdbd5be (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57801",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:06.687224Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:20.073Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c",
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch.h",
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3e45dd1622a2c1a83c11bf42fdd8c1810123d6c0",
              "status": "affected",
              "version": "d1569537a837d66620aa7ffc2bddf918e902f227",
              "versionType": "git"
            },
            {
              "lessThan": "47c78d3fc26e38ab805613a0f592dc8a820c7c64",
              "status": "affected",
              "version": "d1569537a837d66620aa7ffc2bddf918e902f227",
              "versionType": "git"
            },
            {
              "lessThan": "5a03b368562a7ff5f5f1f63b5adf8309cbdbd5be",
              "status": "affected",
              "version": "d1569537a837d66620aa7ffc2bddf918e902f227",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c",
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch.h",
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Skip restore TC rules for vport rep without loaded flag\n\nDuring driver unload, unregister_netdev is called after unloading\nvport rep. So, the mlx5e_rep_priv is already freed while trying to get\nrpriv-\u003enetdev, or walk rpriv-\u003etc_ht, which results in use-after-free.\nSo add the checking to make sure access the data of vport rep which is\nstill loaded."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:08.464Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3e45dd1622a2c1a83c11bf42fdd8c1810123d6c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/47c78d3fc26e38ab805613a0f592dc8a820c7c64"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a03b368562a7ff5f5f1f63b5adf8309cbdbd5be"
        }
      ],
      "title": "net/mlx5e: Skip restore TC rules for vport rep without loaded flag",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57801",
    "datePublished": "2025-01-15T13:10:24.619Z",
    "dateReserved": "2025-01-15T13:08:59.741Z",
    "dateUpdated": "2025-05-04T10:05:08.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56580 (GCVE-0-2024-56580)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-10-01 20:07

Title

media: qcom: camss: fix error path on configuration of power domains

Summary

In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: fix error path on configuration of power domains There is a chance to meet runtime issues during configuration of CAMSS power domains, because on the error path dev_pm_domain_detach() is unexpectedly called with NULL or error pointer. One of the simplest ways to reproduce the problem is to probe CAMSS driver before registration of CAMSS power domains, for instance if a platform CAMCC driver is simply not built. Warning backtrace example: Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a2 <snip> pc : dev_pm_domain_detach+0x8/0x48 lr : camss_probe+0x374/0x9c0 <snip> Call trace: dev_pm_domain_detach+0x8/0x48 platform_probe+0x70/0xf0 really_probe+0xc4/0x2a8 __driver_probe_device+0x80/0x140 driver_probe_device+0x48/0x170 __device_attach_driver+0xc0/0x148 bus_for_each_drv+0x88/0xf0 __device_attach+0xb0/0x1c0 device_initial_probe+0x1c/0x30 bus_probe_device+0xb4/0xc0 deferred_probe_work_func+0x90/0xd0 process_one_work+0x164/0x3e0 worker_thread+0x310/0x420 kthread+0x120/0x130 ret_from_fork+0x10/0x20

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c98586d8d01c9e860…
	https://git.kernel.org/stable/c/4f45d65b781499d2a…

Impacted products

Vendor

Product

Version

Linux

Affected: 23aa4f0cd3273b269560a9236c48b43a3982ac13 , < c98586d8d01c9e860e7acc3807c2afeb1dc14e8a (git)
Affected: 23aa4f0cd3273b269560a9236c48b43a3982ac13 , < 4f45d65b781499d2a79eca12155532739c876aa2 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56580",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:46.947831Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:14.600Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/camss/camss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c98586d8d01c9e860e7acc3807c2afeb1dc14e8a",
              "status": "affected",
              "version": "23aa4f0cd3273b269560a9236c48b43a3982ac13",
              "versionType": "git"
            },
            {
              "lessThan": "4f45d65b781499d2a79eca12155532739c876aa2",
              "status": "affected",
              "version": "23aa4f0cd3273b269560a9236c48b43a3982ac13",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/camss/camss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: qcom: camss: fix error path on configuration of power domains\n\nThere is a chance to meet runtime issues during configuration of CAMSS\npower domains, because on the error path dev_pm_domain_detach() is\nunexpectedly called with NULL or error pointer.\n\nOne of the simplest ways to reproduce the problem is to probe CAMSS\ndriver before registration of CAMSS power domains, for instance if\na platform CAMCC driver is simply not built.\n\nWarning backtrace example:\n\n    Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a2\n\n    \u003csnip\u003e\n\n    pc : dev_pm_domain_detach+0x8/0x48\n    lr : camss_probe+0x374/0x9c0\n\n    \u003csnip\u003e\n\n    Call trace:\n     dev_pm_domain_detach+0x8/0x48\n     platform_probe+0x70/0xf0\n     really_probe+0xc4/0x2a8\n     __driver_probe_device+0x80/0x140\n     driver_probe_device+0x48/0x170\n     __device_attach_driver+0xc0/0x148\n     bus_for_each_drv+0x88/0xf0\n     __device_attach+0xb0/0x1c0\n     device_initial_probe+0x1c/0x30\n     bus_probe_device+0xb4/0xc0\n     deferred_probe_work_func+0x90/0xd0\n     process_one_work+0x164/0x3e0\n     worker_thread+0x310/0x420\n     kthread+0x120/0x130\n     ret_from_fork+0x10/0x20"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:56.589Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c98586d8d01c9e860e7acc3807c2afeb1dc14e8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f45d65b781499d2a79eca12155532739c876aa2"
        }
      ],
      "title": "media: qcom: camss: fix error path on configuration of power domains",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56580",
    "datePublished": "2024-12-27T14:23:22.380Z",
    "dateReserved": "2024-12-27T14:03:06.000Z",
    "dateUpdated": "2025-10-01T20:07:14.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56583 (GCVE-0-2024-56583)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:50 – Updated: 2025-05-04 13:00

Title

sched/deadline: Fix warning in migrate_enable for boosted tasks

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Fix warning in migrate_enable for boosted tasks When running the following command: while true; do stress-ng --cyclic 30 --timeout 30s --minimize --quiet done a warning is eventually triggered: WARNING: CPU: 43 PID: 2848 at kernel/sched/deadline.c:794 setup_new_dl_entity+0x13e/0x180 ... Call Trace: <TASK> ? show_trace_log_lvl+0x1c4/0x2df ? enqueue_dl_entity+0x631/0x6e0 ? setup_new_dl_entity+0x13e/0x180 ? __warn+0x7e/0xd0 ? report_bug+0x11a/0x1a0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 enqueue_dl_entity+0x631/0x6e0 enqueue_task_dl+0x7d/0x120 __do_set_cpus_allowed+0xe3/0x280 __set_cpus_allowed_ptr_locked+0x140/0x1d0 __set_cpus_allowed_ptr+0x54/0xa0 migrate_enable+0x7e/0x150 rt_spin_unlock+0x1c/0x90 group_send_sig_info+0xf7/0x1a0 ? kill_pid_info+0x1f/0x1d0 kill_pid_info+0x78/0x1d0 kill_proc_info+0x5b/0x110 __x64_sys_kill+0x93/0xc0 do_syscall_64+0x5c/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7f0dab31f92b This warning occurs because set_cpus_allowed dequeues and enqueues tasks with the ENQUEUE_RESTORE flag set. If the task is boosted, the warning is triggered. A boosted task already had its parameters set by rt_mutex_setprio, and a new call to setup_new_dl_entity is unnecessary, hence the WARN_ON call. Check if we are requeueing a boosted task and avoid calling setup_new_dl_entity if that's the case.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b600d30402854415a…
	https://git.kernel.org/stable/c/e41074904d9ed3fe5…
	https://git.kernel.org/stable/c/0664e2c311b9fa43b…

Impacted products

Vendor

Product

Version

Linux

Affected: 295d6d5e373607729bcc8182c25afe964655714f , < b600d30402854415aa57548a6b53dc6478f65517 (git)
Affected: 295d6d5e373607729bcc8182c25afe964655714f , < e41074904d9ed3fe582d6e544c77b40c22043c82 (git)
Affected: 295d6d5e373607729bcc8182c25afe964655714f , < 0664e2c311b9fa43b33e3e81429cd0c2d7f9c638 (git)
Affected: fd8cb2e71cdd8e814cbdadddd0d0e6e3d49eaa2c (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/deadline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b600d30402854415aa57548a6b53dc6478f65517",
              "status": "affected",
              "version": "295d6d5e373607729bcc8182c25afe964655714f",
              "versionType": "git"
            },
            {
              "lessThan": "e41074904d9ed3fe582d6e544c77b40c22043c82",
              "status": "affected",
              "version": "295d6d5e373607729bcc8182c25afe964655714f",
              "versionType": "git"
            },
            {
              "lessThan": "0664e2c311b9fa43b33e3e81429cd0c2d7f9c638",
              "status": "affected",
              "version": "295d6d5e373607729bcc8182c25afe964655714f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fd8cb2e71cdd8e814cbdadddd0d0e6e3d49eaa2c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/deadline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.70",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix warning in migrate_enable for boosted tasks\n\nWhen running the following command:\n\nwhile true; do\n    stress-ng --cyclic 30 --timeout 30s --minimize --quiet\ndone\n\na warning is eventually triggered:\n\nWARNING: CPU: 43 PID: 2848 at kernel/sched/deadline.c:794\nsetup_new_dl_entity+0x13e/0x180\n...\nCall Trace:\n \u003cTASK\u003e\n ? show_trace_log_lvl+0x1c4/0x2df\n ? enqueue_dl_entity+0x631/0x6e0\n ? setup_new_dl_entity+0x13e/0x180\n ? __warn+0x7e/0xd0\n ? report_bug+0x11a/0x1a0\n ? handle_bug+0x3c/0x70\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n enqueue_dl_entity+0x631/0x6e0\n enqueue_task_dl+0x7d/0x120\n __do_set_cpus_allowed+0xe3/0x280\n __set_cpus_allowed_ptr_locked+0x140/0x1d0\n __set_cpus_allowed_ptr+0x54/0xa0\n migrate_enable+0x7e/0x150\n rt_spin_unlock+0x1c/0x90\n group_send_sig_info+0xf7/0x1a0\n ? kill_pid_info+0x1f/0x1d0\n kill_pid_info+0x78/0x1d0\n kill_proc_info+0x5b/0x110\n __x64_sys_kill+0x93/0xc0\n do_syscall_64+0x5c/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n RIP: 0033:0x7f0dab31f92b\n\nThis warning occurs because set_cpus_allowed dequeues and enqueues tasks\nwith the ENQUEUE_RESTORE flag set. If the task is boosted, the warning\nis triggered. A boosted task already had its parameters set by\nrt_mutex_setprio, and a new call to setup_new_dl_entity is unnecessary,\nhence the WARN_ON call.\n\nCheck if we are requeueing a boosted task and avoid calling\nsetup_new_dl_entity if that\u0027s the case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:54.578Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b600d30402854415aa57548a6b53dc6478f65517"
        },
        {
          "url": "https://git.kernel.org/stable/c/e41074904d9ed3fe582d6e544c77b40c22043c82"
        },
        {
          "url": "https://git.kernel.org/stable/c/0664e2c311b9fa43b33e3e81429cd0c2d7f9c638"
        }
      ],
      "title": "sched/deadline: Fix warning in migrate_enable for boosted tasks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56583",
    "datePublished": "2024-12-27T14:50:51.781Z",
    "dateReserved": "2024-12-27T14:03:06.001Z",
    "dateUpdated": "2025-05-04T13:00:54.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-36476 (GCVE-0-2024-36476)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2025-11-03 20:37

Title

RDMA/rtrs: Ensure 'ib_sge list' is accessible

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs: Ensure 'ib_sge list' is accessible Move the declaration of the 'ib_sge list' variable outside the 'always_invalidate' block to ensure it remains accessible for use throughout the function. Previously, 'ib_sge list' was declared within the 'always_invalidate' block, limiting its accessibility, then caused a 'BUG: kernel NULL pointer dereference'[1]. ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2d0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? memcpy_orig+0xd5/0x140 rxe_mr_copy+0x1c3/0x200 [rdma_rxe] ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe] copy_data+0xa5/0x230 [rdma_rxe] rxe_requester+0xd9b/0xf70 [rdma_rxe] ? finish_task_switch.isra.0+0x99/0x2e0 rxe_sender+0x13/0x40 [rdma_rxe] do_task+0x68/0x1e0 [rdma_rxe] process_one_work+0x177/0x330 worker_thread+0x252/0x390 ? __pfx_worker_thread+0x10/0x10 This change ensures the variable is available for subsequent operations that require it. [1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7eaa71f56a6f7ab87…
	https://git.kernel.org/stable/c/143378075904e78b3…
	https://git.kernel.org/stable/c/32e1e748a85bd52b2…
	https://git.kernel.org/stable/c/b238f61cc394d5fef…
	https://git.kernel.org/stable/c/6ffb5c1885195ae52…
	https://git.kernel.org/stable/c/fb514b31395946022…

Impacted products

Vendor

Product

Version

Linux

Affected: 9cb837480424e78ed585376f944088246685aec3 , < 7eaa71f56a6f7ab87957213472dc6d4055862722 (git)
Affected: 9cb837480424e78ed585376f944088246685aec3 , < 143378075904e78b3b2a810099bcc3b3d82d762f (git)
Affected: 9cb837480424e78ed585376f944088246685aec3 , < 32e1e748a85bd52b20b3857d80fd166d22fa455a (git)
Affected: 9cb837480424e78ed585376f944088246685aec3 , < b238f61cc394d5fef27b26d7d9aa383ebfddabb0 (git)
Affected: 9cb837480424e78ed585376f944088246685aec3 , < 6ffb5c1885195ae5211a12b4acd2d51843ca41b0 (git)
Affected: 9cb837480424e78ed585376f944088246685aec3 , < fb514b31395946022f13a08e06a435f53cf9e8b3 (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.233 , ≤ 5.10.* (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-36476",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:29.846906Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:18.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:37:45.505Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/ulp/rtrs/rtrs-srv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7eaa71f56a6f7ab87957213472dc6d4055862722",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "143378075904e78b3b2a810099bcc3b3d82d762f",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "32e1e748a85bd52b20b3857d80fd166d22fa455a",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "b238f61cc394d5fef27b26d7d9aa383ebfddabb0",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "6ffb5c1885195ae5211a12b4acd2d51843ca41b0",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "fb514b31395946022f13a08e06a435f53cf9e8b3",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/ulp/rtrs/rtrs-srv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs: Ensure \u0027ib_sge list\u0027 is accessible\n\nMove the declaration of the \u0027ib_sge list\u0027 variable outside the\n\u0027always_invalidate\u0027 block to ensure it remains accessible for use\nthroughout the function.\n\nPreviously, \u0027ib_sge list\u0027 was declared within the \u0027always_invalidate\u0027\nblock, limiting its accessibility, then caused a\n\u0027BUG: kernel NULL pointer dereference\u0027[1].\n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15a/0x2d0\n ? search_module_extables+0x19/0x60\n ? search_bpf_extables+0x5f/0x80\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? memcpy_orig+0xd5/0x140\n rxe_mr_copy+0x1c3/0x200 [rdma_rxe]\n ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe]\n copy_data+0xa5/0x230 [rdma_rxe]\n rxe_requester+0xd9b/0xf70 [rdma_rxe]\n ? finish_task_switch.isra.0+0x99/0x2e0\n rxe_sender+0x13/0x40 [rdma_rxe]\n do_task+0x68/0x1e0 [rdma_rxe]\n process_one_work+0x177/0x330\n worker_thread+0x252/0x390\n ? __pfx_worker_thread+0x10/0x10\n\nThis change ensures the variable is available for subsequent operations\nthat require it.\n\n[1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:11:05.567Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7eaa71f56a6f7ab87957213472dc6d4055862722"
        },
        {
          "url": "https://git.kernel.org/stable/c/143378075904e78b3b2a810099bcc3b3d82d762f"
        },
        {
          "url": "https://git.kernel.org/stable/c/32e1e748a85bd52b20b3857d80fd166d22fa455a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b238f61cc394d5fef27b26d7d9aa383ebfddabb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ffb5c1885195ae5211a12b4acd2d51843ca41b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb514b31395946022f13a08e06a435f53cf9e8b3"
        }
      ],
      "title": "RDMA/rtrs: Ensure \u0027ib_sge list\u0027 is accessible",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-36476",
    "datePublished": "2025-01-15T13:10:20.507Z",
    "dateReserved": "2025-01-15T13:08:59.730Z",
    "dateUpdated": "2025-11-03T20:37:45.505Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57876 (GCVE-0-2024-57876)

Vulnerability from cvelistv5 – Published: 2025-01-11 14:49 – Updated: 2025-11-03 20:54

Title

drm/dp_mst: Fix resetting msg rx state after topology removal

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Fix resetting msg rx state after topology removal If the MST topology is removed during the reception of an MST down reply or MST up request sideband message, the drm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be reset from one thread via drm_dp_mst_topology_mgr_set_mst(false), racing with the reading/parsing of the message from another thread via drm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req(). The race is possible since the reader/parser doesn't hold any lock while accessing the reception state. This in turn can lead to a memory corruption in the reader/parser as described by commit bd2fccac61b4 ("drm/dp_mst: Fix MST sideband message body length check"). Fix the above by resetting the message reception state if needed before reading/parsing a message. Another solution would be to hold the drm_dp_mst_topology_mgr::lock for the whole duration of the message reception/parsing in drm_dp_mst_handle_down_rep() and drm_dp_mst_handle_up_req(), however this would require a bigger change. Since the fix is also needed for stable, opting for the simpler solution in this patch.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/94b33b2d7640e8078…
	https://git.kernel.org/stable/c/d834d20d2e86c52ed…
	https://git.kernel.org/stable/c/be826b4451fd187a7…
	https://git.kernel.org/stable/c/a6fa67d26de385c3c…

Impacted products

Vendor

Product

Version

Linux

Affected: b30fcedeba643ca16eaa6212c1245598b7cd830d , < 94b33b2d7640e807869451384eb88321dd0ffbd4 (git)
Affected: 1d082618bbf3b6755b8cc68c0a8122af2842d593 , < d834d20d2e86c52ed5cab41763fa61e6071680ef (git)
Affected: 1d082618bbf3b6755b8cc68c0a8122af2842d593 , < be826b4451fd187a7c0b04be4f8243d5df6e0450 (git)
Affected: 1d082618bbf3b6755b8cc68c0a8122af2842d593 , < a6fa67d26de385c3c7a23c1e109a0e23bfda4ec7 (git)
Affected: ee4a4282d78d96e07e714c28ca54679713fa2157 (git)
Affected: db35e49413a4d03ea0c003598803e49956f59324 (git)
Affected: a579ed4613b5a64074963988ad481e43cf3b917b (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:49.904Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/display/drm_dp_mst_topology.c",
            "include/drm/display/drm_dp_mst_helper.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "94b33b2d7640e807869451384eb88321dd0ffbd4",
              "status": "affected",
              "version": "b30fcedeba643ca16eaa6212c1245598b7cd830d",
              "versionType": "git"
            },
            {
              "lessThan": "d834d20d2e86c52ed5cab41763fa61e6071680ef",
              "status": "affected",
              "version": "1d082618bbf3b6755b8cc68c0a8122af2842d593",
              "versionType": "git"
            },
            {
              "lessThan": "be826b4451fd187a7c0b04be4f8243d5df6e0450",
              "status": "affected",
              "version": "1d082618bbf3b6755b8cc68c0a8122af2842d593",
              "versionType": "git"
            },
            {
              "lessThan": "a6fa67d26de385c3c7a23c1e109a0e23bfda4ec7",
              "status": "affected",
              "version": "1d082618bbf3b6755b8cc68c0a8122af2842d593",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ee4a4282d78d96e07e714c28ca54679713fa2157",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "db35e49413a4d03ea0c003598803e49956f59324",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a579ed4613b5a64074963988ad481e43cf3b917b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/display/drm_dp_mst_topology.c",
            "include/drm/display/drm_dp_mst_helper.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "6.1.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.173",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.100",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.2.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp_mst: Fix resetting msg rx state after topology removal\n\nIf the MST topology is removed during the reception of an MST down reply\nor MST up request sideband message, the\ndrm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be reset\nfrom one thread via drm_dp_mst_topology_mgr_set_mst(false), racing with\nthe reading/parsing of the message from another thread via\ndrm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req(). The race is\npossible since the reader/parser doesn\u0027t hold any lock while accessing\nthe reception state. This in turn can lead to a memory corruption in the\nreader/parser as described by commit bd2fccac61b4 (\"drm/dp_mst: Fix MST\nsideband message body length check\").\n\nFix the above by resetting the message reception state if needed before\nreading/parsing a message. Another solution would be to hold the\ndrm_dp_mst_topology_mgr::lock for the whole duration of the message\nreception/parsing in drm_dp_mst_handle_down_rep() and\ndrm_dp_mst_handle_up_req(), however this would require a bigger change.\nSince the fix is also needed for stable, opting for the simpler solution\nin this patch."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:27.572Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/94b33b2d7640e807869451384eb88321dd0ffbd4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d834d20d2e86c52ed5cab41763fa61e6071680ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/be826b4451fd187a7c0b04be4f8243d5df6e0450"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6fa67d26de385c3c7a23c1e109a0e23bfda4ec7"
        }
      ],
      "title": "drm/dp_mst: Fix resetting msg rx state after topology removal",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57876",
    "datePublished": "2025-01-11T14:49:02.550Z",
    "dateReserved": "2025-01-11T14:45:42.023Z",
    "dateUpdated": "2025-11-03T20:54:49.904Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56588 (GCVE-0-2024-56588)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:50 – Updated: 2025-05-04 09:59

Title

scsi: hisi_sas: Create all dump files during debugfs initialization

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Create all dump files during debugfs initialization For the current debugfs of hisi_sas, after user triggers dump, the driver allocate memory space to save the register information and create debugfs files to display the saved information. In this process, the debugfs files created after each dump. Therefore, when the dump is triggered while the driver is unbind, the following hang occurs: [67840.853907] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 [67840.862947] Mem abort info: [67840.865855] ESR = 0x0000000096000004 [67840.869713] EC = 0x25: DABT (current EL), IL = 32 bits [67840.875125] SET = 0, FnV = 0 [67840.878291] EA = 0, S1PTW = 0 [67840.881545] FSC = 0x04: level 0 translation fault [67840.886528] Data abort info: [67840.889524] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [67840.895117] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [67840.900284] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [67840.905709] user pgtable: 4k pages, 48-bit VAs, pgdp=0000002803a1f000 [67840.912263] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000 [67840.919177] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [67840.996435] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [67841.003628] pc : down_write+0x30/0x98 [67841.007546] lr : start_creating.part.0+0x60/0x198 [67841.012495] sp : ffff8000b979ba20 [67841.016046] x29: ffff8000b979ba20 x28: 0000000000000010 x27: 0000000000024b40 [67841.023412] x26: 0000000000000012 x25: ffff20202b355ae8 x24: ffff20202b35a8c8 [67841.030779] x23: ffffa36877928208 x22: ffffa368b4972240 x21: ffff8000b979bb18 [67841.038147] x20: ffff00281dc1e3c0 x19: fffffffffffffffe x18: 0000000000000020 [67841.045515] x17: 0000000000000000 x16: ffffa368b128a530 x15: ffffffffffffffff [67841.052888] x14: ffff8000b979bc18 x13: ffffffffffffffff x12: ffff8000b979bb18 [67841.060263] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa368b1289b18 [67841.067640] x8 : 0000000000000012 x7 : 0000000000000000 x6 : 00000000000003a9 [67841.075014] x5 : 0000000000000000 x4 : ffff002818c5cb00 x3 : 0000000000000001 [67841.082388] x2 : 0000000000000000 x1 : ffff002818c5cb00 x0 : 00000000000000a0 [67841.089759] Call trace: [67841.092456] down_write+0x30/0x98 [67841.096017] start_creating.part.0+0x60/0x198 [67841.100613] debugfs_create_dir+0x48/0x1f8 [67841.104950] debugfs_create_files_v3_hw+0x88/0x348 [hisi_sas_v3_hw] [67841.111447] debugfs_snapshot_regs_v3_hw+0x708/0x798 [hisi_sas_v3_hw] [67841.118111] debugfs_trigger_dump_v3_hw_write+0x9c/0x120 [hisi_sas_v3_hw] [67841.125115] full_proxy_write+0x68/0xc8 [67841.129175] vfs_write+0xd8/0x3f0 [67841.132708] ksys_write+0x70/0x108 [67841.136317] __arm64_sys_write+0x24/0x38 [67841.140440] invoke_syscall+0x50/0x128 [67841.144385] el0_svc_common.constprop.0+0xc8/0xf0 [67841.149273] do_el0_svc+0x24/0x38 [67841.152773] el0_svc+0x38/0xd8 [67841.156009] el0t_64_sync_handler+0xc0/0xc8 [67841.160361] el0t_64_sync+0x1a4/0x1a8 [67841.164189] Code: b9000882 d2800002 d2800023 f9800011 (c85ffc05) [67841.170443] ---[ end trace 0000000000000000 ]--- To fix this issue, create all directories and files during debugfs initialization. In this way, the driver only needs to allocate memory space to save information each time the user triggers dumping.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7c8c50c9855a9e1b0…
	https://git.kernel.org/stable/c/6c55f99123075e542…
	https://git.kernel.org/stable/c/9f564f15f88490b48…

Impacted products

Vendor

Product

Version

Linux

Affected: 47caad1577cd7a39e2048c5e4edbce4b863dc12b , < 7c8c50c9855a9e1b0d1e3680e5ad839002a9deb5 (git)
Affected: 47caad1577cd7a39e2048c5e4edbce4b863dc12b , < 6c55f99123075e5429850b41b06f7dfffcb708eb (git)
Affected: 47caad1577cd7a39e2048c5e4edbce4b863dc12b , < 9f564f15f88490b484e02442dc4c4b11640ea172 (git)

Linux

Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7c8c50c9855a9e1b0d1e3680e5ad839002a9deb5",
              "status": "affected",
              "version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
              "versionType": "git"
            },
            {
              "lessThan": "6c55f99123075e5429850b41b06f7dfffcb708eb",
              "status": "affected",
              "version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
              "versionType": "git"
            },
            {
              "lessThan": "9f564f15f88490b484e02442dc4c4b11640ea172",
              "status": "affected",
              "version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Create all dump files during debugfs initialization\n\nFor the current debugfs of hisi_sas, after user triggers dump, the\ndriver allocate memory space to save the register information and create\ndebugfs files to display the saved information. In this process, the\ndebugfs files created after each dump.\n\nTherefore, when the dump is triggered while the driver is unbind, the\nfollowing hang occurs:\n\n[67840.853907] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[67840.862947] Mem abort info:\n[67840.865855]   ESR = 0x0000000096000004\n[67840.869713]   EC = 0x25: DABT (current EL), IL = 32 bits\n[67840.875125]   SET = 0, FnV = 0\n[67840.878291]   EA = 0, S1PTW = 0\n[67840.881545]   FSC = 0x04: level 0 translation fault\n[67840.886528] Data abort info:\n[67840.889524]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[67840.895117]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[67840.900284]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[67840.905709] user pgtable: 4k pages, 48-bit VAs, pgdp=0000002803a1f000\n[67840.912263] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000\n[67840.919177] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[67840.996435] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[67841.003628] pc : down_write+0x30/0x98\n[67841.007546] lr : start_creating.part.0+0x60/0x198\n[67841.012495] sp : ffff8000b979ba20\n[67841.016046] x29: ffff8000b979ba20 x28: 0000000000000010 x27: 0000000000024b40\n[67841.023412] x26: 0000000000000012 x25: ffff20202b355ae8 x24: ffff20202b35a8c8\n[67841.030779] x23: ffffa36877928208 x22: ffffa368b4972240 x21: ffff8000b979bb18\n[67841.038147] x20: ffff00281dc1e3c0 x19: fffffffffffffffe x18: 0000000000000020\n[67841.045515] x17: 0000000000000000 x16: ffffa368b128a530 x15: ffffffffffffffff\n[67841.052888] x14: ffff8000b979bc18 x13: ffffffffffffffff x12: ffff8000b979bb18\n[67841.060263] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa368b1289b18\n[67841.067640] x8 : 0000000000000012 x7 : 0000000000000000 x6 : 00000000000003a9\n[67841.075014] x5 : 0000000000000000 x4 : ffff002818c5cb00 x3 : 0000000000000001\n[67841.082388] x2 : 0000000000000000 x1 : ffff002818c5cb00 x0 : 00000000000000a0\n[67841.089759] Call trace:\n[67841.092456]  down_write+0x30/0x98\n[67841.096017]  start_creating.part.0+0x60/0x198\n[67841.100613]  debugfs_create_dir+0x48/0x1f8\n[67841.104950]  debugfs_create_files_v3_hw+0x88/0x348 [hisi_sas_v3_hw]\n[67841.111447]  debugfs_snapshot_regs_v3_hw+0x708/0x798 [hisi_sas_v3_hw]\n[67841.118111]  debugfs_trigger_dump_v3_hw_write+0x9c/0x120 [hisi_sas_v3_hw]\n[67841.125115]  full_proxy_write+0x68/0xc8\n[67841.129175]  vfs_write+0xd8/0x3f0\n[67841.132708]  ksys_write+0x70/0x108\n[67841.136317]  __arm64_sys_write+0x24/0x38\n[67841.140440]  invoke_syscall+0x50/0x128\n[67841.144385]  el0_svc_common.constprop.0+0xc8/0xf0\n[67841.149273]  do_el0_svc+0x24/0x38\n[67841.152773]  el0_svc+0x38/0xd8\n[67841.156009]  el0t_64_sync_handler+0xc0/0xc8\n[67841.160361]  el0t_64_sync+0x1a4/0x1a8\n[67841.164189] Code: b9000882 d2800002 d2800023 f9800011 (c85ffc05)\n[67841.170443] ---[ end trace 0000000000000000 ]---\n\nTo fix this issue, create all directories and files during debugfs\ninitialization. In this way, the driver only needs to allocate memory\nspace to save information each time the user triggers dumping."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:59:08.349Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7c8c50c9855a9e1b0d1e3680e5ad839002a9deb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c55f99123075e5429850b41b06f7dfffcb708eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f564f15f88490b484e02442dc4c4b11640ea172"
        }
      ],
      "title": "scsi: hisi_sas: Create all dump files during debugfs initialization",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56588",
    "datePublished": "2024-12-27T14:50:56.214Z",
    "dateReserved": "2024-12-27T14:03:06.002Z",
    "dateUpdated": "2025-05-04T09:59:08.349Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56764 (GCVE-0-2024-56764)

Vulnerability from cvelistv5 – Published: 2025-01-06 16:20 – Updated: 2025-05-04 10:04

Title

ublk: detach gendisk from ublk device if add_disk() fails

Summary

In the Linux kernel, the following vulnerability has been resolved: ublk: detach gendisk from ublk device if add_disk() fails Inside ublk_abort_requests(), gendisk is grabbed for aborting all inflight requests. And ublk_abort_requests() is called when exiting the uring context or handling timeout. If add_disk() fails, the gendisk may have been freed when calling ublk_abort_requests(), so use-after-free can be caused when getting disk's reference in ublk_abort_requests(). Fixes the bug by detaching gendisk from ublk device if add_disk() fails.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7d680f2f76a3417fd…
	https://git.kernel.org/stable/c/75cd4005da5492129…

Impacted products

Vendor

Product

Version

Linux

Affected: bd23f6c2c2d00518e2f27f2d25cef795de9bee56 , < 7d680f2f76a3417fdfc3946da7471e81464f7b41 (git)
Affected: bd23f6c2c2d00518e2f27f2d25cef795de9bee56 , < 75cd4005da5492129917a4a4ee45e81660556104 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.8 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56764",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:19.788451Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:20.712Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/ublk_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7d680f2f76a3417fdfc3946da7471e81464f7b41",
              "status": "affected",
              "version": "bd23f6c2c2d00518e2f27f2d25cef795de9bee56",
              "versionType": "git"
            },
            {
              "lessThan": "75cd4005da5492129917a4a4ee45e81660556104",
              "status": "affected",
              "version": "bd23f6c2c2d00518e2f27f2d25cef795de9bee56",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/ublk_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: detach gendisk from ublk device if add_disk() fails\n\nInside ublk_abort_requests(), gendisk is grabbed for aborting all\ninflight requests. And ublk_abort_requests() is called when exiting\nthe uring context or handling timeout.\n\nIf add_disk() fails, the gendisk may have been freed when calling\nublk_abort_requests(), so use-after-free can be caused when getting\ndisk\u0027s reference in ublk_abort_requests().\n\nFixes the bug by detaching gendisk from ublk device if add_disk() fails."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:10.535Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7d680f2f76a3417fdfc3946da7471e81464f7b41"
        },
        {
          "url": "https://git.kernel.org/stable/c/75cd4005da5492129917a4a4ee45e81660556104"
        }
      ],
      "title": "ublk: detach gendisk from ublk device if add_disk() fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56764",
    "datePublished": "2025-01-06T16:20:43.256Z",
    "dateReserved": "2024-12-29T11:26:39.762Z",
    "dateUpdated": "2025-05-04T10:04:10.535Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57905 (GCVE-0-2024-57905)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-10-01 19:57

Title

iio: adc: ti-ads1119: fix information leak in triggered buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: adc: ti-ads1119: fix information leak in triggered buffer The 'scan' local struct is used to push data to user space from a triggered buffer, but it has a hole between the sample (unsigned int) and the timestamp. This hole is never initialized. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2f1687cca911a2f29…
	https://git.kernel.org/stable/c/75f339d3ecd38cb1c…

Impacted products

Vendor

Product

Version

Linux

Affected: a9306887eba41c5fe7232727a8147da3d3c4f83c , < 2f1687cca911a2f294313c762e0646cd9e7be8cc (git)
Affected: a9306887eba41c5fe7232727a8147da3d3c4f83c , < 75f339d3ecd38cb1ce05357d647189d4a7f7ed08 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57905",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:53:46.295007Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:16.772Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/adc/ti-ads1119.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2f1687cca911a2f294313c762e0646cd9e7be8cc",
              "status": "affected",
              "version": "a9306887eba41c5fe7232727a8147da3d3c4f83c",
              "versionType": "git"
            },
            {
              "lessThan": "75f339d3ecd38cb1ce05357d647189d4a7f7ed08",
              "status": "affected",
              "version": "a9306887eba41c5fe7232727a8147da3d3c4f83c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/adc/ti-ads1119.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-ads1119: fix information leak in triggered buffer\n\nThe \u0027scan\u0027 local struct is used to push data to user space from a\ntriggered buffer, but it has a hole between the sample (unsigned int)\nand the timestamp. This hole is never initialized.\n\nInitialize the struct to zero before using it to avoid pushing\nuninitialized information to userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:20.414Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2f1687cca911a2f294313c762e0646cd9e7be8cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/75f339d3ecd38cb1ce05357d647189d4a7f7ed08"
        }
      ],
      "title": "iio: adc: ti-ads1119: fix information leak in triggered buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57905",
    "datePublished": "2025-01-19T11:52:29.699Z",
    "dateReserved": "2025-01-19T11:50:08.372Z",
    "dateUpdated": "2025-10-01T19:57:16.772Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57939 (GCVE-0-2024-57939)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-11-03 20:56

Title

riscv: Fix sleeping in invalid context in die()

Summary

In the Linux kernel, the following vulnerability has been resolved: riscv: Fix sleeping in invalid context in die() die() can be called in exception handler, and therefore cannot sleep. However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled. That causes the following warning: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex preempt_count: 110001, expected: 0 RCU nest depth: 0, expected: 0 CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234 Hardware name: riscv-virtio,qemu (DT) Call Trace: dump_backtrace+0x1c/0x24 show_stack+0x2c/0x38 dump_stack_lvl+0x5a/0x72 dump_stack+0x14/0x1c __might_resched+0x130/0x13a rt_spin_lock+0x2a/0x5c die+0x24/0x112 do_trap_insn_illegal+0xa0/0xea _new_vmalloc_restore_context_a0+0xcc/0xd8 Oops - illegal instruction [#1] Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT enabled.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8c38baa03ac8e1814…
	https://git.kernel.org/stable/c/10c24df2e303f517f…
	https://git.kernel.org/stable/c/c21df31fc2a4afc02…
	https://git.kernel.org/stable/c/f48f060a4b36b5e96…
	https://git.kernel.org/stable/c/76ab0afcdbe8c9685…
	https://git.kernel.org/stable/c/6a97f4118ac07cfdc…

Impacted products

Vendor

Product

Version

Linux

Affected: 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 , < 8c38baa03ac8e18140faf36a3b955d30cad48e74 (git)
Affected: 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 , < 10c24df2e303f517fab0359392c11b6b1d553f2b (git)
Affected: 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 , < c21df31fc2a4afc02a6e56511364e9e793ea92ec (git)
Affected: 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 , < f48f060a4b36b5e96628f6c3fb1540f1e8dedb69 (git)
Affected: 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 , < 76ab0afcdbe8c9685b589016ee1c0e25fe596707 (git)
Affected: 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 , < 6a97f4118ac07cfdc316433f385dbdc12af5025e (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57939",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:46.665901Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:13.873Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:56:06.960Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/kernel/traps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8c38baa03ac8e18140faf36a3b955d30cad48e74",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            },
            {
              "lessThan": "10c24df2e303f517fab0359392c11b6b1d553f2b",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            },
            {
              "lessThan": "c21df31fc2a4afc02a6e56511364e9e793ea92ec",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            },
            {
              "lessThan": "f48f060a4b36b5e96628f6c3fb1540f1e8dedb69",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            },
            {
              "lessThan": "76ab0afcdbe8c9685b589016ee1c0e25fe596707",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            },
            {
              "lessThan": "6a97f4118ac07cfdc316433f385dbdc12af5025e",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/kernel/traps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix sleeping in invalid context in die()\n\ndie() can be called in exception handler, and therefore cannot sleep.\nHowever, die() takes spinlock_t which can sleep with PREEMPT_RT enabled.\nThat causes the following warning:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex\npreempt_count: 110001, expected: 0\nRCU nest depth: 0, expected: 0\nCPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n    dump_backtrace+0x1c/0x24\n    show_stack+0x2c/0x38\n    dump_stack_lvl+0x5a/0x72\n    dump_stack+0x14/0x1c\n    __might_resched+0x130/0x13a\n    rt_spin_lock+0x2a/0x5c\n    die+0x24/0x112\n    do_trap_insn_illegal+0xa0/0xea\n    _new_vmalloc_restore_context_a0+0xcc/0xd8\nOops - illegal instruction [#1]\n\nSwitch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT\nenabled."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:05.839Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8c38baa03ac8e18140faf36a3b955d30cad48e74"
        },
        {
          "url": "https://git.kernel.org/stable/c/10c24df2e303f517fab0359392c11b6b1d553f2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c21df31fc2a4afc02a6e56511364e9e793ea92ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/f48f060a4b36b5e96628f6c3fb1540f1e8dedb69"
        },
        {
          "url": "https://git.kernel.org/stable/c/76ab0afcdbe8c9685b589016ee1c0e25fe596707"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a97f4118ac07cfdc316433f385dbdc12af5025e"
        }
      ],
      "title": "riscv: Fix sleeping in invalid context in die()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57939",
    "datePublished": "2025-01-21T12:18:08.433Z",
    "dateReserved": "2025-01-19T11:50:08.378Z",
    "dateUpdated": "2025-11-03T20:56:06.960Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56643 (GCVE-0-2024-56643)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

dccp: Fix memory leak in dccp_feat_change_recv

Summary

In the Linux kernel, the following vulnerability has been resolved: dccp: Fix memory leak in dccp_feat_change_recv If dccp_feat_push_confirm() fails after new value for SP feature was accepted without reconciliation ('entry == NULL' branch), memory allocated for that value with dccp_feat_clone_sp_val() is never freed. Here is the kmemleak stack for this: unreferenced object 0xffff88801d4ab488 (size 8): comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s) hex dump (first 8 bytes): 01 b4 4a 1d 80 88 ff ff ..J..... backtrace: [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128 [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline] [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline] [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416 [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125 [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650 [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688 [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline] [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570 [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111 [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline] [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696 [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735 [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865 [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882 [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline] [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline] [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889 [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1 Clean up the allocated memory in case of dccp_feat_push_confirm() failure and bail out with an error reset code. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity ?

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/623be080ab3c13d71…
	https://git.kernel.org/stable/c/c99507fff94b926fc…
	https://git.kernel.org/stable/c/bc3d4423def1a9412…
	https://git.kernel.org/stable/c/6ff67909ee2ffad91…
	https://git.kernel.org/stable/c/d3ec686a369fae503…
	https://git.kernel.org/stable/c/9ee68b0f23706a77f…
	https://git.kernel.org/stable/c/22be4727a8f898442…

Impacted products

Vendor

Product

Version

Linux

Affected: e77b8363b2ea7c0d89919547c1a8b0562f298b57 , < 623be080ab3c13d71570bd32f7202a8efa8e2252 (git)
Affected: e77b8363b2ea7c0d89919547c1a8b0562f298b57 , < c99507fff94b926fc92279c92d80f229c91cb85d (git)
Affected: e77b8363b2ea7c0d89919547c1a8b0562f298b57 , < bc3d4423def1a9412a0ae454cb4477089ab79276 (git)
Affected: e77b8363b2ea7c0d89919547c1a8b0562f298b57 , < 6ff67909ee2ffad911e3122616df41dee23ff4f6 (git)
Affected: e77b8363b2ea7c0d89919547c1a8b0562f298b57 , < d3ec686a369fae5034303061f003cd3f94ddfd23 (git)
Affected: e77b8363b2ea7c0d89919547c1a8b0562f298b57 , < 9ee68b0f23706a77f53c832457b9384178b76421 (git)
Affected: e77b8363b2ea7c0d89919547c1a8b0562f298b57 , < 22be4727a8f898442066bcac34f8a1ad0bc72e14 (git)

Linux

Affected: 2.6.29
Unaffected: 0 , < 2.6.29 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "LOW",
              "baseScore": 3.3,
              "baseSeverity": "LOW",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56643",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-17T20:10:38.316606Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-17T20:15:52.853Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:45.595Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/dccp/feat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "623be080ab3c13d71570bd32f7202a8efa8e2252",
              "status": "affected",
              "version": "e77b8363b2ea7c0d89919547c1a8b0562f298b57",
              "versionType": "git"
            },
            {
              "lessThan": "c99507fff94b926fc92279c92d80f229c91cb85d",
              "status": "affected",
              "version": "e77b8363b2ea7c0d89919547c1a8b0562f298b57",
              "versionType": "git"
            },
            {
              "lessThan": "bc3d4423def1a9412a0ae454cb4477089ab79276",
              "status": "affected",
              "version": "e77b8363b2ea7c0d89919547c1a8b0562f298b57",
              "versionType": "git"
            },
            {
              "lessThan": "6ff67909ee2ffad911e3122616df41dee23ff4f6",
              "status": "affected",
              "version": "e77b8363b2ea7c0d89919547c1a8b0562f298b57",
              "versionType": "git"
            },
            {
              "lessThan": "d3ec686a369fae5034303061f003cd3f94ddfd23",
              "status": "affected",
              "version": "e77b8363b2ea7c0d89919547c1a8b0562f298b57",
              "versionType": "git"
            },
            {
              "lessThan": "9ee68b0f23706a77f53c832457b9384178b76421",
              "status": "affected",
              "version": "e77b8363b2ea7c0d89919547c1a8b0562f298b57",
              "versionType": "git"
            },
            {
              "lessThan": "22be4727a8f898442066bcac34f8a1ad0bc72e14",
              "status": "affected",
              "version": "e77b8363b2ea7c0d89919547c1a8b0562f298b57",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/dccp/feat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: Fix memory leak in dccp_feat_change_recv\n\nIf dccp_feat_push_confirm() fails after new value for SP feature was accepted\nwithout reconciliation (\u0027entry == NULL\u0027 branch), memory allocated for that value\nwith dccp_feat_clone_sp_val() is never freed.\n\nHere is the kmemleak stack for this:\n\nunreferenced object 0xffff88801d4ab488 (size 8):\n  comm \"syz-executor310\", pid 1127, jiffies 4295085598 (age 41.666s)\n  hex dump (first 8 bytes):\n    01 b4 4a 1d 80 88 ff ff                          ..J.....\n  backtrace:\n    [\u003c00000000db7cabfe\u003e] kmemdup+0x23/0x50 mm/util.c:128\n    [\u003c0000000019b38405\u003e] kmemdup include/linux/string.h:465 [inline]\n    [\u003c0000000019b38405\u003e] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]\n    [\u003c0000000019b38405\u003e] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]\n    [\u003c0000000019b38405\u003e] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]\n    [\u003c0000000019b38405\u003e] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416\n    [\u003c00000000b1f6d94a\u003e] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125\n    [\u003c0000000030d7b621\u003e] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650\n    [\u003c000000001f74c72e\u003e] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688\n    [\u003c00000000a6c24128\u003e] sk_backlog_rcv include/net/sock.h:1041 [inline]\n    [\u003c00000000a6c24128\u003e] __release_sock+0x139/0x3b0 net/core/sock.c:2570\n    [\u003c00000000cf1f3a53\u003e] release_sock+0x54/0x1b0 net/core/sock.c:3111\n    [\u003c000000008422fa23\u003e] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]\n    [\u003c000000008422fa23\u003e] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696\n    [\u003c0000000015b6f64d\u003e] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735\n    [\u003c0000000010122488\u003e] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865\n    [\u003c00000000b4b70023\u003e] __sys_connect+0x165/0x1a0 net/socket.c:1882\n    [\u003c00000000f4cb3815\u003e] __do_sys_connect net/socket.c:1892 [inline]\n    [\u003c00000000f4cb3815\u003e] __se_sys_connect net/socket.c:1889 [inline]\n    [\u003c00000000f4cb3815\u003e] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889\n    [\u003c00000000e7b1e839\u003e] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n    [\u003c0000000055e91434\u003e] entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nClean up the allocated memory in case of dccp_feat_push_confirm() failure\nand bail out with an error reset code.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:51.915Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/623be080ab3c13d71570bd32f7202a8efa8e2252"
        },
        {
          "url": "https://git.kernel.org/stable/c/c99507fff94b926fc92279c92d80f229c91cb85d"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc3d4423def1a9412a0ae454cb4477089ab79276"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ff67909ee2ffad911e3122616df41dee23ff4f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3ec686a369fae5034303061f003cd3f94ddfd23"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ee68b0f23706a77f53c832457b9384178b76421"
        },
        {
          "url": "https://git.kernel.org/stable/c/22be4727a8f898442066bcac34f8a1ad0bc72e14"
        }
      ],
      "title": "dccp: Fix memory leak in dccp_feat_change_recv",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56643",
    "datePublished": "2024-12-27T15:02:44.492Z",
    "dateReserved": "2024-12-27T15:00:39.840Z",
    "dateUpdated": "2025-11-03T20:51:45.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56642 (GCVE-0-2024-56642)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

Summary

In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free of kernel socket in cleanup_bearer(). syzkaller reported a use-after-free of UDP kernel socket in cleanup_bearer() without repro. [0][1] When bearer_disable() calls tipc_udp_disable(), cleanup of the UDP kernel socket is deferred by work calling cleanup_bearer(). tipc_exit_net() waits for such works to finish by checking tipc_net(net)->wq_count. However, the work decrements the count too early before releasing the kernel socket, unblocking cleanup_net() and resulting in use-after-free. Let's move the decrement after releasing the socket in cleanup_bearer(). [0]: ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at sk_alloc+0x438/0x608 inet_create+0x4c8/0xcb0 __sock_create+0x350/0x6b8 sock_create_kern+0x58/0x78 udp_sock_create4+0x68/0x398 udp_sock_create+0x88/0xc8 tipc_udp_enable+0x5e8/0x848 __tipc_nl_bearer_enable+0x84c/0xed8 tipc_nl_bearer_enable+0x38/0x60 genl_family_rcv_msg_doit+0x170/0x248 genl_rcv_msg+0x400/0x5b0 netlink_rcv_skb+0x1dc/0x398 genl_rcv+0x44/0x68 netlink_unicast+0x678/0x8b0 netlink_sendmsg+0x5e4/0x898 ____sys_sendmsg+0x500/0x830 [1]: BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline] BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 udp_hashslot include/net/udp.h:85 [inline] udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 sk_common_release+0xaf/0x3f0 net/core/sock.c:3820 inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437 inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489 __sock_release net/socket.c:658 [inline] sock_release+0xa0/0x210 net/socket.c:686 cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 Uninit was created at: slab_free_hook mm/slub.c:2269 [inline] slab_free mm/slub.c:4580 [inline] kmem_cache_free+0x207/0xc40 mm/slub.c:4682 net_free net/core/net_namespace.c:454 [inline] cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: events cleanup_bearer

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4e69457f9dfae6743…
	https://git.kernel.org/stable/c/650ee9a22d7a2de89…
	https://git.kernel.org/stable/c/d2a4894f238551eae…
	https://git.kernel.org/stable/c/d62d5180c036eeac0…
	https://git.kernel.org/stable/c/d00d4470bf8c42826…
	https://git.kernel.org/stable/c/e48b211c4c59062cb…
	https://git.kernel.org/stable/c/6a2fa13312e51a621…

Impacted products

Vendor

Product

Version

Linux

Affected: d1f76dfadaf8f47ed1753f97dbcbd41c16215ffa , < 4e69457f9dfae67435f3ccf29008768eae860415 (git)
Affected: 5195ec5e365a2a9331bfeb585b613a6e94f98dba , < 650ee9a22d7a2de8999fac2d45983597a0c22359 (git)
Affected: 04c26faa51d1e2fe71cf13c45791f5174c37f986 , < d2a4894f238551eae178904e7f45af87577074fd (git)
Affected: 04c26faa51d1e2fe71cf13c45791f5174c37f986 , < d62d5180c036eeac09f80660edc7a602b369125f (git)
Affected: 04c26faa51d1e2fe71cf13c45791f5174c37f986 , < d00d4470bf8c4282617a3a10e76b20a9c7e4cffa (git)
Affected: 04c26faa51d1e2fe71cf13c45791f5174c37f986 , < e48b211c4c59062cb6dd6c2c37c51a7cc235a464 (git)
Affected: 04c26faa51d1e2fe71cf13c45791f5174c37f986 , < 6a2fa13312e51a621f652d522d7e2df7066330b6 (git)
Affected: b9f5b7ad4ac3af006443f535b1ce7bff1d130d7d (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56642",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:46.826025Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:21.774Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:42.786Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/udp_media.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4e69457f9dfae67435f3ccf29008768eae860415",
              "status": "affected",
              "version": "d1f76dfadaf8f47ed1753f97dbcbd41c16215ffa",
              "versionType": "git"
            },
            {
              "lessThan": "650ee9a22d7a2de8999fac2d45983597a0c22359",
              "status": "affected",
              "version": "5195ec5e365a2a9331bfeb585b613a6e94f98dba",
              "versionType": "git"
            },
            {
              "lessThan": "d2a4894f238551eae178904e7f45af87577074fd",
              "status": "affected",
              "version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
              "versionType": "git"
            },
            {
              "lessThan": "d62d5180c036eeac09f80660edc7a602b369125f",
              "status": "affected",
              "version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
              "versionType": "git"
            },
            {
              "lessThan": "d00d4470bf8c4282617a3a10e76b20a9c7e4cffa",
              "status": "affected",
              "version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
              "versionType": "git"
            },
            {
              "lessThan": "e48b211c4c59062cb6dd6c2c37c51a7cc235a464",
              "status": "affected",
              "version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
              "versionType": "git"
            },
            {
              "lessThan": "6a2fa13312e51a621f652d522d7e2df7066330b6",
              "status": "affected",
              "version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b9f5b7ad4ac3af006443f535b1ce7bff1d130d7d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/udp_media.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "5.4.124",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.10.42",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free of kernel socket in cleanup_bearer().\n\nsyzkaller reported a use-after-free of UDP kernel socket\nin cleanup_bearer() without repro. [0][1]\n\nWhen bearer_disable() calls tipc_udp_disable(), cleanup\nof the UDP kernel socket is deferred by work calling\ncleanup_bearer().\n\ntipc_exit_net() waits for such works to finish by checking\ntipc_net(net)-\u003ewq_count.  However, the work decrements the\ncount too early before releasing the kernel socket,\nunblocking cleanup_net() and resulting in use-after-free.\n\nLet\u0027s move the decrement after releasing the socket in\ncleanup_bearer().\n\n[0]:\nref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at\n     sk_alloc+0x438/0x608\n     inet_create+0x4c8/0xcb0\n     __sock_create+0x350/0x6b8\n     sock_create_kern+0x58/0x78\n     udp_sock_create4+0x68/0x398\n     udp_sock_create+0x88/0xc8\n     tipc_udp_enable+0x5e8/0x848\n     __tipc_nl_bearer_enable+0x84c/0xed8\n     tipc_nl_bearer_enable+0x38/0x60\n     genl_family_rcv_msg_doit+0x170/0x248\n     genl_rcv_msg+0x400/0x5b0\n     netlink_rcv_skb+0x1dc/0x398\n     genl_rcv+0x44/0x68\n     netlink_unicast+0x678/0x8b0\n     netlink_sendmsg+0x5e4/0x898\n     ____sys_sendmsg+0x500/0x830\n\n[1]:\nBUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]\nBUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979\n udp_hashslot include/net/udp.h:85 [inline]\n udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979\n sk_common_release+0xaf/0x3f0 net/core/sock.c:3820\n inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437\n inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489\n __sock_release net/socket.c:658 [inline]\n sock_release+0xa0/0x210 net/socket.c:686\n cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310\n worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391\n kthread+0x531/0x6b0 kernel/kthread.c:389\n ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244\n\nUninit was created at:\n slab_free_hook mm/slub.c:2269 [inline]\n slab_free mm/slub.c:4580 [inline]\n kmem_cache_free+0x207/0xc40 mm/slub.c:4682\n net_free net/core/net_namespace.c:454 [inline]\n cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310\n worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391\n kthread+0x531/0x6b0 kernel/kthread.c:389\n ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244\n\nCPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: events cleanup_bearer"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:56.851Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4e69457f9dfae67435f3ccf29008768eae860415"
        },
        {
          "url": "https://git.kernel.org/stable/c/650ee9a22d7a2de8999fac2d45983597a0c22359"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2a4894f238551eae178904e7f45af87577074fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/d62d5180c036eeac09f80660edc7a602b369125f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d00d4470bf8c4282617a3a10e76b20a9c7e4cffa"
        },
        {
          "url": "https://git.kernel.org/stable/c/e48b211c4c59062cb6dd6c2c37c51a7cc235a464"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a2fa13312e51a621f652d522d7e2df7066330b6"
        }
      ],
      "title": "tipc: Fix use-after-free of kernel socket in cleanup_bearer().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56642",
    "datePublished": "2024-12-27T15:02:43.660Z",
    "dateReserved": "2024-12-27T15:00:39.839Z",
    "dateUpdated": "2025-11-03T20:51:42.786Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56369 (GCVE-0-2024-56369)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:35 – Updated: 2025-11-03 20:49

Title

drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/modes: Avoid divide by zero harder in drm_mode_vrefresh() drm_mode_vrefresh() is trying to avoid divide by zero by checking whether htotal or vtotal are zero. But we may still end up with a div-by-zero of vtotal*htotal*...

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-369 - Divide By Zero

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e7c7b48a0fc5ed83b…
	https://git.kernel.org/stable/c/69fbb01e891701e6d…
	https://git.kernel.org/stable/c/b39de5a71bac5641d…
	https://git.kernel.org/stable/c/47c8b6cf1d08f0ad4…
	https://git.kernel.org/stable/c/9398332f23fab10c5…

Impacted products

Vendor

Product

Version

Linux

Affected: 2f0e9d804935970a4ce0f58dd046b41881bfd8f3 , < e7c7b48a0fc5ed83baae400a1b15e33978c25d7f (git)
Affected: 2f0e9d804935970a4ce0f58dd046b41881bfd8f3 , < 69fbb01e891701e6d04db1ddb5ad49e42c4dd963 (git)
Affected: 2f0e9d804935970a4ce0f58dd046b41881bfd8f3 , < b39de5a71bac5641d0fda33d1cf5682d82cf1ae5 (git)
Affected: 2f0e9d804935970a4ce0f58dd046b41881bfd8f3 , < 47c8b6cf1d08f0ad40d7ea7b025442e51b35ee1f (git)
Affected: 2f0e9d804935970a4ce0f58dd046b41881bfd8f3 , < 9398332f23fab10c5ec57c168b44e72997d6318e (git)

Linux

Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.122 , ≤ 6.1.* (semver)
Unaffected: 6.6.68 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56369",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:55:17.719047Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-369",
                "description": "CWE-369 Divide By Zero",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:20.893Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:49:08.142Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_modes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e7c7b48a0fc5ed83baae400a1b15e33978c25d7f",
              "status": "affected",
              "version": "2f0e9d804935970a4ce0f58dd046b41881bfd8f3",
              "versionType": "git"
            },
            {
              "lessThan": "69fbb01e891701e6d04db1ddb5ad49e42c4dd963",
              "status": "affected",
              "version": "2f0e9d804935970a4ce0f58dd046b41881bfd8f3",
              "versionType": "git"
            },
            {
              "lessThan": "b39de5a71bac5641d0fda33d1cf5682d82cf1ae5",
              "status": "affected",
              "version": "2f0e9d804935970a4ce0f58dd046b41881bfd8f3",
              "versionType": "git"
            },
            {
              "lessThan": "47c8b6cf1d08f0ad40d7ea7b025442e51b35ee1f",
              "status": "affected",
              "version": "2f0e9d804935970a4ce0f58dd046b41881bfd8f3",
              "versionType": "git"
            },
            {
              "lessThan": "9398332f23fab10c5ec57c168b44e72997d6318e",
              "status": "affected",
              "version": "2f0e9d804935970a4ce0f58dd046b41881bfd8f3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_modes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/modes: Avoid divide by zero harder in drm_mode_vrefresh()\n\ndrm_mode_vrefresh() is trying to avoid divide by zero\nby checking whether htotal or vtotal are zero. But we may\nstill end up with a div-by-zero of vtotal*htotal*..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:57:22.189Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e7c7b48a0fc5ed83baae400a1b15e33978c25d7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/69fbb01e891701e6d04db1ddb5ad49e42c4dd963"
        },
        {
          "url": "https://git.kernel.org/stable/c/b39de5a71bac5641d0fda33d1cf5682d82cf1ae5"
        },
        {
          "url": "https://git.kernel.org/stable/c/47c8b6cf1d08f0ad40d7ea7b025442e51b35ee1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9398332f23fab10c5ec57c168b44e72997d6318e"
        }
      ],
      "title": "drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56369",
    "datePublished": "2025-01-11T12:35:46.439Z",
    "dateReserved": "2025-01-11T12:34:02.670Z",
    "dateUpdated": "2025-11-03T20:49:08.142Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56634 (GCVE-0-2024-56634)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

gpio: grgpio: Add NULL check in grgpio_probe

Summary

In the Linux kernel, the following vulnerability has been resolved: gpio: grgpio: Add NULL check in grgpio_probe devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/53ff0caa6ad57372d…
	https://git.kernel.org/stable/c/4733f68e59bb7b9e3…
	https://git.kernel.org/stable/c/ad4dfa7ea7f5f7e9a…
	https://git.kernel.org/stable/c/09adf8792b61c09ae…
	https://git.kernel.org/stable/c/8d2ca6ac3711a4f40…
	https://git.kernel.org/stable/c/db2fc255fcf41f536…
	https://git.kernel.org/stable/c/050b23d081da0f294…

Impacted products

Vendor

Product

Version

Linux

Affected: 7eb6ce2f272336ff8337f40fa8668fa04dc2d684 , < 53ff0caa6ad57372d426b4f48fc0f66df43a731f (git)
Affected: 7eb6ce2f272336ff8337f40fa8668fa04dc2d684 , < 4733f68e59bb7b9e3d395699abb18366954b9ba7 (git)
Affected: 7eb6ce2f272336ff8337f40fa8668fa04dc2d684 , < ad4dfa7ea7f5f7e9a3c78627cfc749bc7005ca7a (git)
Affected: 7eb6ce2f272336ff8337f40fa8668fa04dc2d684 , < 09adf8792b61c09ae543972a1ece1884ef773848 (git)
Affected: 7eb6ce2f272336ff8337f40fa8668fa04dc2d684 , < 8d2ca6ac3711a4f4015d26b7cc84f325ac608edb (git)
Affected: 7eb6ce2f272336ff8337f40fa8668fa04dc2d684 , < db2fc255fcf41f536ac8666409849e11659af88d (git)
Affected: 7eb6ce2f272336ff8337f40fa8668fa04dc2d684 , < 050b23d081da0f29474de043e9538c1f7a351b3b (git)

Linux

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56634",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:00:39.281598Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:12.022Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:32.959Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-grgpio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "53ff0caa6ad57372d426b4f48fc0f66df43a731f",
              "status": "affected",
              "version": "7eb6ce2f272336ff8337f40fa8668fa04dc2d684",
              "versionType": "git"
            },
            {
              "lessThan": "4733f68e59bb7b9e3d395699abb18366954b9ba7",
              "status": "affected",
              "version": "7eb6ce2f272336ff8337f40fa8668fa04dc2d684",
              "versionType": "git"
            },
            {
              "lessThan": "ad4dfa7ea7f5f7e9a3c78627cfc749bc7005ca7a",
              "status": "affected",
              "version": "7eb6ce2f272336ff8337f40fa8668fa04dc2d684",
              "versionType": "git"
            },
            {
              "lessThan": "09adf8792b61c09ae543972a1ece1884ef773848",
              "status": "affected",
              "version": "7eb6ce2f272336ff8337f40fa8668fa04dc2d684",
              "versionType": "git"
            },
            {
              "lessThan": "8d2ca6ac3711a4f4015d26b7cc84f325ac608edb",
              "status": "affected",
              "version": "7eb6ce2f272336ff8337f40fa8668fa04dc2d684",
              "versionType": "git"
            },
            {
              "lessThan": "db2fc255fcf41f536ac8666409849e11659af88d",
              "status": "affected",
              "version": "7eb6ce2f272336ff8337f40fa8668fa04dc2d684",
              "versionType": "git"
            },
            {
              "lessThan": "050b23d081da0f29474de043e9538c1f7a351b3b",
              "status": "affected",
              "version": "7eb6ce2f272336ff8337f40fa8668fa04dc2d684",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-grgpio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: grgpio: Add NULL check in grgpio_probe\n\ndevm_kasprintf() can return a NULL pointer on failure,but this\nreturned value in grgpio_probe is not checked.\nAdd NULL check in grgpio_probe, to handle kernel NULL\npointer dereference error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:38.405Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/53ff0caa6ad57372d426b4f48fc0f66df43a731f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4733f68e59bb7b9e3d395699abb18366954b9ba7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad4dfa7ea7f5f7e9a3c78627cfc749bc7005ca7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/09adf8792b61c09ae543972a1ece1884ef773848"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d2ca6ac3711a4f4015d26b7cc84f325ac608edb"
        },
        {
          "url": "https://git.kernel.org/stable/c/db2fc255fcf41f536ac8666409849e11659af88d"
        },
        {
          "url": "https://git.kernel.org/stable/c/050b23d081da0f29474de043e9538c1f7a351b3b"
        }
      ],
      "title": "gpio: grgpio: Add NULL check in grgpio_probe",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56634",
    "datePublished": "2024-12-27T15:02:32.192Z",
    "dateReserved": "2024-12-27T15:00:39.838Z",
    "dateUpdated": "2025-11-03T20:51:32.959Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56565 (GCVE-0-2024-56565)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-05-04 09:58

Title

f2fs: fix to drop all discards after creating snapshot on lvm device

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to drop all discards after creating snapshot on lvm device Piergiorgio reported a bug in bugzilla as below: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 969 at fs/f2fs/segment.c:1330 RIP: 0010:__submit_discard_cmd+0x27d/0x400 [f2fs] Call Trace: __issue_discard_cmd+0x1ca/0x350 [f2fs] issue_discard_thread+0x191/0x480 [f2fs] kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30 w/ below testcase, it can reproduce this bug quickly: - pvcreate /dev/vdb - vgcreate myvg1 /dev/vdb - lvcreate -L 1024m -n mylv1 myvg1 - mount /dev/myvg1/mylv1 /mnt/f2fs - dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=20 - sync - rm /mnt/f2fs/file - sync - lvcreate -L 1024m -s -n mylv1-snapshot /dev/myvg1/mylv1 - umount /mnt/f2fs The root cause is: it will update discard_max_bytes of mounted lvm device to zero after creating snapshot on this lvm device, then, __submit_discard_cmd() will pass parameter @nr_sects w/ zero value to __blkdev_issue_discard(), it returns a NULL bio pointer, result in panic. This patch changes as below for fixing: 1. Let's drop all remained discards in f2fs_unfreeze() if snapshot of lvm device is created. 2. Checking discard_max_bytes before submitting discard during __submit_discard_cmd().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ed24ab98242f8d22b…
	https://git.kernel.org/stable/c/15136c3861a3341db…
	https://git.kernel.org/stable/c/bc8aeb04fd80cb8cf…

Impacted products

Vendor

Product

Version

Linux

Affected: 35ec7d5748849762008e8ae9f8ad2766229d5794 , < ed24ab98242f8d22b66fbe0452c97751b5ea4e22 (git)
Affected: 35ec7d5748849762008e8ae9f8ad2766229d5794 , < 15136c3861a3341db261ebdbb6ae4ae1765635e2 (git)
Affected: 35ec7d5748849762008e8ae9f8ad2766229d5794 , < bc8aeb04fd80cb8cfae3058445c84410fd0beb5e (git)

Linux

Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/segment.c",
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ed24ab98242f8d22b66fbe0452c97751b5ea4e22",
              "status": "affected",
              "version": "35ec7d5748849762008e8ae9f8ad2766229d5794",
              "versionType": "git"
            },
            {
              "lessThan": "15136c3861a3341db261ebdbb6ae4ae1765635e2",
              "status": "affected",
              "version": "35ec7d5748849762008e8ae9f8ad2766229d5794",
              "versionType": "git"
            },
            {
              "lessThan": "bc8aeb04fd80cb8cfae3058445c84410fd0beb5e",
              "status": "affected",
              "version": "35ec7d5748849762008e8ae9f8ad2766229d5794",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/segment.c",
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to drop all discards after creating snapshot on lvm device\n\nPiergiorgio reported a bug in bugzilla as below:\n\n------------[ cut here ]------------\nWARNING: CPU: 2 PID: 969 at fs/f2fs/segment.c:1330\nRIP: 0010:__submit_discard_cmd+0x27d/0x400 [f2fs]\nCall Trace:\n __issue_discard_cmd+0x1ca/0x350 [f2fs]\n issue_discard_thread+0x191/0x480 [f2fs]\n kthread+0xcf/0x100\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n\nw/ below testcase, it can reproduce this bug quickly:\n- pvcreate /dev/vdb\n- vgcreate myvg1 /dev/vdb\n- lvcreate -L 1024m -n mylv1 myvg1\n- mount /dev/myvg1/mylv1 /mnt/f2fs\n- dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=20\n- sync\n- rm /mnt/f2fs/file\n- sync\n- lvcreate -L 1024m -s -n mylv1-snapshot /dev/myvg1/mylv1\n- umount /mnt/f2fs\n\nThe root cause is: it will update discard_max_bytes of mounted lvm\ndevice to zero after creating snapshot on this lvm device, then,\n__submit_discard_cmd() will pass parameter @nr_sects w/ zero value\nto __blkdev_issue_discard(), it returns a NULL bio pointer, result\nin panic.\n\nThis patch changes as below for fixing:\n1. Let\u0027s drop all remained discards in f2fs_unfreeze() if snapshot\nof lvm device is created.\n2. Checking discard_max_bytes before submitting discard during\n__submit_discard_cmd()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:29.400Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ed24ab98242f8d22b66fbe0452c97751b5ea4e22"
        },
        {
          "url": "https://git.kernel.org/stable/c/15136c3861a3341db261ebdbb6ae4ae1765635e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc8aeb04fd80cb8cfae3058445c84410fd0beb5e"
        }
      ],
      "title": "f2fs: fix to drop all discards after creating snapshot on lvm device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56565",
    "datePublished": "2024-12-27T14:23:09.350Z",
    "dateReserved": "2024-12-27T14:03:05.995Z",
    "dateUpdated": "2025-05-04T09:58:29.400Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56672 (GCVE-0-2024-56672)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-11-03 20:52

Title

blk-cgroup: Fix UAF in blkcg_unpin_online()

Summary

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: <TASK> dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/83f5a87ee8caa76a9…
	https://git.kernel.org/stable/c/8a07350fe070017a8…
	https://git.kernel.org/stable/c/64afc6fe24c9896c0…
	https://git.kernel.org/stable/c/5baa28569c924d9a9…
	https://git.kernel.org/stable/c/29d1e06560f0f6179…
	https://git.kernel.org/stable/c/86e6ca55b83c575ab…

Impacted products

Vendor

Product

Version

Linux

Affected: 4308a434e5e08c78676aa66bc626ef78cbef0883 , < 83f5a87ee8caa76a917f59912a74d6811f773c67 (git)
Affected: 4308a434e5e08c78676aa66bc626ef78cbef0883 , < 8a07350fe070017a887433f4d6909433955be5f1 (git)
Affected: 4308a434e5e08c78676aa66bc626ef78cbef0883 , < 64afc6fe24c9896c0153e5a199bcea241ecb0d5c (git)
Affected: 4308a434e5e08c78676aa66bc626ef78cbef0883 , < 5baa28569c924d9a90d036c2aaab79f791fedaf8 (git)
Affected: 4308a434e5e08c78676aa66bc626ef78cbef0883 , < 29d1e06560f0f6179062ac638b4064deb637d1ad (git)
Affected: 4308a434e5e08c78676aa66bc626ef78cbef0883 , < 86e6ca55b83c575ab0f2e105cf08f98e58d3d7af (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.121 , ≤ 6.1.* (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56672",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:12:31.915249Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:07.331Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:52:20.150Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-cgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "83f5a87ee8caa76a917f59912a74d6811f773c67",
              "status": "affected",
              "version": "4308a434e5e08c78676aa66bc626ef78cbef0883",
              "versionType": "git"
            },
            {
              "lessThan": "8a07350fe070017a887433f4d6909433955be5f1",
              "status": "affected",
              "version": "4308a434e5e08c78676aa66bc626ef78cbef0883",
              "versionType": "git"
            },
            {
              "lessThan": "64afc6fe24c9896c0153e5a199bcea241ecb0d5c",
              "status": "affected",
              "version": "4308a434e5e08c78676aa66bc626ef78cbef0883",
              "versionType": "git"
            },
            {
              "lessThan": "5baa28569c924d9a90d036c2aaab79f791fedaf8",
              "status": "affected",
              "version": "4308a434e5e08c78676aa66bc626ef78cbef0883",
              "versionType": "git"
            },
            {
              "lessThan": "29d1e06560f0f6179062ac638b4064deb637d1ad",
              "status": "affected",
              "version": "4308a434e5e08c78676aa66bc626ef78cbef0883",
              "versionType": "git"
            },
            {
              "lessThan": "86e6ca55b83c575ab0f2e105cf08f98e58d3d7af",
              "status": "affected",
              "version": "4308a434e5e08c78676aa66bc626ef78cbef0883",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk-cgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.121",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Fix UAF in blkcg_unpin_online()\n\nblkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To\nwalk up, it uses blkcg_parent(blkcg) but it was calling that after\nblkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the\nfollowing UAF:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270\n  Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117\n\n  CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022\n  Workqueue: cgwb_release cgwb_release_workfn\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x27/0x80\n   print_report+0x151/0x710\n   kasan_report+0xc0/0x100\n   blkcg_unpin_online+0x15a/0x270\n   cgwb_release_workfn+0x194/0x480\n   process_scheduled_works+0x71b/0xe20\n   worker_thread+0x82a/0xbd0\n   kthread+0x242/0x2c0\n   ret_from_fork+0x33/0x70\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n  ...\n  Freed by task 1944:\n   kasan_save_track+0x2b/0x70\n   kasan_save_free_info+0x3c/0x50\n   __kasan_slab_free+0x33/0x50\n   kfree+0x10c/0x330\n   css_free_rwork_fn+0xe6/0xb30\n   process_scheduled_works+0x71b/0xe20\n   worker_thread+0x82a/0xbd0\n   kthread+0x242/0x2c0\n   ret_from_fork+0x33/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nNote that the UAF is not easy to trigger as the free path is indirected\nbehind a couple RCU grace periods and a work item execution. I could only\ntrigger it with artifical msleep() injected in blkcg_unpin_online().\n\nFix it by reading the parent pointer before destroying the blkcg\u0027s blkg\u0027s."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:01:48.688Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/83f5a87ee8caa76a917f59912a74d6811f773c67"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a07350fe070017a887433f4d6909433955be5f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/64afc6fe24c9896c0153e5a199bcea241ecb0d5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5baa28569c924d9a90d036c2aaab79f791fedaf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/29d1e06560f0f6179062ac638b4064deb637d1ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/86e6ca55b83c575ab0f2e105cf08f98e58d3d7af"
        }
      ],
      "title": "blk-cgroup: Fix UAF in blkcg_unpin_online()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56672",
    "datePublished": "2024-12-27T15:06:33.358Z",
    "dateReserved": "2024-12-27T15:00:39.845Z",
    "dateUpdated": "2025-11-03T20:52:20.150Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-53685 (GCVE-0-2024-53685)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:35 – Updated: 2025-11-03 20:48

Title

ceph: give up on paths longer than PATH_MAX

Summary

In the Linux kernel, the following vulnerability has been resolved: ceph: give up on paths longer than PATH_MAX If the full path to be built by ceph_mdsc_build_path() happens to be longer than PATH_MAX, then this function will enter an endless (retry) loop, effectively blocking the whole task. Most of the machine becomes unusable, making this a very simple and effective DoS vulnerability. I cannot imagine why this retry was ever implemented, but it seems rather useless and harmful to me. Let's remove it and fail with ENAMETOOLONG instead.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0f2b2d9e881c90402…
	https://git.kernel.org/stable/c/d42ad3f161a5a487f…
	https://git.kernel.org/stable/c/e4b168c64da06954b…
	https://git.kernel.org/stable/c/c47ed91156daf3286…
	https://git.kernel.org/stable/c/99a37ab76a315c830…
	https://git.kernel.org/stable/c/550f7ca98ee028a60…

Impacted products

Vendor

Product

Version

Linux

Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < 0f2b2d9e881c90402dbe28f9ba831775b7992e1f (git)
Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < d42ad3f161a5a487f81915c406f46943c7187a0a (git)
Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < e4b168c64da06954be5d520f6c16469b1cadc069 (git)
Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < c47ed91156daf328601d02b58d52d9804da54108 (git)
Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < 99a37ab76a315c8307eb5b0dc095d8ad9d8efeaa (git)
Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < 550f7ca98ee028a606aa75705a7e77b1bd11720f (git)

Linux

Affected: 2.6.34
Unaffected: 0 , < 2.6.34 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:48:20.745Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ceph/mds_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0f2b2d9e881c90402dbe28f9ba831775b7992e1f",
              "status": "affected",
              "version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
              "versionType": "git"
            },
            {
              "lessThan": "d42ad3f161a5a487f81915c406f46943c7187a0a",
              "status": "affected",
              "version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
              "versionType": "git"
            },
            {
              "lessThan": "e4b168c64da06954be5d520f6c16469b1cadc069",
              "status": "affected",
              "version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
              "versionType": "git"
            },
            {
              "lessThan": "c47ed91156daf328601d02b58d52d9804da54108",
              "status": "affected",
              "version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
              "versionType": "git"
            },
            {
              "lessThan": "99a37ab76a315c8307eb5b0dc095d8ad9d8efeaa",
              "status": "affected",
              "version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
              "versionType": "git"
            },
            {
              "lessThan": "550f7ca98ee028a606aa75705a7e77b1bd11720f",
              "status": "affected",
              "version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ceph/mds_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: give up on paths longer than PATH_MAX\n\nIf the full path to be built by ceph_mdsc_build_path() happens to be\nlonger than PATH_MAX, then this function will enter an endless (retry)\nloop, effectively blocking the whole task.  Most of the machine\nbecomes unusable, making this a very simple and effective DoS\nvulnerability.\n\nI cannot imagine why this retry was ever implemented, but it seems\nrather useless and harmful to me.  Let\u0027s remove it and fail with\nENAMETOOLONG instead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:56:54.870Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0f2b2d9e881c90402dbe28f9ba831775b7992e1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d42ad3f161a5a487f81915c406f46943c7187a0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4b168c64da06954be5d520f6c16469b1cadc069"
        },
        {
          "url": "https://git.kernel.org/stable/c/c47ed91156daf328601d02b58d52d9804da54108"
        },
        {
          "url": "https://git.kernel.org/stable/c/99a37ab76a315c8307eb5b0dc095d8ad9d8efeaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/550f7ca98ee028a606aa75705a7e77b1bd11720f"
        }
      ],
      "title": "ceph: give up on paths longer than PATH_MAX",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53685",
    "datePublished": "2025-01-11T12:35:40.252Z",
    "dateReserved": "2025-01-11T12:34:02.558Z",
    "dateUpdated": "2025-11-03T20:48:20.745Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-51729 (GCVE-0-2024-51729)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:35 – Updated: 2025-05-04 09:51

Title

mm: use aligned address in copy_user_gigantic_page()

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: use aligned address in copy_user_gigantic_page() In current kernel, hugetlb_wp() calls copy_user_large_folio() with the fault address. Where the fault address may be not aligned with the huge page size. Then, copy_user_large_folio() may call copy_user_gigantic_page() with the address, while copy_user_gigantic_page() requires the address to be huge page size aligned. So, this may cause memory corruption or information leak, addtional, use more obvious naming 'addr_hint' instead of 'addr' for copy_user_gigantic_page().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cb12d61361ce76967…
	https://git.kernel.org/stable/c/f5d09de9f1bf9674c…

Impacted products

Vendor

Product

Version

Linux

Affected: 530dd9926dc16220d2fae0997f45cda94f5f0864 , < cb12d61361ce769672c7c7bd32107252598cdd8b (git)
Affected: 530dd9926dc16220d2fae0997f45cda94f5f0864 , < f5d09de9f1bf9674c6418ff10d0a40cfe29268e1 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c",
            "mm/memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb12d61361ce769672c7c7bd32107252598cdd8b",
              "status": "affected",
              "version": "530dd9926dc16220d2fae0997f45cda94f5f0864",
              "versionType": "git"
            },
            {
              "lessThan": "f5d09de9f1bf9674c6418ff10d0a40cfe29268e1",
              "status": "affected",
              "version": "530dd9926dc16220d2fae0997f45cda94f5f0864",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c",
            "mm/memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: use aligned address in copy_user_gigantic_page()\n\nIn current kernel, hugetlb_wp() calls copy_user_large_folio() with the\nfault address.  Where the fault address may be not aligned with the huge\npage size.  Then, copy_user_large_folio() may call\ncopy_user_gigantic_page() with the address, while\ncopy_user_gigantic_page() requires the address to be huge page size\naligned.  So, this may cause memory corruption or information leak,\naddtional, use more obvious naming \u0027addr_hint\u0027 instead of \u0027addr\u0027 for\ncopy_user_gigantic_page()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:51:19.098Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb12d61361ce769672c7c7bd32107252598cdd8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5d09de9f1bf9674c6418ff10d0a40cfe29268e1"
        }
      ],
      "title": "mm: use aligned address in copy_user_gigantic_page()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-51729",
    "datePublished": "2025-01-11T12:35:38.375Z",
    "dateReserved": "2025-01-11T12:33:33.687Z",
    "dateUpdated": "2025-05-04T09:51:19.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56582 (GCVE-0-2024-56582)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-11-03 20:49

Title

btrfs: fix use-after-free in btrfs_encoded_read_endio()

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free in btrfs_encoded_read_endio() Shinichiro reported the following use-after free that sometimes is happening in our CI system when running fstests' btrfs/284 on a TCMU runner device: BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780 Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219 CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: <TASK> dump_stack_lvl+0x6e/0xa0 ? lock_release+0x708/0x780 print_report+0x174/0x505 ? lock_release+0x708/0x780 ? __virt_addr_valid+0x224/0x410 ? lock_release+0x708/0x780 kasan_report+0xda/0x1b0 ? lock_release+0x708/0x780 ? __wake_up+0x44/0x60 lock_release+0x708/0x780 ? __pfx_lock_release+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? lock_is_held_type+0x9a/0x110 _raw_spin_unlock_irqrestore+0x1f/0x60 __wake_up+0x44/0x60 btrfs_encoded_read_endio+0x14b/0x190 [btrfs] btrfs_check_read_bio+0x8d9/0x1360 [btrfs] ? lock_release+0x1b0/0x780 ? trace_lock_acquire+0x12f/0x1a0 ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs] ? process_one_work+0x7e3/0x1460 ? lock_acquire+0x31/0xc0 ? process_one_work+0x7e3/0x1460 process_one_work+0x85c/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5e6/0xfc0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2c3/0x3a0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x4f/0x70 kfree+0x143/0x490 btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff888106a83f00 which belongs to the cache kmalloc-rnd-07-96 of size 96 The buggy address is located 24 bytes inside of freed 96-byte region [ffff888106a83f00, ffff888106a83f60) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004 raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Further analyzing the trace and ---truncated---

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a40de0330af4fb7bc…
	https://git.kernel.org/stable/c/6228f13f1996a4feb…
	https://git.kernel.org/stable/c/f8a5129e4a9fc3f6a…
	https://git.kernel.org/stable/c/05b36b04d74a517d6…

Impacted products

Vendor

Product

Version

Linux

Affected: 1881fba89bd5dcd364d2e1bf561912a90a11c21a , < a40de0330af4fb7bc6b354250c24f294f8b826a0 (git)
Affected: 1881fba89bd5dcd364d2e1bf561912a90a11c21a , < 6228f13f1996a4feb9b601d6644bf0bfe03671dd (git)
Affected: 1881fba89bd5dcd364d2e1bf561912a90a11c21a , < f8a5129e4a9fc3f6aa3f137513253b51b31b94d4 (git)
Affected: 1881fba89bd5dcd364d2e1bf561912a90a11c21a , < 05b36b04d74a517d6675bf2f90829ff1ac7e28dc (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56582",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:42:35.022378Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:24.334Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:49:59.647Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a40de0330af4fb7bc6b354250c24f294f8b826a0",
              "status": "affected",
              "version": "1881fba89bd5dcd364d2e1bf561912a90a11c21a",
              "versionType": "git"
            },
            {
              "lessThan": "6228f13f1996a4feb9b601d6644bf0bfe03671dd",
              "status": "affected",
              "version": "1881fba89bd5dcd364d2e1bf561912a90a11c21a",
              "versionType": "git"
            },
            {
              "lessThan": "f8a5129e4a9fc3f6aa3f137513253b51b31b94d4",
              "status": "affected",
              "version": "1881fba89bd5dcd364d2e1bf561912a90a11c21a",
              "versionType": "git"
            },
            {
              "lessThan": "05b36b04d74a517d6675bf2f90829ff1ac7e28dc",
              "status": "affected",
              "version": "1881fba89bd5dcd364d2e1bf561912a90a11c21a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free in btrfs_encoded_read_endio()\n\nShinichiro reported the following use-after free that sometimes is\nhappening in our CI system when running fstests\u0027 btrfs/284 on a TCMU\nrunner device:\n\n  BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780\n  Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219\n\n  CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15\n  Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n  Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x6e/0xa0\n   ? lock_release+0x708/0x780\n   print_report+0x174/0x505\n   ? lock_release+0x708/0x780\n   ? __virt_addr_valid+0x224/0x410\n   ? lock_release+0x708/0x780\n   kasan_report+0xda/0x1b0\n   ? lock_release+0x708/0x780\n   ? __wake_up+0x44/0x60\n   lock_release+0x708/0x780\n   ? __pfx_lock_release+0x10/0x10\n   ? __pfx_do_raw_spin_lock+0x10/0x10\n   ? lock_is_held_type+0x9a/0x110\n   _raw_spin_unlock_irqrestore+0x1f/0x60\n   __wake_up+0x44/0x60\n   btrfs_encoded_read_endio+0x14b/0x190 [btrfs]\n   btrfs_check_read_bio+0x8d9/0x1360 [btrfs]\n   ? lock_release+0x1b0/0x780\n   ? trace_lock_acquire+0x12f/0x1a0\n   ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs]\n   ? process_one_work+0x7e3/0x1460\n   ? lock_acquire+0x31/0xc0\n   ? process_one_work+0x7e3/0x1460\n   process_one_work+0x85c/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5e6/0xfc0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x2c3/0x3a0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x31/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\n  Allocated by task 3661:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   __kasan_kmalloc+0xaa/0xb0\n   btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs]\n   send_extent_data+0xf0f/0x24a0 [btrfs]\n   process_extent+0x48a/0x1830 [btrfs]\n   changed_cb+0x178b/0x2ea0 [btrfs]\n   btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]\n   _btrfs_ioctl_send+0x117/0x330 [btrfs]\n   btrfs_ioctl+0x184a/0x60a0 [btrfs]\n   __x64_sys_ioctl+0x12e/0x1a0\n   do_syscall_64+0x95/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n  Freed by task 3661:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   kasan_save_free_info+0x3b/0x70\n   __kasan_slab_free+0x4f/0x70\n   kfree+0x143/0x490\n   btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs]\n   send_extent_data+0xf0f/0x24a0 [btrfs]\n   process_extent+0x48a/0x1830 [btrfs]\n   changed_cb+0x178b/0x2ea0 [btrfs]\n   btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]\n   _btrfs_ioctl_send+0x117/0x330 [btrfs]\n   btrfs_ioctl+0x184a/0x60a0 [btrfs]\n   __x64_sys_ioctl+0x12e/0x1a0\n   do_syscall_64+0x95/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n  The buggy address belongs to the object at ffff888106a83f00\n   which belongs to the cache kmalloc-rnd-07-96 of size 96\n  The buggy address is located 24 bytes inside of\n   freed 96-byte region [ffff888106a83f00, ffff888106a83f60)\n\n  The buggy address belongs to the physical page:\n  page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83\n  flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)\n  page_type: f5(slab)\n  raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004\n  raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n   ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n  \u003effff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                              ^\n   ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n   ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ==================================================================\n\nFurther analyzing the trace and \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:59.341Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a40de0330af4fb7bc6b354250c24f294f8b826a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6228f13f1996a4feb9b601d6644bf0bfe03671dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8a5129e4a9fc3f6aa3f137513253b51b31b94d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/05b36b04d74a517d6675bf2f90829ff1ac7e28dc"
        }
      ],
      "title": "btrfs: fix use-after-free in btrfs_encoded_read_endio()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56582",
    "datePublished": "2024-12-27T14:23:23.851Z",
    "dateReserved": "2024-12-27T14:03:06.000Z",
    "dateUpdated": "2025-11-03T20:49:59.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57884 (GCVE-0-2024-57884)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-11-03 20:54

Title

mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() The task sometimes continues looping in throttle_direct_reclaim() because allow_direct_reclaim(pgdat) keeps returning false. #0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac #1 [ffff80002cb6f900] __schedule at ffff800008abbd1c #2 [ffff80002cb6f990] schedule at ffff800008abc50c #3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550 #4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68 #5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660 #6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98 #7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8 #8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974 #9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4 At this point, the pgdat contains the following two zones: NODE: 4 ZONE: 0 ADDR: ffff00817fffe540 NAME: "DMA32" SIZE: 20480 MIN/LOW/HIGH: 11/28/45 VM_STAT: NR_FREE_PAGES: 359 NR_ZONE_INACTIVE_ANON: 18813 NR_ZONE_ACTIVE_ANON: 0 NR_ZONE_INACTIVE_FILE: 50 NR_ZONE_ACTIVE_FILE: 0 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 NODE: 4 ZONE: 1 ADDR: ffff00817fffec00 NAME: "Normal" SIZE: 8454144 PRESENT: 98304 MIN/LOW/HIGH: 68/166/264 VM_STAT: NR_FREE_PAGES: 146 NR_ZONE_INACTIVE_ANON: 94668 NR_ZONE_ACTIVE_ANON: 3 NR_ZONE_INACTIVE_FILE: 735 NR_ZONE_ACTIVE_FILE: 78 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 In allow_direct_reclaim(), while processing ZONE_DMA32, the sum of inactive/active file-backed pages calculated in zone_reclaimable_pages() based on the result of zone_page_state_snapshot() is zero. Additionally, since this system lacks swap, the calculation of inactive/ active anonymous pages is skipped. crash> p nr_swap_pages nr_swap_pages = $1937 = { counter = 0 } As a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to the processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having free pages significantly exceeding the high watermark. The problem is that the pgdat->kswapd_failures hasn't been incremented. crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures $1935 = 0x0 This is because the node deemed balanced. The node balancing logic in balance_pgdat() evaluates all zones collectively. If one or more zones (e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the entire node is deemed balanced. This causes balance_pgdat() to exit early before incrementing the kswapd_failures, as it considers the overall memory state acceptable, even though some zones (like ZONE_NORMAL) remain under significant pressure. The patch ensures that zone_reclaimable_pages() includes free pages (NR_FREE_PAGES) in its calculation when no other reclaimable pages are available (e.g., file-backed or anonymous pages). This change prevents zones like ZONE_DMA32, which have sufficient free pages, from being mistakenly deemed unreclaimable. By doing so, the patch ensures proper node balancing, avoids masking pressure on other zones like ZONE_NORMAL, and prevents infinite loops in throttle_direct_reclaim() caused by allow_direct_reclaim(pgdat) repeatedly returning false. The kernel hangs due to a task stuck in throttle_direct_reclaim(), caused by a node being incorrectly deemed balanced despite pressure in certain zones, such as ZONE_NORMAL. This issue arises from zone_reclaimable_pages ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/66cd37660ec34ec44…
	https://git.kernel.org/stable/c/d675fefbaec3815b3…
	https://git.kernel.org/stable/c/63eac98d6f0898229…
	https://git.kernel.org/stable/c/bfb70119212980319…
	https://git.kernel.org/stable/c/1ff2302e8aeac7f2e…
	https://git.kernel.org/stable/c/58d0d02dbc67438fc…
	https://git.kernel.org/stable/c/6aaced5abd32e2a57…

Impacted products

Vendor

Product

Version

Linux

Affected: 5a1c84b404a7176b8b36e2a0041b6f0adb3151a3 , < 66cd37660ec34ec444fe42f2277330ae4a36bb19 (git)
Affected: 5a1c84b404a7176b8b36e2a0041b6f0adb3151a3 , < d675fefbaec3815b3ae0af1bebd97f27df3a05c8 (git)
Affected: 5a1c84b404a7176b8b36e2a0041b6f0adb3151a3 , < 63eac98d6f0898229f515cb62fe4e4db2430e99c (git)
Affected: 5a1c84b404a7176b8b36e2a0041b6f0adb3151a3 , < bfb701192129803191c9cd6cdd1f82cd07f8de2c (git)
Affected: 5a1c84b404a7176b8b36e2a0041b6f0adb3151a3 , < 1ff2302e8aeac7f2eedb551d7a89617283b5c6b2 (git)
Affected: 5a1c84b404a7176b8b36e2a0041b6f0adb3151a3 , < 58d0d02dbc67438fc80223fdd7bbc49cf0733284 (git)
Affected: 5a1c84b404a7176b8b36e2a0041b6f0adb3151a3 , < 6aaced5abd32e2a57cd94fd64f824514d0361da8 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.289 , ≤ 5.4.* (semver)
Unaffected: 5.10.233 , ≤ 5.10.* (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:54.121Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/vmscan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "66cd37660ec34ec444fe42f2277330ae4a36bb19",
              "status": "affected",
              "version": "5a1c84b404a7176b8b36e2a0041b6f0adb3151a3",
              "versionType": "git"
            },
            {
              "lessThan": "d675fefbaec3815b3ae0af1bebd97f27df3a05c8",
              "status": "affected",
              "version": "5a1c84b404a7176b8b36e2a0041b6f0adb3151a3",
              "versionType": "git"
            },
            {
              "lessThan": "63eac98d6f0898229f515cb62fe4e4db2430e99c",
              "status": "affected",
              "version": "5a1c84b404a7176b8b36e2a0041b6f0adb3151a3",
              "versionType": "git"
            },
            {
              "lessThan": "bfb701192129803191c9cd6cdd1f82cd07f8de2c",
              "status": "affected",
              "version": "5a1c84b404a7176b8b36e2a0041b6f0adb3151a3",
              "versionType": "git"
            },
            {
              "lessThan": "1ff2302e8aeac7f2eedb551d7a89617283b5c6b2",
              "status": "affected",
              "version": "5a1c84b404a7176b8b36e2a0041b6f0adb3151a3",
              "versionType": "git"
            },
            {
              "lessThan": "58d0d02dbc67438fc80223fdd7bbc49cf0733284",
              "status": "affected",
              "version": "5a1c84b404a7176b8b36e2a0041b6f0adb3151a3",
              "versionType": "git"
            },
            {
              "lessThan": "6aaced5abd32e2a57cd94fd64f824514d0361da8",
              "status": "affected",
              "version": "5a1c84b404a7176b8b36e2a0041b6f0adb3151a3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/vmscan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()\n\nThe task sometimes continues looping in throttle_direct_reclaim() because\nallow_direct_reclaim(pgdat) keeps returning false.  \n\n #0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac\n #1 [ffff80002cb6f900] __schedule at ffff800008abbd1c\n #2 [ffff80002cb6f990] schedule at ffff800008abc50c\n #3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550\n #4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68\n #5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660\n #6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98\n #7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8\n #8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974\n #9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4\n\nAt this point, the pgdat contains the following two zones:\n\n        NODE: 4  ZONE: 0  ADDR: ffff00817fffe540  NAME: \"DMA32\"\n          SIZE: 20480  MIN/LOW/HIGH: 11/28/45\n          VM_STAT:\n                NR_FREE_PAGES: 359\n        NR_ZONE_INACTIVE_ANON: 18813\n          NR_ZONE_ACTIVE_ANON: 0\n        NR_ZONE_INACTIVE_FILE: 50\n          NR_ZONE_ACTIVE_FILE: 0\n          NR_ZONE_UNEVICTABLE: 0\n        NR_ZONE_WRITE_PENDING: 0\n                     NR_MLOCK: 0\n                    NR_BOUNCE: 0\n                   NR_ZSPAGES: 0\n            NR_FREE_CMA_PAGES: 0\n\n        NODE: 4  ZONE: 1  ADDR: ffff00817fffec00  NAME: \"Normal\"\n          SIZE: 8454144  PRESENT: 98304  MIN/LOW/HIGH: 68/166/264\n          VM_STAT:\n                NR_FREE_PAGES: 146\n        NR_ZONE_INACTIVE_ANON: 94668\n          NR_ZONE_ACTIVE_ANON: 3\n        NR_ZONE_INACTIVE_FILE: 735\n          NR_ZONE_ACTIVE_FILE: 78\n          NR_ZONE_UNEVICTABLE: 0\n        NR_ZONE_WRITE_PENDING: 0\n                     NR_MLOCK: 0\n                    NR_BOUNCE: 0\n                   NR_ZSPAGES: 0\n            NR_FREE_CMA_PAGES: 0\n\nIn allow_direct_reclaim(), while processing ZONE_DMA32, the sum of\ninactive/active file-backed pages calculated in zone_reclaimable_pages()\nbased on the result of zone_page_state_snapshot() is zero.  \n\nAdditionally, since this system lacks swap, the calculation of inactive/\nactive anonymous pages is skipped.\n\n        crash\u003e p nr_swap_pages\n        nr_swap_pages = $1937 = {\n          counter = 0\n        }\n\nAs a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to\nthe processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having\nfree pages significantly exceeding the high watermark.\n\nThe problem is that the pgdat-\u003ekswapd_failures hasn\u0027t been incremented.\n\n        crash\u003e px ((struct pglist_data *) 0xffff00817fffe540)-\u003ekswapd_failures\n        $1935 = 0x0\n\nThis is because the node deemed balanced.  The node balancing logic in\nbalance_pgdat() evaluates all zones collectively.  If one or more zones\n(e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the\nentire node is deemed balanced.  This causes balance_pgdat() to exit early\nbefore incrementing the kswapd_failures, as it considers the overall\nmemory state acceptable, even though some zones (like ZONE_NORMAL) remain\nunder significant pressure.\n\n\nThe patch ensures that zone_reclaimable_pages() includes free pages\n(NR_FREE_PAGES) in its calculation when no other reclaimable pages are\navailable (e.g., file-backed or anonymous pages).  This change prevents\nzones like ZONE_DMA32, which have sufficient free pages, from being\nmistakenly deemed unreclaimable.  By doing so, the patch ensures proper\nnode balancing, avoids masking pressure on other zones like ZONE_NORMAL,\nand prevents infinite loops in throttle_direct_reclaim() caused by\nallow_direct_reclaim(pgdat) repeatedly returning false.\n\n\nThe kernel hangs due to a task stuck in throttle_direct_reclaim(), caused\nby a node being incorrectly deemed balanced despite pressure in certain\nzones, such as ZONE_NORMAL.  This issue arises from\nzone_reclaimable_pages\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:50.618Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/66cd37660ec34ec444fe42f2277330ae4a36bb19"
        },
        {
          "url": "https://git.kernel.org/stable/c/d675fefbaec3815b3ae0af1bebd97f27df3a05c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/63eac98d6f0898229f515cb62fe4e4db2430e99c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfb701192129803191c9cd6cdd1f82cd07f8de2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ff2302e8aeac7f2eedb551d7a89617283b5c6b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/58d0d02dbc67438fc80223fdd7bbc49cf0733284"
        },
        {
          "url": "https://git.kernel.org/stable/c/6aaced5abd32e2a57cd94fd64f824514d0361da8"
        }
      ],
      "title": "mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57884",
    "datePublished": "2025-01-15T13:05:37.152Z",
    "dateReserved": "2025-01-11T14:45:42.024Z",
    "dateUpdated": "2025-11-03T20:54:54.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56617 (GCVE-0-2024-56617)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-10-01 20:07

Title

cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU

Summary

In the Linux kernel, the following vulnerability has been resolved: cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU Commit 5944ce092b97 ("arch_topology: Build cacheinfo from primary CPU") adds functionality that architectures can use to optionally allocate and build cacheinfo early during boot. Commit 6539cffa9495 ("cacheinfo: Add arch specific early level initializer") lets secondary CPUs correct (and reallocate memory) cacheinfo data if needed. If the early build functionality is not used and cacheinfo does not need correction, memory for cacheinfo is never allocated. x86 does not use the early build functionality. Consequently, during the cacheinfo CPU hotplug callback, last_level_cache_is_valid() attempts to dereference a NULL pointer: BUG: kernel NULL pointer dereference, address: 0000000000000100 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not present page PGD 0 P4D 0 Oops: 0000 [#1] PREEPMT SMP NOPTI CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1 RIP: 0010: last_level_cache_is_valid+0x95/0xe0a Allocate memory for cacheinfo during the cacheinfo CPU hotplug callback if not done earlier. Moreover, before determining the validity of the last-level cache info, ensure that it has been allocated. Simply checking for non-zero cache_leaves() is not sufficient, as some architectures (e.g., Intel processors) have non-zero cache_leaves() before allocation. Dereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size(). This function iterates over all online CPUs. However, a CPU may have come online recently, but its cacheinfo may not have been allocated yet. While here, remove an unnecessary indentation in allocate_cache_info(). [ bp: Massage. ]

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/23b5908b11b77ff8d…
	https://git.kernel.org/stable/c/95e197354e0de07e9…
	https://git.kernel.org/stable/c/b3fce429a1e030b50…

Impacted products

Vendor

Product

Version

Linux

Affected: 6539cffa94957241c096099a57d05fa4d8c7db8a , < 23b5908b11b77ff8d7b8f7b8f11cbab2e1f4bfc2 (git)
Affected: 6539cffa94957241c096099a57d05fa4d8c7db8a , < 95e197354e0de07e9a20819bdae6562e4dda0f20 (git)
Affected: 6539cffa94957241c096099a57d05fa4d8c7db8a , < b3fce429a1e030b50c1c91351d69b8667eef627b (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56617",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:04.156090Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:12.963Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/cacheinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "23b5908b11b77ff8d7b8f7b8f11cbab2e1f4bfc2",
              "status": "affected",
              "version": "6539cffa94957241c096099a57d05fa4d8c7db8a",
              "versionType": "git"
            },
            {
              "lessThan": "95e197354e0de07e9a20819bdae6562e4dda0f20",
              "status": "affected",
              "version": "6539cffa94957241c096099a57d05fa4d8c7db8a",
              "versionType": "git"
            },
            {
              "lessThan": "b3fce429a1e030b50c1c91351d69b8667eef627b",
              "status": "affected",
              "version": "6539cffa94957241c096099a57d05fa4d8c7db8a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/cacheinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU\n\nCommit\n\n  5944ce092b97 (\"arch_topology: Build cacheinfo from primary CPU\")\n\nadds functionality that architectures can use to optionally allocate and\nbuild cacheinfo early during boot. Commit\n\n  6539cffa9495 (\"cacheinfo: Add arch specific early level initializer\")\n\nlets secondary CPUs correct (and reallocate memory) cacheinfo data if\nneeded.\n\nIf the early build functionality is not used and cacheinfo does not need\ncorrection, memory for cacheinfo is never allocated. x86 does not use\nthe early build functionality. Consequently, during the cacheinfo CPU\nhotplug callback, last_level_cache_is_valid() attempts to dereference\na NULL pointer:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000100\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEPMT SMP NOPTI\n  CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1\n  RIP: 0010: last_level_cache_is_valid+0x95/0xe0a\n\nAllocate memory for cacheinfo during the cacheinfo CPU hotplug callback\nif not done earlier.\n\nMoreover, before determining the validity of the last-level cache info,\nensure that it has been allocated. Simply checking for non-zero\ncache_leaves() is not sufficient, as some architectures (e.g., Intel\nprocessors) have non-zero cache_leaves() before allocation.\n\nDereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size().\nThis function iterates over all online CPUs. However, a CPU may have come\nonline recently, but its cacheinfo may not have been allocated yet.\n\nWhile here, remove an unnecessary indentation in allocate_cache_info().\n\n  [ bp: Massage. ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:59:59.495Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/23b5908b11b77ff8d7b8f7b8f11cbab2e1f4bfc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/95e197354e0de07e9a20819bdae6562e4dda0f20"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3fce429a1e030b50c1c91351d69b8667eef627b"
        }
      ],
      "title": "cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56617",
    "datePublished": "2024-12-27T14:51:21.869Z",
    "dateReserved": "2024-12-27T14:03:06.014Z",
    "dateUpdated": "2025-10-01T20:07:12.963Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57901 (GCVE-0-2024-57901)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-11-03 20:55

Title

af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK

Summary

In the Linux kernel, the following vulnerability has been resolved: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found by syzbot. Rework vlan_get_protocol_dgram() to not touch skb at all, so that it can be used from many cpus on the same skb. Add a const qualifier to skb argument. [1] skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev:<NULL> ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900038d7638 EFLAGS: 00010282 RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60 R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140 R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011 FS: 00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_push+0xe5/0x100 net/core/skbuff.c:2636 vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585 packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg+0x22f/0x280 net/socket.c:1055 ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803 ___sys_recvmsg net/socket.c:2845 [inline] do_recvmmsg+0x426/0xab0 net/socket.c:2940 __sys_recvmmsg net/socket.c:3014 [inline] __do_sys_recvmmsg net/socket.c:3037 [inline] __se_sys_recvmmsg net/socket.c:3030 [inline] __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/560cbdd26b510626f…
	https://git.kernel.org/stable/c/0d3fa6c3c9ca7aa25…
	https://git.kernel.org/stable/c/de4f8d477c67ec1d7…
	https://git.kernel.org/stable/c/5d336714db324bef8…
	https://git.kernel.org/stable/c/a693b87692b4d7c50…
	https://git.kernel.org/stable/c/cd8488fdc7116f6da…
	https://git.kernel.org/stable/c/f91a5b8089389eb40…

Impacted products

Vendor

Product

Version

Linux

Affected: c77064e76c768fb101ea5ff92dc771142fc9d8fd , < 560cbdd26b510626f3f4f27d34c44dfd3dd3499d (git)
Affected: 83e2dfadcb6258fe3111c8a8ec9cf34465e55e64 , < 0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1 (git)
Affected: d0a1f9aa70f0d8a05b6320e8a3f3b83adab8dac3 , < de4f8d477c67ec1d7c28f3486c3e47d147d90a01 (git)
Affected: 5839f59ff1dd4e35b9e767927931a039484839e1 , < 5d336714db324bef84490c75dcc48b387ef0346e (git)
Affected: 5a041d25b67042cbe06a0fb292ee22fd1147e65c , < a693b87692b4d7c50f4fc08a996678d60534a9da (git)
Affected: 79eecf631c14e7f4057186570ac20e2cfac3802e , < cd8488fdc7116f6da277515647b167859d4f72b1 (git)
Affected: 79eecf631c14e7f4057186570ac20e2cfac3802e , < f91a5b8089389eb408501af2762f168c3aaa7b79 (git)
Affected: 3dfd84aa72fa7329ed4a257c8f40e0c9aff4dc8f (git)
Affected: 66f23a7b5174b5d3e7111fd2d0d5a4f3faaa12e5 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 5.4.289 , ≤ 5.4.* (semver)
Unaffected: 5.10.233 , ≤ 5.10.* (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57901",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:36.657172Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:19.115Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:19.106Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/if_vlan.h",
            "net/packet/af_packet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "560cbdd26b510626f3f4f27d34c44dfd3dd3499d",
              "status": "affected",
              "version": "c77064e76c768fb101ea5ff92dc771142fc9d8fd",
              "versionType": "git"
            },
            {
              "lessThan": "0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1",
              "status": "affected",
              "version": "83e2dfadcb6258fe3111c8a8ec9cf34465e55e64",
              "versionType": "git"
            },
            {
              "lessThan": "de4f8d477c67ec1d7c28f3486c3e47d147d90a01",
              "status": "affected",
              "version": "d0a1f9aa70f0d8a05b6320e8a3f3b83adab8dac3",
              "versionType": "git"
            },
            {
              "lessThan": "5d336714db324bef84490c75dcc48b387ef0346e",
              "status": "affected",
              "version": "5839f59ff1dd4e35b9e767927931a039484839e1",
              "versionType": "git"
            },
            {
              "lessThan": "a693b87692b4d7c50f4fc08a996678d60534a9da",
              "status": "affected",
              "version": "5a041d25b67042cbe06a0fb292ee22fd1147e65c",
              "versionType": "git"
            },
            {
              "lessThan": "cd8488fdc7116f6da277515647b167859d4f72b1",
              "status": "affected",
              "version": "79eecf631c14e7f4057186570ac20e2cfac3802e",
              "versionType": "git"
            },
            {
              "lessThan": "f91a5b8089389eb408501af2762f168c3aaa7b79",
              "status": "affected",
              "version": "79eecf631c14e7f4057186570ac20e2cfac3802e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3dfd84aa72fa7329ed4a257c8f40e0c9aff4dc8f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "66f23a7b5174b5d3e7111fd2d0d5a4f3faaa12e5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/if_vlan.h",
            "net/packet/af_packet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "versionStartIncluding": "5.4.282",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "5.10.224",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.15.165",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "6.1.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.6.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.320",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK\n\nBlamed commit forgot MSG_PEEK case, allowing a crash [1] as found\nby syzbot.\n\nRework vlan_get_protocol_dgram() to not touch skb at all,\nso that it can be used from many cpus on the same skb.\n\nAdd a const qualifier to skb argument.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev:\u003cNULL\u003e\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:206 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]\n RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216\nCode: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 \u003c0f\u003e 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3\nRSP: 0018:ffffc900038d7638 EFLAGS: 00010282\nRAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600\nRDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\nRBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60\nR10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140\nR13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011\nFS:  00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n  skb_push+0xe5/0x100 net/core/skbuff.c:2636\n  vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585\n  packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552\n  sock_recvmsg_nosec net/socket.c:1033 [inline]\n  sock_recvmsg+0x22f/0x280 net/socket.c:1055\n  ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x426/0xab0 net/socket.c:2940\n  __sys_recvmmsg net/socket.c:3014 [inline]\n  __do_sys_recvmmsg net/socket.c:3037 [inline]\n  __se_sys_recvmmsg net/socket.c:3030 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:29.648Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/560cbdd26b510626f3f4f27d34c44dfd3dd3499d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/de4f8d477c67ec1d7c28f3486c3e47d147d90a01"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d336714db324bef84490c75dcc48b387ef0346e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a693b87692b4d7c50f4fc08a996678d60534a9da"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd8488fdc7116f6da277515647b167859d4f72b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f91a5b8089389eb408501af2762f168c3aaa7b79"
        }
      ],
      "title": "af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57901",
    "datePublished": "2025-01-15T13:05:57.527Z",
    "dateReserved": "2025-01-11T14:45:42.030Z",
    "dateUpdated": "2025-11-03T20:55:19.106Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-53687 (GCVE-0-2024-53687)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:29 – Updated: 2025-05-04 09:56

Title

riscv: Fix IPIs usage in kfence_protect_page()

Summary

In the Linux kernel, the following vulnerability has been resolved: riscv: Fix IPIs usage in kfence_protect_page() flush_tlb_kernel_range() may use IPIs to flush the TLBs of all the cores, which triggers the following warning when the irqs are disabled: [ 3.455330] WARNING: CPU: 1 PID: 0 at kernel/smp.c:815 smp_call_function_many_cond+0x452/0x520 [ 3.456647] Modules linked in: [ 3.457218] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.12.0-rc7-00010-g91d3de7240b8 #1 [ 3.457416] Hardware name: QEMU QEMU Virtual Machine, BIOS [ 3.457633] epc : smp_call_function_many_cond+0x452/0x520 [ 3.457736] ra : on_each_cpu_cond_mask+0x1e/0x30 [ 3.457786] epc : ffffffff800b669a ra : ffffffff800b67c2 sp : ff2000000000bb50 [ 3.457824] gp : ffffffff815212b8 tp : ff6000008014f080 t0 : 000000000000003f [ 3.457859] t1 : ffffffff815221e0 t2 : 000000000000000f s0 : ff2000000000bc10 [ 3.457920] s1 : 0000000000000040 a0 : ffffffff815221e0 a1 : 0000000000000001 [ 3.457953] a2 : 0000000000010000 a3 : 0000000000000003 a4 : 0000000000000000 [ 3.458006] a5 : 0000000000000000 a6 : ffffffffffffffff a7 : 0000000000000000 [ 3.458042] s2 : ffffffff815223be s3 : 00fffffffffff000 s4 : ff600001ffe38fc0 [ 3.458076] s5 : ff600001ff950d00 s6 : 0000000200000120 s7 : 0000000000000001 [ 3.458109] s8 : 0000000000000001 s9 : ff60000080841ef0 s10: 0000000000000001 [ 3.458141] s11: ffffffff81524812 t3 : 0000000000000001 t4 : ff60000080092bc0 [ 3.458172] t5 : 0000000000000000 t6 : ff200000000236d0 [ 3.458203] status: 0000000200000100 badaddr: ffffffff800b669a cause: 0000000000000003 [ 3.458373] [<ffffffff800b669a>] smp_call_function_many_cond+0x452/0x520 [ 3.458593] [<ffffffff800b67c2>] on_each_cpu_cond_mask+0x1e/0x30 [ 3.458625] [<ffffffff8000e4ca>] __flush_tlb_range+0x118/0x1ca [ 3.458656] [<ffffffff8000e6b2>] flush_tlb_kernel_range+0x1e/0x26 [ 3.458683] [<ffffffff801ea56a>] kfence_protect+0xc0/0xce [ 3.458717] [<ffffffff801e9456>] kfence_guarded_free+0xc6/0x1c0 [ 3.458742] [<ffffffff801e9d6c>] __kfence_free+0x62/0xc6 [ 3.458764] [<ffffffff801c57d8>] kfree+0x106/0x32c [ 3.458786] [<ffffffff80588cf2>] detach_buf_split+0x188/0x1a8 [ 3.458816] [<ffffffff8058708c>] virtqueue_get_buf_ctx+0xb6/0x1f6 [ 3.458839] [<ffffffff805871da>] virtqueue_get_buf+0xe/0x16 [ 3.458880] [<ffffffff80613d6a>] virtblk_done+0x5c/0xe2 [ 3.458908] [<ffffffff8058766e>] vring_interrupt+0x6a/0x74 [ 3.458930] [<ffffffff800747d8>] __handle_irq_event_percpu+0x7c/0xe2 [ 3.458956] [<ffffffff800748f0>] handle_irq_event+0x3c/0x86 [ 3.458978] [<ffffffff800786cc>] handle_simple_irq+0x9e/0xbe [ 3.459004] [<ffffffff80073934>] generic_handle_domain_irq+0x1c/0x2a [ 3.459027] [<ffffffff804bf87c>] imsic_handle_irq+0xba/0x120 [ 3.459056] [<ffffffff80073934>] generic_handle_domain_irq+0x1c/0x2a [ 3.459080] [<ffffffff804bdb76>] riscv_intc_aia_irq+0x24/0x34 [ 3.459103] [<ffffffff809d0452>] handle_riscv_irq+0x2e/0x4c [ 3.459133] [<ffffffff809d923e>] call_on_irq_stack+0x32/0x40 So only flush the local TLB and let the lazy kfence page fault handling deal with the faults which could happen when a core has an old protected pte version cached in its TLB. That leads to potential inaccuracies which can be tolerated when using kfence.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6f796a6a396d6f963…
	https://git.kernel.org/stable/c/3abfc4130c4222099…
	https://git.kernel.org/stable/c/b3431a8bb336cece8…

Impacted products

Vendor

Product

Version

Linux

Affected: 47513f243b452a5e21180dcf3d6ac1c57e1781a6 , < 6f796a6a396d6f963f2cc8f5edd7dfba2cca097f (git)
Affected: 47513f243b452a5e21180dcf3d6ac1c57e1781a6 , < 3abfc4130c4222099c69d023fed97f1180a8ad7b (git)
Affected: 47513f243b452a5e21180dcf3d6ac1c57e1781a6 , < b3431a8bb336cece8adc452437befa7d4534b2fd (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/kfence.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6f796a6a396d6f963f2cc8f5edd7dfba2cca097f",
              "status": "affected",
              "version": "47513f243b452a5e21180dcf3d6ac1c57e1781a6",
              "versionType": "git"
            },
            {
              "lessThan": "3abfc4130c4222099c69d023fed97f1180a8ad7b",
              "status": "affected",
              "version": "47513f243b452a5e21180dcf3d6ac1c57e1781a6",
              "versionType": "git"
            },
            {
              "lessThan": "b3431a8bb336cece8adc452437befa7d4534b2fd",
              "status": "affected",
              "version": "47513f243b452a5e21180dcf3d6ac1c57e1781a6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/kfence.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix IPIs usage in kfence_protect_page()\n\nflush_tlb_kernel_range() may use IPIs to flush the TLBs of all the\ncores, which triggers the following warning when the irqs are disabled:\n\n[    3.455330] WARNING: CPU: 1 PID: 0 at kernel/smp.c:815 smp_call_function_many_cond+0x452/0x520\n[    3.456647] Modules linked in:\n[    3.457218] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.12.0-rc7-00010-g91d3de7240b8 #1\n[    3.457416] Hardware name: QEMU QEMU Virtual Machine, BIOS\n[    3.457633] epc : smp_call_function_many_cond+0x452/0x520\n[    3.457736]  ra : on_each_cpu_cond_mask+0x1e/0x30\n[    3.457786] epc : ffffffff800b669a ra : ffffffff800b67c2 sp : ff2000000000bb50\n[    3.457824]  gp : ffffffff815212b8 tp : ff6000008014f080 t0 : 000000000000003f\n[    3.457859]  t1 : ffffffff815221e0 t2 : 000000000000000f s0 : ff2000000000bc10\n[    3.457920]  s1 : 0000000000000040 a0 : ffffffff815221e0 a1 : 0000000000000001\n[    3.457953]  a2 : 0000000000010000 a3 : 0000000000000003 a4 : 0000000000000000\n[    3.458006]  a5 : 0000000000000000 a6 : ffffffffffffffff a7 : 0000000000000000\n[    3.458042]  s2 : ffffffff815223be s3 : 00fffffffffff000 s4 : ff600001ffe38fc0\n[    3.458076]  s5 : ff600001ff950d00 s6 : 0000000200000120 s7 : 0000000000000001\n[    3.458109]  s8 : 0000000000000001 s9 : ff60000080841ef0 s10: 0000000000000001\n[    3.458141]  s11: ffffffff81524812 t3 : 0000000000000001 t4 : ff60000080092bc0\n[    3.458172]  t5 : 0000000000000000 t6 : ff200000000236d0\n[    3.458203] status: 0000000200000100 badaddr: ffffffff800b669a cause: 0000000000000003\n[    3.458373] [\u003cffffffff800b669a\u003e] smp_call_function_many_cond+0x452/0x520\n[    3.458593] [\u003cffffffff800b67c2\u003e] on_each_cpu_cond_mask+0x1e/0x30\n[    3.458625] [\u003cffffffff8000e4ca\u003e] __flush_tlb_range+0x118/0x1ca\n[    3.458656] [\u003cffffffff8000e6b2\u003e] flush_tlb_kernel_range+0x1e/0x26\n[    3.458683] [\u003cffffffff801ea56a\u003e] kfence_protect+0xc0/0xce\n[    3.458717] [\u003cffffffff801e9456\u003e] kfence_guarded_free+0xc6/0x1c0\n[    3.458742] [\u003cffffffff801e9d6c\u003e] __kfence_free+0x62/0xc6\n[    3.458764] [\u003cffffffff801c57d8\u003e] kfree+0x106/0x32c\n[    3.458786] [\u003cffffffff80588cf2\u003e] detach_buf_split+0x188/0x1a8\n[    3.458816] [\u003cffffffff8058708c\u003e] virtqueue_get_buf_ctx+0xb6/0x1f6\n[    3.458839] [\u003cffffffff805871da\u003e] virtqueue_get_buf+0xe/0x16\n[    3.458880] [\u003cffffffff80613d6a\u003e] virtblk_done+0x5c/0xe2\n[    3.458908] [\u003cffffffff8058766e\u003e] vring_interrupt+0x6a/0x74\n[    3.458930] [\u003cffffffff800747d8\u003e] __handle_irq_event_percpu+0x7c/0xe2\n[    3.458956] [\u003cffffffff800748f0\u003e] handle_irq_event+0x3c/0x86\n[    3.458978] [\u003cffffffff800786cc\u003e] handle_simple_irq+0x9e/0xbe\n[    3.459004] [\u003cffffffff80073934\u003e] generic_handle_domain_irq+0x1c/0x2a\n[    3.459027] [\u003cffffffff804bf87c\u003e] imsic_handle_irq+0xba/0x120\n[    3.459056] [\u003cffffffff80073934\u003e] generic_handle_domain_irq+0x1c/0x2a\n[    3.459080] [\u003cffffffff804bdb76\u003e] riscv_intc_aia_irq+0x24/0x34\n[    3.459103] [\u003cffffffff809d0452\u003e] handle_riscv_irq+0x2e/0x4c\n[    3.459133] [\u003cffffffff809d923e\u003e] call_on_irq_stack+0x32/0x40\n\nSo only flush the local TLB and let the lazy kfence page fault handling\ndeal with the faults which could happen when a core has an old protected\npte version cached in its TLB. That leads to potential inaccuracies which\ncan be tolerated when using kfence."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:56:56.259Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6f796a6a396d6f963f2cc8f5edd7dfba2cca097f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3abfc4130c4222099c69d023fed97f1180a8ad7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3431a8bb336cece8adc452437befa7d4534b2fd"
        }
      ],
      "title": "riscv: Fix IPIs usage in kfence_protect_page()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53687",
    "datePublished": "2025-01-11T12:29:50.589Z",
    "dateReserved": "2025-01-09T09:49:29.686Z",
    "dateUpdated": "2025-05-04T09:56:56.259Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56783 (GCVE-0-2024-56783)

Vulnerability from cvelistv5 – Published: 2025-01-08 17:51 – Updated: 2025-11-03 20:54

Title

netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level cgroup maximum depth is INT_MAX by default, there is a cgroup toggle to restrict this maximum depth to a more reasonable value not to harm performance. Remove unnecessary WARN_ON_ONCE which is reachable from userspace.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-617 - Reachable Assertion

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7064a6daa4a700a29…
	https://git.kernel.org/stable/c/2f9bec0a749eb646b…
	https://git.kernel.org/stable/c/e227c042580ab065e…
	https://git.kernel.org/stable/c/b7529880cb961d515…

Impacted products

Vendor

Product

Version

Linux

Affected: ace0db36b4a1db07a48517c4f04488d1cd05e5f5 , < 7064a6daa4a700a298fe3aee11dea296bfe59fc4 (git)
Affected: f07e28e4c623168f9fa5c00f518bd341d4014aa6 , < 2f9bec0a749eb646b384fde0c7b7c24687b2ffae (git)
Affected: 7f3287db654395f9c5ddd246325ff7889f550286 , < e227c042580ab065edc610c9ddc9bea691e6fc4d (git)
Affected: 7f3287db654395f9c5ddd246325ff7889f550286 , < b7529880cb961d515642ce63f9d7570869bbbdc3 (git)
Affected: ecc5368315af8473fe052cb928e53756dbfe4403 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56783",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:15.405176Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-617",
                "description": "CWE-617 Reachable Assertion",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:23.562Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:22.599Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7064a6daa4a700a298fe3aee11dea296bfe59fc4",
              "status": "affected",
              "version": "ace0db36b4a1db07a48517c4f04488d1cd05e5f5",
              "versionType": "git"
            },
            {
              "lessThan": "2f9bec0a749eb646b384fde0c7b7c24687b2ffae",
              "status": "affected",
              "version": "f07e28e4c623168f9fa5c00f518bd341d4014aa6",
              "versionType": "git"
            },
            {
              "lessThan": "e227c042580ab065edc610c9ddc9bea691e6fc4d",
              "status": "affected",
              "version": "7f3287db654395f9c5ddd246325ff7889f550286",
              "versionType": "git"
            },
            {
              "lessThan": "b7529880cb961d515642ce63f9d7570869bbbdc3",
              "status": "affected",
              "version": "7f3287db654395f9c5ddd246325ff7889f550286",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ecc5368315af8473fe052cb928e53756dbfe4403",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "6.1.112",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "6.6.53",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level\n\ncgroup maximum depth is INT_MAX by default, there is a cgroup toggle to\nrestrict this maximum depth to a more reasonable value not to harm\nperformance. Remove unnecessary WARN_ON_ONCE which is reachable from\nuserspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:24.261Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7064a6daa4a700a298fe3aee11dea296bfe59fc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f9bec0a749eb646b384fde0c7b7c24687b2ffae"
        },
        {
          "url": "https://git.kernel.org/stable/c/e227c042580ab065edc610c9ddc9bea691e6fc4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7529880cb961d515642ce63f9d7570869bbbdc3"
        }
      ],
      "title": "netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56783",
    "datePublished": "2025-01-08T17:51:59.704Z",
    "dateReserved": "2024-12-29T11:26:39.768Z",
    "dateUpdated": "2025-11-03T20:54:22.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21664 (GCVE-0-2025-21664)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-11-03 20:58

Title

dm thin: make get_first_thin use rcu-safe list first function

Summary

In the Linux kernel, the following vulnerability has been resolved: dm thin: make get_first_thin use rcu-safe list first function The documentation in rculist.h explains the absence of list_empty_rcu() and cautions programmers against relying on a list_empty() -> list_first() sequence in RCU safe code. This is because each of these functions performs its own READ_ONCE() of the list head. This can lead to a situation where the list_empty() sees a valid list entry, but the subsequent list_first() sees a different view of list head state after a modification. In the case of dm-thin, this author had a production box crash from a GP fault in the process_deferred_bios path. This function saw a valid list head in get_first_thin() but when it subsequently dereferenced that and turned it into a thin_c, it got the inside of the struct pool, since the list was now empty and referring to itself. The kernel on which this occurred printed both a warning about a refcount_t being saturated, and a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, prior to the fault itself. When the resulting kdump was examined, it was possible to see another thread patiently waiting in thin_dtr's synchronize_rcu. The thin_dtr call managed to pull the thin_c out of the active thins list (and have it be the last entry in the active_thins list) at just the wrong moment which lead to this crash. Fortunately, the fix here is straight forward. Switch get_first_thin() function to use list_first_or_null_rcu() which performs just a single READ_ONCE() and returns NULL if the list is already empty. This was run against the devicemapper test suite's thin-provisioning suites for delete and suspend and no regressions were observed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ec037fe8c0d0f6140…
	https://git.kernel.org/stable/c/cd30a3960433ec2db…
	https://git.kernel.org/stable/c/802666a40c71a2354…
	https://git.kernel.org/stable/c/12771050b6d059eea…
	https://git.kernel.org/stable/c/6b305e98de0d225cc…
	https://git.kernel.org/stable/c/cbd0d5ecfa390ac29…
	https://git.kernel.org/stable/c/80f130bfad1dab93b…

Impacted products

Vendor

Product

Version

Linux

Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < ec037fe8c0d0f6140e3d8a49c7b29cb5582160b8 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < cd30a3960433ec2db94b3689752fa3c5df44d649 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < 802666a40c71a23542c43a3f87e3a2d0f4e8fe45 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < 12771050b6d059eea096993bf2001da9da9fddff (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < 6b305e98de0d225ccebfb225730a9f560d28ecb0 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < cbd0d5ecfa390ac29c5380200147d09c381b2ac6 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < 80f130bfad1dab93b95683fc39b87235682b8f72 (git)

Linux

Affected: 3.15
Unaffected: 0 , < 3.15 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:40.356Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-thin.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ec037fe8c0d0f6140e3d8a49c7b29cb5582160b8",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "cd30a3960433ec2db94b3689752fa3c5df44d649",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "802666a40c71a23542c43a3f87e3a2d0f4e8fe45",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "12771050b6d059eea096993bf2001da9da9fddff",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "6b305e98de0d225ccebfb225730a9f560d28ecb0",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "cbd0d5ecfa390ac29c5380200147d09c381b2ac6",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "80f130bfad1dab93b95683fc39b87235682b8f72",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-thin.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: make get_first_thin use rcu-safe list first function\n\nThe documentation in rculist.h explains the absence of list_empty_rcu()\nand cautions programmers against relying on a list_empty() -\u003e\nlist_first() sequence in RCU safe code.  This is because each of these\nfunctions performs its own READ_ONCE() of the list head.  This can lead\nto a situation where the list_empty() sees a valid list entry, but the\nsubsequent list_first() sees a different view of list head state after a\nmodification.\n\nIn the case of dm-thin, this author had a production box crash from a GP\nfault in the process_deferred_bios path.  This function saw a valid list\nhead in get_first_thin() but when it subsequently dereferenced that and\nturned it into a thin_c, it got the inside of the struct pool, since the\nlist was now empty and referring to itself.  The kernel on which this\noccurred printed both a warning about a refcount_t being saturated, and\na UBSAN error for an out-of-bounds cpuid access in the queued spinlock,\nprior to the fault itself.  When the resulting kdump was examined, it\nwas possible to see another thread patiently waiting in thin_dtr\u0027s\nsynchronize_rcu.\n\nThe thin_dtr call managed to pull the thin_c out of the active thins\nlist (and have it be the last entry in the active_thins list) at just\nthe wrong moment which lead to this crash.\n\nFortunately, the fix here is straight forward.  Switch get_first_thin()\nfunction to use list_first_or_null_rcu() which performs just a single\nREAD_ONCE() and returns NULL if the list is already empty.\n\nThis was run against the devicemapper test suite\u0027s thin-provisioning\nsuites for delete and suspend and no regressions were observed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:30.814Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ec037fe8c0d0f6140e3d8a49c7b29cb5582160b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd30a3960433ec2db94b3689752fa3c5df44d649"
        },
        {
          "url": "https://git.kernel.org/stable/c/802666a40c71a23542c43a3f87e3a2d0f4e8fe45"
        },
        {
          "url": "https://git.kernel.org/stable/c/12771050b6d059eea096993bf2001da9da9fddff"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b305e98de0d225ccebfb225730a9f560d28ecb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbd0d5ecfa390ac29c5380200147d09c381b2ac6"
        },
        {
          "url": "https://git.kernel.org/stable/c/80f130bfad1dab93b95683fc39b87235682b8f72"
        }
      ],
      "title": "dm thin: make get_first_thin use rcu-safe list first function",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21664",
    "datePublished": "2025-01-21T12:18:19.015Z",
    "dateReserved": "2024-12-29T08:45:45.732Z",
    "dateUpdated": "2025-11-03T20:58:40.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56632 (GCVE-0-2024-56632)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-10-01 20:07

Title

nvme-tcp: fix the memleak while create new ctrl failed

Summary

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix the memleak while create new ctrl failed Now while we create new ctrl failed, we have not free the tagset occupied by admin_q, here try to fix it.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ceff9ac13a2478afd…
	https://git.kernel.org/stable/c/fec55c29e54d3ca6f…

Impacted products

Vendor

Product

Version

Linux

Affected: fd1418de10b9ca03d78404cf00a95138689ea369 , < ceff9ac13a2478afddce85414d404e6aff6425f6 (git)
Affected: fd1418de10b9ca03d78404cf00a95138689ea369 , < fec55c29e54d3ca6fe9d7d7d9266098b4514fd34 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56632",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:00:42.380071Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:12.162Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ceff9ac13a2478afddce85414d404e6aff6425f6",
              "status": "affected",
              "version": "fd1418de10b9ca03d78404cf00a95138689ea369",
              "versionType": "git"
            },
            {
              "lessThan": "fec55c29e54d3ca6fe9d7d7d9266098b4514fd34",
              "status": "affected",
              "version": "fd1418de10b9ca03d78404cf00a95138689ea369",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix the memleak while create new ctrl failed\n\nNow while we create new ctrl failed, we have not free the\ntagset occupied by admin_q, here try to fix it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:30.196Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ceff9ac13a2478afddce85414d404e6aff6425f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/fec55c29e54d3ca6fe9d7d7d9266098b4514fd34"
        }
      ],
      "title": "nvme-tcp: fix the memleak while create new ctrl failed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56632",
    "datePublished": "2024-12-27T15:02:30.396Z",
    "dateReserved": "2024-12-27T15:00:39.838Z",
    "dateUpdated": "2025-10-01T20:07:12.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-48876 (GCVE-0-2024-48876)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2025-05-04 09:39

Title

stackdepot: fix stack_depot_save_flags() in NMI context

Summary

In the Linux kernel, the following vulnerability has been resolved: stackdepot: fix stack_depot_save_flags() in NMI context Per documentation, stack_depot_save_flags() was meant to be usable from NMI context if STACK_DEPOT_FLAG_CAN_ALLOC is unset. However, it still would try to take the pool_lock in an attempt to save a stack trace in the current pool (if space is available). This could result in deadlock if an NMI is handled while pool_lock is already held. To avoid deadlock, only try to take the lock in NMI context and give up if unsuccessful. The documentation is fixed to clearly convey this.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9bfeeeff2c92b9dd2…
	https://git.kernel.org/stable/c/031e04bdc834cda3b…

Impacted products

Vendor

Product

Version

Linux

Affected: 4434a56ec20925333d6cf4d4093641d063abd35b , < 9bfeeeff2c92b9dd261198b601b45bde4c529841 (git)
Affected: 4434a56ec20925333d6cf4d4093641d063abd35b , < 031e04bdc834cda3b054ef6b698503b2b97e8186 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/stackdepot.h",
            "lib/stackdepot.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9bfeeeff2c92b9dd261198b601b45bde4c529841",
              "status": "affected",
              "version": "4434a56ec20925333d6cf4d4093641d063abd35b",
              "versionType": "git"
            },
            {
              "lessThan": "031e04bdc834cda3b054ef6b698503b2b97e8186",
              "status": "affected",
              "version": "4434a56ec20925333d6cf4d4093641d063abd35b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/stackdepot.h",
            "lib/stackdepot.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstackdepot: fix stack_depot_save_flags() in NMI context\n\nPer documentation, stack_depot_save_flags() was meant to be usable from\nNMI context if STACK_DEPOT_FLAG_CAN_ALLOC is unset.  However, it still\nwould try to take the pool_lock in an attempt to save a stack trace in the\ncurrent pool (if space is available).\n\nThis could result in deadlock if an NMI is handled while pool_lock is\nalready held.  To avoid deadlock, only try to take the lock in NMI context\nand give up if unsuccessful.\n\nThe documentation is fixed to clearly convey this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:39:20.195Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9bfeeeff2c92b9dd261198b601b45bde4c529841"
        },
        {
          "url": "https://git.kernel.org/stable/c/031e04bdc834cda3b054ef6b698503b2b97e8186"
        }
      ],
      "title": "stackdepot: fix stack_depot_save_flags() in NMI context",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-48876",
    "datePublished": "2025-01-11T12:25:17.819Z",
    "dateReserved": "2025-01-09T09:51:32.384Z",
    "dateUpdated": "2025-05-04T09:39:20.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57809 (GCVE-0-2024-57809)

Vulnerability from cvelistv5 – Published: 2025-01-11 14:08 – Updated: 2026-01-05 10:56

Title

PCI: imx6: Fix suspend/resume support on i.MX6QDL

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: imx6: Fix suspend/resume support on i.MX6QDL The suspend/resume functionality is currently broken on the i.MX6QDL platform, as documented in the NXP errata (ERR005723): https://www.nxp.com/docs/en/errata/IMX6DQCE.pdf This patch addresses the issue by sharing most of the suspend/resume sequences used by other i.MX devices, while avoiding modifications to critical registers that disrupt the PCIe functionality. It targets the same problem as the following downstream commit: https://github.com/nxp-imx/linux-imx/commit/4e92355e1f79d225ea842511fcfd42b343b32995 Unlike the downstream commit, this patch also resets the connected PCIe device if possible. Without this reset, certain drivers, such as ath10k or iwlwifi, will crash on resume. The device reset is also done by the driver on other i.MX platforms, making this patch consistent with existing practices. Upon resuming, the kernel will hang and display an error. Here's an example of the error encountered with the ath10k driver: ath10k_pci 0000:01:00.0: Unable to change power state from D3hot to D0, device inaccessible Unhandled fault: imprecise external abort (0x1406) at 0x0106f944 Without this patch, suspend/resume will fail on i.MX6QDL devices if a PCIe device is connected. [kwilczynski: commit log, added tag for stable releases]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ac43ea3d27a8f9bea…
	https://git.kernel.org/stable/c/0a726f542d7c8cc0f…

Impacted products

Vendor

Product

Version

Linux

Affected: 0ee2c1f2429f74328c82ea559b127c96d5224ccd , < ac43ea3d27a8f9beadf3af66c9ea4a566ebfff1f (git)
Affected: 0ee2c1f2429f74328c82ea559b127c96d5224ccd , < 0a726f542d7c8cc0f9c5ed7df5a4bd4b59ac21b3 (git)

Linux

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/dwc/pci-imx6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac43ea3d27a8f9beadf3af66c9ea4a566ebfff1f",
              "status": "affected",
              "version": "0ee2c1f2429f74328c82ea559b127c96d5224ccd",
              "versionType": "git"
            },
            {
              "lessThan": "0a726f542d7c8cc0f9c5ed7df5a4bd4b59ac21b3",
              "status": "affected",
              "version": "0ee2c1f2429f74328c82ea559b127c96d5224ccd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/dwc/pci-imx6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: imx6: Fix suspend/resume support on i.MX6QDL\n\nThe suspend/resume functionality is currently broken on the i.MX6QDL\nplatform, as documented in the NXP errata (ERR005723):\n\n  https://www.nxp.com/docs/en/errata/IMX6DQCE.pdf\n\nThis patch addresses the issue by sharing most of the suspend/resume\nsequences used by other i.MX devices, while avoiding modifications to\ncritical registers that disrupt the PCIe functionality. It targets the\nsame problem as the following downstream commit:\n\n  https://github.com/nxp-imx/linux-imx/commit/4e92355e1f79d225ea842511fcfd42b343b32995\n\nUnlike the downstream commit, this patch also resets the connected PCIe\ndevice if possible. Without this reset, certain drivers, such as ath10k\nor iwlwifi, will crash on resume. The device reset is also done by the\ndriver on other i.MX platforms, making this patch consistent with\nexisting practices.\n\nUpon resuming, the kernel will hang and display an error. Here\u0027s an\nexample of the error encountered with the ath10k driver:\n\n  ath10k_pci 0000:01:00.0: Unable to change power state from D3hot to D0, device inaccessible\n  Unhandled fault: imprecise external abort (0x1406) at 0x0106f944\n\nWithout this patch, suspend/resume will fail on i.MX6QDL devices if a\nPCIe device is connected.\n\n[kwilczynski: commit log, added tag for stable releases]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:24.484Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac43ea3d27a8f9beadf3af66c9ea4a566ebfff1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a726f542d7c8cc0f9c5ed7df5a4bd4b59ac21b3"
        }
      ],
      "title": "PCI: imx6: Fix suspend/resume support on i.MX6QDL",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57809",
    "datePublished": "2025-01-11T14:08:56.044Z",
    "dateReserved": "2025-01-11T12:34:02.689Z",
    "dateUpdated": "2026-01-05T10:56:24.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56772 (GCVE-0-2024-56772)

Vulnerability from cvelistv5 – Published: 2025-01-08 17:49 – Updated: 2025-05-04 10:04

Title

kunit: string-stream: Fix a UAF bug in kunit_init_suite()

Summary

In the Linux kernel, the following vulnerability has been resolved: kunit: string-stream: Fix a UAF bug in kunit_init_suite() In kunit_debugfs_create_suite(), if alloc_string_stream() fails in the kunit_suite_for_each_test_case() loop, the "suite->log = stream" has assigned before, and the error path only free the suite->log's stream memory but not set it to NULL, so the later string_stream_clear() of suite->log in kunit_init_suite() will cause below UAF bug. Set stream pointer to NULL after free to fix it. Unable to handle kernel paging request at virtual address 006440150000030d Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [006440150000030d] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts] CPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G B W N 6.12.0-rc4+ #458 Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST Hardware name: linux,dummy-virt (DT) pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : string_stream_clear+0x54/0x1ac lr : string_stream_clear+0x1a8/0x1ac sp : ffffffc080b47410 x29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98 x26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003 x23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000 x20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840 x17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4 x14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75 x11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000 x8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001 x5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000 Call trace: string_stream_clear+0x54/0x1ac __kunit_test_suites_init+0x108/0x1d8 kunit_exec_run_tests+0xb8/0x100 kunit_module_notify+0x400/0x55c notifier_call_chain+0xfc/0x3b4 blocking_notifier_call_chain+0x68/0x9c do_init_module+0x24c/0x5c8 load_module+0x4acc/0x4e90 init_module_from_file+0xd4/0x128 idempotent_init_module+0x2d4/0x57c __arm64_sys_finit_module+0xac/0x100 invoke_syscall+0x6c/0x258 el0_svc_common.constprop.0+0x160/0x22c do_el0_svc+0x44/0x5c el0_svc+0x48/0xb8 el0t_64_sync_handler+0x13c/0x158 el0t_64_sync+0x190/0x194 Code: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3213b92754b94dec6…
	https://git.kernel.org/stable/c/39e21403c97886284…

Impacted products

Vendor

Product

Version

Linux

Affected: a3fdf784780ccb0008d630e8722d1389c49c7499 , < 3213b92754b94dec6836e8b4d6ec7d224a805b61 (git)
Affected: a3fdf784780ccb0008d630e8722d1389c49c7499 , < 39e21403c978862846fa68b7f6d06f9cca235194 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56772",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:12:12.420293Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:06.581Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "lib/kunit/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3213b92754b94dec6836e8b4d6ec7d224a805b61",
              "status": "affected",
              "version": "a3fdf784780ccb0008d630e8722d1389c49c7499",
              "versionType": "git"
            },
            {
              "lessThan": "39e21403c978862846fa68b7f6d06f9cca235194",
              "status": "affected",
              "version": "a3fdf784780ccb0008d630e8722d1389c49c7499",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "lib/kunit/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: string-stream: Fix a UAF bug in kunit_init_suite()\n\nIn kunit_debugfs_create_suite(), if alloc_string_stream() fails in the\nkunit_suite_for_each_test_case() loop, the \"suite-\u003elog = stream\"\nhas assigned before, and the error path only free the suite-\u003elog\u0027s stream\nmemory but not set it to NULL, so the later string_stream_clear() of\nsuite-\u003elog in kunit_init_suite() will cause below UAF bug.\n\nSet stream pointer to NULL after free to fix it.\n\n\tUnable to handle kernel paging request at virtual address 006440150000030d\n\tMem abort info:\n\t  ESR = 0x0000000096000004\n\t  EC = 0x25: DABT (current EL), IL = 32 bits\n\t  SET = 0, FnV = 0\n\t  EA = 0, S1PTW = 0\n\t  FSC = 0x04: level 0 translation fault\n\tData abort info:\n\t  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n\t  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\t  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\t[006440150000030d] address between user and kernel address ranges\n\tInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n\tDumping ftrace buffer:\n\t   (ftrace buffer empty)\n\tModules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts]\n\tCPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G    B   W        N 6.12.0-rc4+ #458\n\tTainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : string_stream_clear+0x54/0x1ac\n\tlr : string_stream_clear+0x1a8/0x1ac\n\tsp : ffffffc080b47410\n\tx29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98\n\tx26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003\n\tx23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000\n\tx20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840\n\tx17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4\n\tx14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75\n\tx11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000\n\tx8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001\n\tx5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000\n\tCall trace:\n\t string_stream_clear+0x54/0x1ac\n\t __kunit_test_suites_init+0x108/0x1d8\n\t kunit_exec_run_tests+0xb8/0x100\n\t kunit_module_notify+0x400/0x55c\n\t notifier_call_chain+0xfc/0x3b4\n\t blocking_notifier_call_chain+0x68/0x9c\n\t do_init_module+0x24c/0x5c8\n\t load_module+0x4acc/0x4e90\n\t init_module_from_file+0xd4/0x128\n\t idempotent_init_module+0x2d4/0x57c\n\t __arm64_sys_finit_module+0xac/0x100\n\t invoke_syscall+0x6c/0x258\n\t el0_svc_common.constprop.0+0x160/0x22c\n\t do_el0_svc+0x44/0x5c\n\t el0_svc+0x48/0xb8\n\t el0t_64_sync_handler+0x13c/0x158\n\t el0t_64_sync+0x190/0x194\n\tCode: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80)\n\t---[ end trace 0000000000000000 ]---\n\tKernel panic - not syncing: Oops: Fatal exception"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:22.165Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3213b92754b94dec6836e8b4d6ec7d224a805b61"
        },
        {
          "url": "https://git.kernel.org/stable/c/39e21403c978862846fa68b7f6d06f9cca235194"
        }
      ],
      "title": "kunit: string-stream: Fix a UAF bug in kunit_init_suite()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56772",
    "datePublished": "2025-01-08T17:49:11.544Z",
    "dateReserved": "2024-12-29T11:26:39.763Z",
    "dateUpdated": "2025-05-04T10:04:22.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57795 (GCVE-0-2024-57795)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2026-01-11 16:29

Title

RDMA/rxe: Remove the direct link to net_device

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Remove the direct link to net_device The similar patch in siw is in the link: https://git.kernel.org/rdma/rdma/c/16b87037b48889 This problem also occurred in RXE. The following analyze this problem. In the following Call Traces: " BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295 CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: infiniband ib_cache_event_task Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60 __ib_query_port drivers/infiniband/core/device.c:2111 [inline] ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143 ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494 ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> " 1). In the link [1], " infiniband syz2: set down " This means that on 839.350575, the event ib_cache_event_task was sent andi queued in ib_wq. 2). In the link [1], " team0 (unregistering): Port device team_slave_0 removed " It indicates that before 843.251853, the net device should be freed. 3). In the link [1], " BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 " This means that on 850.559070, this slab-use-after-free problem occurred. In all, on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq, before 843.251853, the net device veth was freed. on 850.559070, this event was executed, and the mentioned freed net device was called. Thus, the above call trace occurred. [1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/32ca3557d968e6629…
	https://git.kernel.org/stable/c/9f6f54e6a68631314…
	https://git.kernel.org/stable/c/2ac5415022d16d63d…

Impacted products

Vendor

Product

Version

Linux

Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 32ca3557d968e662957131374a5f81c9c9cdbba8 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 9f6f54e6a6863131442b40e14d1792b090c7ce21 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 2ac5415022d16d63d912a39a06f32f1f51140261 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57795",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T13:56:40.628550Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T14:04:27.443Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe.c",
            "drivers/infiniband/sw/rxe/rxe.h",
            "drivers/infiniband/sw/rxe/rxe_mcast.c",
            "drivers/infiniband/sw/rxe/rxe_net.c",
            "drivers/infiniband/sw/rxe/rxe_verbs.c",
            "drivers/infiniband/sw/rxe/rxe_verbs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32ca3557d968e662957131374a5f81c9c9cdbba8",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "9f6f54e6a6863131442b40e14d1792b090c7ce21",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "2ac5415022d16d63d912a39a06f32f1f51140261",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe.c",
            "drivers/infiniband/sw/rxe/rxe.h",
            "drivers/infiniband/sw/rxe/rxe_mcast.c",
            "drivers/infiniband/sw/rxe/rxe_net.c",
            "drivers/infiniband/sw/rxe/rxe_verbs.c",
            "drivers/infiniband/sw/rxe/rxe_verbs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Remove the direct link to net_device\n\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\n\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\n\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\n rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n __ib_query_port drivers/infiniband/core/device.c:2111 [inline]\n ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\n ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\n ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\"\n\n1). In the link [1],\n\n\"\n infiniband syz2: set down\n\"\n\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n\n2). In the link [1],\n\n\"\n team0 (unregistering): Port device team_slave_0 removed\n\"\n\nIt indicates that before 843.251853, the net device should be freed.\n\n3). In the link [1],\n\n\"\n BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\"\n\nThis means that on 850.559070, this slab-use-after-free problem occurred.\n\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\n\nbefore 843.251853, the net device veth was freed.\n\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:08.315Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32ca3557d968e662957131374a5f81c9c9cdbba8"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261"
        }
      ],
      "title": "RDMA/rxe: Remove the direct link to net_device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57795",
    "datePublished": "2025-01-15T13:10:23.880Z",
    "dateReserved": "2025-01-15T13:08:59.657Z",
    "dateUpdated": "2026-01-11T16:29:08.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-54455 (GCVE-0-2024-54455)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:35 – Updated: 2025-05-04 09:57

Title

accel/ivpu: Fix general protection fault in ivpu_bo_list()

Summary

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix general protection fault in ivpu_bo_list() Check if ctx is not NULL before accessing its fields.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a1e597ee5920a6aab…
	https://git.kernel.org/stable/c/4b2efb9db0c22a130…

Impacted products

Vendor

Product

Version

Linux

Affected: 37dee2a2f4330a030abc5674bcec25ccc4addbcc , < a1e597ee5920a6aabdf4dfc3bf76e55e1b115e23 (git)
Affected: 37dee2a2f4330a030abc5674bcec25ccc4addbcc , < 4b2efb9db0c22a130bbd1275e489b42c02d08050 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/ivpu/ivpu_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a1e597ee5920a6aabdf4dfc3bf76e55e1b115e23",
              "status": "affected",
              "version": "37dee2a2f4330a030abc5674bcec25ccc4addbcc",
              "versionType": "git"
            },
            {
              "lessThan": "4b2efb9db0c22a130bbd1275e489b42c02d08050",
              "status": "affected",
              "version": "37dee2a2f4330a030abc5674bcec25ccc4addbcc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/ivpu/ivpu_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix general protection fault in ivpu_bo_list()\n\nCheck if ctx is not NULL before accessing its fields."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:57:04.283Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a1e597ee5920a6aabdf4dfc3bf76e55e1b115e23"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b2efb9db0c22a130bbd1275e489b42c02d08050"
        }
      ],
      "title": "accel/ivpu: Fix general protection fault in ivpu_bo_list()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-54455",
    "datePublished": "2025-01-11T12:35:42.392Z",
    "dateReserved": "2025-01-11T12:32:49.400Z",
    "dateUpdated": "2025-05-04T09:57:04.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21652 (GCVE-0-2025-21652)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:18 – Updated: 2025-05-04 07:18

Title

ipvlan: Fix use-after-free in ipvlan_get_iflink().

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix use-after-free in ipvlan_get_iflink(). syzbot presented an use-after-free report [0] regarding ipvlan and linkwatch. ipvlan does not hold a refcnt of the lower device unlike vlan and macvlan. If the linkwatch work is triggered for the ipvlan dev, the lower dev might have already been freed, resulting in UAF of ipvlan->phy_dev in ipvlan_get_iflink(). We can delay the lower dev unregistration like vlan and macvlan by holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and releasing it in dev->priv_destructor(). Jakub pointed out calling .ndo_XXX after unregister_netdevice() has returned is error prone and suggested [1] addressing this UAF in the core by taking commit 750e51603395 ("net: avoid potential UAF in default_operstate()") further. Let's assume unregistering devices DOWN and use RCU protection in default_operstate() not to race with the device unregistration. [0]: BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944 CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47 Hardware name: linux,dummy-virt (DT) Workqueue: events_unbound linkwatch_event Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380 ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 dev_get_iflink+0x7c/0xd8 net/core/dev.c:674 default_operstate net/core/link_watch.c:45 [inline] rfc2863_policy+0x144/0x360 net/core/link_watch.c:72 linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175 __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239 linkwatch_event+0x64/0xa8 net/core/link_watch.c:282 process_one_work+0x700/0x1398 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391 kthread+0x2b0/0x360 kernel/kthread.c:389 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 Allocated by task 9303: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4283 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650 alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209 rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771 __rtnl_newlink net/core/rtnetlink.c:3896 [inline] rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] __sys_sendto+0x2ec/0x438 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el ---truncated---

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ba9f7c16ec879c83b…
	https://git.kernel.org/stable/c/52a24538d569f48e7…
	https://git.kernel.org/stable/c/cb358ff94154774d0…

Impacted products

Vendor

Product

Version

Linux

Affected: 8c55facecd7ade835287298ce325f930d888d8ec , < ba9f7c16ec879c83bb4f80406773a911aace8267 (git)
Affected: 8c55facecd7ade835287298ce325f930d888d8ec , < 52a24538d569f48e79d1a169a5d359d384152950 (git)
Affected: 8c55facecd7ade835287298ce325f930d888d8ec , < cb358ff94154774d031159b018adf45e17673941 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21652",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:11:55.315711Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:05.821Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/link_watch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba9f7c16ec879c83bb4f80406773a911aace8267",
              "status": "affected",
              "version": "8c55facecd7ade835287298ce325f930d888d8ec",
              "versionType": "git"
            },
            {
              "lessThan": "52a24538d569f48e79d1a169a5d359d384152950",
              "status": "affected",
              "version": "8c55facecd7ade835287298ce325f930d888d8ec",
              "versionType": "git"
            },
            {
              "lessThan": "cb358ff94154774d031159b018adf45e17673941",
              "status": "affected",
              "version": "8c55facecd7ade835287298ce325f930d888d8ec",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/link_watch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix use-after-free in ipvlan_get_iflink().\n\nsyzbot presented an use-after-free report [0] regarding ipvlan and\nlinkwatch.\n\nipvlan does not hold a refcnt of the lower device unlike vlan and\nmacvlan.\n\nIf the linkwatch work is triggered for the ipvlan dev, the lower dev\nmight have already been freed, resulting in UAF of ipvlan-\u003ephy_dev in\nipvlan_get_iflink().\n\nWe can delay the lower dev unregistration like vlan and macvlan by\nholding the lower dev\u0027s refcnt in dev-\u003enetdev_ops-\u003endo_init() and\nreleasing it in dev-\u003epriv_destructor().\n\nJakub pointed out calling .ndo_XXX after unregister_netdevice() has\nreturned is error prone and suggested [1] addressing this UAF in the\ncore by taking commit 750e51603395 (\"net: avoid potential UAF in\ndefault_operstate()\") further.\n\nLet\u0027s assume unregistering devices DOWN and use RCU protection in\ndefault_operstate() not to race with the device unregistration.\n\n[0]:\nBUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353\nRead of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944\n\nCPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47\nHardware name: linux,dummy-virt (DT)\nWorkqueue: events_unbound linkwatch_event\nCall trace:\n show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x16c/0x6f0 mm/kasan/report.c:489\n kasan_report+0xc0/0x120 mm/kasan/report.c:602\n __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380\n ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353\n dev_get_iflink+0x7c/0xd8 net/core/dev.c:674\n default_operstate net/core/link_watch.c:45 [inline]\n rfc2863_policy+0x144/0x360 net/core/link_watch.c:72\n linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175\n __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239\n linkwatch_event+0x64/0xa8 net/core/link_watch.c:282\n process_one_work+0x700/0x1398 kernel/workqueue.c:3229\n process_scheduled_works kernel/workqueue.c:3310 [inline]\n worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391\n kthread+0x2b0/0x360 kernel/kthread.c:389\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862\n\nAllocated by task 9303:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x68 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4283 [inline]\n __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289\n __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650\n alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209\n rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595\n rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771\n __rtnl_newlink net/core/rtnetlink.c:3896 [inline]\n rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928\n netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347\n netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg net/socket.c:726 [inline]\n __sys_sendto+0x2ec/0x438 net/socket.c:2197\n __do_sys_sendto net/socket.c:2204 [inline]\n __se_sys_sendto net/socket.c:2200 [inline]\n __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151\n el\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:16.995Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba9f7c16ec879c83bb4f80406773a911aace8267"
        },
        {
          "url": "https://git.kernel.org/stable/c/52a24538d569f48e79d1a169a5d359d384152950"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb358ff94154774d031159b018adf45e17673941"
        }
      ],
      "title": "ipvlan: Fix use-after-free in ipvlan_get_iflink().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21652",
    "datePublished": "2025-01-19T10:18:09.570Z",
    "dateReserved": "2024-12-29T08:45:45.729Z",
    "dateUpdated": "2025-05-04T07:18:16.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56581 (GCVE-0-2024-56581)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-11-03 20:49

Title

btrfs: ref-verify: fix use-after-free after invalid ref action

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: ref-verify: fix use-after-free after invalid ref action At btrfs_ref_tree_mod() after we successfully inserted the new ref entry (local variable 'ref') into the respective block entry's rbtree (local variable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF, we error out and free the ref entry without removing it from the block entry's rbtree. Then in the error path of btrfs_ref_tree_mod() we call btrfs_free_ref_cache(), which iterates over all block entries and then calls free_block_entry() for each one, and there we will trigger a use-after-free when we are called against the block entry to which we added the freed ref entry to its rbtree, since the rbtree still points to the block entry, as we didn't remove it from the rbtree before freeing it in the error path at btrfs_ref_tree_mod(). Fix this by removing the new ref entry from the rbtree before freeing it. Syzbot report this with the following stack traces: BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615 __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523 update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314 btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline] btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23 btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482 btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293 vfs_unlink+0x365/0x650 fs/namei.c:4469 do_unlinkat+0x4ae/0x830 fs/namei.c:4533 __do_sys_unlinkat fs/namei.c:4576 [inline] __se_sys_unlinkat fs/namei.c:4569 [inline] __x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f BTRFS error (device loop0 state EA): Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1 __btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521 update_ref_for_cow+0x96a/0x11f0 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411 __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline] __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137 __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171 btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313 prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586 relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611 btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081 btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377 __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161 btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538 BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615 __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523 update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411 __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030 btrfs_update_delayed_i ---truncated---

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dfb9fe7de61f34cc2…
	https://git.kernel.org/stable/c/6fd018aa168e472ce…
	https://git.kernel.org/stable/c/d2b85ce0561fde894…
	https://git.kernel.org/stable/c/6370db28af9a8ae3b…
	https://git.kernel.org/stable/c/4275ac2741941c9c7…
	https://git.kernel.org/stable/c/a6f9e7a0bf1185c90…
	https://git.kernel.org/stable/c/7c4e39f9d2af4abaf…

Impacted products

Vendor

Product

Version

Linux

Affected: fd708b81d972a0714b02a60eb4792fdbf15868c4 , < dfb9fe7de61f34cc241ab3900bdde93341096e0e (git)
Affected: fd708b81d972a0714b02a60eb4792fdbf15868c4 , < 6fd018aa168e472ce35be32296d109db6adb87ea (git)
Affected: fd708b81d972a0714b02a60eb4792fdbf15868c4 , < d2b85ce0561fde894e28fa01bd5d32820d585006 (git)
Affected: fd708b81d972a0714b02a60eb4792fdbf15868c4 , < 6370db28af9a8ae3bbdfe97f8a48f8f995e144cf (git)
Affected: fd708b81d972a0714b02a60eb4792fdbf15868c4 , < 4275ac2741941c9c7c2293619fdbacb9f70ba85b (git)
Affected: fd708b81d972a0714b02a60eb4792fdbf15868c4 , < a6f9e7a0bf1185c9070c0de03bb85eafb9abd650 (git)
Affected: fd708b81d972a0714b02a60eb4792fdbf15868c4 , < 7c4e39f9d2af4abaf82ca0e315d1fd340456620f (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56581",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:42:39.280771Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:24.590Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:49:58.257Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ref-verify.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dfb9fe7de61f34cc241ab3900bdde93341096e0e",
              "status": "affected",
              "version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
              "versionType": "git"
            },
            {
              "lessThan": "6fd018aa168e472ce35be32296d109db6adb87ea",
              "status": "affected",
              "version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
              "versionType": "git"
            },
            {
              "lessThan": "d2b85ce0561fde894e28fa01bd5d32820d585006",
              "status": "affected",
              "version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
              "versionType": "git"
            },
            {
              "lessThan": "6370db28af9a8ae3bbdfe97f8a48f8f995e144cf",
              "status": "affected",
              "version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
              "versionType": "git"
            },
            {
              "lessThan": "4275ac2741941c9c7c2293619fdbacb9f70ba85b",
              "status": "affected",
              "version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
              "versionType": "git"
            },
            {
              "lessThan": "a6f9e7a0bf1185c9070c0de03bb85eafb9abd650",
              "status": "affected",
              "version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
              "versionType": "git"
            },
            {
              "lessThan": "7c4e39f9d2af4abaf82ca0e315d1fd340456620f",
              "status": "affected",
              "version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ref-verify.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ref-verify: fix use-after-free after invalid ref action\n\nAt btrfs_ref_tree_mod() after we successfully inserted the new ref entry\n(local variable \u0027ref\u0027) into the respective block entry\u0027s rbtree (local\nvariable \u0027be\u0027), if we find an unexpected action of BTRFS_DROP_DELAYED_REF,\nwe error out and free the ref entry without removing it from the block\nentry\u0027s rbtree. Then in the error path of btrfs_ref_tree_mod() we call\nbtrfs_free_ref_cache(), which iterates over all block entries and then\ncalls free_block_entry() for each one, and there we will trigger a\nuse-after-free when we are called against the block entry to which we\nadded the freed ref entry to its rbtree, since the rbtree still points\nto the block entry, as we didn\u0027t remove it from the rbtree before freeing\nit in the error path at btrfs_ref_tree_mod(). Fix this by removing the\nnew ref entry from the rbtree before freeing it.\n\nSyzbot report this with the following stack traces:\n\n   BTRFS error (device loop0 state EA):   Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615\n      __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523\n      update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512\n      btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594\n      btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754\n      btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116\n      btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314\n      btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline]\n      btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23\n      btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482\n      btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293\n      vfs_unlink+0x365/0x650 fs/namei.c:4469\n      do_unlinkat+0x4ae/0x830 fs/namei.c:4533\n      __do_sys_unlinkat fs/namei.c:4576 [inline]\n      __se_sys_unlinkat fs/namei.c:4569 [inline]\n      __x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569\n      do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n      do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n      entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   BTRFS error (device loop0 state EA):   Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1\n      __btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521\n      update_ref_for_cow+0x96a/0x11f0\n      btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594\n      btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754\n      btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116\n      btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411\n      __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030\n      btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]\n      __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137\n      __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171\n      btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313\n      prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586\n      relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611\n      btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081\n      btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377\n      __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161\n      btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538\n   BTRFS error (device loop0 state EA):   Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615\n      __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523\n      update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512\n      btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594\n      btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754\n      btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116\n      btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411\n      __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030\n      btrfs_update_delayed_i\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:58.116Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dfb9fe7de61f34cc241ab3900bdde93341096e0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fd018aa168e472ce35be32296d109db6adb87ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2b85ce0561fde894e28fa01bd5d32820d585006"
        },
        {
          "url": "https://git.kernel.org/stable/c/6370db28af9a8ae3bbdfe97f8a48f8f995e144cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/4275ac2741941c9c7c2293619fdbacb9f70ba85b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6f9e7a0bf1185c9070c0de03bb85eafb9abd650"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c4e39f9d2af4abaf82ca0e315d1fd340456620f"
        }
      ],
      "title": "btrfs: ref-verify: fix use-after-free after invalid ref action",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56581",
    "datePublished": "2024-12-27T14:23:23.193Z",
    "dateReserved": "2024-12-27T14:03:06.000Z",
    "dateUpdated": "2025-11-03T20:49:58.257Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21647 (GCVE-0-2025-21647)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:18 – Updated: 2025-11-03 20:58

Title

sched: sch_cake: add bounds checks to host bulk flow fairness counts

Summary

In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: add bounds checks to host bulk flow fairness counts Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. To avoid any such logic errors causing out of bounds memory accesses, this commit factors out all accesses to the per-host bulk flow counters to a series of helpers that perform bounds-checking before any increments and decrements. This also has the benefit of improving readability by moving the conditional checks for the flow mode into these helpers, instead of having them spread out throughout the code (which was the cause of the original logic error). As part of this change, the flow quantum calculation is consolidated into a helper function, which means that the dithering applied to the ost load scaling is now applied both in the DRR rotation and when a sparse flow's quantum is first initiated. The only user-visible effect of this is that the maximum packet size that can be sent while a flow stays sparse will now vary with +/- one byte in some cases. This should not make a noticeable difference in practice, and thus it's not worth complicating the code to preserve the old behaviour.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/44fe1efb4961c1a5c…
	https://git.kernel.org/stable/c/b1a1743aaa4906c41…
	https://git.kernel.org/stable/c/bb0245fa72b783cb2…
	https://git.kernel.org/stable/c/a777e06dfc72bed73…
	https://git.kernel.org/stable/c/27202e2e8721c3b23…
	https://git.kernel.org/stable/c/91bb18950b88f9558…
	https://git.kernel.org/stable/c/737d4d91d35b5f7fa…

Impacted products

Vendor

Product

Version

Linux

Affected: 4a4eeefa514db570be025ab46d779af180e2c9bb , < 44fe1efb4961c1a5ccab16bb579dfc6b308ad58b (git)
Affected: 7725152b54d295b7da5e34c2f419539b30d017bd , < b1a1743aaa4906c41c426eda97e2e2586f79246d (git)
Affected: cde71a5677971f4f1b69b25e854891dbe78066a4 , < bb0245fa72b783cb23a9949c5048781341e91423 (git)
Affected: 549e407569e08459d16122341d332cb508024094 , < a777e06dfc72bed73c05dcb437d7c27ad5f90f3f (git)
Affected: d4a9039a7b3d8005b90c7b1a55a306444f0e5447 , < 27202e2e8721c3b23831563c36ed5ac7818641ba (git)
Affected: 546ea84d07e3e324644025e2aae2d12ea4c5896e , < 91bb18950b88f955838ec0c1d97f74d135756dc7 (git)
Affected: 546ea84d07e3e324644025e2aae2d12ea4c5896e , < 737d4d91d35b5f7fa5bb442651472277318b0bfd (git)
Affected: d7c01c0714c04431b5e18cf17a9ea68a553d1c3c (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:27.786Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "44fe1efb4961c1a5ccab16bb579dfc6b308ad58b",
              "status": "affected",
              "version": "4a4eeefa514db570be025ab46d779af180e2c9bb",
              "versionType": "git"
            },
            {
              "lessThan": "b1a1743aaa4906c41c426eda97e2e2586f79246d",
              "status": "affected",
              "version": "7725152b54d295b7da5e34c2f419539b30d017bd",
              "versionType": "git"
            },
            {
              "lessThan": "bb0245fa72b783cb23a9949c5048781341e91423",
              "status": "affected",
              "version": "cde71a5677971f4f1b69b25e854891dbe78066a4",
              "versionType": "git"
            },
            {
              "lessThan": "a777e06dfc72bed73c05dcb437d7c27ad5f90f3f",
              "status": "affected",
              "version": "549e407569e08459d16122341d332cb508024094",
              "versionType": "git"
            },
            {
              "lessThan": "27202e2e8721c3b23831563c36ed5ac7818641ba",
              "status": "affected",
              "version": "d4a9039a7b3d8005b90c7b1a55a306444f0e5447",
              "versionType": "git"
            },
            {
              "lessThan": "91bb18950b88f955838ec0c1d97f74d135756dc7",
              "status": "affected",
              "version": "546ea84d07e3e324644025e2aae2d12ea4c5896e",
              "versionType": "git"
            },
            {
              "lessThan": "737d4d91d35b5f7fa5bb442651472277318b0bfd",
              "status": "affected",
              "version": "546ea84d07e3e324644025e2aae2d12ea4c5896e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d7c01c0714c04431b5e18cf17a9ea68a553d1c3c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.284",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.226",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.167",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "6.1.110",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.6.51",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: sch_cake: add bounds checks to host bulk flow fairness counts\n\nEven though we fixed a logic error in the commit cited below, syzbot\nstill managed to trigger an underflow of the per-host bulk flow\ncounters, leading to an out of bounds memory access.\n\nTo avoid any such logic errors causing out of bounds memory accesses,\nthis commit factors out all accesses to the per-host bulk flow counters\nto a series of helpers that perform bounds-checking before any\nincrements and decrements. This also has the benefit of improving\nreadability by moving the conditional checks for the flow mode into\nthese helpers, instead of having them spread out throughout the\ncode (which was the cause of the original logic error).\n\nAs part of this change, the flow quantum calculation is consolidated\ninto a helper function, which means that the dithering applied to the\nost load scaling is now applied both in the DRR rotation and when a\nsparse flow\u0027s quantum is first initiated. The only user-visible effect\nof this is that the maximum packet size that can be sent while a flow\nstays sparse will now vary with +/- one byte in some cases. This should\nnot make a noticeable difference in practice, and thus it\u0027s not worth\ncomplicating the code to preserve the old behaviour."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:10.192Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/44fe1efb4961c1a5ccab16bb579dfc6b308ad58b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1a1743aaa4906c41c426eda97e2e2586f79246d"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb0245fa72b783cb23a9949c5048781341e91423"
        },
        {
          "url": "https://git.kernel.org/stable/c/a777e06dfc72bed73c05dcb437d7c27ad5f90f3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/27202e2e8721c3b23831563c36ed5ac7818641ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/91bb18950b88f955838ec0c1d97f74d135756dc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/737d4d91d35b5f7fa5bb442651472277318b0bfd"
        }
      ],
      "title": "sched: sch_cake: add bounds checks to host bulk flow fairness counts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21647",
    "datePublished": "2025-01-19T10:18:04.415Z",
    "dateReserved": "2024-12-29T08:45:45.728Z",
    "dateUpdated": "2025-11-03T20:58:27.786Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56662 (GCVE-0-2024-56662)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-11-03 20:52

Title

acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl

Summary

In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl Fix an issue detected by syzbot with KASAN: BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ core.c:416 [inline] BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 drivers/acpi/nfit/core.c:459 The issue occurs in cmd_to_func when the call_pkg->nd_reserved2 array is accessed without verifying that call_pkg points to a buffer that is appropriately sized as a struct nd_cmd_pkg. This can lead to out-of-bounds access and undefined behavior if the buffer does not have sufficient space. To address this, a check was added in acpi_nfit_ctl() to ensure that buf is not NULL and that buf_len is less than sizeof(*call_pkg) before accessing it. This ensures safe access to the members of call_pkg, including the nd_reserved2 array.

Severity ?

6 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/616aa5f3c86e0479b…
	https://git.kernel.org/stable/c/bbdb3307f609ec4dc…
	https://git.kernel.org/stable/c/143f723e9eb4f0302…
	https://git.kernel.org/stable/c/e08dc2dc3c3f7938d…
	https://git.kernel.org/stable/c/212846fafb753a48e…
	https://git.kernel.org/stable/c/265e98f72bac6c41a…

Impacted products

Vendor

Product

Version

Linux

Affected: ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 , < 616aa5f3c86e0479bcbb81e41c08c43ff32af637 (git)
Affected: ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 , < bbdb3307f609ec4dc9558770f464ede01fe52aed (git)
Affected: ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 , < 143f723e9eb4f0302ffb7adfdc7ef77eab3f68e0 (git)
Affected: ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 , < e08dc2dc3c3f7938df0e4476fe3e6fdec5583c1d (git)
Affected: ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 , < 212846fafb753a48e869e2a342fc1e24048da771 (git)
Affected: ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 , < 265e98f72bac6c41a4492d3e30a8e5fd22fe0779 (git)
Affected: 63108f2a408abea7ecab063efa0f398da4d0d14b (git)
Affected: f5878c4f084dc6b1386dad03970bb61ad5e9dc4b (git)
Affected: 0c79794474895dbbc3c52225f7e9f73cfecbb7dd (git)

Linux

Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 5.10.232 , ≤ 5.10.* (semver)
Unaffected: 5.15.175 , ≤ 5.15.* (semver)
Unaffected: 6.1.121 , ≤ 6.1.* (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56662",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:59:57.981489Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:10.083Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:52:10.200Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/nfit/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "616aa5f3c86e0479bcbb81e41c08c43ff32af637",
              "status": "affected",
              "version": "ebe9f6f19d80d8978d16078dff3d5bd93ad8d102",
              "versionType": "git"
            },
            {
              "lessThan": "bbdb3307f609ec4dc9558770f464ede01fe52aed",
              "status": "affected",
              "version": "ebe9f6f19d80d8978d16078dff3d5bd93ad8d102",
              "versionType": "git"
            },
            {
              "lessThan": "143f723e9eb4f0302ffb7adfdc7ef77eab3f68e0",
              "status": "affected",
              "version": "ebe9f6f19d80d8978d16078dff3d5bd93ad8d102",
              "versionType": "git"
            },
            {
              "lessThan": "e08dc2dc3c3f7938df0e4476fe3e6fdec5583c1d",
              "status": "affected",
              "version": "ebe9f6f19d80d8978d16078dff3d5bd93ad8d102",
              "versionType": "git"
            },
            {
              "lessThan": "212846fafb753a48e869e2a342fc1e24048da771",
              "status": "affected",
              "version": "ebe9f6f19d80d8978d16078dff3d5bd93ad8d102",
              "versionType": "git"
            },
            {
              "lessThan": "265e98f72bac6c41a4492d3e30a8e5fd22fe0779",
              "status": "affected",
              "version": "ebe9f6f19d80d8978d16078dff3d5bd93ad8d102",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "63108f2a408abea7ecab063efa0f398da4d0d14b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f5878c4f084dc6b1386dad03970bb61ad5e9dc4b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0c79794474895dbbc3c52225f7e9f73cfecbb7dd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/nfit/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.232",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.232",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.175",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.121",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.176",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.0.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl\n\nFix an issue detected by syzbot with KASAN:\n\nBUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/\ncore.c:416 [inline]\nBUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0\ndrivers/acpi/nfit/core.c:459\n\nThe issue occurs in cmd_to_func when the call_pkg-\u003end_reserved2\narray is accessed without verifying that call_pkg points to a buffer\nthat is appropriately sized as a struct nd_cmd_pkg. This can lead\nto out-of-bounds access and undefined behavior if the buffer does not\nhave sufficient space.\n\nTo address this, a check was added in acpi_nfit_ctl() to ensure that\nbuf is not NULL and that buf_len is less than sizeof(*call_pkg)\nbefore accessing it. This ensures safe access to the members of\ncall_pkg, including the nd_reserved2 array."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:10.155Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/616aa5f3c86e0479bcbb81e41c08c43ff32af637"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbdb3307f609ec4dc9558770f464ede01fe52aed"
        },
        {
          "url": "https://git.kernel.org/stable/c/143f723e9eb4f0302ffb7adfdc7ef77eab3f68e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e08dc2dc3c3f7938df0e4476fe3e6fdec5583c1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/212846fafb753a48e869e2a342fc1e24048da771"
        },
        {
          "url": "https://git.kernel.org/stable/c/265e98f72bac6c41a4492d3e30a8e5fd22fe0779"
        }
      ],
      "title": "acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56662",
    "datePublished": "2024-12-27T15:06:24.661Z",
    "dateReserved": "2024-12-27T15:00:39.843Z",
    "dateUpdated": "2025-11-03T20:52:10.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-48881 (GCVE-0-2024-48881)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2025-11-03 20:40

Title

bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again

Summary

In the Linux kernel, the following vulnerability has been resolved: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations") leads a NULL pointer deference in cache_set_flush(). 1721 if (!IS_ERR_OR_NULL(c->root)) 1722 list_add(&c->root->list, &c->btree_cache); >From the above code in cache_set_flush(), if previous registration code fails before allocating c->root, it is possible c->root is NULL as what it is initialized. __bch_btree_node_alloc() never returns NULL but c->root is possible to be NULL at above line 1721. This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4379c5828492a4c2a…
	https://git.kernel.org/stable/c/336e30f32ae7c043f…
	https://git.kernel.org/stable/c/fb5fee35bdd18316a…
	https://git.kernel.org/stable/c/5202391970ffbf819…
	https://git.kernel.org/stable/c/cc05aa2c0117e20fa…
	https://git.kernel.org/stable/c/5e0e913624bcd24f3…
	https://git.kernel.org/stable/c/b2e382ae12a63560f…

Impacted products

Vendor

Product

Version

Linux

Affected: 0729029e647234fa1a94376b6edffec5c2cd75f6 , < 4379c5828492a4c2a651c8f826a01453bd2b80b0 (git)
Affected: db9439cef0b5efccf8021fe89f4953e0f901e85b , < 336e30f32ae7c043fde0f6fa21586ff30bea9fe2 (git)
Affected: 991e9c186a8ac6ab272a86e0ddc6f9733c38b867 , < fb5fee35bdd18316a84b5f30881a24e1415e1464 (git)
Affected: 68118c339c6e1e16ae017bef160dbe28a27ae9c8 , < 5202391970ffbf81975251b3526b890ba027b715 (git)
Affected: 028ddcac477b691dd9205c92f991cc15259d033e , < cc05aa2c0117e20fa25a3c0d915f98b8f2e78667 (git)
Affected: 028ddcac477b691dd9205c92f991cc15259d033e , < 5e0e913624bcd24f3de414475018d3023f060ee1 (git)
Affected: 028ddcac477b691dd9205c92f991cc15259d033e , < b2e382ae12a63560fca35050498e19e760adf8c0 (git)
Affected: fe75e8a0c20127a8dc95704f1a7ad6b82c9a0ef8 (git)
Affected: 0cabf9e164660e8d66c4810396046383a1110a69 (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-48881",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:55:37.185480Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:21.982Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:40:59.667Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/bcache/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4379c5828492a4c2a651c8f826a01453bd2b80b0",
              "status": "affected",
              "version": "0729029e647234fa1a94376b6edffec5c2cd75f6",
              "versionType": "git"
            },
            {
              "lessThan": "336e30f32ae7c043fde0f6fa21586ff30bea9fe2",
              "status": "affected",
              "version": "db9439cef0b5efccf8021fe89f4953e0f901e85b",
              "versionType": "git"
            },
            {
              "lessThan": "fb5fee35bdd18316a84b5f30881a24e1415e1464",
              "status": "affected",
              "version": "991e9c186a8ac6ab272a86e0ddc6f9733c38b867",
              "versionType": "git"
            },
            {
              "lessThan": "5202391970ffbf81975251b3526b890ba027b715",
              "status": "affected",
              "version": "68118c339c6e1e16ae017bef160dbe28a27ae9c8",
              "versionType": "git"
            },
            {
              "lessThan": "cc05aa2c0117e20fa25a3c0d915f98b8f2e78667",
              "status": "affected",
              "version": "028ddcac477b691dd9205c92f991cc15259d033e",
              "versionType": "git"
            },
            {
              "lessThan": "5e0e913624bcd24f3de414475018d3023f060ee1",
              "status": "affected",
              "version": "028ddcac477b691dd9205c92f991cc15259d033e",
              "versionType": "git"
            },
            {
              "lessThan": "b2e382ae12a63560fca35050498e19e760adf8c0",
              "status": "affected",
              "version": "028ddcac477b691dd9205c92f991cc15259d033e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fe75e8a0c20127a8dc95704f1a7ad6b82c9a0ef8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0cabf9e164660e8d66c4810396046383a1110a69",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/bcache/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "5.4.251",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.10.188",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.15.121",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "6.1.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: revert replacing IS_ERR_OR_NULL with IS_ERR again\n\nCommit 028ddcac477b (\"bcache: Remove unnecessary NULL point check in\nnode allocations\") leads a NULL pointer deference in cache_set_flush().\n\n1721         if (!IS_ERR_OR_NULL(c-\u003eroot))\n1722                 list_add(\u0026c-\u003eroot-\u003elist, \u0026c-\u003ebtree_cache);\n\n\u003eFrom the above code in cache_set_flush(), if previous registration code\nfails before allocating c-\u003eroot, it is possible c-\u003eroot is NULL as what\nit is initialized. __bch_btree_node_alloc() never returns NULL but\nc-\u003eroot is possible to be NULL at above line 1721.\n\nThis patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:59:05.443Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4379c5828492a4c2a651c8f826a01453bd2b80b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/336e30f32ae7c043fde0f6fa21586ff30bea9fe2"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb5fee35bdd18316a84b5f30881a24e1415e1464"
        },
        {
          "url": "https://git.kernel.org/stable/c/5202391970ffbf81975251b3526b890ba027b715"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc05aa2c0117e20fa25a3c0d915f98b8f2e78667"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e0e913624bcd24f3de414475018d3023f060ee1"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2e382ae12a63560fca35050498e19e760adf8c0"
        }
      ],
      "title": "bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-48881",
    "datePublished": "2025-01-11T12:25:18.614Z",
    "dateReserved": "2025-01-09T09:50:31.739Z",
    "dateUpdated": "2025-11-03T20:40:59.667Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56620 (GCVE-0-2024-56620)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-05-04 10:00

Title

scsi: ufs: qcom: Only free platform MSIs when ESI is enabled

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: qcom: Only free platform MSIs when ESI is enabled Otherwise, it will result in a NULL pointer dereference as below: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Call trace: mutex_lock+0xc/0x54 platform_device_msi_free_irqs_all+0x14/0x20 ufs_qcom_remove+0x34/0x48 [ufs_qcom] platform_remove+0x28/0x44 device_remove+0x4c/0x80 device_release_driver_internal+0xd8/0x178 driver_detach+0x50/0x9c bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 ufs_qcom_pltform_exit+0x18/0xb94 [ufs_qcom] __arm64_sys_delete_module+0x180/0x260 invoke_syscall+0x44/0x100 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xdc el0t_64_sync_handler+0xc0/0xc4 el0t_64_sync+0x190/0x194

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f16a097047e38dcdd…
	https://git.kernel.org/stable/c/f99cb5f6344ef9377…
	https://git.kernel.org/stable/c/64506b3d23a337e98…

Impacted products

Vendor

Product

Version

Linux

Affected: 519b6274a7775f5fe00a086f189efb8f063467d1 , < f16a097047e38dcdd169a15e3eed1b2f2147a2e7 (git)
Affected: 519b6274a7775f5fe00a086f189efb8f063467d1 , < f99cb5f6344ef93777fd3add7979ebf291a852df (git)
Affected: 519b6274a7775f5fe00a086f189efb8f063467d1 , < 64506b3d23a337e98a74b18dcb10c8619365f2bd (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.86 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/host/ufs-qcom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f16a097047e38dcdd169a15e3eed1b2f2147a2e7",
              "status": "affected",
              "version": "519b6274a7775f5fe00a086f189efb8f063467d1",
              "versionType": "git"
            },
            {
              "lessThan": "f99cb5f6344ef93777fd3add7979ebf291a852df",
              "status": "affected",
              "version": "519b6274a7775f5fe00a086f189efb8f063467d1",
              "versionType": "git"
            },
            {
              "lessThan": "64506b3d23a337e98a74b18dcb10c8619365f2bd",
              "status": "affected",
              "version": "519b6274a7775f5fe00a086f189efb8f063467d1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/host/ufs-qcom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.86",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: qcom: Only free platform MSIs when ESI is enabled\n\nOtherwise, it will result in a NULL pointer dereference as below:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\nCall trace:\n mutex_lock+0xc/0x54\n platform_device_msi_free_irqs_all+0x14/0x20\n ufs_qcom_remove+0x34/0x48 [ufs_qcom]\n platform_remove+0x28/0x44\n device_remove+0x4c/0x80\n device_release_driver_internal+0xd8/0x178\n driver_detach+0x50/0x9c\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n platform_driver_unregister+0x14/0x20\n ufs_qcom_pltform_exit+0x18/0xb94 [ufs_qcom]\n __arm64_sys_delete_module+0x180/0x260\n invoke_syscall+0x44/0x100\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xdc\n el0t_64_sync_handler+0xc0/0xc4\n el0t_64_sync+0x190/0x194"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:07.399Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f16a097047e38dcdd169a15e3eed1b2f2147a2e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f99cb5f6344ef93777fd3add7979ebf291a852df"
        },
        {
          "url": "https://git.kernel.org/stable/c/64506b3d23a337e98a74b18dcb10c8619365f2bd"
        }
      ],
      "title": "scsi: ufs: qcom: Only free platform MSIs when ESI is enabled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56620",
    "datePublished": "2024-12-27T14:51:24.239Z",
    "dateReserved": "2024-12-27T14:03:06.016Z",
    "dateUpdated": "2025-05-04T10:00:07.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-54460 (GCVE-0-2024-54460)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:29 – Updated: 2025-10-01 19:57

Title

Bluetooth: iso: Fix circular lock in iso_listen_bis

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Fix circular lock in iso_listen_bis This fixes the circular locking dependency warning below, by releasing the socket lock before enterning iso_listen_bis, to avoid any potential deadlock with hdev lock. [ 75.307983] ====================================================== [ 75.307984] WARNING: possible circular locking dependency detected [ 75.307985] 6.12.0-rc6+ #22 Not tainted [ 75.307987] ------------------------------------------------------ [ 75.307987] kworker/u81:2/2623 is trying to acquire lock: [ 75.307988] ffff8fde1769da58 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO) at: iso_connect_cfm+0x253/0x840 [bluetooth] [ 75.308021] but task is already holding lock: [ 75.308022] ffff8fdd61a10078 (&hdev->lock) at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth] [ 75.308053] which lock already depends on the new lock. [ 75.308054] the existing dependency chain (in reverse order) is: [ 75.308055] -> #1 (&hdev->lock){+.+.}-{3:3}: [ 75.308057] __mutex_lock+0xad/0xc50 [ 75.308061] mutex_lock_nested+0x1b/0x30 [ 75.308063] iso_sock_listen+0x143/0x5c0 [bluetooth] [ 75.308085] __sys_listen_socket+0x49/0x60 [ 75.308088] __x64_sys_listen+0x4c/0x90 [ 75.308090] x64_sys_call+0x2517/0x25f0 [ 75.308092] do_syscall_64+0x87/0x150 [ 75.308095] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 75.308098] -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: [ 75.308100] __lock_acquire+0x155e/0x25f0 [ 75.308103] lock_acquire+0xc9/0x300 [ 75.308105] lock_sock_nested+0x32/0x90 [ 75.308107] iso_connect_cfm+0x253/0x840 [bluetooth] [ 75.308128] hci_connect_cfm+0x6c/0x190 [bluetooth] [ 75.308155] hci_le_per_adv_report_evt+0x27b/0x2f0 [bluetooth] [ 75.308180] hci_le_meta_evt+0xe7/0x200 [bluetooth] [ 75.308206] hci_event_packet+0x21f/0x5c0 [bluetooth] [ 75.308230] hci_rx_work+0x3ae/0xb10 [bluetooth] [ 75.308254] process_one_work+0x212/0x740 [ 75.308256] worker_thread+0x1bd/0x3a0 [ 75.308258] kthread+0xe4/0x120 [ 75.308259] ret_from_fork+0x44/0x70 [ 75.308261] ret_from_fork_asm+0x1a/0x30 [ 75.308263] other info that might help us debug this: [ 75.308264] Possible unsafe locking scenario: [ 75.308264] CPU0 CPU1 [ 75.308265] ---- ---- [ 75.308265] lock(&hdev->lock); [ 75.308267] lock(sk_lock- AF_BLUETOOTH-BTPROTO_ISO); [ 75.308268] lock(&hdev->lock); [ 75.308269] lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO); [ 75.308270] *** DEADLOCK *** [ 75.308271] 4 locks held by kworker/u81:2/2623: [ 75.308272] #0: ffff8fdd66e52148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x443/0x740 [ 75.308276] #1: ffffafb488b7fe48 ((work_completion)(&hdev->rx_work)), at: process_one_work+0x1ce/0x740 [ 75.308280] #2: ffff8fdd61a10078 (&hdev->lock){+.+.}-{3:3} at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth] [ 75.308304] #3: ffffffffb6ba4900 (rcu_read_lock){....}-{1:2}, at: hci_connect_cfm+0x29/0x190 [bluetooth]

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c541d7b5e17987ed3…
	https://git.kernel.org/stable/c/168e28305b871d8ec…

Impacted products

Vendor

Product

Version

Linux

Affected: 02171da6e86a73e1b343b36722f5d9d5c04b3539 , < c541d7b5e17987ed330798b07d4ad508859c1c93 (git)
Affected: 02171da6e86a73e1b343b36722f5d9d5c04b3539 , < 168e28305b871d8ec604a8f51f35467b8d7ba05b (git)
Affected: a6c3af0a620082d191dabc69c4925b3e6c26dd48 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-54460",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:55:30.634283Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:21.713Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/iso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c541d7b5e17987ed330798b07d4ad508859c1c93",
              "status": "affected",
              "version": "02171da6e86a73e1b343b36722f5d9d5c04b3539",
              "versionType": "git"
            },
            {
              "lessThan": "168e28305b871d8ec604a8f51f35467b8d7ba05b",
              "status": "affected",
              "version": "02171da6e86a73e1b343b36722f5d9d5c04b3539",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a6c3af0a620082d191dabc69c4925b3e6c26dd48",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/iso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Fix circular lock in iso_listen_bis\n\nThis fixes the circular locking dependency warning below, by\nreleasing the socket lock before enterning iso_listen_bis, to\navoid any potential deadlock with hdev lock.\n\n[   75.307983] ======================================================\n[   75.307984] WARNING: possible circular locking dependency detected\n[   75.307985] 6.12.0-rc6+ #22 Not tainted\n[   75.307987] ------------------------------------------------------\n[   75.307987] kworker/u81:2/2623 is trying to acquire lock:\n[   75.307988] ffff8fde1769da58 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO)\n               at: iso_connect_cfm+0x253/0x840 [bluetooth]\n[   75.308021]\n               but task is already holding lock:\n[   75.308022] ffff8fdd61a10078 (\u0026hdev-\u003elock)\n               at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth]\n[   75.308053]\n               which lock already depends on the new lock.\n\n[   75.308054]\n               the existing dependency chain (in reverse order) is:\n[   75.308055]\n               -\u003e #1 (\u0026hdev-\u003elock){+.+.}-{3:3}:\n[   75.308057]        __mutex_lock+0xad/0xc50\n[   75.308061]        mutex_lock_nested+0x1b/0x30\n[   75.308063]        iso_sock_listen+0x143/0x5c0 [bluetooth]\n[   75.308085]        __sys_listen_socket+0x49/0x60\n[   75.308088]        __x64_sys_listen+0x4c/0x90\n[   75.308090]        x64_sys_call+0x2517/0x25f0\n[   75.308092]        do_syscall_64+0x87/0x150\n[   75.308095]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   75.308098]\n               -\u003e #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:\n[   75.308100]        __lock_acquire+0x155e/0x25f0\n[   75.308103]        lock_acquire+0xc9/0x300\n[   75.308105]        lock_sock_nested+0x32/0x90\n[   75.308107]        iso_connect_cfm+0x253/0x840 [bluetooth]\n[   75.308128]        hci_connect_cfm+0x6c/0x190 [bluetooth]\n[   75.308155]        hci_le_per_adv_report_evt+0x27b/0x2f0 [bluetooth]\n[   75.308180]        hci_le_meta_evt+0xe7/0x200 [bluetooth]\n[   75.308206]        hci_event_packet+0x21f/0x5c0 [bluetooth]\n[   75.308230]        hci_rx_work+0x3ae/0xb10 [bluetooth]\n[   75.308254]        process_one_work+0x212/0x740\n[   75.308256]        worker_thread+0x1bd/0x3a0\n[   75.308258]        kthread+0xe4/0x120\n[   75.308259]        ret_from_fork+0x44/0x70\n[   75.308261]        ret_from_fork_asm+0x1a/0x30\n[   75.308263]\n               other info that might help us debug this:\n\n[   75.308264]  Possible unsafe locking scenario:\n\n[   75.308264]        CPU0                CPU1\n[   75.308265]        ----                ----\n[   75.308265]   lock(\u0026hdev-\u003elock);\n[   75.308267]                            lock(sk_lock-\n                                                AF_BLUETOOTH-BTPROTO_ISO);\n[   75.308268]                            lock(\u0026hdev-\u003elock);\n[   75.308269]   lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO);\n[   75.308270]\n                *** DEADLOCK ***\n\n[   75.308271] 4 locks held by kworker/u81:2/2623:\n[   75.308272]  #0: ffff8fdd66e52148 ((wq_completion)hci0#2){+.+.}-{0:0},\n                at: process_one_work+0x443/0x740\n[   75.308276]  #1: ffffafb488b7fe48 ((work_completion)(\u0026hdev-\u003erx_work)),\n                at: process_one_work+0x1ce/0x740\n[   75.308280]  #2: ffff8fdd61a10078 (\u0026hdev-\u003elock){+.+.}-{3:3}\n                at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth]\n[   75.308304]  #3: ffffffffb6ba4900 (rcu_read_lock){....}-{1:2},\n                at: hci_connect_cfm+0x29/0x190 [bluetooth]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:50.023Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c541d7b5e17987ed330798b07d4ad508859c1c93"
        },
        {
          "url": "https://git.kernel.org/stable/c/168e28305b871d8ec604a8f51f35467b8d7ba05b"
        }
      ],
      "title": "Bluetooth: iso: Fix circular lock in iso_listen_bis",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-54460",
    "datePublished": "2025-01-11T12:29:53.553Z",
    "dateReserved": "2025-01-09T09:51:32.434Z",
    "dateUpdated": "2025-10-01T19:57:21.713Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56584 (GCVE-0-2024-56584)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:50 – Updated: 2025-11-03 20:50

Title

io_uring/tctx: work around xa_store() allocation error issue

Summary

In the Linux kernel, the following vulnerability has been resolved: io_uring/tctx: work around xa_store() allocation error issue syzbot triggered the following WARN_ON: WARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51 which is the WARN_ON_ONCE(!xa_empty(&tctx->xa)); sanity check in __io_uring_free() when a io_uring_task is going through its final put. The syzbot test case includes injecting memory allocation failures, and it very much looks like xa_store() can fail one of its memory allocations and end up with ->head being non-NULL even though no entries exist in the xarray. Until this issue gets sorted out, work around it by attempting to iterate entries in our xarray, and WARN_ON_ONCE() if one is found.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/94ad56f61b873ffee…
	https://git.kernel.org/stable/c/42882b583095dcf74…
	https://git.kernel.org/stable/c/d5b2ddf1f90c7248e…
	https://git.kernel.org/stable/c/7eb75ce7527129d7f…

Impacted products

Vendor

Product

Version

Linux

Affected: 2b188cc1bb857a9d4701ae59aa7768b5124e262e , < 94ad56f61b873ffeebcc620d451eacfbdf9d40f0 (git)
Affected: 2b188cc1bb857a9d4701ae59aa7768b5124e262e , < 42882b583095dcf747da6e3af1daeff40e27033e (git)
Affected: 2b188cc1bb857a9d4701ae59aa7768b5124e262e , < d5b2ddf1f90c7248eff9630b95895c8950f2f36d (git)
Affected: 2b188cc1bb857a9d4701ae59aa7768b5124e262e , < 7eb75ce7527129d7f1fee6951566af409a37a1c4 (git)

Linux

Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:01.079Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/tctx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "94ad56f61b873ffeebcc620d451eacfbdf9d40f0",
              "status": "affected",
              "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
              "versionType": "git"
            },
            {
              "lessThan": "42882b583095dcf747da6e3af1daeff40e27033e",
              "status": "affected",
              "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
              "versionType": "git"
            },
            {
              "lessThan": "d5b2ddf1f90c7248eff9630b95895c8950f2f36d",
              "status": "affected",
              "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
              "versionType": "git"
            },
            {
              "lessThan": "7eb75ce7527129d7f1fee6951566af409a37a1c4",
              "status": "affected",
              "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/tctx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/tctx: work around xa_store() allocation error issue\n\nsyzbot triggered the following WARN_ON:\n\nWARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51\n\nwhich is the\n\nWARN_ON_ONCE(!xa_empty(\u0026tctx-\u003exa));\n\nsanity check in __io_uring_free() when a io_uring_task is going through\nits final put. The syzbot test case includes injecting memory allocation\nfailures, and it very much looks like xa_store() can fail one of its\nmemory allocations and end up with -\u003ehead being non-NULL even though no\nentries exist in the xarray.\n\nUntil this issue gets sorted out, work around it by attempting to\niterate entries in our xarray, and WARN_ON_ONCE() if one is found."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:59:02.385Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/94ad56f61b873ffeebcc620d451eacfbdf9d40f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/42882b583095dcf747da6e3af1daeff40e27033e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5b2ddf1f90c7248eff9630b95895c8950f2f36d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7eb75ce7527129d7f1fee6951566af409a37a1c4"
        }
      ],
      "title": "io_uring/tctx: work around xa_store() allocation error issue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56584",
    "datePublished": "2024-12-27T14:50:52.735Z",
    "dateReserved": "2024-12-27T14:03:06.001Z",
    "dateUpdated": "2025-11-03T20:50:01.079Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-43098 (GCVE-0-2024-43098)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2025-11-03 20:38

Title

i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock

Summary

In the Linux kernel, the following vulnerability has been resolved: i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock A deadlock may happen since the i3c_master_register() acquires &i3cbus->lock twice. See the log below. Use i3cdev->desc->info instead of calling i3c_device_info() to avoid acquiring the lock twice. v2: - Modified the title and commit message ============================================ WARNING: possible recursive locking detected 6.11.0-mainline -------------------------------------------- init/1 is trying to acquire lock: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_bus_normaluse_lock but task is already holding lock: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&i3cbus->lock); lock(&i3cbus->lock); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by init/1: #0: fcffff809b6798f8 (&dev->mutex){....}-{3:3}, at: __driver_attach #1: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register stack backtrace: CPU: 6 UID: 0 PID: 1 Comm: init Call trace: dump_backtrace+0xfc/0x17c show_stack+0x18/0x28 dump_stack_lvl+0x40/0xc0 dump_stack+0x18/0x24 print_deadlock_bug+0x388/0x390 __lock_acquire+0x18bc/0x32ec lock_acquire+0x134/0x2b0 down_read+0x50/0x19c i3c_bus_normaluse_lock+0x14/0x24 i3c_device_get_info+0x24/0x58 i3c_device_uevent+0x34/0xa4 dev_uevent+0x310/0x384 kobject_uevent_env+0x244/0x414 kobject_uevent+0x14/0x20 device_add+0x278/0x460 device_register+0x20/0x34 i3c_master_register_new_i3c_devs+0x78/0x154 i3c_master_register+0x6a0/0x6d4 mtk_i3c_master_probe+0x3b8/0x4d8 platform_probe+0xa0/0xe0 really_probe+0x114/0x454 __driver_probe_device+0xa0/0x15c driver_probe_device+0x3c/0x1ac __driver_attach+0xc4/0x1f0 bus_for_each_dev+0x104/0x160 driver_attach+0x24/0x34 bus_add_driver+0x14c/0x294 driver_register+0x68/0x104 __platform_driver_register+0x20/0x30 init_module+0x20/0xfe4 do_one_initcall+0x184/0x464 do_init_module+0x58/0x1ec load_module+0xefc/0x10c8 __arm64_sys_finit_module+0x238/0x33c invoke_syscall+0x58/0x10c el0_svc_common+0xa8/0xdc do_el0_svc+0x1c/0x28 el0_svc+0x50/0xac el0t_64_sync_handler+0x70/0xbc el0t_64_sync+0x1a8/0x1ac

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9a2173660ee53d569…
	https://git.kernel.org/stable/c/5ac1dd51aaa0ce8b5…
	https://git.kernel.org/stable/c/2d98fa2a50b8058de…
	https://git.kernel.org/stable/c/816187b1833908941…
	https://git.kernel.org/stable/c/ffe19e363c6f8b992…
	https://git.kernel.org/stable/c/1f51ae217d09c361e…
	https://git.kernel.org/stable/c/6cf7b65f7029914dc…

Impacted products

Vendor

Product

Version

Linux

Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 9a2173660ee53d5699744f02e6ab7bf89fcd0b1a (git)
Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 5ac1dd51aaa0ce8b5421d1137e857955a4b6f55e (git)
Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 2d98fa2a50b8058de52ada168fa5dbabb574711b (git)
Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 816187b1833908941286e71b0041059a4acd52ed (git)
Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < ffe19e363c6f8b992ba835a361542568dea17409 (git)
Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 1f51ae217d09c361ede900b94735a6d2df6c0344 (git)
Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 6cf7b65f7029914dc0cd7db86fac9ee5159008c6 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-43098",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:01.817545Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:22.947Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:38:43.911Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i3c/master.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9a2173660ee53d5699744f02e6ab7bf89fcd0b1a",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "5ac1dd51aaa0ce8b5421d1137e857955a4b6f55e",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "2d98fa2a50b8058de52ada168fa5dbabb574711b",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "816187b1833908941286e71b0041059a4acd52ed",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "ffe19e363c6f8b992ba835a361542568dea17409",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "1f51ae217d09c361ede900b94735a6d2df6c0344",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "6cf7b65f7029914dc0cd7db86fac9ee5159008c6",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i3c/master.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: Use i3cdev-\u003edesc-\u003einfo instead of calling i3c_device_get_info() to avoid deadlock\n\nA deadlock may happen since the i3c_master_register() acquires\n\u0026i3cbus-\u003elock twice. See the log below.\nUse i3cdev-\u003edesc-\u003einfo instead of calling i3c_device_info() to\navoid acquiring the lock twice.\n\nv2:\n  - Modified the title and commit message\n\n============================================\nWARNING: possible recursive locking detected\n6.11.0-mainline\n--------------------------------------------\ninit/1 is trying to acquire lock:\nf1ffff80a6a40dc0 (\u0026i3cbus-\u003elock){++++}-{3:3}, at: i3c_bus_normaluse_lock\n\nbut task is already holding lock:\nf1ffff80a6a40dc0 (\u0026i3cbus-\u003elock){++++}-{3:3}, at: i3c_master_register\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(\u0026i3cbus-\u003elock);\n  lock(\u0026i3cbus-\u003elock);\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n2 locks held by init/1:\n #0: fcffff809b6798f8 (\u0026dev-\u003emutex){....}-{3:3}, at: __driver_attach\n #1: f1ffff80a6a40dc0 (\u0026i3cbus-\u003elock){++++}-{3:3}, at: i3c_master_register\n\nstack backtrace:\nCPU: 6 UID: 0 PID: 1 Comm: init\nCall trace:\n dump_backtrace+0xfc/0x17c\n show_stack+0x18/0x28\n dump_stack_lvl+0x40/0xc0\n dump_stack+0x18/0x24\n print_deadlock_bug+0x388/0x390\n __lock_acquire+0x18bc/0x32ec\n lock_acquire+0x134/0x2b0\n down_read+0x50/0x19c\n i3c_bus_normaluse_lock+0x14/0x24\n i3c_device_get_info+0x24/0x58\n i3c_device_uevent+0x34/0xa4\n dev_uevent+0x310/0x384\n kobject_uevent_env+0x244/0x414\n kobject_uevent+0x14/0x20\n device_add+0x278/0x460\n device_register+0x20/0x34\n i3c_master_register_new_i3c_devs+0x78/0x154\n i3c_master_register+0x6a0/0x6d4\n mtk_i3c_master_probe+0x3b8/0x4d8\n platform_probe+0xa0/0xe0\n really_probe+0x114/0x454\n __driver_probe_device+0xa0/0x15c\n driver_probe_device+0x3c/0x1ac\n __driver_attach+0xc4/0x1f0\n bus_for_each_dev+0x104/0x160\n driver_attach+0x24/0x34\n bus_add_driver+0x14c/0x294\n driver_register+0x68/0x104\n __platform_driver_register+0x20/0x30\n init_module+0x20/0xfe4\n do_one_initcall+0x184/0x464\n do_init_module+0x58/0x1ec\n load_module+0xefc/0x10c8\n __arm64_sys_finit_module+0x238/0x33c\n invoke_syscall+0x58/0x10c\n el0_svc_common+0xa8/0xdc\n do_el0_svc+0x1c/0x28\n el0_svc+0x50/0xac\n el0t_64_sync_handler+0x70/0xbc\n el0t_64_sync+0x1a8/0x1ac"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:26:51.205Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9a2173660ee53d5699744f02e6ab7bf89fcd0b1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ac1dd51aaa0ce8b5421d1137e857955a4b6f55e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d98fa2a50b8058de52ada168fa5dbabb574711b"
        },
        {
          "url": "https://git.kernel.org/stable/c/816187b1833908941286e71b0041059a4acd52ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffe19e363c6f8b992ba835a361542568dea17409"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f51ae217d09c361ede900b94735a6d2df6c0344"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cf7b65f7029914dc0cd7db86fac9ee5159008c6"
        }
      ],
      "title": "i3c: Use i3cdev-\u003edesc-\u003einfo instead of calling i3c_device_get_info() to avoid deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-43098",
    "datePublished": "2025-01-11T12:25:10.587Z",
    "dateReserved": "2025-01-09T09:51:32.424Z",
    "dateUpdated": "2025-11-03T20:38:43.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57885 (GCVE-0-2024-57885)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-05-04 10:05

Title

mm/kmemleak: fix sleeping function called from invalid context at print message

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: fix sleeping function called from invalid context at print message Address a bug in the kernel that triggers a "sleeping function called from invalid context" warning when /sys/kernel/debug/kmemleak is printed under specific conditions: - CONFIG_PREEMPT_RT=y - Set SELinux as the LSM for the system - Set kptr_restrict to 1 - kmemleak buffer contains at least one item BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 6 locks held by cat/136: #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30 #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128 #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0 #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0 #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0 irq event stamp: 136660 hardirqs last enabled at (136659): [<ffffafe6a80fd7a0>] _raw_spin_unlock_irqrestore+0xa8/0xd8 hardirqs last disabled at (136660): [<ffffafe6a80fd85c>] _raw_spin_lock_irqsave+0x8c/0xb0 softirqs last enabled at (0): [<ffffafe6a5d50b28>] copy_process+0x11d8/0x3df8 softirqs last disabled at (0): [<0000000000000000>] 0x0 Preemption disabled at: [<ffffafe6a6598a4c>] kmemleak_seq_show+0x3c/0x1e0 CPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34 Tainted: [E]=UNSIGNED_MODULE Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0xa0/0x128 show_stack+0x1c/0x30 dump_stack_lvl+0xe8/0x198 dump_stack+0x18/0x20 rt_spin_lock+0x8c/0x1a8 avc_perm_nonode+0xa0/0x150 cred_has_capability.isra.0+0x118/0x218 selinux_capable+0x50/0x80 security_capable+0x7c/0xd0 has_ns_capability_noaudit+0x94/0x1b0 has_capability_noaudit+0x20/0x30 restricted_pointer+0x21c/0x4b0 pointer+0x298/0x760 vsnprintf+0x330/0xf70 seq_printf+0x178/0x218 print_unreferenced+0x1a4/0x2d0 kmemleak_seq_show+0xd0/0x1e0 seq_read_iter+0x354/0xe30 seq_read+0x250/0x378 full_proxy_read+0xd8/0x148 vfs_read+0x190/0x918 ksys_read+0xf0/0x1e0 __arm64_sys_read+0x70/0xa8 invoke_syscall.constprop.0+0xd4/0x1d8 el0_svc+0x50/0x158 el0t_64_sync+0x17c/0x180 %pS and %pK, in the same back trace line, are redundant, and %pS can void %pK service in certain contexts. %pS alone already provides the necessary information, and if it cannot resolve the symbol, it falls back to printing the raw address voiding the original intent behind the %pK. Additionally, %pK requires a privilege check CAP_SYSLOG enforced through the LSM, which can trigger a "sleeping function called from invalid context" warning under RT_PREEMPT kernels when the check occurs in an atomic context. This issue may also affect other LSMs. This change avoids the unnecessary privilege check and resolves the sleeping function warning without any loss of information.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/86d946f3f9992aaa1…
	https://git.kernel.org/stable/c/64b2d32f22597b2a1…
	https://git.kernel.org/stable/c/cddc76b165161a02f…

Impacted products

Vendor

Product

Version

Linux

Affected: 3a6f33d86baa8103c80f62edd9393e9f7bf25d72 , < 86d946f3f9992aaa12abcfd09f925446c2cd42a2 (git)
Affected: 3a6f33d86baa8103c80f62edd9393e9f7bf25d72 , < 64b2d32f22597b2a1dc83ac600b2426588851a97 (git)
Affected: 3a6f33d86baa8103c80f62edd9393e9f7bf25d72 , < cddc76b165161a02ff14c4d84d0f5266d9d32b9e (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/kmemleak.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "86d946f3f9992aaa12abcfd09f925446c2cd42a2",
              "status": "affected",
              "version": "3a6f33d86baa8103c80f62edd9393e9f7bf25d72",
              "versionType": "git"
            },
            {
              "lessThan": "64b2d32f22597b2a1dc83ac600b2426588851a97",
              "status": "affected",
              "version": "3a6f33d86baa8103c80f62edd9393e9f7bf25d72",
              "versionType": "git"
            },
            {
              "lessThan": "cddc76b165161a02ff14c4d84d0f5266d9d32b9e",
              "status": "affected",
              "version": "3a6f33d86baa8103c80f62edd9393e9f7bf25d72",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/kmemleak.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: fix sleeping function called from invalid context at print message\n\nAddress a bug in the kernel that triggers a \"sleeping function called from\ninvalid context\" warning when /sys/kernel/debug/kmemleak is printed under\nspecific conditions:\n- CONFIG_PREEMPT_RT=y\n- Set SELinux as the LSM for the system\n- Set kptr_restrict to 1\n- kmemleak buffer contains at least one item\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n6 locks held by cat/136:\n #0: ffff32e64bcbf950 (\u0026p-\u003elock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30\n #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128\n #3: ffff32e6546b1cd0 (\u0026object-\u003elock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0\n #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0\n #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0\nirq event stamp: 136660\nhardirqs last  enabled at (136659): [\u003cffffafe6a80fd7a0\u003e] _raw_spin_unlock_irqrestore+0xa8/0xd8\nhardirqs last disabled at (136660): [\u003cffffafe6a80fd85c\u003e] _raw_spin_lock_irqsave+0x8c/0xb0\nsoftirqs last  enabled at (0): [\u003cffffafe6a5d50b28\u003e] copy_process+0x11d8/0x3df8\nsoftirqs last disabled at (0): [\u003c0000000000000000\u003e] 0x0\nPreemption disabled at:\n[\u003cffffafe6a6598a4c\u003e] kmemleak_seq_show+0x3c/0x1e0\nCPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G            E      6.11.0-rt7+ #34\nTainted: [E]=UNSIGNED_MODULE\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0xa0/0x128\n show_stack+0x1c/0x30\n dump_stack_lvl+0xe8/0x198\n dump_stack+0x18/0x20\n rt_spin_lock+0x8c/0x1a8\n avc_perm_nonode+0xa0/0x150\n cred_has_capability.isra.0+0x118/0x218\n selinux_capable+0x50/0x80\n security_capable+0x7c/0xd0\n has_ns_capability_noaudit+0x94/0x1b0\n has_capability_noaudit+0x20/0x30\n restricted_pointer+0x21c/0x4b0\n pointer+0x298/0x760\n vsnprintf+0x330/0xf70\n seq_printf+0x178/0x218\n print_unreferenced+0x1a4/0x2d0\n kmemleak_seq_show+0xd0/0x1e0\n seq_read_iter+0x354/0xe30\n seq_read+0x250/0x378\n full_proxy_read+0xd8/0x148\n vfs_read+0x190/0x918\n ksys_read+0xf0/0x1e0\n __arm64_sys_read+0x70/0xa8\n invoke_syscall.constprop.0+0xd4/0x1d8\n el0_svc+0x50/0x158\n el0t_64_sync+0x17c/0x180\n\n%pS and %pK, in the same back trace line, are redundant, and %pS can void\n%pK service in certain contexts.\n\n%pS alone already provides the necessary information, and if it cannot\nresolve the symbol, it falls back to printing the raw address voiding\nthe original intent behind the %pK.\n\nAdditionally, %pK requires a privilege check CAP_SYSLOG enforced through\nthe LSM, which can trigger a \"sleeping function called from invalid\ncontext\" warning under RT_PREEMPT kernels when the check occurs in an\natomic context. This issue may also affect other LSMs.\n\nThis change avoids the unnecessary privilege check and resolves the\nsleeping function warning without any loss of information."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:52.075Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/86d946f3f9992aaa12abcfd09f925446c2cd42a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/64b2d32f22597b2a1dc83ac600b2426588851a97"
        },
        {
          "url": "https://git.kernel.org/stable/c/cddc76b165161a02ff14c4d84d0f5266d9d32b9e"
        }
      ],
      "title": "mm/kmemleak: fix sleeping function called from invalid context at print message",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57885",
    "datePublished": "2025-01-15T13:05:38.261Z",
    "dateReserved": "2025-01-11T14:45:42.026Z",
    "dateUpdated": "2025-05-04T10:05:52.075Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57933 (GCVE-0-2024-57933)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:01 – Updated: 2025-10-01 19:57

Title

gve: guard XSK operations on the existence of queues

Summary

In the Linux kernel, the following vulnerability has been resolved: gve: guard XSK operations on the existence of queues This patch predicates the enabling and disabling of XSK pools on the existence of queues. As it stands, if the interface is down, disabling or enabling XSK pools would result in a crash, as the RX queue pointer would be NULL. XSK pool registration will occur as part of the next interface up. Similarly, xsk_wakeup needs be guarded against queues disappearing while the function is executing, so a check against the GVE_PRIV_FLAGS_NAPI_ENABLED flag is added to synchronize with the disabling of the bit and the synchronize_net() in gve_turndown.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/771d66f2bd8c4dba1…
	https://git.kernel.org/stable/c/8e8d7037c89437af1…
	https://git.kernel.org/stable/c/40338d7987d810fca…

Impacted products

Vendor

Product

Version

Linux

Affected: fd8e40321a12391e6f554cc637d0c4b6109682a9 , < 771d66f2bd8c4dba1286a9163ab982cecd825718 (git)
Affected: fd8e40321a12391e6f554cc637d0c4b6109682a9 , < 8e8d7037c89437af12725f454e2eaf40e8166c0f (git)
Affected: fd8e40321a12391e6f554cc637d0c4b6109682a9 , < 40338d7987d810fcaa95c500b1068a52b08eec9b (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57933",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:56.426501Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:14.306Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/google/gve/gve_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "771d66f2bd8c4dba1286a9163ab982cecd825718",
              "status": "affected",
              "version": "fd8e40321a12391e6f554cc637d0c4b6109682a9",
              "versionType": "git"
            },
            {
              "lessThan": "8e8d7037c89437af12725f454e2eaf40e8166c0f",
              "status": "affected",
              "version": "fd8e40321a12391e6f554cc637d0c4b6109682a9",
              "versionType": "git"
            },
            {
              "lessThan": "40338d7987d810fcaa95c500b1068a52b08eec9b",
              "status": "affected",
              "version": "fd8e40321a12391e6f554cc637d0c4b6109682a9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/google/gve/gve_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: guard XSK operations on the existence of queues\n\nThis patch predicates the enabling and disabling of XSK pools on the\nexistence of queues. As it stands, if the interface is down, disabling\nor enabling XSK pools would result in a crash, as the RX queue pointer\nwould be NULL. XSK pool registration will occur as part of the next\ninterface up.\n\nSimilarly, xsk_wakeup needs be guarded against queues disappearing\nwhile the function is executing, so a check against the\nGVE_PRIV_FLAGS_NAPI_ENABLED flag is added to synchronize with the\ndisabling of the bit and the synchronize_net() in gve_turndown."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:57.881Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/771d66f2bd8c4dba1286a9163ab982cecd825718"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e8d7037c89437af12725f454e2eaf40e8166c0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/40338d7987d810fcaa95c500b1068a52b08eec9b"
        }
      ],
      "title": "gve: guard XSK operations on the existence of queues",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57933",
    "datePublished": "2025-01-21T12:01:29.882Z",
    "dateReserved": "2025-01-19T11:50:08.377Z",
    "dateUpdated": "2025-10-01T19:57:14.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56594 (GCVE-0-2024-56594)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-11-03 20:50

Title

drm/amdgpu: set the right AMDGPU sg segment limitation

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: set the right AMDGPU sg segment limitation The driver needs to set the correct max_segment_size; otherwise debug_dma_map_sg() will complain about the over-mapping of the AMDGPU sg length as following: WARNING: CPU: 6 PID: 1964 at kernel/dma/debug.c:1178 debug_dma_map_sg+0x2dc/0x370 [ 364.049444] Modules linked in: veth amdgpu(OE) amdxcp drm_exec gpu_sched drm_buddy drm_ttm_helper ttm(OE) drm_suballoc_helper drm_display_helper drm_kms_helper i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc amd_atl intel_rapl_msr intel_rapl_common sunrpc sch_fq_codel snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd binfmt_misc snd_hda_codec snd_pci_acp6x snd_hda_core snd_acp_config snd_hwdep snd_soc_acpi kvm_amd snd_pcm kvm snd_seq_midi snd_seq_midi_event crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_rawmidi sha256_ssse3 sha1_ssse3 aesni_intel snd_seq nls_iso8859_1 crypto_simd snd_seq_device cryptd snd_timer rapl input_leds snd [ 364.049532] ipmi_devintf wmi_bmof ccp serio_raw k10temp sp5100_tco soundcore ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii [ 364.049576] CPU: 6 PID: 1964 Comm: rocminfo Tainted: G OE 6.10.0-custom #492 [ 364.049579] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 [ 364.049582] RIP: 0010:debug_dma_map_sg+0x2dc/0x370 [ 364.049585] Code: 89 4d b8 e8 36 b1 86 00 8b 4d b8 48 8b 55 b0 44 8b 45 a8 4c 8b 4d a0 48 89 c6 48 c7 c7 00 4b 74 bc 4c 89 4d b8 e8 b4 73 f3 ff <0f> 0b 4c 8b 4d b8 8b 15 c8 2c b8 01 85 d2 0f 85 ee fd ff ff 8b 05 [ 364.049588] RSP: 0018:ffff9ca600b57ac0 EFLAGS: 00010286 [ 364.049590] RAX: 0000000000000000 RBX: ffff88b7c132b0c8 RCX: 0000000000000027 [ 364.049592] RDX: ffff88bb0f521688 RSI: 0000000000000001 RDI: ffff88bb0f521680 [ 364.049594] RBP: ffff9ca600b57b20 R08: 000000000000006f R09: ffff9ca600b57930 [ 364.049596] R10: ffff9ca600b57928 R11: ffffffffbcb46328 R12: 0000000000000000 [ 364.049597] R13: 0000000000000001 R14: ffff88b7c19c0700 R15: ffff88b7c9059800 [ 364.049599] FS: 00007fb2d3516e80(0000) GS:ffff88bb0f500000(0000) knlGS:0000000000000000 [ 364.049601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 364.049603] CR2: 000055610bd03598 CR3: 00000001049f6000 CR4: 0000000000350ef0 [ 364.049605] Call Trace: [ 364.049607] <TASK> [ 364.049609] ? show_regs+0x6d/0x80 [ 364.049614] ? __warn+0x8c/0x140 [ 364.049618] ? debug_dma_map_sg+0x2dc/0x370 [ 364.049621] ? report_bug+0x193/0x1a0 [ 364.049627] ? handle_bug+0x46/0x80 [ 364.049631] ? exc_invalid_op+0x1d/0x80 [ 364.049635] ? asm_exc_invalid_op+0x1f/0x30 [ 364.049642] ? debug_dma_map_sg+0x2dc/0x370 [ 364.049647] __dma_map_sg_attrs+0x90/0xe0 [ 364.049651] dma_map_sgtable+0x25/0x40 [ 364.049654] amdgpu_bo_move+0x59a/0x850 [amdgpu] [ 364.049935] ? srso_return_thunk+0x5/0x5f [ 364.049939] ? amdgpu_ttm_tt_populate+0x5d/0xc0 [amdgpu] [ 364.050095] ttm_bo_handle_move_mem+0xc3/0x180 [ttm] [ 364.050103] ttm_bo_validate+0xc1/0x160 [ttm] [ 364.050108] ? amdgpu_ttm_tt_get_user_pages+0xe5/0x1b0 [amdgpu] [ 364.050263] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0xa12/0xc90 [amdgpu] [ 364.050473] kfd_ioctl_alloc_memory_of_gpu+0x16b/0x3b0 [amdgpu] [ 364.050680] kfd_ioctl+0x3c2/0x530 [amdgpu] [ 364.050866] ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu] [ 364.05105 ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b5807a08954fdf914…
	https://git.kernel.org/stable/c/13c3a54f48a612a11…
	https://git.kernel.org/stable/c/76581147b05c2adb6…
	https://git.kernel.org/stable/c/ff0346a74627a5f60…
	https://git.kernel.org/stable/c/b9e52a96ec92245bf…
	https://git.kernel.org/stable/c/76649ccf97e2cd72b…
	https://git.kernel.org/stable/c/e2e97435783979124…

Impacted products

Vendor

Product

Version

Linux

Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < b5807a08954fdf914ef80b49aaa6cda965ecc95c (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 13c3a54f48a612a117dfd82a9dd91732261e869d (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 76581147b05c2adb6b47bbc697521725f10224e4 (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < ff0346a74627a5f607a33a3852586f8c7f678329 (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < b9e52a96ec92245bf15dabba1d3d862d7a03efb8 (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 76649ccf97e2cd72b62e34ed2fba6e0f89497eab (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < e2e97435783979124ba92d6870415c57ecfef6a5 (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:20.938Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b5807a08954fdf914ef80b49aaa6cda965ecc95c",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "13c3a54f48a612a117dfd82a9dd91732261e869d",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "76581147b05c2adb6b47bbc697521725f10224e4",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "ff0346a74627a5f607a33a3852586f8c7f678329",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "b9e52a96ec92245bf15dabba1d3d862d7a03efb8",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "76649ccf97e2cd72b62e34ed2fba6e0f89497eab",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "e2e97435783979124ba92d6870415c57ecfef6a5",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: set the right AMDGPU sg segment limitation\n\nThe driver needs to set the correct max_segment_size;\notherwise debug_dma_map_sg() will complain about the\nover-mapping of the AMDGPU sg length as following:\n\nWARNING: CPU: 6 PID: 1964 at kernel/dma/debug.c:1178 debug_dma_map_sg+0x2dc/0x370\n[  364.049444] Modules linked in: veth amdgpu(OE) amdxcp drm_exec gpu_sched drm_buddy drm_ttm_helper ttm(OE) drm_suballoc_helper drm_display_helper drm_kms_helper i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc amd_atl intel_rapl_msr intel_rapl_common sunrpc sch_fq_codel snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd binfmt_misc snd_hda_codec snd_pci_acp6x snd_hda_core snd_acp_config snd_hwdep snd_soc_acpi kvm_amd snd_pcm kvm snd_seq_midi snd_seq_midi_event crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_rawmidi sha256_ssse3 sha1_ssse3 aesni_intel snd_seq nls_iso8859_1 crypto_simd snd_seq_device cryptd snd_timer rapl input_leds snd\n[  364.049532]  ipmi_devintf wmi_bmof ccp serio_raw k10temp sp5100_tco soundcore ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii\n[  364.049576] CPU: 6 PID: 1964 Comm: rocminfo Tainted: G           OE      6.10.0-custom #492\n[  364.049579] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021\n[  364.049582] RIP: 0010:debug_dma_map_sg+0x2dc/0x370\n[  364.049585] Code: 89 4d b8 e8 36 b1 86 00 8b 4d b8 48 8b 55 b0 44 8b 45 a8 4c 8b 4d a0 48 89 c6 48 c7 c7 00 4b 74 bc 4c 89 4d b8 e8 b4 73 f3 ff \u003c0f\u003e 0b 4c 8b 4d b8 8b 15 c8 2c b8 01 85 d2 0f 85 ee fd ff ff 8b 05\n[  364.049588] RSP: 0018:ffff9ca600b57ac0 EFLAGS: 00010286\n[  364.049590] RAX: 0000000000000000 RBX: ffff88b7c132b0c8 RCX: 0000000000000027\n[  364.049592] RDX: ffff88bb0f521688 RSI: 0000000000000001 RDI: ffff88bb0f521680\n[  364.049594] RBP: ffff9ca600b57b20 R08: 000000000000006f R09: ffff9ca600b57930\n[  364.049596] R10: ffff9ca600b57928 R11: ffffffffbcb46328 R12: 0000000000000000\n[  364.049597] R13: 0000000000000001 R14: ffff88b7c19c0700 R15: ffff88b7c9059800\n[  364.049599] FS:  00007fb2d3516e80(0000) GS:ffff88bb0f500000(0000) knlGS:0000000000000000\n[  364.049601] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  364.049603] CR2: 000055610bd03598 CR3: 00000001049f6000 CR4: 0000000000350ef0\n[  364.049605] Call Trace:\n[  364.049607]  \u003cTASK\u003e\n[  364.049609]  ? show_regs+0x6d/0x80\n[  364.049614]  ? __warn+0x8c/0x140\n[  364.049618]  ? debug_dma_map_sg+0x2dc/0x370\n[  364.049621]  ? report_bug+0x193/0x1a0\n[  364.049627]  ? handle_bug+0x46/0x80\n[  364.049631]  ? exc_invalid_op+0x1d/0x80\n[  364.049635]  ? asm_exc_invalid_op+0x1f/0x30\n[  364.049642]  ? debug_dma_map_sg+0x2dc/0x370\n[  364.049647]  __dma_map_sg_attrs+0x90/0xe0\n[  364.049651]  dma_map_sgtable+0x25/0x40\n[  364.049654]  amdgpu_bo_move+0x59a/0x850 [amdgpu]\n[  364.049935]  ? srso_return_thunk+0x5/0x5f\n[  364.049939]  ? amdgpu_ttm_tt_populate+0x5d/0xc0 [amdgpu]\n[  364.050095]  ttm_bo_handle_move_mem+0xc3/0x180 [ttm]\n[  364.050103]  ttm_bo_validate+0xc1/0x160 [ttm]\n[  364.050108]  ? amdgpu_ttm_tt_get_user_pages+0xe5/0x1b0 [amdgpu]\n[  364.050263]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0xa12/0xc90 [amdgpu]\n[  364.050473]  kfd_ioctl_alloc_memory_of_gpu+0x16b/0x3b0 [amdgpu]\n[  364.050680]  kfd_ioctl+0x3c2/0x530 [amdgpu]\n[  364.050866]  ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu]\n[  364.05105\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-16T08:02:56.947Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b5807a08954fdf914ef80b49aaa6cda965ecc95c"
        },
        {
          "url": "https://git.kernel.org/stable/c/13c3a54f48a612a117dfd82a9dd91732261e869d"
        },
        {
          "url": "https://git.kernel.org/stable/c/76581147b05c2adb6b47bbc697521725f10224e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff0346a74627a5f607a33a3852586f8c7f678329"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9e52a96ec92245bf15dabba1d3d862d7a03efb8"
        },
        {
          "url": "https://git.kernel.org/stable/c/76649ccf97e2cd72b62e34ed2fba6e0f89497eab"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2e97435783979124ba92d6870415c57ecfef6a5"
        }
      ],
      "title": "drm/amdgpu: set the right AMDGPU sg segment limitation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56594",
    "datePublished": "2024-12-27T14:51:01.431Z",
    "dateReserved": "2024-12-27T14:03:06.004Z",
    "dateUpdated": "2025-11-03T20:50:20.938Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57886 (GCVE-0-2024-57886)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-05-04 10:05

Title

mm/damon/core: fix new damon_target objects leaks on damon_commit_targets()

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() Patch series "mm/damon/core: fix memory leaks and ignored inputs from damon_commit_ctx()". Due to two bugs in damon_commit_targets() and damon_commit_schemes(), which are called from damon_commit_ctx(), some user inputs can be ignored, and some mmeory objects can be leaked. Fix those. Note that only DAMON sysfs interface users are affected. Other DAMON core API user modules that more focused more on simple and dedicated production usages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy function in the way, so not affected. This patch (of 2): When new DAMON targets are added via damon_commit_targets(), the newly created targets are not deallocated when updating the internal data (damon_commit_target()) is failed. Worse yet, even if the setup is successfully done, the new target is not linked to the context. Hence, the new targets are always leaked regardless of the internal data setup failure. Fix the leaks.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3647932d0b3e609c7…
	https://git.kernel.org/stable/c/8debfc5b1aa569d3d…

Impacted products

Vendor

Product

Version

Linux

Affected: 9cb3d0b9dfce6a3258d91e6d69e418d0b4cce46a , < 3647932d0b3e609c762c55e8f9fe10a09776e0a7 (git)
Affected: 9cb3d0b9dfce6a3258d91e6d69e418d0b4cce46a , < 8debfc5b1aa569d3d2ac836af2553da037611c61 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/damon/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3647932d0b3e609c762c55e8f9fe10a09776e0a7",
              "status": "affected",
              "version": "9cb3d0b9dfce6a3258d91e6d69e418d0b4cce46a",
              "versionType": "git"
            },
            {
              "lessThan": "8debfc5b1aa569d3d2ac836af2553da037611c61",
              "status": "affected",
              "version": "9cb3d0b9dfce6a3258d91e6d69e418d0b4cce46a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/damon/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: fix new damon_target objects leaks on damon_commit_targets()\n\nPatch series \"mm/damon/core: fix memory leaks and ignored inputs from\ndamon_commit_ctx()\".\n\nDue to two bugs in damon_commit_targets() and damon_commit_schemes(),\nwhich are called from damon_commit_ctx(), some user inputs can be ignored,\nand some mmeory objects can be leaked.  Fix those.\n\nNote that only DAMON sysfs interface users are affected.  Other DAMON core\nAPI user modules that more focused more on simple and dedicated production\nusages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy\nfunction in the way, so not affected.\n\n\nThis patch (of 2):\n\nWhen new DAMON targets are added via damon_commit_targets(), the newly\ncreated targets are not deallocated when updating the internal data\n(damon_commit_target()) is failed.  Worse yet, even if the setup is\nsuccessfully done, the new target is not linked to the context.  Hence,\nthe new targets are always leaked regardless of the internal data setup\nfailure.  Fix the leaks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:53.521Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3647932d0b3e609c762c55e8f9fe10a09776e0a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/8debfc5b1aa569d3d2ac836af2553da037611c61"
        }
      ],
      "title": "mm/damon/core: fix new damon_target objects leaks on damon_commit_targets()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57886",
    "datePublished": "2025-01-15T13:05:39.110Z",
    "dateReserved": "2025-01-11T14:45:42.026Z",
    "dateUpdated": "2025-05-04T10:05:53.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-54683 (GCVE-0-2024-54683)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:29 – Updated: 2025-10-01 19:57

Title

netfilter: IDLETIMER: Fix for possible ABBA deadlock

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: IDLETIMER: Fix for possible ABBA deadlock Deletion of the last rule referencing a given idletimer may happen at the same time as a read of its file in sysfs: | ====================================================== | WARNING: possible circular locking dependency detected | 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted | ------------------------------------------------------ | iptables/3303 is trying to acquire lock: | ffff8881057e04b8 (kn->active#48){++++}-{0:0}, at: __kernfs_remove+0x20 | | but task is already holding lock: | ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v] | | which lock already depends on the new lock. A simple reproducer is: | #!/bin/bash | | while true; do | iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | done & | while true; do | cat /sys/class/xt_idletimer/timers/testme >/dev/null | done Avoid this by freeing list_mutex right after deleting the element from the list, then continuing with the teardown.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8c2c8445cda8f59c3…
	https://git.kernel.org/stable/c/45fe76573a2557f63…
	https://git.kernel.org/stable/c/f36b01994d68ffc25…

Impacted products

Vendor

Product

Version

Linux

Affected: 0902b469bd25065aa0688c3cee6f11744c817e7c , < 8c2c8445cda8f59c38dec7dc10509bcb23ae26a0 (git)
Affected: 0902b469bd25065aa0688c3cee6f11744c817e7c , < 45fe76573a2557f632e248cc141342233f422b9a (git)
Affected: 0902b469bd25065aa0688c3cee6f11744c817e7c , < f36b01994d68ffc253c8296e2228dfe6e6431c03 (git)

Linux

Affected: 2.6.36
Unaffected: 0 , < 2.6.36 (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-54683",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:55:27.468543Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:21.581Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8c2c8445cda8f59c38dec7dc10509bcb23ae26a0",
              "status": "affected",
              "version": "0902b469bd25065aa0688c3cee6f11744c817e7c",
              "versionType": "git"
            },
            {
              "lessThan": "45fe76573a2557f632e248cc141342233f422b9a",
              "status": "affected",
              "version": "0902b469bd25065aa0688c3cee6f11744c817e7c",
              "versionType": "git"
            },
            {
              "lessThan": "f36b01994d68ffc253c8296e2228dfe6e6431c03",
              "status": "affected",
              "version": "0902b469bd25065aa0688c3cee6f11744c817e7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.36"
            },
            {
              "lessThan": "2.6.36",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: IDLETIMER: Fix for possible ABBA deadlock\n\nDeletion of the last rule referencing a given idletimer may happen at\nthe same time as a read of its file in sysfs:\n\n| ======================================================\n| WARNING: possible circular locking dependency detected\n| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted\n| ------------------------------------------------------\n| iptables/3303 is trying to acquire lock:\n| ffff8881057e04b8 (kn-\u003eactive#48){++++}-{0:0}, at: __kernfs_remove+0x20\n|\n| but task is already holding lock:\n| ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v]\n|\n| which lock already depends on the new lock.\n\nA simple reproducer is:\n\n| #!/bin/bash\n|\n| while true; do\n|         iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label \"testme\"\n|         iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label \"testme\"\n| done \u0026\n| while true; do\n|         cat /sys/class/xt_idletimer/timers/testme \u003e/dev/null\n| done\n\nAvoid this by freeing list_mutex right after deleting the element from\nthe list, then continuing with the teardown."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:57:10.479Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8c2c8445cda8f59c38dec7dc10509bcb23ae26a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/45fe76573a2557f632e248cc141342233f422b9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f36b01994d68ffc253c8296e2228dfe6e6431c03"
        }
      ],
      "title": "netfilter: IDLETIMER: Fix for possible ABBA deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-54683",
    "datePublished": "2025-01-11T12:29:54.407Z",
    "dateReserved": "2025-01-09T09:49:29.693Z",
    "dateUpdated": "2025-10-01T19:57:21.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56650 (GCVE-0-2024-56650)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

netfilter: x_tables: fix LED ID check in led_tg_check()

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: fix LED ID check in led_tg_check() Syzbot has reported the following BUG detected by KASAN: BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70 Read of size 1 at addr ffff8881022da0c8 by task repro/5879 ... Call Trace: <TASK> dump_stack_lvl+0x241/0x360 ? __pfx_dump_stack_lvl+0x10/0x10 ? __pfx__printk+0x10/0x10 ? _printk+0xd5/0x120 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x183/0x530 print_report+0x169/0x550 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x45f/0x530 ? __phys_addr+0xba/0x170 ? strlen+0x58/0x70 kasan_report+0x143/0x180 ? strlen+0x58/0x70 strlen+0x58/0x70 kstrdup+0x20/0x80 led_tg_check+0x18b/0x3c0 xt_check_target+0x3bb/0xa40 ? __pfx_xt_check_target+0x10/0x10 ? stack_depot_save_flags+0x6e4/0x830 ? nft_target_init+0x174/0xc30 nft_target_init+0x82d/0xc30 ? __pfx_nft_target_init+0x10/0x10 ? nf_tables_newrule+0x1609/0x2980 ? nf_tables_newrule+0x1609/0x2980 ? rcu_is_watching+0x15/0xb0 ? nf_tables_newrule+0x1609/0x2980 ? nf_tables_newrule+0x1609/0x2980 ? __kmalloc_noprof+0x21a/0x400 nf_tables_newrule+0x1860/0x2980 ? __pfx_nf_tables_newrule+0x10/0x10 ? __nla_parse+0x40/0x60 nfnetlink_rcv+0x14e5/0x2ab0 ? __pfx_validate_chain+0x10/0x10 ? __pfx_nfnetlink_rcv+0x10/0x10 ? __lock_acquire+0x1384/0x2050 ? netlink_deliver_tap+0x2e/0x1b0 ? __pfx_lock_release+0x10/0x10 ? netlink_deliver_tap+0x2e/0x1b0 netlink_unicast+0x7f8/0x990 ? __pfx_netlink_unicast+0x10/0x10 ? __virt_addr_valid+0x183/0x530 ? __check_object_size+0x48e/0x900 netlink_sendmsg+0x8e4/0xcb0 ? __pfx_netlink_sendmsg+0x10/0x10 ? aa_sock_msg_perm+0x91/0x160 ? __pfx_netlink_sendmsg+0x10/0x10 __sock_sendmsg+0x223/0x270 ____sys_sendmsg+0x52a/0x7e0 ? __pfx_____sys_sendmsg+0x10/0x10 __sys_sendmsg+0x292/0x380 ? __pfx___sys_sendmsg+0x10/0x10 ? lockdep_hardirqs_on_prepare+0x43d/0x780 ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 ? exc_page_fault+0x590/0x8c0 ? do_syscall_64+0xb6/0x230 do_syscall_64+0xf3/0x230 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... </TASK> Since an invalid (without '\0' byte at all) byte sequence may be passed from userspace, add an extra check to ensure that such a sequence is rejected as possible ID and so never passed to 'kstrdup()' and further.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/147a42bb02de8735c…
	https://git.kernel.org/stable/c/ad28612ebae1fcc11…
	https://git.kernel.org/stable/c/36a9d94dac28beef6…
	https://git.kernel.org/stable/c/ab9916321c95f5280…
	https://git.kernel.org/stable/c/a9bcc0b70d9baf3ff…
	https://git.kernel.org/stable/c/c40c96d98e536fc1d…
	https://git.kernel.org/stable/c/04317f4eb2aad312a…

Impacted products

Vendor

Product

Version

Linux

Affected: 268cb38e1802db560c73167e643f14a3dcb4b07c , < 147a42bb02de8735cb08476be6d0917987d022c2 (git)
Affected: 268cb38e1802db560c73167e643f14a3dcb4b07c , < ad28612ebae1fcc1104bd432e99e99d87f6bfe09 (git)
Affected: 268cb38e1802db560c73167e643f14a3dcb4b07c , < 36a9d94dac28beef6b8abba46ba8874320d3e800 (git)
Affected: 268cb38e1802db560c73167e643f14a3dcb4b07c , < ab9916321c95f5280b72b4c5055e269f98627efe (git)
Affected: 268cb38e1802db560c73167e643f14a3dcb4b07c , < a9bcc0b70d9baf3ff005874489a0dc9d023b54c3 (git)
Affected: 268cb38e1802db560c73167e643f14a3dcb4b07c , < c40c96d98e536fc1daaa125c2332b988615e30a4 (git)
Affected: 268cb38e1802db560c73167e643f14a3dcb4b07c , < 04317f4eb2aad312ad85c1a17ad81fe75f1f9bc7 (git)

Linux

Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56650",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:00:22.683789Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:11.150Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:56.813Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_LED.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "147a42bb02de8735cb08476be6d0917987d022c2",
              "status": "affected",
              "version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
              "versionType": "git"
            },
            {
              "lessThan": "ad28612ebae1fcc1104bd432e99e99d87f6bfe09",
              "status": "affected",
              "version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
              "versionType": "git"
            },
            {
              "lessThan": "36a9d94dac28beef6b8abba46ba8874320d3e800",
              "status": "affected",
              "version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
              "versionType": "git"
            },
            {
              "lessThan": "ab9916321c95f5280b72b4c5055e269f98627efe",
              "status": "affected",
              "version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
              "versionType": "git"
            },
            {
              "lessThan": "a9bcc0b70d9baf3ff005874489a0dc9d023b54c3",
              "status": "affected",
              "version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
              "versionType": "git"
            },
            {
              "lessThan": "c40c96d98e536fc1daaa125c2332b988615e30a4",
              "status": "affected",
              "version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
              "versionType": "git"
            },
            {
              "lessThan": "04317f4eb2aad312ad85c1a17ad81fe75f1f9bc7",
              "status": "affected",
              "version": "268cb38e1802db560c73167e643f14a3dcb4b07c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_LED.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: fix LED ID check in led_tg_check()\n\nSyzbot has reported the following BUG detected by KASAN:\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70\nRead of size 1 at addr ffff8881022da0c8 by task repro/5879\n...\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x241/0x360\n ? __pfx_dump_stack_lvl+0x10/0x10\n ? __pfx__printk+0x10/0x10\n ? _printk+0xd5/0x120\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x183/0x530\n print_report+0x169/0x550\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x45f/0x530\n ? __phys_addr+0xba/0x170\n ? strlen+0x58/0x70\n kasan_report+0x143/0x180\n ? strlen+0x58/0x70\n strlen+0x58/0x70\n kstrdup+0x20/0x80\n led_tg_check+0x18b/0x3c0\n xt_check_target+0x3bb/0xa40\n ? __pfx_xt_check_target+0x10/0x10\n ? stack_depot_save_flags+0x6e4/0x830\n ? nft_target_init+0x174/0xc30\n nft_target_init+0x82d/0xc30\n ? __pfx_nft_target_init+0x10/0x10\n ? nf_tables_newrule+0x1609/0x2980\n ? nf_tables_newrule+0x1609/0x2980\n ? rcu_is_watching+0x15/0xb0\n ? nf_tables_newrule+0x1609/0x2980\n ? nf_tables_newrule+0x1609/0x2980\n ? __kmalloc_noprof+0x21a/0x400\n nf_tables_newrule+0x1860/0x2980\n ? __pfx_nf_tables_newrule+0x10/0x10\n ? __nla_parse+0x40/0x60\n nfnetlink_rcv+0x14e5/0x2ab0\n ? __pfx_validate_chain+0x10/0x10\n ? __pfx_nfnetlink_rcv+0x10/0x10\n ? __lock_acquire+0x1384/0x2050\n ? netlink_deliver_tap+0x2e/0x1b0\n ? __pfx_lock_release+0x10/0x10\n ? netlink_deliver_tap+0x2e/0x1b0\n netlink_unicast+0x7f8/0x990\n ? __pfx_netlink_unicast+0x10/0x10\n ? __virt_addr_valid+0x183/0x530\n ? __check_object_size+0x48e/0x900\n netlink_sendmsg+0x8e4/0xcb0\n ? __pfx_netlink_sendmsg+0x10/0x10\n ? aa_sock_msg_perm+0x91/0x160\n ? __pfx_netlink_sendmsg+0x10/0x10\n __sock_sendmsg+0x223/0x270\n ____sys_sendmsg+0x52a/0x7e0\n ? __pfx_____sys_sendmsg+0x10/0x10\n __sys_sendmsg+0x292/0x380\n ? __pfx___sys_sendmsg+0x10/0x10\n ? lockdep_hardirqs_on_prepare+0x43d/0x780\n ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10\n ? exc_page_fault+0x590/0x8c0\n ? do_syscall_64+0xb6/0x230\n do_syscall_64+0xf3/0x230\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n \u003c/TASK\u003e\n\nSince an invalid (without \u0027\\0\u0027 byte at all) byte sequence may be passed\nfrom userspace, add an extra check to ensure that such a sequence is\nrejected as possible ID and so never passed to \u0027kstrdup()\u0027 and further."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:01:03.454Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/147a42bb02de8735cb08476be6d0917987d022c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad28612ebae1fcc1104bd432e99e99d87f6bfe09"
        },
        {
          "url": "https://git.kernel.org/stable/c/36a9d94dac28beef6b8abba46ba8874320d3e800"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab9916321c95f5280b72b4c5055e269f98627efe"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9bcc0b70d9baf3ff005874489a0dc9d023b54c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/c40c96d98e536fc1daaa125c2332b988615e30a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/04317f4eb2aad312ad85c1a17ad81fe75f1f9bc7"
        }
      ],
      "title": "netfilter: x_tables: fix LED ID check in led_tg_check()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56650",
    "datePublished": "2024-12-27T15:02:50.098Z",
    "dateReserved": "2024-12-27T15:00:39.840Z",
    "dateUpdated": "2025-11-03T20:51:56.813Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57849 (GCVE-0-2024-57849)

Vulnerability from cvelistv5 – Published: 2025-01-11 14:30 – Updated: 2026-01-05 10:56

Title

s390/cpum_sf: Handle CPU hotplug remove during sampling

Summary

In the Linux kernel, the following vulnerability has been resolved: s390/cpum_sf: Handle CPU hotplug remove during sampling CPU hotplug remove handling triggers the following function call sequence: CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() ... CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu() The s390 CPUMF sampling CPU hotplug handler invokes: s390_pmu_sf_offline_cpu() +--> cpusf_pmu_setup() +--> setup_pmc_cpu() +--> deallocate_buffers() This function de-allocates all sampling data buffers (SDBs) allocated for that CPU at event initialization. It also clears the PMU_F_RESERVED bit. The CPU is gone and can not be sampled. With the event still being active on the removed CPU, the CPU event hotplug support in kernel performance subsystem triggers the following function calls on the removed CPU: perf_event_exit_cpu() +--> perf_event_exit_cpu_context() +--> __perf_event_exit_context() +--> __perf_remove_from_context() +--> event_sched_out() +--> cpumsf_pmu_del() +--> cpumsf_pmu_stop() +--> hw_perf_event_update() to stop and remove the event. During removal of the event, the sampling device driver tries to read out the remaining samples from the sample data buffers (SDBs). But they have already been freed (and may have been re-assigned). This may lead to a use after free situation in which case the samples are most likely invalid. In the best case the memory has not been reassigned and still contains valid data. Remedy this situation and check if the CPU is still in reserved state (bit PMU_F_RESERVED set). In this case the SDBs have not been released an contain valid data. This is always the case when the event is removed (and no CPU hotplug off occured). If the PMU_F_RESERVED bit is not set, the SDB buffers are gone.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/238e3af849dfdcb1f…
	https://git.kernel.org/stable/c/99192c735ed4bfdff…
	https://git.kernel.org/stable/c/06a92f810df8037ca…
	https://git.kernel.org/stable/c/b5be6a0bb639d165c…
	https://git.kernel.org/stable/c/a69752f1e5de81794…
	https://git.kernel.org/stable/c/be54e6e0f93a39a9c…
	https://git.kernel.org/stable/c/a0bd7dacbd51c632b…

Impacted products

Vendor

Product

Version

Linux

Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < 238e3af849dfdcb1faed544349f7025e533f9aab (git)
Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < 99192c735ed4bfdff0d215ec85c8a87a677cb898 (git)
Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < 06a92f810df8037ca36157282ddcbefdcaf049b8 (git)
Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < b5be6a0bb639d165c8418d8dddd8f322587be8be (git)
Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < a69752f1e5de817941a2ea0609254f6f25acd274 (git)
Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < be54e6e0f93a39a9c00478d70d12956a5f3d5b9b (git)
Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < a0bd7dacbd51c632b8e2c0500b479af564afadf3 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:42.821Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/kernel/perf_cpum_sf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "238e3af849dfdcb1faed544349f7025e533f9aab",
              "status": "affected",
              "version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
              "versionType": "git"
            },
            {
              "lessThan": "99192c735ed4bfdff0d215ec85c8a87a677cb898",
              "status": "affected",
              "version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
              "versionType": "git"
            },
            {
              "lessThan": "06a92f810df8037ca36157282ddcbefdcaf049b8",
              "status": "affected",
              "version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
              "versionType": "git"
            },
            {
              "lessThan": "b5be6a0bb639d165c8418d8dddd8f322587be8be",
              "status": "affected",
              "version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
              "versionType": "git"
            },
            {
              "lessThan": "a69752f1e5de817941a2ea0609254f6f25acd274",
              "status": "affected",
              "version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
              "versionType": "git"
            },
            {
              "lessThan": "be54e6e0f93a39a9c00478d70d12956a5f3d5b9b",
              "status": "affected",
              "version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
              "versionType": "git"
            },
            {
              "lessThan": "a0bd7dacbd51c632b8e2c0500b479af564afadf3",
              "status": "affected",
              "version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/kernel/perf_cpum_sf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cpum_sf: Handle CPU hotplug remove during sampling\n\nCPU hotplug remove handling triggers the following function\ncall sequence:\n\n   CPUHP_AP_PERF_S390_SF_ONLINE  --\u003e s390_pmu_sf_offline_cpu()\n   ...\n   CPUHP_AP_PERF_ONLINE          --\u003e perf_event_exit_cpu()\n\nThe s390 CPUMF sampling CPU hotplug handler invokes:\n\n s390_pmu_sf_offline_cpu()\n +--\u003e  cpusf_pmu_setup()\n       +--\u003e setup_pmc_cpu()\n            +--\u003e deallocate_buffers()\n\nThis function de-allocates all sampling data buffers (SDBs) allocated\nfor that CPU at event initialization. It also clears the\nPMU_F_RESERVED bit. The CPU is gone and can not be sampled.\n\nWith the event still being active on the removed CPU, the CPU event\nhotplug support in kernel performance subsystem triggers the\nfollowing function calls on the removed CPU:\n\n  perf_event_exit_cpu()\n  +--\u003e perf_event_exit_cpu_context()\n       +--\u003e __perf_event_exit_context()\n\t    +--\u003e __perf_remove_from_context()\n\t         +--\u003e event_sched_out()\n\t              +--\u003e cpumsf_pmu_del()\n\t                   +--\u003e cpumsf_pmu_stop()\n                                +--\u003e hw_perf_event_update()\n\nto stop and remove the event. During removal of the event, the\nsampling device driver tries to read out the remaining samples from\nthe sample data buffers (SDBs). But they have already been freed\n(and may have been re-assigned). This may lead to a use after free\nsituation in which case the samples are most likely invalid. In the\nbest case the memory has not been reassigned and still contains\nvalid data.\n\nRemedy this situation and check if the CPU is still in reserved\nstate (bit PMU_F_RESERVED set). In this case the SDBs have not been\nreleased an contain valid data. This is always the case when\nthe event is removed (and no CPU hotplug off occured).\nIf the PMU_F_RESERVED bit is not set, the SDB buffers are gone."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:29.911Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/238e3af849dfdcb1faed544349f7025e533f9aab"
        },
        {
          "url": "https://git.kernel.org/stable/c/99192c735ed4bfdff0d215ec85c8a87a677cb898"
        },
        {
          "url": "https://git.kernel.org/stable/c/06a92f810df8037ca36157282ddcbefdcaf049b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5be6a0bb639d165c8418d8dddd8f322587be8be"
        },
        {
          "url": "https://git.kernel.org/stable/c/a69752f1e5de817941a2ea0609254f6f25acd274"
        },
        {
          "url": "https://git.kernel.org/stable/c/be54e6e0f93a39a9c00478d70d12956a5f3d5b9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0bd7dacbd51c632b8e2c0500b479af564afadf3"
        }
      ],
      "title": "s390/cpum_sf: Handle CPU hotplug remove during sampling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57849",
    "datePublished": "2025-01-11T14:30:58.365Z",
    "dateReserved": "2025-01-11T12:33:33.699Z",
    "dateUpdated": "2026-01-05T10:56:29.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57926 (GCVE-0-2024-57926)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-05-04 10:06

Title

drm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err The pointer need to be set to NULL, otherwise KASAN complains about use-after-free. Because in mtk_drm_bind, all private's drm are set as follows. private->all_drm_private[i]->drm = drm; And drm will be released by drm_dev_put in case mtk_drm_kms_init returns failure. However, the shutdown path still accesses the previous allocated memory in drm_atomic_helper_shutdown. [ 84.874820] watchdog: watchdog0: watchdog did not stop! [ 86.512054] ================================================================== [ 86.513162] BUG: KASAN: use-after-free in drm_atomic_helper_shutdown+0x33c/0x378 [ 86.514258] Read of size 8 at addr ffff0000d46fc068 by task shutdown/1 [ 86.515213] [ 86.515455] CPU: 1 UID: 0 PID: 1 Comm: shutdown Not tainted 6.13.0-rc1-mtk+gfa1a78e5d24b-dirty #55 [ 86.516752] Hardware name: Unknown Product/Unknown Product, BIOS 2022.10 10/01/2022 [ 86.517960] Call trace: [ 86.518333] show_stack+0x20/0x38 (C) [ 86.518891] dump_stack_lvl+0x90/0xd0 [ 86.519443] print_report+0xf8/0x5b0 [ 86.519985] kasan_report+0xb4/0x100 [ 86.520526] __asan_report_load8_noabort+0x20/0x30 [ 86.521240] drm_atomic_helper_shutdown+0x33c/0x378 [ 86.521966] mtk_drm_shutdown+0x54/0x80 [ 86.522546] platform_shutdown+0x64/0x90 [ 86.523137] device_shutdown+0x260/0x5b8 [ 86.523728] kernel_restart+0x78/0xf0 [ 86.524282] __do_sys_reboot+0x258/0x2f0 [ 86.524871] __arm64_sys_reboot+0x90/0xd8 [ 86.525473] invoke_syscall+0x74/0x268 [ 86.526041] el0_svc_common.constprop.0+0xb0/0x240 [ 86.526751] do_el0_svc+0x4c/0x70 [ 86.527251] el0_svc+0x4c/0xc0 [ 86.527719] el0t_64_sync_handler+0x144/0x168 [ 86.528367] el0t_64_sync+0x198/0x1a0 [ 86.528920] [ 86.529157] The buggy address belongs to the physical page: [ 86.529972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000d46fd4d0 pfn:0x1146fc [ 86.531319] flags: 0xbfffc0000000000(node=0|zone=2|lastcpupid=0xffff) [ 86.532267] raw: 0bfffc0000000000 0000000000000000 dead000000000122 0000000000000000 [ 86.533390] raw: ffff0000d46fd4d0 0000000000000000 00000000ffffffff 0000000000000000 [ 86.534511] page dumped because: kasan: bad access detected [ 86.535323] [ 86.535559] Memory state around the buggy address: [ 86.536265] ffff0000d46fbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.537314] ffff0000d46fbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.538363] >ffff0000d46fc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.544733] ^ [ 86.551057] ffff0000d46fc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.557510] ffff0000d46fc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.563928] ================================================================== [ 86.571093] Disabling lock debugging due to kernel taint [ 86.577642] Unable to handle kernel paging request at virtual address e0e9c0920000000b [ 86.581834] KASAN: maybe wild-memory-access in range [0x0752049000000058-0x075204900000005f] ...

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7083b93e9755d60f0…
	https://git.kernel.org/stable/c/078b2ff7da200b753…
	https://git.kernel.org/stable/c/36684e9d88a2e2401…

Impacted products

Vendor

Product

Version

Linux

Affected: 1ef7ed48356cd5f9af2b7671956991b658d8c2ba , < 7083b93e9755d60f0c2bcaa9d064308108280534 (git)
Affected: 1ef7ed48356cd5f9af2b7671956991b658d8c2ba , < 078b2ff7da200b7532398e668eef723ad40fb516 (git)
Affected: 1ef7ed48356cd5f9af2b7671956991b658d8c2ba , < 36684e9d88a2e2401ae26715a2e217cb4295cea7 (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57926",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:40:53.635333Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:19.288Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mediatek/mtk_drm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7083b93e9755d60f0c2bcaa9d064308108280534",
              "status": "affected",
              "version": "1ef7ed48356cd5f9af2b7671956991b658d8c2ba",
              "versionType": "git"
            },
            {
              "lessThan": "078b2ff7da200b7532398e668eef723ad40fb516",
              "status": "affected",
              "version": "1ef7ed48356cd5f9af2b7671956991b658d8c2ba",
              "versionType": "git"
            },
            {
              "lessThan": "36684e9d88a2e2401ae26715a2e217cb4295cea7",
              "status": "affected",
              "version": "1ef7ed48356cd5f9af2b7671956991b658d8c2ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mediatek/mtk_drm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Set private-\u003eall_drm_private[i]-\u003edrm to NULL if mtk_drm_bind returns err\n\nThe pointer need to be set to NULL, otherwise KASAN complains about\nuse-after-free. Because in mtk_drm_bind, all private\u0027s drm are set\nas follows.\n\nprivate-\u003eall_drm_private[i]-\u003edrm = drm;\n\nAnd drm will be released by drm_dev_put in case mtk_drm_kms_init returns\nfailure. However, the shutdown path still accesses the previous allocated\nmemory in drm_atomic_helper_shutdown.\n\n[   84.874820] watchdog: watchdog0: watchdog did not stop!\n[   86.512054] ==================================================================\n[   86.513162] BUG: KASAN: use-after-free in drm_atomic_helper_shutdown+0x33c/0x378\n[   86.514258] Read of size 8 at addr ffff0000d46fc068 by task shutdown/1\n[   86.515213]\n[   86.515455] CPU: 1 UID: 0 PID: 1 Comm: shutdown Not tainted 6.13.0-rc1-mtk+gfa1a78e5d24b-dirty #55\n[   86.516752] Hardware name: Unknown Product/Unknown Product, BIOS 2022.10 10/01/2022\n[   86.517960] Call trace:\n[   86.518333]  show_stack+0x20/0x38 (C)\n[   86.518891]  dump_stack_lvl+0x90/0xd0\n[   86.519443]  print_report+0xf8/0x5b0\n[   86.519985]  kasan_report+0xb4/0x100\n[   86.520526]  __asan_report_load8_noabort+0x20/0x30\n[   86.521240]  drm_atomic_helper_shutdown+0x33c/0x378\n[   86.521966]  mtk_drm_shutdown+0x54/0x80\n[   86.522546]  platform_shutdown+0x64/0x90\n[   86.523137]  device_shutdown+0x260/0x5b8\n[   86.523728]  kernel_restart+0x78/0xf0\n[   86.524282]  __do_sys_reboot+0x258/0x2f0\n[   86.524871]  __arm64_sys_reboot+0x90/0xd8\n[   86.525473]  invoke_syscall+0x74/0x268\n[   86.526041]  el0_svc_common.constprop.0+0xb0/0x240\n[   86.526751]  do_el0_svc+0x4c/0x70\n[   86.527251]  el0_svc+0x4c/0xc0\n[   86.527719]  el0t_64_sync_handler+0x144/0x168\n[   86.528367]  el0t_64_sync+0x198/0x1a0\n[   86.528920]\n[   86.529157] The buggy address belongs to the physical page:\n[   86.529972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000d46fd4d0 pfn:0x1146fc\n[   86.531319] flags: 0xbfffc0000000000(node=0|zone=2|lastcpupid=0xffff)\n[   86.532267] raw: 0bfffc0000000000 0000000000000000 dead000000000122 0000000000000000\n[   86.533390] raw: ffff0000d46fd4d0 0000000000000000 00000000ffffffff 0000000000000000\n[   86.534511] page dumped because: kasan: bad access detected\n[   86.535323]\n[   86.535559] Memory state around the buggy address:\n[   86.536265]  ffff0000d46fbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.537314]  ffff0000d46fbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.538363] \u003effff0000d46fc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.544733]                                                           ^\n[   86.551057]  ffff0000d46fc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.557510]  ffff0000d46fc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.563928] ==================================================================\n[   86.571093] Disabling lock debugging due to kernel taint\n[   86.577642] Unable to handle kernel paging request at virtual address e0e9c0920000000b\n[   86.581834] KASAN: maybe wild-memory-access in range [0x0752049000000058-0x075204900000005f]\n..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:47.533Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7083b93e9755d60f0c2bcaa9d064308108280534"
        },
        {
          "url": "https://git.kernel.org/stable/c/078b2ff7da200b7532398e668eef723ad40fb516"
        },
        {
          "url": "https://git.kernel.org/stable/c/36684e9d88a2e2401ae26715a2e217cb4295cea7"
        }
      ],
      "title": "drm/mediatek: Set private-\u003eall_drm_private[i]-\u003edrm to NULL if mtk_drm_bind returns err",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57926",
    "datePublished": "2025-01-19T11:52:43.915Z",
    "dateReserved": "2025-01-19T11:50:08.376Z",
    "dateUpdated": "2025-05-04T10:06:47.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-54191 (GCVE-0-2024-54191)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:29 – Updated: 2025-10-01 19:57

Title

Bluetooth: iso: Fix circular lock in iso_conn_big_sync

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Fix circular lock in iso_conn_big_sync This fixes the circular locking dependency warning below, by reworking iso_sock_recvmsg, to ensure that the socket lock is always released before calling a function that locks hdev. [ 561.670344] ====================================================== [ 561.670346] WARNING: possible circular locking dependency detected [ 561.670349] 6.12.0-rc6+ #26 Not tainted [ 561.670351] ------------------------------------------------------ [ 561.670353] iso-tester/3289 is trying to acquire lock: [ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3}, at: iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670405] but task is already holding lock: [ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: iso_sock_recvmsg+0xbf/0x500 [bluetooth] [ 561.670450] which lock already depends on the new lock. [ 561.670452] the existing dependency chain (in reverse order) is: [ 561.670453] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}: [ 561.670458] lock_acquire+0x7c/0xc0 [ 561.670463] lock_sock_nested+0x3b/0xf0 [ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth] [ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth] [ 561.670547] do_accept+0x3dd/0x610 [ 561.670550] __sys_accept4+0xd8/0x170 [ 561.670553] __x64_sys_accept+0x74/0xc0 [ 561.670556] x64_sys_call+0x17d6/0x25f0 [ 561.670559] do_syscall_64+0x87/0x150 [ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670567] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: [ 561.670571] lock_acquire+0x7c/0xc0 [ 561.670574] lock_sock_nested+0x3b/0xf0 [ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth] [ 561.670617] __sys_listen_socket+0xef/0x130 [ 561.670620] __x64_sys_listen+0xe1/0x190 [ 561.670623] x64_sys_call+0x2517/0x25f0 [ 561.670626] do_syscall_64+0x87/0x150 [ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670632] -> #0 (&hdev->lock){+.+.}-{3:3}: [ 561.670636] __lock_acquire+0x32ad/0x6ab0 [ 561.670639] lock_acquire.part.0+0x118/0x360 [ 561.670642] lock_acquire+0x7c/0xc0 [ 561.670644] __mutex_lock+0x18d/0x12f0 [ 561.670647] mutex_lock_nested+0x1b/0x30 [ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth] [ 561.670722] sock_recvmsg+0x1d5/0x240 [ 561.670725] sock_read_iter+0x27d/0x470 [ 561.670727] vfs_read+0x9a0/0xd30 [ 561.670731] ksys_read+0x1a8/0x250 [ 561.670733] __x64_sys_read+0x72/0xc0 [ 561.670736] x64_sys_call+0x1b12/0x25f0 [ 561.670738] do_syscall_64+0x87/0x150 [ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670744] other info that might help us debug this: [ 561.670745] Chain exists of: &hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH [ 561.670751] Possible unsafe locking scenario: [ 561.670753] CPU0 CPU1 [ 561.670754] ---- ---- [ 561.670756] lock(sk_lock-AF_BLUETOOTH); [ 561.670758] lock(sk_lock AF_BLUETOOTH-BTPROTO_ISO); [ 561.670761] lock(sk_lock-AF_BLUETOOTH); [ 561.670764] lock(&hdev->lock); [ 561.670767] *** DEADLOCK ***

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cbe640d6cae590b9a…
	https://git.kernel.org/stable/c/7a17308c17880d259…

Impacted products

Vendor

Product

Version

Linux

Affected: 1360e5b6ce63d63d23223a659ca2bbafa30a53aa , < cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5 (git)
Affected: 07a9342b94a91b306ed1cf6aa8254aea210764c9 , < 7a17308c17880d259105f6e591eb1bc77b9612f0 (git)
Affected: bfec1e55314896bf4a4cfdb3a9ad4872be9f06ed (git)

Linux

Affected: 6.12.2 , < 6.12.6 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-54191",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:55:33.815501Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:21.849Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/iso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5",
              "status": "affected",
              "version": "1360e5b6ce63d63d23223a659ca2bbafa30a53aa",
              "versionType": "git"
            },
            {
              "lessThan": "7a17308c17880d259105f6e591eb1bc77b9612f0",
              "status": "affected",
              "version": "07a9342b94a91b306ed1cf6aa8254aea210764c9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bfec1e55314896bf4a4cfdb3a9ad4872be9f06ed",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/iso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.12.6",
              "status": "affected",
              "version": "6.12.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.12.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Fix circular lock in iso_conn_big_sync\n\nThis fixes the circular locking dependency warning below, by reworking\niso_sock_recvmsg, to ensure that the socket lock is always released\nbefore calling a function that locks hdev.\n\n[  561.670344] ======================================================\n[  561.670346] WARNING: possible circular locking dependency detected\n[  561.670349] 6.12.0-rc6+ #26 Not tainted\n[  561.670351] ------------------------------------------------------\n[  561.670353] iso-tester/3289 is trying to acquire lock:\n[  561.670355] ffff88811f600078 (\u0026hdev-\u003elock){+.+.}-{3:3},\n               at: iso_conn_big_sync+0x73/0x260 [bluetooth]\n[  561.670405]\n               but task is already holding lock:\n[  561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0},\n               at: iso_sock_recvmsg+0xbf/0x500 [bluetooth]\n[  561.670450]\n               which lock already depends on the new lock.\n\n[  561.670452]\n               the existing dependency chain (in reverse order) is:\n[  561.670453]\n               -\u003e #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:\n[  561.670458]        lock_acquire+0x7c/0xc0\n[  561.670463]        lock_sock_nested+0x3b/0xf0\n[  561.670467]        bt_accept_dequeue+0x1a5/0x4d0 [bluetooth]\n[  561.670510]        iso_sock_accept+0x271/0x830 [bluetooth]\n[  561.670547]        do_accept+0x3dd/0x610\n[  561.670550]        __sys_accept4+0xd8/0x170\n[  561.670553]        __x64_sys_accept+0x74/0xc0\n[  561.670556]        x64_sys_call+0x17d6/0x25f0\n[  561.670559]        do_syscall_64+0x87/0x150\n[  561.670563]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670567]\n               -\u003e #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:\n[  561.670571]        lock_acquire+0x7c/0xc0\n[  561.670574]        lock_sock_nested+0x3b/0xf0\n[  561.670577]        iso_sock_listen+0x2de/0xf30 [bluetooth]\n[  561.670617]        __sys_listen_socket+0xef/0x130\n[  561.670620]        __x64_sys_listen+0xe1/0x190\n[  561.670623]        x64_sys_call+0x2517/0x25f0\n[  561.670626]        do_syscall_64+0x87/0x150\n[  561.670629]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670632]\n               -\u003e #0 (\u0026hdev-\u003elock){+.+.}-{3:3}:\n[  561.670636]        __lock_acquire+0x32ad/0x6ab0\n[  561.670639]        lock_acquire.part.0+0x118/0x360\n[  561.670642]        lock_acquire+0x7c/0xc0\n[  561.670644]        __mutex_lock+0x18d/0x12f0\n[  561.670647]        mutex_lock_nested+0x1b/0x30\n[  561.670651]        iso_conn_big_sync+0x73/0x260 [bluetooth]\n[  561.670687]        iso_sock_recvmsg+0x3e9/0x500 [bluetooth]\n[  561.670722]        sock_recvmsg+0x1d5/0x240\n[  561.670725]        sock_read_iter+0x27d/0x470\n[  561.670727]        vfs_read+0x9a0/0xd30\n[  561.670731]        ksys_read+0x1a8/0x250\n[  561.670733]        __x64_sys_read+0x72/0xc0\n[  561.670736]        x64_sys_call+0x1b12/0x25f0\n[  561.670738]        do_syscall_64+0x87/0x150\n[  561.670741]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670744]\n               other info that might help us debug this:\n\n[  561.670745] Chain exists of:\n\u0026hdev-\u003elock --\u003e sk_lock-AF_BLUETOOTH-BTPROTO_ISO --\u003e sk_lock-AF_BLUETOOTH\n\n[  561.670751]  Possible unsafe locking scenario:\n\n[  561.670753]        CPU0                    CPU1\n[  561.670754]        ----                    ----\n[  561.670756]   lock(sk_lock-AF_BLUETOOTH);\n[  561.670758]                                lock(sk_lock\n                                              AF_BLUETOOTH-BTPROTO_ISO);\n[  561.670761]                                lock(sk_lock-AF_BLUETOOTH);\n[  561.670764]   lock(\u0026hdev-\u003elock);\n[  561.670767]\n                *** DEADLOCK ***"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:48.976Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a17308c17880d259105f6e591eb1bc77b9612f0"
        }
      ],
      "title": "Bluetooth: iso: Fix circular lock in iso_conn_big_sync",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-54191",
    "datePublished": "2025-01-11T12:29:52.753Z",
    "dateReserved": "2025-01-09T09:49:29.716Z",
    "dateUpdated": "2025-10-01T19:57:21.849Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56574 (GCVE-0-2024-56574)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-11-03 20:49

Title

media: ts2020: fix null-ptr-deref in ts2020_probe()

Summary

In the Linux kernel, the following vulnerability has been resolved: media: ts2020: fix null-ptr-deref in ts2020_probe() KASAN reported a null-ptr-deref issue when executing the following command: # echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009) RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020] RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809 RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010 RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6 R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790 R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001 FS: 00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ts2020_probe+0xad/0xe10 [ts2020] i2c_device_probe+0x421/0xb40 really_probe+0x266/0x850 ... The cause of the problem is that when using sysfs to dynamically register an i2c device, there is no platform data, but the probe process of ts2020 needs to use platform data, resulting in a null pointer being accessed. Solve this problem by adding checks to platform data.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ced1c04e82e3ecc24…
	https://git.kernel.org/stable/c/5a53f97cd59779118…
	https://git.kernel.org/stable/c/b6208d1567f929105…
	https://git.kernel.org/stable/c/dc03866b5f4aa2668…
	https://git.kernel.org/stable/c/a2ed3b780f34e4a64…
	https://git.kernel.org/stable/c/901070571bc191d1d…
	https://git.kernel.org/stable/c/4a058b34b52ed3feb…

Impacted products

Vendor

Product

Version

Linux

Affected: dc245a5f9b5163511e0c164c8aa47848f07b75a9 , < ced1c04e82e3ecc246b921b9733f0df0866aa50d (git)
Affected: dc245a5f9b5163511e0c164c8aa47848f07b75a9 , < 5a53f97cd5977911850b695add057f9965c1a2d6 (git)
Affected: dc245a5f9b5163511e0c164c8aa47848f07b75a9 , < b6208d1567f929105011bcdfd738f59a6bdc1088 (git)
Affected: dc245a5f9b5163511e0c164c8aa47848f07b75a9 , < dc03866b5f4aa2668946f8384a1e5286ae53bbaa (git)
Affected: dc245a5f9b5163511e0c164c8aa47848f07b75a9 , < a2ed3b780f34e4a6403064208bc2c99d1ed85026 (git)
Affected: dc245a5f9b5163511e0c164c8aa47848f07b75a9 , < 901070571bc191d1d8d7a1379bc5ba9446200999 (git)
Affected: dc245a5f9b5163511e0c164c8aa47848f07b75a9 , < 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba (git)

Linux

Affected: 4.1
Unaffected: 0 , < 4.1 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56574",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:02:03.343164Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:15.308Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:49:48.153Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/dvb-frontends/ts2020.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ced1c04e82e3ecc246b921b9733f0df0866aa50d",
              "status": "affected",
              "version": "dc245a5f9b5163511e0c164c8aa47848f07b75a9",
              "versionType": "git"
            },
            {
              "lessThan": "5a53f97cd5977911850b695add057f9965c1a2d6",
              "status": "affected",
              "version": "dc245a5f9b5163511e0c164c8aa47848f07b75a9",
              "versionType": "git"
            },
            {
              "lessThan": "b6208d1567f929105011bcdfd738f59a6bdc1088",
              "status": "affected",
              "version": "dc245a5f9b5163511e0c164c8aa47848f07b75a9",
              "versionType": "git"
            },
            {
              "lessThan": "dc03866b5f4aa2668946f8384a1e5286ae53bbaa",
              "status": "affected",
              "version": "dc245a5f9b5163511e0c164c8aa47848f07b75a9",
              "versionType": "git"
            },
            {
              "lessThan": "a2ed3b780f34e4a6403064208bc2c99d1ed85026",
              "status": "affected",
              "version": "dc245a5f9b5163511e0c164c8aa47848f07b75a9",
              "versionType": "git"
            },
            {
              "lessThan": "901070571bc191d1d8d7a1379bc5ba9446200999",
              "status": "affected",
              "version": "dc245a5f9b5163511e0c164c8aa47848f07b75a9",
              "versionType": "git"
            },
            {
              "lessThan": "4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba",
              "status": "affected",
              "version": "dc245a5f9b5163511e0c164c8aa47848f07b75a9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/dvb-frontends/ts2020.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.1"
            },
            {
              "lessThan": "4.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ts2020: fix null-ptr-deref in ts2020_probe()\n\nKASAN reported a null-ptr-deref issue when executing the following\ncommand:\n\n  # echo ts2020 0x20 \u003e /sys/bus/i2c/devices/i2c-0/new_device\n    KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n    CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)\n    RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020]\n    RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202\n    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809\n    RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010\n    RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6\n    R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790\n    R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001\n    FS:  00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0\n    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n    Call Trace:\n     \u003cTASK\u003e\n     ts2020_probe+0xad/0xe10 [ts2020]\n     i2c_device_probe+0x421/0xb40\n     really_probe+0x266/0x850\n    ...\n\nThe cause of the problem is that when using sysfs to dynamically register\nan i2c device, there is no platform data, but the probe process of ts2020\nneeds to use platform data, resulting in a null pointer being accessed.\n\nSolve this problem by adding checks to platform data."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:41.833Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ced1c04e82e3ecc246b921b9733f0df0866aa50d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a53f97cd5977911850b695add057f9965c1a2d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6208d1567f929105011bcdfd738f59a6bdc1088"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc03866b5f4aa2668946f8384a1e5286ae53bbaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2ed3b780f34e4a6403064208bc2c99d1ed85026"
        },
        {
          "url": "https://git.kernel.org/stable/c/901070571bc191d1d8d7a1379bc5ba9446200999"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba"
        }
      ],
      "title": "media: ts2020: fix null-ptr-deref in ts2020_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56574",
    "datePublished": "2024-12-27T14:23:17.177Z",
    "dateReserved": "2024-12-27T14:03:05.998Z",
    "dateUpdated": "2025-11-03T20:49:48.153Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56576 (GCVE-0-2024-56576)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2025-11-03 20:49

Title

media: i2c: tc358743: Fix crash in the probe error path when using polling

Summary

In the Linux kernel, the following vulnerability has been resolved: media: i2c: tc358743: Fix crash in the probe error path when using polling If an error occurs in the probe() function, we should remove the polling timer that was alarmed earlier, otherwise the timer is called with arguments that are already freed, which results in a crash. ------------[ cut here ]------------ WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268 Modules linked in: CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226 Hardware name: Diasom DS-RK3568-SOM-EVB (DT) pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __run_timers+0x244/0x268 lr : __run_timers+0x1d4/0x268 sp : ffffff80eff2baf0 x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00 x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00 x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000 x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000 x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009 x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480 x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240 x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0 Call trace: __run_timers+0x244/0x268 timer_expire_remote+0x50/0x68 tmigr_handle_remote+0x388/0x39c run_timer_softirq+0x38/0x44 handle_softirqs+0x138/0x298 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x24/0x4c do_softirq_own_stack+0x1c/0x2c irq_exit_rcu+0x9c/0xcc el1_interrupt+0x48/0xc0 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x7c/0x80 default_idle_call+0x34/0x68 do_idle+0x23c/0x294 cpu_startup_entry+0x38/0x3c secondary_start_kernel+0x128/0x160 __secondary_switched+0xb8/0xbc ---[ end trace 0000000000000000 ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/13193a97ddd5a6a5b…
	https://git.kernel.org/stable/c/5c9ab34c87af718bd…
	https://git.kernel.org/stable/c/815d14147068347e8…
	https://git.kernel.org/stable/c/34a3466a92f50c51d…
	https://git.kernel.org/stable/c/b59ab89bc83f7bff6…
	https://git.kernel.org/stable/c/1def915b1564f4375…
	https://git.kernel.org/stable/c/869f38ae07f7df829…

Impacted products

Vendor

Product

Version

Linux

Affected: 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a , < 13193a97ddd5a6a5b11408ddbc1ae85588b1860c (git)
Affected: 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a , < 5c9ab34c87af718bdbf9faa2b1a6ba41d15380ea (git)
Affected: 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a , < 815d14147068347e88c258233eb951b41b2792a6 (git)
Affected: 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a , < 34a3466a92f50c51d984f0ec2e96864886d460eb (git)
Affected: 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a , < b59ab89bc83f7bff67f78c6caf484a84a6dd30f7 (git)
Affected: 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a , < 1def915b1564f4375330bd113ea1d768a569cfd8 (git)
Affected: 4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a , < 869f38ae07f7df829da4951c3d1f7a2be09c2e9a (git)

Linux

Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:49:52.421Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/i2c/tc358743.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "13193a97ddd5a6a5b11408ddbc1ae85588b1860c",
              "status": "affected",
              "version": "4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a",
              "versionType": "git"
            },
            {
              "lessThan": "5c9ab34c87af718bdbf9faa2b1a6ba41d15380ea",
              "status": "affected",
              "version": "4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a",
              "versionType": "git"
            },
            {
              "lessThan": "815d14147068347e88c258233eb951b41b2792a6",
              "status": "affected",
              "version": "4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a",
              "versionType": "git"
            },
            {
              "lessThan": "34a3466a92f50c51d984f0ec2e96864886d460eb",
              "status": "affected",
              "version": "4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a",
              "versionType": "git"
            },
            {
              "lessThan": "b59ab89bc83f7bff67f78c6caf484a84a6dd30f7",
              "status": "affected",
              "version": "4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a",
              "versionType": "git"
            },
            {
              "lessThan": "1def915b1564f4375330bd113ea1d768a569cfd8",
              "status": "affected",
              "version": "4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a",
              "versionType": "git"
            },
            {
              "lessThan": "869f38ae07f7df829da4951c3d1f7a2be09c2e9a",
              "status": "affected",
              "version": "4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/i2c/tc358743.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: tc358743: Fix crash in the probe error path when using polling\n\nIf an error occurs in the probe() function, we should remove the polling\ntimer that was alarmed earlier, otherwise the timer is called with\narguments that are already freed, which results in a crash.\n\n------------[ cut here ]------------\nWARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268\nModules linked in:\nCPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226\nHardware name: Diasom DS-RK3568-SOM-EVB (DT)\npstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __run_timers+0x244/0x268\nlr : __run_timers+0x1d4/0x268\nsp : ffffff80eff2baf0\nx29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00\nx26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00\nx23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000\nx20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff\nx17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e\nx14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000\nx11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009\nx8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480\nx5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240\nx2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0\nCall trace:\n\u00a0__run_timers+0x244/0x268\n\u00a0timer_expire_remote+0x50/0x68\n\u00a0tmigr_handle_remote+0x388/0x39c\n\u00a0run_timer_softirq+0x38/0x44\n\u00a0handle_softirqs+0x138/0x298\n\u00a0__do_softirq+0x14/0x20\n\u00a0____do_softirq+0x10/0x1c\n\u00a0call_on_irq_stack+0x24/0x4c\n\u00a0do_softirq_own_stack+0x1c/0x2c\n\u00a0irq_exit_rcu+0x9c/0xcc\n\u00a0el1_interrupt+0x48/0xc0\n\u00a0el1h_64_irq_handler+0x18/0x24\n\u00a0el1h_64_irq+0x7c/0x80\n\u00a0default_idle_call+0x34/0x68\n\u00a0do_idle+0x23c/0x294\n\u00a0cpu_startup_entry+0x38/0x3c\n\u00a0secondary_start_kernel+0x128/0x160\n\u00a0__secondary_switched+0xb8/0xbc\n---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:44.990Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/13193a97ddd5a6a5b11408ddbc1ae85588b1860c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c9ab34c87af718bdbf9faa2b1a6ba41d15380ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/815d14147068347e88c258233eb951b41b2792a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/34a3466a92f50c51d984f0ec2e96864886d460eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/b59ab89bc83f7bff67f78c6caf484a84a6dd30f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1def915b1564f4375330bd113ea1d768a569cfd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/869f38ae07f7df829da4951c3d1f7a2be09c2e9a"
        }
      ],
      "title": "media: i2c: tc358743: Fix crash in the probe error path when using polling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56576",
    "datePublished": "2024-12-27T14:23:18.792Z",
    "dateReserved": "2024-12-27T14:03:05.999Z",
    "dateUpdated": "2025-11-03T20:49:52.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57798 (GCVE-0-2024-57798)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:39 – Updated: 2025-11-03 20:54

Title

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f61b2e5e7821f868d…
	https://git.kernel.org/stable/c/9735d40f5fde9970a…
	https://git.kernel.org/stable/c/ce55818b2d3a999f8…
	https://git.kernel.org/stable/c/e54b00086f7473dbd…

Impacted products

Vendor

Product

Version

Linux

Affected: 9408cc94eb041d0c2f9f00189a613b94c0449450 , < f61b2e5e7821f868d6afc22382a66a30ee780ba0 (git)
Affected: 9408cc94eb041d0c2f9f00189a613b94c0449450 , < 9735d40f5fde9970aa46e828ecc85c32571d58a2 (git)
Affected: 9408cc94eb041d0c2f9f00189a613b94c0449450 , < ce55818b2d3a999f886af91679589e4644ff1dc8 (git)
Affected: 9408cc94eb041d0c2f9f00189a613b94c0449450 , < e54b00086f7473dbda1a7d6fc47720ced157c6a8 (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 6.1.123 , ≤ 6.1.* (semver)
Unaffected: 6.6.69 , ≤ 6.6.* (semver)
Unaffected: 6.12.8 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57798",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:08:59.297300Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:17:07.111Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:32.760Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/display/drm_dp_mst_topology.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f61b2e5e7821f868d6afc22382a66a30ee780ba0",
              "status": "affected",
              "version": "9408cc94eb041d0c2f9f00189a613b94c0449450",
              "versionType": "git"
            },
            {
              "lessThan": "9735d40f5fde9970aa46e828ecc85c32571d58a2",
              "status": "affected",
              "version": "9408cc94eb041d0c2f9f00189a613b94c0449450",
              "versionType": "git"
            },
            {
              "lessThan": "ce55818b2d3a999f886af91679589e4644ff1dc8",
              "status": "affected",
              "version": "9408cc94eb041d0c2f9f00189a613b94c0449450",
              "versionType": "git"
            },
            {
              "lessThan": "e54b00086f7473dbda1a7d6fc47720ced157c6a8",
              "status": "affected",
              "version": "9408cc94eb041d0c2f9f00189a613b94c0449450",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/display/drm_dp_mst_topology.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.69",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.123",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.69",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()\n\nWhile receiving an MST up request message from one thread in\ndrm_dp_mst_handle_up_req(), the MST topology could be removed from\nanother thread via drm_dp_mst_topology_mgr_set_mst(false), freeing\nmst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.\nThis could lead to a NULL deref/use-after-free of mst_primary in\ndrm_dp_mst_handle_up_req().\n\nAvoid the above by holding a reference for mst_primary in\ndrm_dp_mst_handle_up_req() while it\u0027s used.\n\nv2: Fix kfreeing the request if getting an mst_primary reference fails."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T12:59:19.153Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f61b2e5e7821f868d6afc22382a66a30ee780ba0"
        },
        {
          "url": "https://git.kernel.org/stable/c/9735d40f5fde9970aa46e828ecc85c32571d58a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce55818b2d3a999f886af91679589e4644ff1dc8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e54b00086f7473dbda1a7d6fc47720ced157c6a8"
        }
      ],
      "title": "drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57798",
    "datePublished": "2025-01-11T12:39:48.212Z",
    "dateReserved": "2025-01-11T12:32:49.420Z",
    "dateUpdated": "2025-11-03T20:54:32.760Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56774 (GCVE-0-2024-56774)

Vulnerability from cvelistv5 – Published: 2025-01-08 17:49 – Updated: 2025-11-03 20:54

Title

btrfs: add a sanity check for btrfs root in btrfs_search_slot()

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: add a sanity check for btrfs root in btrfs_search_slot() Syzbot reports a null-ptr-deref in btrfs_search_slot(). The reproducer is using rescue=ibadroots, and the extent tree root is corrupted thus the extent tree is NULL. When scrub tries to search the extent tree to gather the needed extent info, btrfs_search_slot() doesn't check if the target root is NULL or not, resulting the null-ptr-deref. Add sanity check for btrfs root before using it in btrfs_search_slot().

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c71d114ef68c95da5…
	https://git.kernel.org/stable/c/db66fb87c21e8ae72…
	https://git.kernel.org/stable/c/757171d1369b3b47f…
	https://git.kernel.org/stable/c/93992c3d9629b02dc…
	https://git.kernel.org/stable/c/3ed51857a50f530ac…

Impacted products

Vendor

Product

Version

Linux

Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < c71d114ef68c95da5a82ec85a721ab31f5bd905b (git)
Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < db66fb87c21e8ae724886e6a464dcbac562a64c6 (git)
Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < 757171d1369b3b47f36932d40a05a0715496dcab (git)
Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < 93992c3d9629b02dccf6849238559d5c24f2dece (git)
Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < 3ed51857a50f530ac7a1482e069dfbd1298558d4 (git)

Linux

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56774",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:45.422669Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:24.846Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:09.775Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ctree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c71d114ef68c95da5a82ec85a721ab31f5bd905b",
              "status": "affected",
              "version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
              "versionType": "git"
            },
            {
              "lessThan": "db66fb87c21e8ae724886e6a464dcbac562a64c6",
              "status": "affected",
              "version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
              "versionType": "git"
            },
            {
              "lessThan": "757171d1369b3b47f36932d40a05a0715496dcab",
              "status": "affected",
              "version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
              "versionType": "git"
            },
            {
              "lessThan": "93992c3d9629b02dccf6849238559d5c24f2dece",
              "status": "affected",
              "version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
              "versionType": "git"
            },
            {
              "lessThan": "3ed51857a50f530ac7a1482e069dfbd1298558d4",
              "status": "affected",
              "version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ctree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: add a sanity check for btrfs root in btrfs_search_slot()\n\nSyzbot reports a null-ptr-deref in btrfs_search_slot().\n\nThe reproducer is using rescue=ibadroots, and the extent tree root is\ncorrupted thus the extent tree is NULL.\n\nWhen scrub tries to search the extent tree to gather the needed extent\ninfo, btrfs_search_slot() doesn\u0027t check if the target root is NULL or\nnot, resulting the null-ptr-deref.\n\nAdd sanity check for btrfs root before using it in btrfs_search_slot()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:25.301Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c71d114ef68c95da5a82ec85a721ab31f5bd905b"
        },
        {
          "url": "https://git.kernel.org/stable/c/db66fb87c21e8ae724886e6a464dcbac562a64c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/757171d1369b3b47f36932d40a05a0715496dcab"
        },
        {
          "url": "https://git.kernel.org/stable/c/93992c3d9629b02dccf6849238559d5c24f2dece"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ed51857a50f530ac7a1482e069dfbd1298558d4"
        }
      ],
      "title": "btrfs: add a sanity check for btrfs root in btrfs_search_slot()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56774",
    "datePublished": "2025-01-08T17:49:13.121Z",
    "dateReserved": "2024-12-29T11:26:39.766Z",
    "dateUpdated": "2025-11-03T20:54:09.775Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56633 (GCVE-0-2024-56633)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-11-03 20:51

Title

tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg

Summary

In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg The current sk memory accounting logic in __SK_REDIRECT is pre-uncharging tosend bytes, which is either msg->sg.size or a smaller value apply_bytes. Potential problems with this strategy are as follows: - If the actual sent bytes are smaller than tosend, we need to charge some bytes back, as in line 487, which is okay but seems not clean. - When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may miss uncharging (msg->sg.size - apply_bytes) bytes. [...] 415 tosend = msg->sg.size; 416 if (psock->apply_bytes && psock->apply_bytes < tosend) 417 tosend = psock->apply_bytes; [...] 443 sk_msg_return(sk, msg, tosend); 444 release_sock(sk); 446 origsize = msg->sg.size; 447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress, 448 msg, tosend, flags); 449 sent = origsize - msg->sg.size; [...] 454 lock_sock(sk); 455 if (unlikely(ret < 0)) { 456 int free = sk_msg_free_nocharge(sk, msg); 458 if (!cork) 459 *copied -= free; 460 } [...] 487 if (eval == __SK_REDIRECT) 488 sk_mem_charge(sk, tosend - sent); [...] When running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply, the following warning will be reported: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0 Modules linked in: CPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: events sk_psock_destroy RIP: 0010:inet_sock_destruct+0x190/0x1a0 RSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206 RAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800 RDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900 RBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0 R10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400 R13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100 FS: 0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x89/0x130 ? inet_sock_destruct+0x190/0x1a0 ? report_bug+0xfc/0x1e0 ? handle_bug+0x5c/0xa0 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x190/0x1a0 __sk_destruct+0x25/0x220 sk_psock_destroy+0x2b2/0x310 process_scheduled_works+0xa3/0x3e0 worker_thread+0x117/0x240 ? __pfx_worker_thread+0x10/0x10 kthread+0xcf/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- In __SK_REDIRECT, a more concise way is delaying the uncharging after sent bytes are finalized, and uncharge this value. When (ret < 0), we shall invoke sk_msg_free. Same thing happens in case __SK_DROP, when tosend is set to apply_bytes, we may miss uncharging (msg->sg.size - apply_bytes) bytes. The same warning will be reported in selftest. [...] 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); 473 return -EACCES; [...] So instead of sk_msg_free_partial we can do sk_msg_free here.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/905d82e6e77d16ec3…
	https://git.kernel.org/stable/c/dbedc7e142df5ea23…
	https://git.kernel.org/stable/c/0d6cd1151e26fc7c2…
	https://git.kernel.org/stable/c/456f08d24afa51b5e…
	https://git.kernel.org/stable/c/206d56f41a1509cad…
	https://git.kernel.org/stable/c/5c9e3bb43a354a224…
	https://git.kernel.org/stable/c/ca70b8baf2bd125b2…

Impacted products

Vendor

Product

Version

Linux

Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 905d82e6e77d16ec3e089c92b7b59a14899dfc1a (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < dbedc7e142df5ea238a46fdd7462c1c42cd36a10 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 0d6cd1151e26fc7c2d5daa85e8984aaa685a1a12 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 456f08d24afa51b5eb816c42e4ca1c44a247bd42 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 206d56f41a1509cadd06e2178c26cb830e45057d (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 5c9e3bb43a354a2245caebbbbb4a5b8c034fdd56 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < ca70b8baf2bd125b2a4d96e76db79375c07d7ff2 (git)

Linux

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:30.092Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_bpf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "905d82e6e77d16ec3e089c92b7b59a14899dfc1a",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "dbedc7e142df5ea238a46fdd7462c1c42cd36a10",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "0d6cd1151e26fc7c2d5daa85e8984aaa685a1a12",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "456f08d24afa51b5eb816c42e4ca1c44a247bd42",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "206d56f41a1509cadd06e2178c26cb830e45057d",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "5c9e3bb43a354a2245caebbbbb4a5b8c034fdd56",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "ca70b8baf2bd125b2a4d96e76db79375c07d7ff2",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_bpf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg\n\nThe current sk memory accounting logic in __SK_REDIRECT is pre-uncharging\ntosend bytes, which is either msg-\u003esg.size or a smaller value apply_bytes.\n\nPotential problems with this strategy are as follows:\n\n- If the actual sent bytes are smaller than tosend, we need to charge some\n  bytes back, as in line 487, which is okay but seems not clean.\n\n- When tosend is set to apply_bytes, as in line 417, and (ret \u003c 0), we may\n  miss uncharging (msg-\u003esg.size - apply_bytes) bytes.\n\n[...]\n415 tosend = msg-\u003esg.size;\n416 if (psock-\u003eapply_bytes \u0026\u0026 psock-\u003eapply_bytes \u003c tosend)\n417   tosend = psock-\u003eapply_bytes;\n[...]\n443 sk_msg_return(sk, msg, tosend);\n444 release_sock(sk);\n446 origsize = msg-\u003esg.size;\n447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress,\n448                             msg, tosend, flags);\n449 sent = origsize - msg-\u003esg.size;\n[...]\n454 lock_sock(sk);\n455 if (unlikely(ret \u003c 0)) {\n456   int free = sk_msg_free_nocharge(sk, msg);\n458   if (!cork)\n459     *copied -= free;\n460 }\n[...]\n487 if (eval == __SK_REDIRECT)\n488   sk_mem_charge(sk, tosend - sent);\n[...]\n\nWhen running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply,\nthe following warning will be reported:\n\n------------[ cut here ]------------\nWARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0\nModules linked in:\nCPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nWorkqueue: events sk_psock_destroy\nRIP: 0010:inet_sock_destruct+0x190/0x1a0\nRSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206\nRAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800\nRDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900\nRBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0\nR10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400\nR13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100\nFS:  0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n\u003cTASK\u003e\n? __warn+0x89/0x130\n? inet_sock_destruct+0x190/0x1a0\n? report_bug+0xfc/0x1e0\n? handle_bug+0x5c/0xa0\n? exc_invalid_op+0x17/0x70\n? asm_exc_invalid_op+0x1a/0x20\n? inet_sock_destruct+0x190/0x1a0\n__sk_destruct+0x25/0x220\nsk_psock_destroy+0x2b2/0x310\nprocess_scheduled_works+0xa3/0x3e0\nworker_thread+0x117/0x240\n? __pfx_worker_thread+0x10/0x10\nkthread+0xcf/0x100\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x31/0x40\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n\u003c/TASK\u003e\n---[ end trace 0000000000000000 ]---\n\nIn __SK_REDIRECT, a more concise way is delaying the uncharging after sent\nbytes are finalized, and uncharge this value. When (ret \u003c 0), we shall\ninvoke sk_msg_free.\n\nSame thing happens in case __SK_DROP, when tosend is set to apply_bytes,\nwe may miss uncharging (msg-\u003esg.size - apply_bytes) bytes. The same\nwarning will be reported in selftest.\n\n[...]\n468 case __SK_DROP:\n469 default:\n470 sk_msg_free_partial(sk, msg, tosend);\n471 sk_msg_apply_bytes(psock, tosend);\n472 *copied -= (tosend + delta);\n473 return -EACCES;\n[...]\n\nSo instead of sk_msg_free_partial we can do sk_msg_free here."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:36.639Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/905d82e6e77d16ec3e089c92b7b59a14899dfc1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbedc7e142df5ea238a46fdd7462c1c42cd36a10"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d6cd1151e26fc7c2d5daa85e8984aaa685a1a12"
        },
        {
          "url": "https://git.kernel.org/stable/c/456f08d24afa51b5eb816c42e4ca1c44a247bd42"
        },
        {
          "url": "https://git.kernel.org/stable/c/206d56f41a1509cadd06e2178c26cb830e45057d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c9e3bb43a354a2245caebbbbb4a5b8c034fdd56"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca70b8baf2bd125b2a4d96e76db79375c07d7ff2"
        }
      ],
      "title": "tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56633",
    "datePublished": "2024-12-27T15:02:31.273Z",
    "dateReserved": "2024-12-27T15:00:39.838Z",
    "dateUpdated": "2025-11-03T20:51:30.092Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56598 (GCVE-0-2024-56598)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2026-01-05 10:56

Title

jfs: array-index-out-of-bounds fix in dtReadFirst

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: array-index-out-of-bounds fix in dtReadFirst The value of stbl can be sometimes out of bounds due to a bad filesystem. Added a check with appopriate return of error code in that case.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-129 - Improper Validation of Array Index

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/25f1e673ef61d6bf9…
	https://git.kernel.org/stable/c/8c97a4d5463a1c972…
	https://git.kernel.org/stable/c/823d573f5450ca6be…
	https://git.kernel.org/stable/c/2eea5fda5556ef03d…
	https://git.kernel.org/stable/c/fd993b2180b4c373a…
	https://git.kernel.org/stable/c/22dcbf7661c6ffc32…
	https://git.kernel.org/stable/c/ca84a2c9be482836b…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 25f1e673ef61d6bf9a6022e27936785896d74948 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8c97a4d5463a1c972ef576ac499ea9b05f956097 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 823d573f5450ca6be80b36f54d1902ac7cd23fb9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2eea5fda5556ef03defebf07b0a12fcd2c5210f4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd993b2180b4c373af8b99aa28d4dcda5c2a8f10 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 22dcbf7661c6ffc3247978c254dc40b833a0d429 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ca84a2c9be482836b86d780244f0357e5a778c46 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56598",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:28.259842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-129",
                "description": "CWE-129 Improper Validation of Array Index",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:13.876Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:33.896Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "25f1e673ef61d6bf9a6022e27936785896d74948",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8c97a4d5463a1c972ef576ac499ea9b05f956097",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "823d573f5450ca6be80b36f54d1902ac7cd23fb9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2eea5fda5556ef03defebf07b0a12fcd2c5210f4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fd993b2180b4c373af8b99aa28d4dcda5c2a8f10",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "22dcbf7661c6ffc3247978c254dc40b833a0d429",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ca84a2c9be482836b86d780244f0357e5a778c46",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: array-index-out-of-bounds fix in dtReadFirst\n\nThe value of stbl can be sometimes out of bounds due\nto a bad filesystem. Added a check with appopriate return\nof error code in that case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:02.661Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/25f1e673ef61d6bf9a6022e27936785896d74948"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c97a4d5463a1c972ef576ac499ea9b05f956097"
        },
        {
          "url": "https://git.kernel.org/stable/c/823d573f5450ca6be80b36f54d1902ac7cd23fb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/2eea5fda5556ef03defebf07b0a12fcd2c5210f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd993b2180b4c373af8b99aa28d4dcda5c2a8f10"
        },
        {
          "url": "https://git.kernel.org/stable/c/22dcbf7661c6ffc3247978c254dc40b833a0d429"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca84a2c9be482836b86d780244f0357e5a778c46"
        }
      ],
      "title": "jfs: array-index-out-of-bounds fix in dtReadFirst",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56598",
    "datePublished": "2024-12-27T14:51:04.988Z",
    "dateReserved": "2024-12-27T14:03:06.010Z",
    "dateUpdated": "2026-01-05T10:56:02.661Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57917 (GCVE-0-2024-57917)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-11-03 20:55

Title

topology: Keep the cpumask unchanged when printing cpumap

Summary

In the Linux kernel, the following vulnerability has been resolved: topology: Keep the cpumask unchanged when printing cpumap During fuzz testing, the following warning was discovered: different return values (15 and 11) from vsnprintf("%*pbl ", ...) test:keyward is WARNING in kvasprintf WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130 Call Trace: kvasprintf+0x121/0x130 kasprintf+0xa6/0xe0 bitmap_print_to_buf+0x89/0x100 core_siblings_list_read+0x7e/0xb0 kernfs_file_read_iter+0x15b/0x270 new_sync_read+0x153/0x260 vfs_read+0x215/0x290 ksys_read+0xb9/0x160 do_syscall_64+0x56/0x100 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The call trace shows that kvasprintf() reported this warning during the printing of core_siblings_list. kvasprintf() has several steps: (1) First, calculate the length of the resulting formatted string. (2) Allocate a buffer based on the returned length. (3) Then, perform the actual string formatting. (4) Check whether the lengths of the formatted strings returned in steps (1) and (2) are consistent. If the core_cpumask is modified between steps (1) and (3), the lengths obtained in these two steps may not match. Indeed our test includes cpu hotplugging, which should modify core_cpumask while printing. To fix this issue, cache the cpumask into a temporary variable before calling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged during the printing process.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1c7818e2746e74783…
	https://git.kernel.org/stable/c/ca47e933a900492d8…
	https://git.kernel.org/stable/c/b02cf1d27e460ab2b…
	https://git.kernel.org/stable/c/360596e7fe319a5db…
	https://git.kernel.org/stable/c/cbd399f78e23ad449…

Impacted products

Vendor

Product

Version

Linux

Affected: bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257 , < 1c7818e2746e747838a3de1687e89eac7b947f08 (git)
Affected: bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257 , < ca47e933a900492d89dcf5db18a99c28bd4a742d (git)
Affected: bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257 , < b02cf1d27e460ab2b3e1c8c9ce472d562cad2e8d (git)
Affected: bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257 , < 360596e7fe319a5db1b5fb34a3952862ae53c924 (git)
Affected: bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257 , < cbd399f78e23ad4492c174fc5e6b3676dba74a52 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:50.931Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/topology.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1c7818e2746e747838a3de1687e89eac7b947f08",
              "status": "affected",
              "version": "bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257",
              "versionType": "git"
            },
            {
              "lessThan": "ca47e933a900492d89dcf5db18a99c28bd4a742d",
              "status": "affected",
              "version": "bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257",
              "versionType": "git"
            },
            {
              "lessThan": "b02cf1d27e460ab2b3e1c8c9ce472d562cad2e8d",
              "status": "affected",
              "version": "bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257",
              "versionType": "git"
            },
            {
              "lessThan": "360596e7fe319a5db1b5fb34a3952862ae53c924",
              "status": "affected",
              "version": "bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257",
              "versionType": "git"
            },
            {
              "lessThan": "cbd399f78e23ad4492c174fc5e6b3676dba74a52",
              "status": "affected",
              "version": "bb9ec13d156e85dfd6a8afd0bb61ccf5736ed257",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/topology.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntopology: Keep the cpumask unchanged when printing cpumap\n\nDuring fuzz testing, the following warning was discovered:\n\n different return values (15 and 11) from vsnprintf(\"%*pbl\n \", ...)\n\n test:keyward is WARNING in kvasprintf\n WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130\n Call Trace:\n  kvasprintf+0x121/0x130\n  kasprintf+0xa6/0xe0\n  bitmap_print_to_buf+0x89/0x100\n  core_siblings_list_read+0x7e/0xb0\n  kernfs_file_read_iter+0x15b/0x270\n  new_sync_read+0x153/0x260\n  vfs_read+0x215/0x290\n  ksys_read+0xb9/0x160\n  do_syscall_64+0x56/0x100\n  entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe call trace shows that kvasprintf() reported this warning during the\nprinting of core_siblings_list. kvasprintf() has several steps:\n\n (1) First, calculate the length of the resulting formatted string.\n\n (2) Allocate a buffer based on the returned length.\n\n (3) Then, perform the actual string formatting.\n\n (4) Check whether the lengths of the formatted strings returned in\n     steps (1) and (2) are consistent.\n\nIf the core_cpumask is modified between steps (1) and (3), the lengths\nobtained in these two steps may not match. Indeed our test includes cpu\nhotplugging, which should modify core_cpumask while printing.\n\nTo fix this issue, cache the cpumask into a temporary variable before\ncalling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged\nduring the printing process."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:36.137Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1c7818e2746e747838a3de1687e89eac7b947f08"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca47e933a900492d89dcf5db18a99c28bd4a742d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b02cf1d27e460ab2b3e1c8c9ce472d562cad2e8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/360596e7fe319a5db1b5fb34a3952862ae53c924"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbd399f78e23ad4492c174fc5e6b3676dba74a52"
        }
      ],
      "title": "topology: Keep the cpumask unchanged when printing cpumap",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57917",
    "datePublished": "2025-01-19T11:52:37.866Z",
    "dateReserved": "2025-01-19T11:50:08.375Z",
    "dateUpdated": "2025-11-03T20:55:50.931Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57882 (GCVE-0-2024-57882)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-11-03 20:54

Title

mptcp: fix TCP options overflow.

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix TCP options overflow. Syzbot reported the following splat: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_page_unref include/linux/skbuff_ref.h:43 [inline] __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5672 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 process_backlog+0x662/0x15b0 net/core/dev.c:6117 __napi_poll+0xcb/0x490 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7074 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0033:0x7f34f4519ad5 Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 </TASK> Eric noted a probable shinfo->nr_frags corruption, which indeed occurs. The root cause is a buggy MPTCP option len computation in some circumstances: the ADD_ADDR option should be mutually exclusive with DSS since the blamed commit. Still, mptcp_established_options_add_addr() tries to set the relevant info in mptcp_out_options, if ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/88b01048f286bb522…
	https://git.kernel.org/stable/c/09ba95321a269019b…
	https://git.kernel.org/stable/c/53fe947f67c93a533…
	https://git.kernel.org/stable/c/fb08e6b0ba284e3dc…
	https://git.kernel.org/stable/c/cbb26f7d8451fe56c…

Impacted products

Vendor

Product

Version

Linux

Affected: 1bff1e43a30e2f7500a49d47fd26a425643a6a37 , < 88b01048f286bb522f524ad99943ba86797d6514 (git)
Affected: 1bff1e43a30e2f7500a49d47fd26a425643a6a37 , < 09ba95321a269019b5aa8e0c3bc80cf86d91fd18 (git)
Affected: 1bff1e43a30e2f7500a49d47fd26a425643a6a37 , < 53fe947f67c93a5334aed3a7259fcc8a204f8bb6 (git)
Affected: 1bff1e43a30e2f7500a49d47fd26a425643a6a37 , < fb08e6b0ba284e3dcdc9378de26dcb51d90710f5 (git)
Affected: 1bff1e43a30e2f7500a49d47fd26a425643a6a37 , < cbb26f7d8451fe56ccac802c6db48d16240feebd (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:51.339Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/01/3"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/options.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "88b01048f286bb522f524ad99943ba86797d6514",
              "status": "affected",
              "version": "1bff1e43a30e2f7500a49d47fd26a425643a6a37",
              "versionType": "git"
            },
            {
              "lessThan": "09ba95321a269019b5aa8e0c3bc80cf86d91fd18",
              "status": "affected",
              "version": "1bff1e43a30e2f7500a49d47fd26a425643a6a37",
              "versionType": "git"
            },
            {
              "lessThan": "53fe947f67c93a5334aed3a7259fcc8a204f8bb6",
              "status": "affected",
              "version": "1bff1e43a30e2f7500a49d47fd26a425643a6a37",
              "versionType": "git"
            },
            {
              "lessThan": "fb08e6b0ba284e3dcdc9378de26dcb51d90710f5",
              "status": "affected",
              "version": "1bff1e43a30e2f7500a49d47fd26a425643a6a37",
              "versionType": "git"
            },
            {
              "lessThan": "cbb26f7d8451fe56ccac802c6db48d16240feebd",
              "status": "affected",
              "version": "1bff1e43a30e2f7500a49d47fd26a425643a6a37",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/options.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix TCP options overflow.\n\nSyzbot reported the following splat:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\nRIP: 0010:_compound_head include/linux/page-flags.h:242 [inline]\nRIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552\nCode: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 \u003c80\u003e 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83\nRSP: 0000:ffffc90003916c90 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000\nRDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac\nR10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007\nR13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n skb_page_unref include/linux/skbuff_ref.h:43 [inline]\n __skb_frag_unref include/linux/skbuff_ref.h:56 [inline]\n skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb+0x55/0x70 net/core/skbuff.c:1204\n tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline]\n tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032\n tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805\n tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939\n tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351\n ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233\n NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n __netif_receive_skb_one_core net/core/dev.c:5672 [inline]\n __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785\n process_backlog+0x662/0x15b0 net/core/dev.c:6117\n __napi_poll+0xcb/0x490 net/core/dev.c:6883\n napi_poll net/core/dev.c:6952 [inline]\n net_rx_action+0x89b/0x1240 net/core/dev.c:7074\n handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\nRIP: 0033:0x7f34f4519ad5\nCode: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83\nRSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246\nRAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5\nRDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0\nRBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000\nR10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4\nR13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68\n \u003c/TASK\u003e\n\nEric noted a probable shinfo-\u003enr_frags corruption, which indeed\noccurs.\n\nThe root cause is a buggy MPTCP option len computation in some\ncircumstances: the ADD_ADDR option should be mutually exclusive\nwith DSS since the blamed commit.\n\nStill, mptcp_established_options_add_addr() tries to set the\nrelevant info in mptcp_out_options, if \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:47.344Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/88b01048f286bb522f524ad99943ba86797d6514"
        },
        {
          "url": "https://git.kernel.org/stable/c/09ba95321a269019b5aa8e0c3bc80cf86d91fd18"
        },
        {
          "url": "https://git.kernel.org/stable/c/53fe947f67c93a5334aed3a7259fcc8a204f8bb6"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb08e6b0ba284e3dcdc9378de26dcb51d90710f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbb26f7d8451fe56ccac802c6db48d16240feebd"
        }
      ],
      "title": "mptcp: fix TCP options overflow.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57882",
    "datePublished": "2025-01-15T13:05:35.426Z",
    "dateReserved": "2025-01-11T14:45:42.023Z",
    "dateUpdated": "2025-11-03T20:54:51.339Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56596 (GCVE-0-2024-56596)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2026-01-05 10:55

Title

jfs: fix array-index-out-of-bounds in jfs_readdir

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in jfs_readdir The stbl might contain some invalid values. Added a check to return error code in that case.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-129 - Improper Validation of Array Index

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b62f41aeec9d25014…
	https://git.kernel.org/stable/c/97e693593162eef68…
	https://git.kernel.org/stable/c/9efe72eefd4c4a7ce…
	https://git.kernel.org/stable/c/ff9fc48fab0e1ea0d…
	https://git.kernel.org/stable/c/e7d376f94f72b020f…
	https://git.kernel.org/stable/c/8ff7579554571d92e…
	https://git.kernel.org/stable/c/839f102efb168f02d…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b62f41aeec9d250144c53875b507c1d45ae8c8fc (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 97e693593162eef6851d232f0c8148169ed46a5c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9efe72eefd4c4a7ce63b3e4d667d766d2b360cb4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ff9fc48fab0e1ea0d423c23c99b91bba178f0b05 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e7d376f94f72b020f84e77278b150ec1cc27502c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8ff7579554571d92e3deab168f5a7d7b146ed368 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 839f102efb168f02dfdd46717b7c6dddb26b015e (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56596",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:31.920173Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-129",
                "description": "CWE-129 Improper Validation of Array Index",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:14.017Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:27.430Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b62f41aeec9d250144c53875b507c1d45ae8c8fc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "97e693593162eef6851d232f0c8148169ed46a5c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9efe72eefd4c4a7ce63b3e4d667d766d2b360cb4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ff9fc48fab0e1ea0d423c23c99b91bba178f0b05",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e7d376f94f72b020f84e77278b150ec1cc27502c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8ff7579554571d92e3deab168f5a7d7b146ed368",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "839f102efb168f02dfdd46717b7c6dddb26b015e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in jfs_readdir\n\nThe stbl might contain some invalid values. Added a check to\nreturn error code in that case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:55:58.987Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b62f41aeec9d250144c53875b507c1d45ae8c8fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/97e693593162eef6851d232f0c8148169ed46a5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9efe72eefd4c4a7ce63b3e4d667d766d2b360cb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff9fc48fab0e1ea0d423c23c99b91bba178f0b05"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7d376f94f72b020f84e77278b150ec1cc27502c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ff7579554571d92e3deab168f5a7d7b146ed368"
        },
        {
          "url": "https://git.kernel.org/stable/c/839f102efb168f02dfdd46717b7c6dddb26b015e"
        }
      ],
      "title": "jfs: fix array-index-out-of-bounds in jfs_readdir",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56596",
    "datePublished": "2024-12-27T14:51:03.282Z",
    "dateReserved": "2024-12-27T14:03:06.010Z",
    "dateUpdated": "2026-01-05T10:55:58.987Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57899 (GCVE-0-2024-57899)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2026-01-05 10:56

Title

wifi: mac80211: fix mbss changed flags corruption on 32 bit systems

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix mbss changed flags corruption on 32 bit systems On 32-bit systems, the size of an unsigned long is 4 bytes, while a u64 is 8 bytes. Therefore, when using or_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE), the code is incorrectly searching for a bit in a 32-bit variable that is expected to be 64 bits in size, leading to incorrect bit finding. Solution: Ensure that the size of the bits variable is correctly adjusted for each architecture. Call Trace: ? show_regs+0x54/0x58 ? __warn+0x6b/0xd4 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? report_bug+0x113/0x150 ? exc_overflow+0x30/0x30 ? handle_bug+0x27/0x44 ? exc_invalid_op+0x18/0x50 ? handle_exception+0xf6/0xf6 ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? ieee80211_mesh_work+0xff/0x260 [mac80211] ? cfg80211_wiphy_work+0x72/0x98 [cfg80211] ? process_one_work+0xf1/0x1fc ? worker_thread+0x2c0/0x3b4 ? kthread+0xc7/0xf0 ? mod_delayed_work_on+0x4c/0x4c ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork+0x24/0x38 ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork_asm+0xf/0x14 ? entry_INT80_32+0xf0/0xf0 [restore no-op path for no changes]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/86772872f9f5097cd…
	https://git.kernel.org/stable/c/36b739637d7042843…
	https://git.kernel.org/stable/c/49dba1ded8dd5a6a1…

Impacted products

Vendor

Product

Version

Linux

Affected: 15ddba5f43114c1fd9cd83676e04a9e1acf8e37f , < 86772872f9f5097cd03d0e1c6813238bd38c250b (git)
Affected: 15ddba5f43114c1fd9cd83676e04a9e1acf8e37f , < 36b739637d7042843f9df57212ecee6ed6e0d4b2 (git)
Affected: 15ddba5f43114c1fd9cd83676e04a9e1acf8e37f , < 49dba1ded8dd5a6a12748631403240b2ab245c34 (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/mesh.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "86772872f9f5097cd03d0e1c6813238bd38c250b",
              "status": "affected",
              "version": "15ddba5f43114c1fd9cd83676e04a9e1acf8e37f",
              "versionType": "git"
            },
            {
              "lessThan": "36b739637d7042843f9df57212ecee6ed6e0d4b2",
              "status": "affected",
              "version": "15ddba5f43114c1fd9cd83676e04a9e1acf8e37f",
              "versionType": "git"
            },
            {
              "lessThan": "49dba1ded8dd5a6a12748631403240b2ab245c34",
              "status": "affected",
              "version": "15ddba5f43114c1fd9cd83676e04a9e1acf8e37f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/mesh.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix mbss changed flags corruption on 32 bit systems\n\nOn 32-bit systems, the size of an unsigned long is 4 bytes,\nwhile a u64 is 8 bytes. Therefore, when using\nor_each_set_bit(bit, \u0026bits, sizeof(changed) * BITS_PER_BYTE),\nthe code is incorrectly searching for a bit in a 32-bit\nvariable that is expected to be 64 bits in size,\nleading to incorrect bit finding.\n\nSolution: Ensure that the size of the bits variable is correctly\nadjusted for each architecture.\n\n Call Trace:\n  ? show_regs+0x54/0x58\n  ? __warn+0x6b/0xd4\n  ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]\n  ? report_bug+0x113/0x150\n  ? exc_overflow+0x30/0x30\n  ? handle_bug+0x27/0x44\n  ? exc_invalid_op+0x18/0x50\n  ? handle_exception+0xf6/0xf6\n  ? exc_overflow+0x30/0x30\n  ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]\n  ? exc_overflow+0x30/0x30\n  ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]\n  ? ieee80211_mesh_work+0xff/0x260 [mac80211]\n  ? cfg80211_wiphy_work+0x72/0x98 [cfg80211]\n  ? process_one_work+0xf1/0x1fc\n  ? worker_thread+0x2c0/0x3b4\n  ? kthread+0xc7/0xf0\n  ? mod_delayed_work_on+0x4c/0x4c\n  ? kthread_complete_and_exit+0x14/0x14\n  ? ret_from_fork+0x24/0x38\n  ? kthread_complete_and_exit+0x14/0x14\n  ? ret_from_fork_asm+0xf/0x14\n  ? entry_INT80_32+0xf0/0xf0\n\n[restore no-op path for no changes]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:39.063Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/86772872f9f5097cd03d0e1c6813238bd38c250b"
        },
        {
          "url": "https://git.kernel.org/stable/c/36b739637d7042843f9df57212ecee6ed6e0d4b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/49dba1ded8dd5a6a12748631403240b2ab245c34"
        }
      ],
      "title": "wifi: mac80211: fix mbss changed flags corruption on 32 bit systems",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57899",
    "datePublished": "2025-01-15T13:05:50.701Z",
    "dateReserved": "2025-01-11T14:45:42.030Z",
    "dateUpdated": "2026-01-05T10:56:39.063Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56615 (GCVE-0-2024-56615)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-11-03 20:51

Title

bpf: fix OOB devmap writes when deleting elements

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: fix OOB devmap writes when deleting elements Jordy reported issue against XSKMAP which also applies to DEVMAP - the index used for accessing map entry, due to being a signed integer, causes the OOB writes. Fix is simple as changing the type from int to u32, however, when compared to XSKMAP case, one more thing needs to be addressed. When map is released from system via dev_map_free(), we iterate through all of the entries and an iterator variable is also an int, which implies OOB accesses. Again, change it to be u32. Example splat below: [ 160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000 [ 160.731662] #PF: supervisor read access in kernel mode [ 160.736876] #PF: error_code(0x0000) - not-present page [ 160.742095] PGD 0 P4D 0 [ 160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP [ 160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487 [ 160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 160.767642] Workqueue: events_unbound bpf_map_free_deferred [ 160.773308] RIP: 0010:dev_map_free+0x77/0x170 [ 160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff [ 160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202 [ 160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024 [ 160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000 [ 160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001 [ 160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122 [ 160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000 [ 160.838310] FS: 0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000 [ 160.846528] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0 [ 160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 160.874092] PKRU: 55555554 [ 160.876847] Call Trace: [ 160.879338] <TASK> [ 160.881477] ? __die+0x20/0x60 [ 160.884586] ? page_fault_oops+0x15a/0x450 [ 160.888746] ? search_extable+0x22/0x30 [ 160.892647] ? search_bpf_extables+0x5f/0x80 [ 160.896988] ? exc_page_fault+0xa9/0x140 [ 160.900973] ? asm_exc_page_fault+0x22/0x30 [ 160.905232] ? dev_map_free+0x77/0x170 [ 160.909043] ? dev_map_free+0x58/0x170 [ 160.912857] bpf_map_free_deferred+0x51/0x90 [ 160.917196] process_one_work+0x142/0x370 [ 160.921272] worker_thread+0x29e/0x3b0 [ 160.925082] ? rescuer_thread+0x4b0/0x4b0 [ 160.929157] kthread+0xd4/0x110 [ 160.932355] ? kthread_park+0x80/0x80 [ 160.936079] ret_from_fork+0x2d/0x50 [ 160.943396] ? kthread_park+0x80/0x80 [ 160.950803] ret_from_fork_asm+0x11/0x20 [ 160.958482] </TASK>

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0f170e91d3063ca60…
	https://git.kernel.org/stable/c/70f3de869865f9c3d…
	https://git.kernel.org/stable/c/ad34306ac6836e5dd…
	https://git.kernel.org/stable/c/98c03d05936d84607…
	https://git.kernel.org/stable/c/8e858930695d3ebec…
	https://git.kernel.org/stable/c/178e31df1fb3d9e08…
	https://git.kernel.org/stable/c/ab244dd7cf4c291f8…

Impacted products

Vendor

Product

Version

Linux

Affected: 546ac1ffb70d25b56c1126940e5ec639c4dd7413 , < 0f170e91d3063ca60baec4bd9f544faf3bfe29eb (git)
Affected: 546ac1ffb70d25b56c1126940e5ec639c4dd7413 , < 70f3de869865f9c3da0508a5ea29f6f4c1889057 (git)
Affected: 546ac1ffb70d25b56c1126940e5ec639c4dd7413 , < ad34306ac6836e5dd096b7d0ad4aa20cb7c8d9e5 (git)
Affected: 546ac1ffb70d25b56c1126940e5ec639c4dd7413 , < 98c03d05936d846073df8f550e9e8bf0dde1d77f (git)
Affected: 546ac1ffb70d25b56c1126940e5ec639c4dd7413 , < 8e858930695d3ebec423e85384c95427258c294f (git)
Affected: 546ac1ffb70d25b56c1126940e5ec639c4dd7413 , < 178e31df1fb3d9e0890eb471da16709cbc82edee (git)
Affected: 546ac1ffb70d25b56c1126940e5ec639c4dd7413 , < ab244dd7cf4c291f82faacdc50b45cc0f55b674d (git)

Linux

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56615",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:08.212567Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:13.109Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:02.480Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/devmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0f170e91d3063ca60baec4bd9f544faf3bfe29eb",
              "status": "affected",
              "version": "546ac1ffb70d25b56c1126940e5ec639c4dd7413",
              "versionType": "git"
            },
            {
              "lessThan": "70f3de869865f9c3da0508a5ea29f6f4c1889057",
              "status": "affected",
              "version": "546ac1ffb70d25b56c1126940e5ec639c4dd7413",
              "versionType": "git"
            },
            {
              "lessThan": "ad34306ac6836e5dd096b7d0ad4aa20cb7c8d9e5",
              "status": "affected",
              "version": "546ac1ffb70d25b56c1126940e5ec639c4dd7413",
              "versionType": "git"
            },
            {
              "lessThan": "98c03d05936d846073df8f550e9e8bf0dde1d77f",
              "status": "affected",
              "version": "546ac1ffb70d25b56c1126940e5ec639c4dd7413",
              "versionType": "git"
            },
            {
              "lessThan": "8e858930695d3ebec423e85384c95427258c294f",
              "status": "affected",
              "version": "546ac1ffb70d25b56c1126940e5ec639c4dd7413",
              "versionType": "git"
            },
            {
              "lessThan": "178e31df1fb3d9e0890eb471da16709cbc82edee",
              "status": "affected",
              "version": "546ac1ffb70d25b56c1126940e5ec639c4dd7413",
              "versionType": "git"
            },
            {
              "lessThan": "ab244dd7cf4c291f82faacdc50b45cc0f55b674d",
              "status": "affected",
              "version": "546ac1ffb70d25b56c1126940e5ec639c4dd7413",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/devmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix OOB devmap writes when deleting elements\n\nJordy reported issue against XSKMAP which also applies to DEVMAP - the\nindex used for accessing map entry, due to being a signed integer,\ncauses the OOB writes. Fix is simple as changing the type from int to\nu32, however, when compared to XSKMAP case, one more thing needs to be\naddressed.\n\nWhen map is released from system via dev_map_free(), we iterate through\nall of the entries and an iterator variable is also an int, which\nimplies OOB accesses. Again, change it to be u32.\n\nExample splat below:\n\n[  160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000\n[  160.731662] #PF: supervisor read access in kernel mode\n[  160.736876] #PF: error_code(0x0000) - not-present page\n[  160.742095] PGD 0 P4D 0\n[  160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP\n[  160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487\n[  160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[  160.767642] Workqueue: events_unbound bpf_map_free_deferred\n[  160.773308] RIP: 0010:dev_map_free+0x77/0x170\n[  160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 \u003c48\u003e 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff\n[  160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202\n[  160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024\n[  160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000\n[  160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001\n[  160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122\n[  160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000\n[  160.838310] FS:  0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000\n[  160.846528] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0\n[  160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  160.874092] PKRU: 55555554\n[  160.876847] Call Trace:\n[  160.879338]  \u003cTASK\u003e\n[  160.881477]  ? __die+0x20/0x60\n[  160.884586]  ? page_fault_oops+0x15a/0x450\n[  160.888746]  ? search_extable+0x22/0x30\n[  160.892647]  ? search_bpf_extables+0x5f/0x80\n[  160.896988]  ? exc_page_fault+0xa9/0x140\n[  160.900973]  ? asm_exc_page_fault+0x22/0x30\n[  160.905232]  ? dev_map_free+0x77/0x170\n[  160.909043]  ? dev_map_free+0x58/0x170\n[  160.912857]  bpf_map_free_deferred+0x51/0x90\n[  160.917196]  process_one_work+0x142/0x370\n[  160.921272]  worker_thread+0x29e/0x3b0\n[  160.925082]  ? rescuer_thread+0x4b0/0x4b0\n[  160.929157]  kthread+0xd4/0x110\n[  160.932355]  ? kthread_park+0x80/0x80\n[  160.936079]  ret_from_fork+0x2d/0x50\n[  160.943396]  ? kthread_park+0x80/0x80\n[  160.950803]  ret_from_fork_asm+0x11/0x20\n[  160.958482]  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:59:56.222Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0f170e91d3063ca60baec4bd9f544faf3bfe29eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/70f3de869865f9c3da0508a5ea29f6f4c1889057"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad34306ac6836e5dd096b7d0ad4aa20cb7c8d9e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/98c03d05936d846073df8f550e9e8bf0dde1d77f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e858930695d3ebec423e85384c95427258c294f"
        },
        {
          "url": "https://git.kernel.org/stable/c/178e31df1fb3d9e0890eb471da16709cbc82edee"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab244dd7cf4c291f82faacdc50b45cc0f55b674d"
        }
      ],
      "title": "bpf: fix OOB devmap writes when deleting elements",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56615",
    "datePublished": "2024-12-27T14:51:20.206Z",
    "dateReserved": "2024-12-27T14:03:06.014Z",
    "dateUpdated": "2025-11-03T20:51:02.480Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56609 (GCVE-0-2024-56609)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-11-03 19:32

Title

wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb When removing kernel modules by: rmmod rtw88_8723cs rtw88_8703b rtw88_8723x rtw88_sdio rtw88_core Driver uses skb_queue_purge() to purge TX skb, but not report tx status causing "Have pending ack frames!" warning. Use ieee80211_purge_tx_queue() to correct this. Since ieee80211_purge_tx_queue() doesn't take locks, to prevent racing between TX work and purge TX queue, flush and destroy TX work in advance. wlan0: deauthenticating from aa:f5:fd:60:4c:a8 by local choice (Reason: 3=DEAUTH_LEAVING) ------------[ cut here ]------------ Have pending ack frames! WARNING: CPU: 3 PID: 9232 at net/mac80211/main.c:1691 ieee80211_free_ack_frame+0x5c/0x90 [mac80211] CPU: 3 PID: 9232 Comm: rmmod Tainted: G C 6.10.1-200.fc40.aarch64 #1 Hardware name: pine64 Pine64 PinePhone Braveheart (1.1)/Pine64 PinePhone Braveheart (1.1), BIOS 2024.01 01/01/2024 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ieee80211_free_ack_frame+0x5c/0x90 [mac80211] lr : ieee80211_free_ack_frame+0x5c/0x90 [mac80211] sp : ffff80008c1b37b0 x29: ffff80008c1b37b0 x28: ffff000003be8000 x27: 0000000000000000 x26: 0000000000000000 x25: ffff000003dc14b8 x24: ffff80008c1b37d0 x23: ffff000000ff9f80 x22: 0000000000000000 x21: 000000007fffffff x20: ffff80007c7e93d8 x19: ffff00006e66f400 x18: 0000000000000000 x17: ffff7ffffd2b3000 x16: ffff800083fc0000 x15: 0000000000000000 x14: 0000000000000000 x13: 2173656d61726620 x12: 6b636120676e6964 x11: 0000000000000000 x10: 000000000000005d x9 : ffff8000802af2b0 x8 : ffff80008c1b3430 x7 : 0000000000000001 x6 : 0000000000000001 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000003be8000 Call trace: ieee80211_free_ack_frame+0x5c/0x90 [mac80211] idr_for_each+0x74/0x110 ieee80211_free_hw+0x44/0xe8 [mac80211] rtw_sdio_remove+0x9c/0xc0 [rtw88_sdio] sdio_bus_remove+0x44/0x180 device_remove+0x54/0x90 device_release_driver_internal+0x1d4/0x238 driver_detach+0x54/0xc0 bus_remove_driver+0x78/0x108 driver_unregister+0x38/0x78 sdio_unregister_driver+0x2c/0x40 rtw_8723cs_driver_exit+0x18/0x1000 [rtw88_8723cs] __do_sys_delete_module.isra.0+0x190/0x338 __arm64_sys_delete_module+0x1c/0x30 invoke_syscall+0x74/0x100 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x158 el0t_64_sync_handler+0x120/0x138 el0t_64_sync+0x194/0x198 ---[ end trace 0000000000000000 ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4e8ce3978d704cb28…
	https://git.kernel.org/stable/c/3d94c4b21966b49c3…
	https://git.kernel.org/stable/c/9bca6528f20325d30…
	https://git.kernel.org/stable/c/3e5e4a801aaf42833…

Impacted products

Vendor

Product

Version

Linux

Affected: e3037485c68ec1a299ff41160d8fedbd4abc29b9 , < 4e8ce3978d704cb28678355d294e10a008b6230a (git)
Affected: e3037485c68ec1a299ff41160d8fedbd4abc29b9 , < 3d94c4b21966b49c3e26ceeefacaa11ff7ee6d68 (git)
Affected: e3037485c68ec1a299ff41160d8fedbd4abc29b9 , < 9bca6528f20325d30c22236b23116f161d418f6d (git)
Affected: e3037485c68ec1a299ff41160d8fedbd4abc29b9 , < 3e5e4a801aaf4283390cc34959c6c48f910ca5ea (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 6.1.136 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:32:28.553Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/sdio.c",
            "drivers/net/wireless/realtek/rtw88/usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4e8ce3978d704cb28678355d294e10a008b6230a",
              "status": "affected",
              "version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9",
              "versionType": "git"
            },
            {
              "lessThan": "3d94c4b21966b49c3e26ceeefacaa11ff7ee6d68",
              "status": "affected",
              "version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9",
              "versionType": "git"
            },
            {
              "lessThan": "9bca6528f20325d30c22236b23116f161d418f6d",
              "status": "affected",
              "version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9",
              "versionType": "git"
            },
            {
              "lessThan": "3e5e4a801aaf4283390cc34959c6c48f910ca5ea",
              "status": "affected",
              "version": "e3037485c68ec1a299ff41160d8fedbd4abc29b9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/sdio.c",
            "drivers/net/wireless/realtek/rtw88/usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.136",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb\n\nWhen removing kernel modules by:\n   rmmod rtw88_8723cs rtw88_8703b rtw88_8723x rtw88_sdio rtw88_core\n\nDriver uses skb_queue_purge() to purge TX skb, but not report tx status\ncausing \"Have pending ack frames!\" warning. Use ieee80211_purge_tx_queue()\nto correct this.\n\nSince ieee80211_purge_tx_queue() doesn\u0027t take locks, to prevent racing\nbetween TX work and purge TX queue, flush and destroy TX work in advance.\n\n   wlan0: deauthenticating from aa:f5:fd:60:4c:a8 by local\n     choice (Reason: 3=DEAUTH_LEAVING)\n   ------------[ cut here ]------------\n   Have pending ack frames!\n   WARNING: CPU: 3 PID: 9232 at net/mac80211/main.c:1691\n       ieee80211_free_ack_frame+0x5c/0x90 [mac80211]\n   CPU: 3 PID: 9232 Comm: rmmod Tainted: G         C\n       6.10.1-200.fc40.aarch64 #1\n   Hardware name: pine64 Pine64 PinePhone Braveheart\n      (1.1)/Pine64 PinePhone Braveheart (1.1), BIOS 2024.01 01/01/2024\n   pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n   pc : ieee80211_free_ack_frame+0x5c/0x90 [mac80211]\n   lr : ieee80211_free_ack_frame+0x5c/0x90 [mac80211]\n   sp : ffff80008c1b37b0\n   x29: ffff80008c1b37b0 x28: ffff000003be8000 x27: 0000000000000000\n   x26: 0000000000000000 x25: ffff000003dc14b8 x24: ffff80008c1b37d0\n   x23: ffff000000ff9f80 x22: 0000000000000000 x21: 000000007fffffff\n   x20: ffff80007c7e93d8 x19: ffff00006e66f400 x18: 0000000000000000\n   x17: ffff7ffffd2b3000 x16: ffff800083fc0000 x15: 0000000000000000\n   x14: 0000000000000000 x13: 2173656d61726620 x12: 6b636120676e6964\n   x11: 0000000000000000 x10: 000000000000005d x9 : ffff8000802af2b0\n   x8 : ffff80008c1b3430 x7 : 0000000000000001 x6 : 0000000000000001\n   x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n   x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000003be8000\n   Call trace:\n    ieee80211_free_ack_frame+0x5c/0x90 [mac80211]\n    idr_for_each+0x74/0x110\n    ieee80211_free_hw+0x44/0xe8 [mac80211]\n    rtw_sdio_remove+0x9c/0xc0 [rtw88_sdio]\n    sdio_bus_remove+0x44/0x180\n    device_remove+0x54/0x90\n    device_release_driver_internal+0x1d4/0x238\n    driver_detach+0x54/0xc0\n    bus_remove_driver+0x78/0x108\n    driver_unregister+0x38/0x78\n    sdio_unregister_driver+0x2c/0x40\n    rtw_8723cs_driver_exit+0x18/0x1000 [rtw88_8723cs]\n    __do_sys_delete_module.isra.0+0x190/0x338\n    __arm64_sys_delete_module+0x1c/0x30\n    invoke_syscall+0x74/0x100\n    el0_svc_common.constprop.0+0x48/0xf0\n    do_el0_svc+0x24/0x38\n    el0_svc+0x3c/0x158\n    el0t_64_sync_handler+0x120/0x138\n    el0t_64_sync+0x194/0x198\n   ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:59:40.547Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4e8ce3978d704cb28678355d294e10a008b6230a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d94c4b21966b49c3e26ceeefacaa11ff7ee6d68"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bca6528f20325d30c22236b23116f161d418f6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e5e4a801aaf4283390cc34959c6c48f910ca5ea"
        }
      ],
      "title": "wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56609",
    "datePublished": "2024-12-27T14:51:14.155Z",
    "dateReserved": "2024-12-27T14:03:06.013Z",
    "dateUpdated": "2025-11-03T19:32:28.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57802 (GCVE-0-2024-57802)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2025-11-03 20:54

Title

netrom: check buffer length before accessing it

Summary

In the Linux kernel, the following vulnerability has been resolved: netrom: check buffer length before accessing it Syzkaller reports an uninit value read from ax25cmp when sending raw message through ieee802154 implementation. ===================================================== BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601 nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774 nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299 ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 sock_alloc_send_skb include/net/sock.h:1884 [inline] raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282 ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 ===================================================== This issue occurs because the skb buffer is too small, and it's actual allocation is aligned. This hides an actual issue, which is that nr_route_frame does not validate the buffer size before using it. Fix this issue by checking skb->len before accessing any fields in skb->data. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/64e9f54a14f2887be…
	https://git.kernel.org/stable/c/cf6befa7c569787f5…
	https://git.kernel.org/stable/c/769e36c2119a51070…
	https://git.kernel.org/stable/c/78a110332ae268d0b…
	https://git.kernel.org/stable/c/f647d72245aadce30…
	https://git.kernel.org/stable/c/3ba7f80d98d496534…
	https://git.kernel.org/stable/c/a4fd163aed2edd967…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 64e9f54a14f2887be8634fb85cd2f13bec18a184 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cf6befa7c569787f53440274bbed1405fc07738d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 769e36c2119a51070faf58819c58274f57a088db (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 78a110332ae268d0b005247c3b9a7d703b875c49 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f647d72245aadce30618f4c8fd3803904418dbec (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3ba7f80d98d4965349cfcd258dd78418496c1625 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a4fd163aed2edd967a244499754dec991d8b4c7d (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.289 , ≤ 5.4.* (semver)
Unaffected: 5.10.233 , ≤ 5.10.* (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:26.486373Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:18.705Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:35.577Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netrom/nr_route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "64e9f54a14f2887be8634fb85cd2f13bec18a184",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cf6befa7c569787f53440274bbed1405fc07738d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "769e36c2119a51070faf58819c58274f57a088db",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "78a110332ae268d0b005247c3b9a7d703b875c49",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f647d72245aadce30618f4c8fd3803904418dbec",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3ba7f80d98d4965349cfcd258dd78418496c1625",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a4fd163aed2edd967a244499754dec991d8b4c7d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netrom/nr_route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: check buffer length before accessing it\n\nSyzkaller reports an uninit value read from ax25cmp when sending raw message\nthrough ieee802154 implementation.\n\n=====================================================\nBUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119\n ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119\n nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601\n nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774\n nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299\n ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780\n sock_alloc_send_skb include/net/sock.h:1884 [inline]\n raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282\n ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\n\nThis issue occurs because the skb buffer is too small, and it\u0027s actual\nallocation is aligned. This hides an actual issue, which is that nr_route_frame\ndoes not validate the buffer size before using it.\n\nFix this issue by checking skb-\u003elen before accessing any fields in skb-\u003edata.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:09.847Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/64e9f54a14f2887be8634fb85cd2f13bec18a184"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf6befa7c569787f53440274bbed1405fc07738d"
        },
        {
          "url": "https://git.kernel.org/stable/c/769e36c2119a51070faf58819c58274f57a088db"
        },
        {
          "url": "https://git.kernel.org/stable/c/78a110332ae268d0b005247c3b9a7d703b875c49"
        },
        {
          "url": "https://git.kernel.org/stable/c/f647d72245aadce30618f4c8fd3803904418dbec"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ba7f80d98d4965349cfcd258dd78418496c1625"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4fd163aed2edd967a244499754dec991d8b4c7d"
        }
      ],
      "title": "netrom: check buffer length before accessing it",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57802",
    "datePublished": "2025-01-15T13:10:25.685Z",
    "dateReserved": "2025-01-15T13:08:59.709Z",
    "dateUpdated": "2025-11-03T20:54:35.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57879 (GCVE-0-2024-57879)

Vulnerability from cvelistv5 – Published: 2025-01-11 15:05 – Updated: 2025-05-04 13:01

Title

Bluetooth: iso: Always release hdev at the end of iso_listen_bis

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Always release hdev at the end of iso_listen_bis Since hci_get_route holds the device before returning, the hdev should be released with hci_dev_put at the end of iso_listen_bis even if the function returns with an error.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4ca50db1c567d658d…
	https://git.kernel.org/stable/c/9c76fff747a73ba01…

Impacted products

Vendor

Product

Version

Linux

Affected: 02171da6e86a73e1b343b36722f5d9d5c04b3539 , < 4ca50db1c567d658d173c5ef3ee6c52b0b03603c (git)
Affected: 02171da6e86a73e1b343b36722f5d9d5c04b3539 , < 9c76fff747a73ba01d1d87ed53dd9c00cb40ba05 (git)
Affected: a6c3af0a620082d191dabc69c4925b3e6c26dd48 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/iso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4ca50db1c567d658d173c5ef3ee6c52b0b03603c",
              "status": "affected",
              "version": "02171da6e86a73e1b343b36722f5d9d5c04b3539",
              "versionType": "git"
            },
            {
              "lessThan": "9c76fff747a73ba01d1d87ed53dd9c00cb40ba05",
              "status": "affected",
              "version": "02171da6e86a73e1b343b36722f5d9d5c04b3539",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a6c3af0a620082d191dabc69c4925b3e6c26dd48",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/iso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Always release hdev at the end of iso_listen_bis\n\nSince hci_get_route holds the device before returning, the hdev\nshould be released with hci_dev_put at the end of iso_listen_bis\neven if the function returns with an error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:28.577Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4ca50db1c567d658d173c5ef3ee6c52b0b03603c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c76fff747a73ba01d1d87ed53dd9c00cb40ba05"
        }
      ],
      "title": "Bluetooth: iso: Always release hdev at the end of iso_listen_bis",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57879",
    "datePublished": "2025-01-11T15:05:22.760Z",
    "dateReserved": "2025-01-11T14:45:42.023Z",
    "dateUpdated": "2025-05-04T13:01:28.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56675 (GCVE-0-2024-56675)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-11-03 20:52

Title

bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU protection. But it is possible to attach a non-sleepable BPF program to a uprobe, and non-sleepable BPF programs are freed via normal RCU (see __bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal RCU grace period does not imply a tasks-trace-RCU grace period. Fix it by explicitly waiting for a tasks-trace-RCU grace period after removing the attachment of a bpf_prog to a perf_event.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9245459a992d22fe0…
	https://git.kernel.org/stable/c/f9f85df30118f3f41…
	https://git.kernel.org/stable/c/9b53d2c2a38a1effc…
	https://git.kernel.org/stable/c/ef1b808e3b7c98612…

Impacted products

Vendor

Product

Version

Linux

Affected: 8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 , < 9245459a992d22fe0e92e988f49db1fec82c184a (git)
Affected: 8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 , < f9f85df30118f3f4112761e6682fc60ebcce23e5 (git)
Affected: 8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 , < 9b53d2c2a38a1effc341d99be3f99fa7ef17047d (git)
Affected: 8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 , < ef1b808e3b7c98612feceedf985c2fbbeb28f956 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.121 , ≤ 6.1.* (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56675",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:12:26.615244Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:07.132Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:52:21.551Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/bpf_trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9245459a992d22fe0e92e988f49db1fec82c184a",
              "status": "affected",
              "version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
              "versionType": "git"
            },
            {
              "lessThan": "f9f85df30118f3f4112761e6682fc60ebcce23e5",
              "status": "affected",
              "version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
              "versionType": "git"
            },
            {
              "lessThan": "9b53d2c2a38a1effc341d99be3f99fa7ef17047d",
              "status": "affected",
              "version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
              "versionType": "git"
            },
            {
              "lessThan": "ef1b808e3b7c98612feceedf985c2fbbeb28f956",
              "status": "affected",
              "version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/bpf_trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.121",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors\n\nUprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU\nprotection. But it is possible to attach a non-sleepable BPF program to a\nuprobe, and non-sleepable BPF programs are freed via normal RCU (see\n__bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal\nRCU grace period does not imply a tasks-trace-RCU grace period.\n\nFix it by explicitly waiting for a tasks-trace-RCU grace period after\nremoving the attachment of a bpf_prog to a perf_event."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:01:53.460Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9245459a992d22fe0e92e988f49db1fec82c184a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9f85df30118f3f4112761e6682fc60ebcce23e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b53d2c2a38a1effc341d99be3f99fa7ef17047d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef1b808e3b7c98612feceedf985c2fbbeb28f956"
        }
      ],
      "title": "bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56675",
    "datePublished": "2024-12-27T15:06:36.183Z",
    "dateReserved": "2024-12-27T15:00:39.845Z",
    "dateUpdated": "2025-11-03T20:52:21.551Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57906 (GCVE-0-2024-57906)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2025-11-03 20:55

Title

iio: adc: ti-ads8688: fix information leak in triggered buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: adc: ti-ads8688: fix information leak in triggered buffer The 'buffer' local array is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the array to zero before using it to avoid pushing uninitialized information to userspace.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1c80a0985a9a14f33…
	https://git.kernel.org/stable/c/3bf8d1e87939b8a19…
	https://git.kernel.org/stable/c/aae96738006840533…
	https://git.kernel.org/stable/c/ebe2672bc42a0dfe3…
	https://git.kernel.org/stable/c/455df95eb8f24a37a…
	https://git.kernel.org/stable/c/485570ed82b7a6bb1…
	https://git.kernel.org/stable/c/2a7377ccfd940cd6e…

Impacted products

Vendor

Product

Version

Linux

Affected: 26aa12ef64ee997d293659bbf645c6df99fb73e5 , < 1c80a0985a9a14f33dbf63cd703ca010f094f878 (git)
Affected: c923e9effe50b0a83e74e1940afbecef5456bfda , < 3bf8d1e87939b8a19c9b738564fddf5b73322f2f (git)
Affected: 61fa5dfa5f52806f5ce37a0ba5712c271eb22f98 , < aae96738006840533cf147ffd5f41830987f21c5 (git)
Affected: 61fa5dfa5f52806f5ce37a0ba5712c271eb22f98 , < ebe2672bc42a0dfe31bb539f8ce79d024aa7e46d (git)
Affected: 61fa5dfa5f52806f5ce37a0ba5712c271eb22f98 , < 455df95eb8f24a37abc549d6738fc8ee07eb623b (git)
Affected: 61fa5dfa5f52806f5ce37a0ba5712c271eb22f98 , < 485570ed82b7a6bb109fa1d0a79998e21f7f4c73 (git)
Affected: 61fa5dfa5f52806f5ce37a0ba5712c271eb22f98 , < 2a7377ccfd940cd6e9201756aff1e7852c266e69 (git)
Affected: 91664385e6c49f1e961e822f2d024776ac22102a (git)
Affected: a65024fc5754f2fca73541373a2502bef603565b (git)
Affected: 3563bb70d6baa0a5e8082397e13f62f26053c04d (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57906",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:53:43.080798Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:16.648Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:55:31.340Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/adc/ti-ads8688.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1c80a0985a9a14f33dbf63cd703ca010f094f878",
              "status": "affected",
              "version": "26aa12ef64ee997d293659bbf645c6df99fb73e5",
              "versionType": "git"
            },
            {
              "lessThan": "3bf8d1e87939b8a19c9b738564fddf5b73322f2f",
              "status": "affected",
              "version": "c923e9effe50b0a83e74e1940afbecef5456bfda",
              "versionType": "git"
            },
            {
              "lessThan": "aae96738006840533cf147ffd5f41830987f21c5",
              "status": "affected",
              "version": "61fa5dfa5f52806f5ce37a0ba5712c271eb22f98",
              "versionType": "git"
            },
            {
              "lessThan": "ebe2672bc42a0dfe31bb539f8ce79d024aa7e46d",
              "status": "affected",
              "version": "61fa5dfa5f52806f5ce37a0ba5712c271eb22f98",
              "versionType": "git"
            },
            {
              "lessThan": "455df95eb8f24a37abc549d6738fc8ee07eb623b",
              "status": "affected",
              "version": "61fa5dfa5f52806f5ce37a0ba5712c271eb22f98",
              "versionType": "git"
            },
            {
              "lessThan": "485570ed82b7a6bb109fa1d0a79998e21f7f4c73",
              "status": "affected",
              "version": "61fa5dfa5f52806f5ce37a0ba5712c271eb22f98",
              "versionType": "git"
            },
            {
              "lessThan": "2a7377ccfd940cd6e9201756aff1e7852c266e69",
              "status": "affected",
              "version": "61fa5dfa5f52806f5ce37a0ba5712c271eb22f98",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "91664385e6c49f1e961e822f2d024776ac22102a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a65024fc5754f2fca73541373a2502bef603565b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3563bb70d6baa0a5e8082397e13f62f26053c04d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/adc/ti-ads8688.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "5.4.132",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.10.50",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.198",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-ads8688: fix information leak in triggered buffer\n\nThe \u0027buffer\u0027 local array is used to push data to user space from a\ntriggered buffer, but it does not set values for inactive channels, as\nit only uses iio_for_each_active_channel() to assign new values.\n\nInitialize the array to zero before using it to avoid pushing\nuninitialized information to userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:34.404Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1c80a0985a9a14f33dbf63cd703ca010f094f878"
        },
        {
          "url": "https://git.kernel.org/stable/c/3bf8d1e87939b8a19c9b738564fddf5b73322f2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/aae96738006840533cf147ffd5f41830987f21c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebe2672bc42a0dfe31bb539f8ce79d024aa7e46d"
        },
        {
          "url": "https://git.kernel.org/stable/c/455df95eb8f24a37abc549d6738fc8ee07eb623b"
        },
        {
          "url": "https://git.kernel.org/stable/c/485570ed82b7a6bb109fa1d0a79998e21f7f4c73"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a7377ccfd940cd6e9201756aff1e7852c266e69"
        }
      ],
      "title": "iio: adc: ti-ads8688: fix information leak in triggered buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57906",
    "datePublished": "2025-01-19T11:52:30.365Z",
    "dateReserved": "2025-01-19T11:50:08.372Z",
    "dateUpdated": "2025-11-03T20:55:31.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56570 (GCVE-0-2024-56570)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:23 – Updated: 2026-01-05 10:55

Title

ovl: Filter invalid inodes with missing lookup function

Summary

In the Linux kernel, the following vulnerability has been resolved: ovl: Filter invalid inodes with missing lookup function Add a check to the ovl_dentry_weird() function to prevent the processing of directory inodes that lack the lookup function. This is important because such inodes can cause errors in overlayfs when passed to the lowerstack.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f9248e2f73fb4afe0…
	https://git.kernel.org/stable/c/5f86e79c0b2287ffd…
	https://git.kernel.org/stable/c/749eac5a6687ec991…
	https://git.kernel.org/stable/c/ff43d008bbf9b27ad…
	https://git.kernel.org/stable/c/065bf5dd21639f80e…
	https://git.kernel.org/stable/c/72014e7745cc8250b…
	https://git.kernel.org/stable/c/c8b359dddb418c60d…

Impacted products

Vendor

Product

Version

Linux

Affected: e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c , < f9248e2f73fb4afe08324485e98c815ac084d166 (git)
Affected: e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c , < 5f86e79c0b2287ffdabe6c1b305a36c4e0f40fe3 (git)
Affected: e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c , < 749eac5a6687ec99116e0691d0d71225254654e3 (git)
Affected: e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c , < ff43d008bbf9b27ada434d6455f039a5ef6cee53 (git)
Affected: e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c , < 065bf5dd21639f80e68450de16bda829784dbb8c (git)
Affected: e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c , < 72014e7745cc8250bb8f27bd78694dfd3f1b5773 (git)
Affected: e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c , < c8b359dddb418c60df1a69beea01d1b3322bfe83 (git)

Linux

Affected: 3.18
Unaffected: 0 , < 3.18 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:49:43.264Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/util.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f9248e2f73fb4afe08324485e98c815ac084d166",
              "status": "affected",
              "version": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c",
              "versionType": "git"
            },
            {
              "lessThan": "5f86e79c0b2287ffdabe6c1b305a36c4e0f40fe3",
              "status": "affected",
              "version": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c",
              "versionType": "git"
            },
            {
              "lessThan": "749eac5a6687ec99116e0691d0d71225254654e3",
              "status": "affected",
              "version": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c",
              "versionType": "git"
            },
            {
              "lessThan": "ff43d008bbf9b27ada434d6455f039a5ef6cee53",
              "status": "affected",
              "version": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c",
              "versionType": "git"
            },
            {
              "lessThan": "065bf5dd21639f80e68450de16bda829784dbb8c",
              "status": "affected",
              "version": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c",
              "versionType": "git"
            },
            {
              "lessThan": "72014e7745cc8250bb8f27bd78694dfd3f1b5773",
              "status": "affected",
              "version": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c",
              "versionType": "git"
            },
            {
              "lessThan": "c8b359dddb418c60df1a69beea01d1b3322bfe83",
              "status": "affected",
              "version": "e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/util.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.18"
            },
            {
              "lessThan": "3.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: Filter invalid inodes with missing lookup function\n\nAdd a check to the ovl_dentry_weird() function to prevent the\nprocessing of directory inodes that lack the lookup function.\nThis is important because such inodes can cause errors in overlayfs\nwhen passed to the lowerstack."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:55:50.528Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f9248e2f73fb4afe08324485e98c815ac084d166"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f86e79c0b2287ffdabe6c1b305a36c4e0f40fe3"
        },
        {
          "url": "https://git.kernel.org/stable/c/749eac5a6687ec99116e0691d0d71225254654e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff43d008bbf9b27ada434d6455f039a5ef6cee53"
        },
        {
          "url": "https://git.kernel.org/stable/c/065bf5dd21639f80e68450de16bda829784dbb8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/72014e7745cc8250bb8f27bd78694dfd3f1b5773"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8b359dddb418c60df1a69beea01d1b3322bfe83"
        }
      ],
      "title": "ovl: Filter invalid inodes with missing lookup function",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56570",
    "datePublished": "2024-12-27T14:23:13.273Z",
    "dateReserved": "2024-12-27T14:03:05.997Z",
    "dateUpdated": "2026-01-05T10:55:50.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56663 (GCVE-0-2024-56663)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-11-03 20:52

Title

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one Since the netlink attribute range validation provides inclusive checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one. One crash stack for demonstration: ================================================================== BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 Read of size 6 at addr 001102080000000c by task fuzzer.386/9508 CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106 print_report+0xe0/0x750 mm/kasan/report.c:398 kasan_report+0x139/0x170 mm/kasan/report.c:495 kasan_check_range+0x287/0x290 mm/kasan/generic.c:189 memcpy+0x25/0x60 mm/kasan/shadow.c:65 ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline] nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453 genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553 __sys_sendmsg net/socket.c:2582 [inline] __do_sys_sendmsg net/socket.c:2591 [inline] __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd Update the policy to ensure correct validation.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-193 - Off-by-one Error

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/29e640ae641b9f5ff…
	https://git.kernel.org/stable/c/f3412522f78826fef…
	https://git.kernel.org/stable/c/f850d1d9f1106f528…
	https://git.kernel.org/stable/c/2e3dbf938656986cc…

Impacted products

Vendor

Product

Version

Linux

Affected: 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 , < 29e640ae641b9f5ffc666049426d2b16c98d9963 (git)
Affected: 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 , < f3412522f78826fef1dfae40ef378a863df2591c (git)
Affected: 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 , < f850d1d9f1106f528dfc5807565f2d1fa9a397d3 (git)
Affected: 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 , < 2e3dbf938656986cce73ac4083500d0bcfbffe24 (git)
Affected: 7a53ad13c09150076b7ddde96c2dfc5622c90b45 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.121 , ≤ 6.1.* (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56663",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:59:54.860579Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-193",
                "description": "CWE-193 Off-by-one Error",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:09.931Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:52:11.640Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/nl80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "29e640ae641b9f5ffc666049426d2b16c98d9963",
              "status": "affected",
              "version": "7b0a0e3c3a88260b6fcb017e49f198463aa62ed1",
              "versionType": "git"
            },
            {
              "lessThan": "f3412522f78826fef1dfae40ef378a863df2591c",
              "status": "affected",
              "version": "7b0a0e3c3a88260b6fcb017e49f198463aa62ed1",
              "versionType": "git"
            },
            {
              "lessThan": "f850d1d9f1106f528dfc5807565f2d1fa9a397d3",
              "status": "affected",
              "version": "7b0a0e3c3a88260b6fcb017e49f198463aa62ed1",
              "versionType": "git"
            },
            {
              "lessThan": "2e3dbf938656986cce73ac4083500d0bcfbffe24",
              "status": "affected",
              "version": "7b0a0e3c3a88260b6fcb017e49f198463aa62ed1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7a53ad13c09150076b7ddde96c2dfc5622c90b45",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/nl80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.121",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.19.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one\n\nSince the netlink attribute range validation provides inclusive\nchecking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be\nIEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.\n\nOne crash stack for demonstration:\n==================================================================\nBUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939\nRead of size 6 at addr 001102080000000c by task fuzzer.386/9508\n\nCPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106\n print_report+0xe0/0x750 mm/kasan/report.c:398\n kasan_report+0x139/0x170 mm/kasan/report.c:495\n kasan_check_range+0x287/0x290 mm/kasan/generic.c:189\n memcpy+0x25/0x60 mm/kasan/shadow.c:65\n ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939\n rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline]\n nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453\n genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756\n genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\n genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850\n netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508\n genl_rcv+0x24/0x40 net/netlink/genetlink.c:861\n netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]\n netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352\n netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874\n sock_sendmsg_nosec net/socket.c:716 [inline]\n __sock_sendmsg net/socket.c:728 [inline]\n ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499\n ___sys_sendmsg+0x21c/0x290 net/socket.c:2553\n __sys_sendmsg net/socket.c:2582 [inline]\n __do_sys_sendmsg net/socket.c:2591 [inline]\n __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUpdate the policy to ensure correct validation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:11.192Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/29e640ae641b9f5ffc666049426d2b16c98d9963"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3412522f78826fef1dfae40ef378a863df2591c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f850d1d9f1106f528dfc5807565f2d1fa9a397d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e3dbf938656986cce73ac4083500d0bcfbffe24"
        }
      ],
      "title": "wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56663",
    "datePublished": "2024-12-27T15:06:25.403Z",
    "dateReserved": "2024-12-27T15:00:39.843Z",
    "dateUpdated": "2025-11-03T20:52:11.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57889 (GCVE-0-2024-57889)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-11-03 20:54

Title

pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

Summary

In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/788d9e9a41b81893d…
	https://git.kernel.org/stable/c/c55d186376a87b468…
	https://git.kernel.org/stable/c/9372e160d8211a7e1…
	https://git.kernel.org/stable/c/0310cbad163a908d0…
	https://git.kernel.org/stable/c/8c6fd5803b988a5e7…
	https://git.kernel.org/stable/c/830f838589522404c…
	https://git.kernel.org/stable/c/a37eecb705f33726f…

Impacted products

Vendor

Product

Version

Linux

Affected: 8f38910ba4f662222157ce07a0d5becc4328c46a , < 788d9e9a41b81893d6bb8faa05f045c975278318 (git)
Affected: 8f38910ba4f662222157ce07a0d5becc4328c46a , < c55d186376a87b468c9ee30f2195e0f3857f61a0 (git)
Affected: 8f38910ba4f662222157ce07a0d5becc4328c46a , < 9372e160d8211a7e17f2abff8370794f182df785 (git)
Affected: 8f38910ba4f662222157ce07a0d5becc4328c46a , < 0310cbad163a908d09d99c26827859365cd71fcb (git)
Affected: 8f38910ba4f662222157ce07a0d5becc4328c46a , < 8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec (git)
Affected: 8f38910ba4f662222157ce07a0d5becc4328c46a , < 830f838589522404cd7c2f0f540602f25034af61 (git)
Affected: 8f38910ba4f662222157ce07a0d5becc4328c46a , < a37eecb705f33726f1fb7cd2a67e514a15dfe693 (git)

Linux

Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 5.4.289 , ≤ 5.4.* (semver)
Unaffected: 5.10.233 , ≤ 5.10.* (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.124 , ≤ 6.1.* (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:59.702Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/pinctrl-mcp23s08.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "788d9e9a41b81893d6bb8faa05f045c975278318",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "c55d186376a87b468c9ee30f2195e0f3857f61a0",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "9372e160d8211a7e17f2abff8370794f182df785",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "0310cbad163a908d09d99c26827859365cd71fcb",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "830f838589522404cd7c2f0f540602f25034af61",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "a37eecb705f33726f1fb7cd2a67e514a15dfe693",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/pinctrl-mcp23s08.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking\n\nIf a device uses MCP23xxx IO expander to receive IRQs, the following\nbug can happen:\n\n  BUG: sleeping function called from invalid context\n    at kernel/locking/mutex.c:283\n  in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...\n  preempt_count: 1, expected: 0\n  ...\n  Call Trace:\n  ...\n  __might_resched+0x104/0x10e\n  __might_sleep+0x3e/0x62\n  mutex_lock+0x20/0x4c\n  regmap_lock_mutex+0x10/0x18\n  regmap_update_bits_base+0x2c/0x66\n  mcp23s08_irq_set_type+0x1ae/0x1d6\n  __irq_set_trigger+0x56/0x172\n  __setup_irq+0x1e6/0x646\n  request_threaded_irq+0xb6/0x160\n  ...\n\nWe observed the problem while experimenting with a touchscreen driver which\nused MCP23017 IO expander (I2C).\n\nThe regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from\nconcurrent accesses, which is the default for regmaps without .fast_io,\n.disable_locking, etc.\n\nmcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter\nlocks the mutex.\n\nHowever, __setup_irq() locks desc-\u003elock spinlock before calling these\nfunctions. As a result, the system tries to lock the mutex whole holding\nthe spinlock.\n\nIt seems, the internal regmap locks are not needed in this driver at all.\nmcp-\u003elock seems to protect the regmap from concurrent accesses already,\nexcept, probably, in mcp_pinconf_get/set.\n\nmcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under\nchip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes\nmcp-\u003elock and enables regmap caching, so that the potentially slow I2C\naccesses are deferred until chip_bus_unlock().\n\nThe accesses to the regmap from mcp23s08_probe_one() do not need additional\nlocking.\n\nIn all remaining places where the regmap is accessed, except\nmcp_pinconf_get/set(), the driver already takes mcp-\u003elock.\n\nThis patch adds locking in mcp_pinconf_get/set() and disables internal\nlocking in the regmap config. Among other things, it fixes the sleeping\nin atomic context described above."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:57.500Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318"
        },
        {
          "url": "https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785"
        },
        {
          "url": "https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61"
        },
        {
          "url": "https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693"
        }
      ],
      "title": "pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57889",
    "datePublished": "2025-01-15T13:05:41.769Z",
    "dateReserved": "2025-01-11T14:45:42.027Z",
    "dateUpdated": "2025-11-03T20:54:59.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56550 (GCVE-0-2024-56550)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:22 – Updated: 2025-05-04 13:00

Title

s390/stacktrace: Use break instead of return statement

Summary

In the Linux kernel, the following vulnerability has been resolved: s390/stacktrace: Use break instead of return statement arch_stack_walk_user_common() contains a return statement instead of a break statement in case store_ip() fails while trying to store a callchain entry of a user space process. This may lead to a missing pagefault_enable() call. If this happens any subsequent page fault of the process won't be resolved by the page fault handler and this in turn will lead to the process being killed. Use a break instead of a return statement to fix this.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/20c26357826457dc7…
	https://git.kernel.org/stable/c/588a9836a4ef7ec3b…

Impacted products

Vendor

Product

Version

Linux

Affected: ebd912ff9919a10609511383d94942362234c077 , < 20c26357826457dc7c8145297e60ddc012e18914 (git)
Affected: ebd912ff9919a10609511383d94942362234c077 , < 588a9836a4ef7ec3bfcffda526dfa399637e6cfc (git)
Affected: dd69165ac3dc12d8550aeec3fc4439c084ded3d8 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.4 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/kernel/stacktrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "20c26357826457dc7c8145297e60ddc012e18914",
              "status": "affected",
              "version": "ebd912ff9919a10609511383d94942362234c077",
              "versionType": "git"
            },
            {
              "lessThan": "588a9836a4ef7ec3bfcffda526dfa399637e6cfc",
              "status": "affected",
              "version": "ebd912ff9919a10609511383d94942362234c077",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dd69165ac3dc12d8550aeec3fc4439c084ded3d8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/kernel/stacktrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.9.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/stacktrace: Use break instead of return statement\n\narch_stack_walk_user_common() contains a return statement instead of a\nbreak statement in case store_ip() fails while trying to store a callchain\nentry of a user space process.\nThis may lead to a missing pagefault_enable() call.\n\nIf this happens any subsequent page fault of the process won\u0027t be resolved\nby the page fault handler and this in turn will lead to the process being\nkilled.\n\nUse a break instead of a return statement to fix this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:52.163Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/20c26357826457dc7c8145297e60ddc012e18914"
        },
        {
          "url": "https://git.kernel.org/stable/c/588a9836a4ef7ec3bfcffda526dfa399637e6cfc"
        }
      ],
      "title": "s390/stacktrace: Use break instead of return statement",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56550",
    "datePublished": "2024-12-27T14:22:52.403Z",
    "dateReserved": "2024-12-27T14:03:05.989Z",
    "dateUpdated": "2025-05-04T13:00:52.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56761 (GCVE-0-2024-56761)

Vulnerability from cvelistv5 – Published: 2025-01-06 16:20 – Updated: 2025-05-04 10:04

Title

x86/fred: Clear WFE in missing-ENDBRANCH #CPs

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/fred: Clear WFE in missing-ENDBRANCH #CPs An indirect branch instruction sets the CPU indirect branch tracker (IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted across the instruction boundary. When the decoder finds an inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP fault. For the "kernel IBT no ENDBR" selftest where #CPs are deliberately triggered, the WFE state of the interrupted context needs to be cleared to let execution continue. Otherwise when the CPU resumes from the instruction that just caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU enters a dead loop. This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't set WFE. But FRED provides space on the entry stack (in an expanded CS area) to save and restore the WFE state, thus the WFE state is no longer clobbered, so software must clear it. Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the !ibt_fatal code path when execution is allowed to continue. Clobbering WFE in any other circumstance is a security-relevant bug. [ dhansen: changelog rewording ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/151447859d6fb0dcc…
	https://git.kernel.org/stable/c/b939f108e86b76119…
	https://git.kernel.org/stable/c/dc81e556f2a017d68…

Impacted products

Vendor

Product

Version

Linux

Affected: a5f6c2ace9974adf92ce65dacca8126d90adabfe , < 151447859d6fb0dcce8259f0971c6e94fb801661 (git)
Affected: a5f6c2ace9974adf92ce65dacca8126d90adabfe , < b939f108e86b76119428a6fa4e92491e09ac7867 (git)
Affected: a5f6c2ace9974adf92ce65dacca8126d90adabfe , < dc81e556f2a017d681251ace21bf06c126d5a192 (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.8 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "151447859d6fb0dcce8259f0971c6e94fb801661",
              "status": "affected",
              "version": "a5f6c2ace9974adf92ce65dacca8126d90adabfe",
              "versionType": "git"
            },
            {
              "lessThan": "b939f108e86b76119428a6fa4e92491e09ac7867",
              "status": "affected",
              "version": "a5f6c2ace9974adf92ce65dacca8126d90adabfe",
              "versionType": "git"
            },
            {
              "lessThan": "dc81e556f2a017d681251ace21bf06c126d5a192",
              "status": "affected",
              "version": "a5f6c2ace9974adf92ce65dacca8126d90adabfe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Clear WFE in missing-ENDBRANCH #CPs\n\nAn indirect branch instruction sets the CPU indirect branch tracker\n(IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted\nacross the instruction boundary.  When the decoder finds an\ninappropriate instruction while WFE is set ENDBR, the CPU raises a #CP\nfault.\n\nFor the \"kernel IBT no ENDBR\" selftest where #CPs are deliberately\ntriggered, the WFE state of the interrupted context needs to be\ncleared to let execution continue.  Otherwise when the CPU resumes\nfrom the instruction that just caused the previous #CP, another\nmissing-ENDBRANCH #CP is raised and the CPU enters a dead loop.\n\nThis is not a problem with IDT because it doesn\u0027t preserve WFE and\nIRET doesn\u0027t set WFE.  But FRED provides space on the entry stack\n(in an expanded CS area) to save and restore the WFE state, thus the\nWFE state is no longer clobbered, so software must clear it.\n\nClear WFE to avoid dead looping in ibt_clear_fred_wfe() and the\n!ibt_fatal code path when execution is allowed to continue.\n\nClobbering WFE in any other circumstance is a security-relevant bug.\n\n[ dhansen: changelog rewording ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:07.795Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/151447859d6fb0dcce8259f0971c6e94fb801661"
        },
        {
          "url": "https://git.kernel.org/stable/c/b939f108e86b76119428a6fa4e92491e09ac7867"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc81e556f2a017d681251ace21bf06c126d5a192"
        }
      ],
      "title": "x86/fred: Clear WFE in missing-ENDBRANCH #CPs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56761",
    "datePublished": "2025-01-06T16:20:41.112Z",
    "dateReserved": "2024-12-29T11:26:39.762Z",
    "dateUpdated": "2025-05-04T10:04:07.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56787 (GCVE-0-2024-56787)

Vulnerability from cvelistv5 – Published: 2025-01-08 17:52 – Updated: 2025-11-03 20:54

Title

soc: imx8m: Probe the SoC driver as platform driver

Summary

In the Linux kernel, the following vulnerability has been resolved: soc: imx8m: Probe the SoC driver as platform driver With driver_async_probe=* on kernel command line, the following trace is produced because on i.MX8M Plus hardware because the soc-imx8m.c driver calls of_clk_get_by_name() which returns -EPROBE_DEFER because the clock driver is not yet probed. This was not detected during regular testing without driver_async_probe. Convert the SoC code to platform driver and instantiate a platform device in its current device_initcall() to probe the platform driver. Rework .soc_revision callback to always return valid error code and return SoC revision via parameter. This way, if anything in the .soc_revision callback return -EPROBE_DEFER, it gets propagated to .probe and the .probe will get retried later. " ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1 at drivers/soc/imx/soc-imx8m.c:115 imx8mm_soc_revision+0xdc/0x180 CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-next-20240924-00002-g2062bb554dea #603 Hardware name: DH electronics i.MX8M Plus DHCOM Premium Developer Kit (3) (DT) pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : imx8mm_soc_revision+0xdc/0x180 lr : imx8mm_soc_revision+0xd0/0x180 sp : ffff8000821fbcc0 x29: ffff8000821fbce0 x28: 0000000000000000 x27: ffff800081810120 x26: ffff8000818a9970 x25: 0000000000000006 x24: 0000000000824311 x23: ffff8000817f42c8 x22: ffff0000df8be210 x21: fffffffffffffdfb x20: ffff800082780000 x19: 0000000000000001 x18: ffffffffffffffff x17: ffff800081fff418 x16: ffff8000823e1000 x15: ffff0000c03b65e8 x14: ffff0000c00051b0 x13: ffff800082790000 x12: 0000000000000801 x11: ffff80008278ffff x10: ffff80008209d3a6 x9 : ffff80008062e95c x8 : ffff8000821fb9a0 x7 : 0000000000000000 x6 : 00000000000080e3 x5 : ffff0000df8c03d8 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : fffffffffffffdfb x0 : fffffffffffffdfb Call trace: imx8mm_soc_revision+0xdc/0x180 imx8_soc_init+0xb0/0x1e0 do_one_initcall+0x94/0x1a8 kernel_init_freeable+0x240/0x2a8 kernel_init+0x28/0x140 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- SoC: i.MX8MP revision 1.1 "

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e497edb8f31ec2c2b…
	https://git.kernel.org/stable/c/ea2ff66feb5f9b183…
	https://git.kernel.org/stable/c/2129f6faa5dfe8c6b…
	https://git.kernel.org/stable/c/997a3c04d7fa3d1d3…
	https://git.kernel.org/stable/c/9cc832d37799dbea9…

Impacted products

Vendor

Product

Version

Linux

Affected: a7e26f356ca12906a164d83c9e9f8527ee7da022 , < e497edb8f31ec2c2b6f4ce930e175aa2da8be334 (git)
Affected: a7e26f356ca12906a164d83c9e9f8527ee7da022 , < ea2ff66feb5f9b183f9e2f9d06c21340bd88de12 (git)
Affected: a7e26f356ca12906a164d83c9e9f8527ee7da022 , < 2129f6faa5dfe8c6b87aad11720bf75edd77d3e4 (git)
Affected: a7e26f356ca12906a164d83c9e9f8527ee7da022 , < 997a3c04d7fa3d1d385c14691350d096fada648c (git)
Affected: a7e26f356ca12906a164d83c9e9f8527ee7da022 , < 9cc832d37799dbea950c4c8a34721b02b8b5a8ff (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56787",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:05.585007Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:23.089Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:54:25.388Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/imx/soc-imx8m.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e497edb8f31ec2c2b6f4ce930e175aa2da8be334",
              "status": "affected",
              "version": "a7e26f356ca12906a164d83c9e9f8527ee7da022",
              "versionType": "git"
            },
            {
              "lessThan": "ea2ff66feb5f9b183f9e2f9d06c21340bd88de12",
              "status": "affected",
              "version": "a7e26f356ca12906a164d83c9e9f8527ee7da022",
              "versionType": "git"
            },
            {
              "lessThan": "2129f6faa5dfe8c6b87aad11720bf75edd77d3e4",
              "status": "affected",
              "version": "a7e26f356ca12906a164d83c9e9f8527ee7da022",
              "versionType": "git"
            },
            {
              "lessThan": "997a3c04d7fa3d1d385c14691350d096fada648c",
              "status": "affected",
              "version": "a7e26f356ca12906a164d83c9e9f8527ee7da022",
              "versionType": "git"
            },
            {
              "lessThan": "9cc832d37799dbea950c4c8a34721b02b8b5a8ff",
              "status": "affected",
              "version": "a7e26f356ca12906a164d83c9e9f8527ee7da022",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/imx/soc-imx8m.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: imx8m: Probe the SoC driver as platform driver\n\nWith driver_async_probe=* on kernel command line, the following trace is\nproduced because on i.MX8M Plus hardware because the soc-imx8m.c driver\ncalls of_clk_get_by_name() which returns -EPROBE_DEFER because the clock\ndriver is not yet probed. This was not detected during regular testing\nwithout driver_async_probe.\n\nConvert the SoC code to platform driver and instantiate a platform device\nin its current device_initcall() to probe the platform driver. Rework\n.soc_revision callback to always return valid error code and return SoC\nrevision via parameter. This way, if anything in the .soc_revision callback\nreturn -EPROBE_DEFER, it gets propagated to .probe and the .probe will get\nretried later.\n\n\"\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1 at drivers/soc/imx/soc-imx8m.c:115 imx8mm_soc_revision+0xdc/0x180\nCPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-next-20240924-00002-g2062bb554dea #603\nHardware name: DH electronics i.MX8M Plus DHCOM Premium Developer Kit (3) (DT)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : imx8mm_soc_revision+0xdc/0x180\nlr : imx8mm_soc_revision+0xd0/0x180\nsp : ffff8000821fbcc0\nx29: ffff8000821fbce0 x28: 0000000000000000 x27: ffff800081810120\nx26: ffff8000818a9970 x25: 0000000000000006 x24: 0000000000824311\nx23: ffff8000817f42c8 x22: ffff0000df8be210 x21: fffffffffffffdfb\nx20: ffff800082780000 x19: 0000000000000001 x18: ffffffffffffffff\nx17: ffff800081fff418 x16: ffff8000823e1000 x15: ffff0000c03b65e8\nx14: ffff0000c00051b0 x13: ffff800082790000 x12: 0000000000000801\nx11: ffff80008278ffff x10: ffff80008209d3a6 x9 : ffff80008062e95c\nx8 : ffff8000821fb9a0 x7 : 0000000000000000 x6 : 00000000000080e3\nx5 : ffff0000df8c03d8 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : fffffffffffffdfb x0 : fffffffffffffdfb\nCall trace:\n imx8mm_soc_revision+0xdc/0x180\n imx8_soc_init+0xb0/0x1e0\n do_one_initcall+0x94/0x1a8\n kernel_init_freeable+0x240/0x2a8\n kernel_init+0x28/0x140\n ret_from_fork+0x10/0x20\n---[ end trace 0000000000000000 ]---\nSoC: i.MX8MP revision 1.1\n\""
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:43.762Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e497edb8f31ec2c2b6f4ce930e175aa2da8be334"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea2ff66feb5f9b183f9e2f9d06c21340bd88de12"
        },
        {
          "url": "https://git.kernel.org/stable/c/2129f6faa5dfe8c6b87aad11720bf75edd77d3e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/997a3c04d7fa3d1d385c14691350d096fada648c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cc832d37799dbea950c4c8a34721b02b8b5a8ff"
        }
      ],
      "title": "soc: imx8m: Probe the SoC driver as platform driver",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56787",
    "datePublished": "2025-01-08T17:52:03.420Z",
    "dateReserved": "2024-12-29T11:26:39.770Z",
    "dateUpdated": "2025-11-03T20:54:25.388Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21663 (GCVE-0-2025-21663)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-05-04 07:18

Title

net: stmmac: dwmac-tegra: Read iommu stream id from device tree

Summary

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: dwmac-tegra: Read iommu stream id from device tree Nvidia's Tegra MGBE controllers require the IOMMU "Stream ID" (SID) to be written to the MGBE_WRAP_AXI_ASID0_CTRL register. The current driver is hard coded to use MGBE0's SID for all controllers. This causes softirq time outs and kernel panics when using controllers other than MGBE0. Example dmesg errors when an ethernet cable is connected to MGBE1: [ 116.133290] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx [ 121.851283] tegra-mgbe 6910000.ethernet eth1: NETDEV WATCHDOG: CPU: 5: transmit queue 0 timed out 5690 ms [ 121.851782] tegra-mgbe 6910000.ethernet eth1: Reset adapter. [ 121.892464] tegra-mgbe 6910000.ethernet eth1: Register MEM_TYPE_PAGE_POOL RxQ-0 [ 121.905920] tegra-mgbe 6910000.ethernet eth1: PHY [stmmac-1:00] driver [Aquantia AQR113] (irq=171) [ 121.907356] tegra-mgbe 6910000.ethernet eth1: Enabling Safety Features [ 121.907578] tegra-mgbe 6910000.ethernet eth1: IEEE 1588-2008 Advanced Timestamp supported [ 121.908399] tegra-mgbe 6910000.ethernet eth1: registered PTP clock [ 121.908582] tegra-mgbe 6910000.ethernet eth1: configuring for phy/10gbase-r link mode [ 125.961292] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx [ 181.921198] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: [ 181.921404] rcu: 7-....: (1 GPs behind) idle=540c/1/0x4000000000000002 softirq=1748/1749 fqs=2337 [ 181.921684] rcu: (detected by 4, t=6002 jiffies, g=1357, q=1254 ncpus=8) [ 181.921878] Sending NMI from CPU 4 to CPUs 7: [ 181.921886] NMI backtrace for cpu 7 [ 181.922131] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6 [ 181.922390] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024 [ 181.922658] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 181.922847] pc : handle_softirqs+0x98/0x368 [ 181.922978] lr : __do_softirq+0x18/0x20 [ 181.923095] sp : ffff80008003bf50 [ 181.923189] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000 [ 181.923379] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0 [ 181.924486] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70 [ 181.925568] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000 [ 181.926655] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000 [ 181.931455] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d [ 181.938628] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160 [ 181.945804] x8 : ffff8000827b3160 x7 : f9157b241586f343 x6 : eeb6502a01c81c74 [ 181.953068] x5 : a4acfcdd2e8096bb x4 : ffffce78ea277340 x3 : 00000000ffffd1e1 [ 181.960329] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000 [ 181.967591] Call trace: [ 181.970043] handle_softirqs+0x98/0x368 (P) [ 181.974240] __do_softirq+0x18/0x20 [ 181.977743] ____do_softirq+0x14/0x28 [ 181.981415] call_on_irq_stack+0x24/0x30 [ 181.985180] do_softirq_own_stack+0x20/0x30 [ 181.989379] __irq_exit_rcu+0x114/0x140 [ 181.993142] irq_exit_rcu+0x14/0x28 [ 181.996816] el1_interrupt+0x44/0xb8 [ 182.000316] el1h_64_irq_handler+0x14/0x20 [ 182.004343] el1h_64_irq+0x80/0x88 [ 182.007755] cpuidle_enter_state+0xc4/0x4a8 (P) [ 182.012305] cpuidle_enter+0x3c/0x58 [ 182.015980] cpuidle_idle_call+0x128/0x1c0 [ 182.020005] do_idle+0xe0/0xf0 [ 182.023155] cpu_startup_entry+0x3c/0x48 [ 182.026917] secondary_start_kernel+0xdc/0x120 [ 182.031379] __secondary_switched+0x74/0x78 [ 212.971162] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 7-.... } 6103 jiffies s: 417 root: 0x80/. [ 212.985935] rcu: blocking rcu_node structures (internal RCU debug): [ 212.992758] Sending NMI from CPU 0 to CPUs 7: [ 212.998539] NMI backtrace for cpu 7 [ 213.004304] CPU: 7 UID: 0 PI ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/235419f0956e8c60e…
	https://git.kernel.org/stable/c/b04d33cdbc958a3fd…
	https://git.kernel.org/stable/c/426046e2d62dd1953…

Impacted products

Vendor

Product

Version

Linux

Affected: d8ca113724e79b324f553914cefa9dd6961de152 , < 235419f0956e8c60e597aa1619ded8bda7460bb4 (git)
Affected: d8ca113724e79b324f553914cefa9dd6961de152 , < b04d33cdbc958a3fd57f3544d4f78b99d9d11909 (git)
Affected: d8ca113724e79b324f553914cefa9dd6961de152 , < 426046e2d62dd19533808661e912b8e8a9eaec16 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "235419f0956e8c60e597aa1619ded8bda7460bb4",
              "status": "affected",
              "version": "d8ca113724e79b324f553914cefa9dd6961de152",
              "versionType": "git"
            },
            {
              "lessThan": "b04d33cdbc958a3fd57f3544d4f78b99d9d11909",
              "status": "affected",
              "version": "d8ca113724e79b324f553914cefa9dd6961de152",
              "versionType": "git"
            },
            {
              "lessThan": "426046e2d62dd19533808661e912b8e8a9eaec16",
              "status": "affected",
              "version": "d8ca113724e79b324f553914cefa9dd6961de152",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: dwmac-tegra: Read iommu stream id from device tree\n\nNvidia\u0027s Tegra MGBE controllers require the IOMMU \"Stream ID\" (SID) to be\nwritten to the MGBE_WRAP_AXI_ASID0_CTRL register.\n\nThe current driver is hard coded to use MGBE0\u0027s SID for all controllers.\nThis causes softirq time outs and kernel panics when using controllers\nother than MGBE0.\n\nExample dmesg errors when an ethernet cable is connected to MGBE1:\n\n[  116.133290] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx\n[  121.851283] tegra-mgbe 6910000.ethernet eth1: NETDEV WATCHDOG: CPU: 5: transmit queue 0 timed out 5690 ms\n[  121.851782] tegra-mgbe 6910000.ethernet eth1: Reset adapter.\n[  121.892464] tegra-mgbe 6910000.ethernet eth1: Register MEM_TYPE_PAGE_POOL RxQ-0\n[  121.905920] tegra-mgbe 6910000.ethernet eth1: PHY [stmmac-1:00] driver [Aquantia AQR113] (irq=171)\n[  121.907356] tegra-mgbe 6910000.ethernet eth1: Enabling Safety Features\n[  121.907578] tegra-mgbe 6910000.ethernet eth1: IEEE 1588-2008 Advanced Timestamp supported\n[  121.908399] tegra-mgbe 6910000.ethernet eth1: registered PTP clock\n[  121.908582] tegra-mgbe 6910000.ethernet eth1: configuring for phy/10gbase-r link mode\n[  125.961292] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx\n[  181.921198] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:\n[  181.921404] rcu: \t7-....: (1 GPs behind) idle=540c/1/0x4000000000000002 softirq=1748/1749 fqs=2337\n[  181.921684] rcu: \t(detected by 4, t=6002 jiffies, g=1357, q=1254 ncpus=8)\n[  181.921878] Sending NMI from CPU 4 to CPUs 7:\n[  181.921886] NMI backtrace for cpu 7\n[  181.922131] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6\n[  181.922390] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024\n[  181.922658] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  181.922847] pc : handle_softirqs+0x98/0x368\n[  181.922978] lr : __do_softirq+0x18/0x20\n[  181.923095] sp : ffff80008003bf50\n[  181.923189] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000\n[  181.923379] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0\n[  181.924486] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70\n[  181.925568] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000\n[  181.926655] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000\n[  181.931455] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d\n[  181.938628] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160\n[  181.945804] x8 : ffff8000827b3160 x7 : f9157b241586f343 x6 : eeb6502a01c81c74\n[  181.953068] x5 : a4acfcdd2e8096bb x4 : ffffce78ea277340 x3 : 00000000ffffd1e1\n[  181.960329] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000\n[  181.967591] Call trace:\n[  181.970043]  handle_softirqs+0x98/0x368 (P)\n[  181.974240]  __do_softirq+0x18/0x20\n[  181.977743]  ____do_softirq+0x14/0x28\n[  181.981415]  call_on_irq_stack+0x24/0x30\n[  181.985180]  do_softirq_own_stack+0x20/0x30\n[  181.989379]  __irq_exit_rcu+0x114/0x140\n[  181.993142]  irq_exit_rcu+0x14/0x28\n[  181.996816]  el1_interrupt+0x44/0xb8\n[  182.000316]  el1h_64_irq_handler+0x14/0x20\n[  182.004343]  el1h_64_irq+0x80/0x88\n[  182.007755]  cpuidle_enter_state+0xc4/0x4a8 (P)\n[  182.012305]  cpuidle_enter+0x3c/0x58\n[  182.015980]  cpuidle_idle_call+0x128/0x1c0\n[  182.020005]  do_idle+0xe0/0xf0\n[  182.023155]  cpu_startup_entry+0x3c/0x48\n[  182.026917]  secondary_start_kernel+0xdc/0x120\n[  182.031379]  __secondary_switched+0x74/0x78\n[  212.971162] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 7-.... } 6103 jiffies s: 417 root: 0x80/.\n[  212.985935] rcu: blocking rcu_node structures (internal RCU debug):\n[  212.992758] Sending NMI from CPU 0 to CPUs 7:\n[  212.998539] NMI backtrace for cpu 7\n[  213.004304] CPU: 7 UID: 0 PI\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:29.588Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/235419f0956e8c60e597aa1619ded8bda7460bb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/b04d33cdbc958a3fd57f3544d4f78b99d9d11909"
        },
        {
          "url": "https://git.kernel.org/stable/c/426046e2d62dd19533808661e912b8e8a9eaec16"
        }
      ],
      "title": "net: stmmac: dwmac-tegra: Read iommu stream id from device tree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21663",
    "datePublished": "2025-01-21T12:18:18.347Z",
    "dateReserved": "2024-12-29T08:45:45.732Z",
    "dateUpdated": "2025-05-04T07:18:29.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21658 (GCVE-0-2025-21658)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-10-01 19:57

Title

btrfs: avoid NULL pointer dereference if no valid extent tree

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid extent tree [BUG] Syzbot reported a crash with the following call trace: BTRFS info (device loop0): scrub: started on devid 1 BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G O 6.13.0-rc4-custom+ #206 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs] Call Trace: <TASK> scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs] scrub_simple_mirror+0x175/0x260 [btrfs] scrub_stripe+0x5d4/0x6c0 [btrfs] scrub_chunk+0xbb/0x170 [btrfs] scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs] btrfs_scrub_dev+0x240/0x600 [btrfs] btrfs_ioctl+0x1dc8/0x2fa0 [btrfs] ? do_sys_openat2+0xa5/0xf0 __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x4f/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> [CAUSE] The reproducer is using a corrupted image where extent tree root is corrupted, thus forcing to use "rescue=all,ro" mount option to mount the image. Then it triggered a scrub, but since scrub relies on extent tree to find where the data/metadata extents are, scrub_find_fill_first_stripe() relies on an non-empty extent root. But unfortunately scrub_find_fill_first_stripe() doesn't really expect an NULL pointer for extent root, it use extent_root to grab fs_info and triggered a NULL pointer dereference. [FIX] Add an extra check for a valid extent root at the beginning of scrub_find_fill_first_stripe(). The new error path is introduced by 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots"), but that's pretty old, and later commit b979547513ff ("btrfs: scrub: introduce helper to find and fill sector info for a scrub_stripe") changed how we do scrub. So for kernels older than 6.6, the fix will need manual backport.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/24b85a8b0310e0144…
	https://git.kernel.org/stable/c/aee5f69f3e6cd82bf…
	https://git.kernel.org/stable/c/6aecd91a5c5b68939…

Impacted products

Vendor

Product

Version

Linux

Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < 24b85a8b0310e0144da9ab30be42e87e6476638a (git)
Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < aee5f69f3e6cd82bfefaca1b70b40b6cd8f3f784 (git)
Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < 6aecd91a5c5b68939cf4169e32bc49f3cd2dd329 (git)

Linux

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21658",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:37.080379Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:13.496Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/scrub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "24b85a8b0310e0144da9ab30be42e87e6476638a",
              "status": "affected",
              "version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
              "versionType": "git"
            },
            {
              "lessThan": "aee5f69f3e6cd82bfefaca1b70b40b6cd8f3f784",
              "status": "affected",
              "version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
              "versionType": "git"
            },
            {
              "lessThan": "6aecd91a5c5b68939cf4169e32bc49f3cd2dd329",
              "status": "affected",
              "version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/scrub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid NULL pointer dereference if no valid extent tree\n\n[BUG]\nSyzbot reported a crash with the following call trace:\n\n  BTRFS info (device loop0): scrub: started on devid 1\n  BUG: kernel NULL pointer dereference, address: 0000000000000208\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G           O       6.13.0-rc4-custom+ #206\n  Tainted: [O]=OOT_MODULE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n  RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs]\n  Call Trace:\n   \u003cTASK\u003e\n   scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs]\n   scrub_simple_mirror+0x175/0x260 [btrfs]\n   scrub_stripe+0x5d4/0x6c0 [btrfs]\n   scrub_chunk+0xbb/0x170 [btrfs]\n   scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs]\n   btrfs_scrub_dev+0x240/0x600 [btrfs]\n   btrfs_ioctl+0x1dc8/0x2fa0 [btrfs]\n   ? do_sys_openat2+0xa5/0xf0\n   __x64_sys_ioctl+0x97/0xc0\n   do_syscall_64+0x4f/0x120\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   \u003c/TASK\u003e\n\n[CAUSE]\nThe reproducer is using a corrupted image where extent tree root is\ncorrupted, thus forcing to use \"rescue=all,ro\" mount option to mount the\nimage.\n\nThen it triggered a scrub, but since scrub relies on extent tree to find\nwhere the data/metadata extents are, scrub_find_fill_first_stripe()\nrelies on an non-empty extent root.\n\nBut unfortunately scrub_find_fill_first_stripe() doesn\u0027t really expect\nan NULL pointer for extent root, it use extent_root to grab fs_info and\ntriggered a NULL pointer dereference.\n\n[FIX]\nAdd an extra check for a valid extent root at the beginning of\nscrub_find_fill_first_stripe().\n\nThe new error path is introduced by 42437a6386ff (\"btrfs: introduce\nmount option rescue=ignorebadroots\"), but that\u0027s pretty old, and later\ncommit b979547513ff (\"btrfs: scrub: introduce helper to find and fill\nsector info for a scrub_stripe\") changed how we do scrub.\n\nSo for kernels older than 6.6, the fix will need manual backport."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:24.189Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/24b85a8b0310e0144da9ab30be42e87e6476638a"
        },
        {
          "url": "https://git.kernel.org/stable/c/aee5f69f3e6cd82bfefaca1b70b40b6cd8f3f784"
        },
        {
          "url": "https://git.kernel.org/stable/c/6aecd91a5c5b68939cf4169e32bc49f3cd2dd329"
        }
      ],
      "title": "btrfs: avoid NULL pointer dereference if no valid extent tree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21658",
    "datePublished": "2025-01-21T12:18:14.578Z",
    "dateReserved": "2024-12-29T08:45:45.731Z",
    "dateUpdated": "2025-10-01T19:57:13.496Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53104 (GCVE-0-2024-53104)

Vulnerability from cvelistv5 – Published: 2024-12-02 07:29 – Updated: 2025-11-03 22:29

Title

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

Summary

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/95edf13a48e75dc2c…
	https://git.kernel.org/stable/c/684022f81f128338f…
	https://git.kernel.org/stable/c/faff5bbb2762c44ec…
	https://git.kernel.org/stable/c/467d84dc78c9abf6b…
	https://git.kernel.org/stable/c/beced2cb09b58c124…
	https://git.kernel.org/stable/c/575a562f7a3ec2d54…
	https://git.kernel.org/stable/c/622ad10aae5f5e03b…
	https://git.kernel.org/stable/c/1ee9d9122801eb688…
	https://git.kernel.org/stable/c/ecf2b43018da95798…

Impacted products

Vendor

Product

Version

Linux

Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 95edf13a48e75dc2cc5b0bc57bf90d6948a22fe8 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 684022f81f128338fe3587ec967459669a1204ae (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < faff5bbb2762c44ec7426037b3000e77a11d6773 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 467d84dc78c9abf6b217ada22b3fdba336262e29 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < beced2cb09b58c1243733f374c560a55382003d6 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 575a562f7a3ec2d54ff77ab6810e3fbceef2a91d (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 622ad10aae5f5e03b7927ea95f7f32812f692bb5 (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < 1ee9d9122801eb688783acd07791f2906b87cb4f (git)
Affected: c0efd232929c2cd87238de2cccdaf4e845be5b0c , < ecf2b43018da9579842c774b7f35dbe11b5c38dd (git)

Linux

Affected: 2.6.26
Unaffected: 0 , < 2.6.26 (semver)
Unaffected: 4.19.324 , ≤ 4.19.* (semver)
Unaffected: 5.4.286 , ≤ 5.4.* (semver)
Unaffected: 5.10.230 , ≤ 5.10.* (semver)
Unaffected: 5.15.172 , ≤ 5.15.* (semver)
Unaffected: 6.1.117 , ≤ 6.1.* (semver)
Unaffected: 6.6.61 , ≤ 6.6.* (semver)
Unaffected: 6.11.8 , ≤ 6.11.* (semver)
Unaffected: 6.12.1 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-53104",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T13:29:32.093245Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-02-05",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53104"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:34.852Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53104"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-02-05T00:00:00+00:00",
            "value": "CVE-2024-53104 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:29:17.000Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_driver.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "95edf13a48e75dc2cc5b0bc57bf90d6948a22fe8",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "684022f81f128338fe3587ec967459669a1204ae",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "faff5bbb2762c44ec7426037b3000e77a11d6773",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "467d84dc78c9abf6b217ada22b3fdba336262e29",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "beced2cb09b58c1243733f374c560a55382003d6",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "575a562f7a3ec2d54ff77ab6810e3fbceef2a91d",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "622ad10aae5f5e03b7927ea95f7f32812f692bb5",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "1ee9d9122801eb688783acd07791f2906b87cb4f",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            },
            {
              "lessThan": "ecf2b43018da9579842c774b7f35dbe11b5c38dd",
              "status": "affected",
              "version": "c0efd232929c2cd87238de2cccdaf4e845be5b0c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_driver.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.26"
            },
            {
              "lessThan": "2.6.26",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.324",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.286",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.230",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.172",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.324",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.286",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.230",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.172",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.117",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.61",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.8",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.1",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format\n\nThis can lead to out of bounds writes since frames of this type were not\ntaken into account when calculating the size of the frames buffer in\nuvc_parse_streaming."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:53:07.798Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/95edf13a48e75dc2cc5b0bc57bf90d6948a22fe8"
        },
        {
          "url": "https://git.kernel.org/stable/c/684022f81f128338fe3587ec967459669a1204ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/faff5bbb2762c44ec7426037b3000e77a11d6773"
        },
        {
          "url": "https://git.kernel.org/stable/c/467d84dc78c9abf6b217ada22b3fdba336262e29"
        },
        {
          "url": "https://git.kernel.org/stable/c/beced2cb09b58c1243733f374c560a55382003d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/575a562f7a3ec2d54ff77ab6810e3fbceef2a91d"
        },
        {
          "url": "https://git.kernel.org/stable/c/622ad10aae5f5e03b7927ea95f7f32812f692bb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ee9d9122801eb688783acd07791f2906b87cb4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecf2b43018da9579842c774b7f35dbe11b5c38dd"
        }
      ],
      "title": "media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53104",
    "datePublished": "2024-12-02T07:29:27.261Z",
    "dateReserved": "2024-11-19T17:17:24.985Z",
    "dateUpdated": "2025-11-03T22:29:17.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56589 (GCVE-0-2024-56589)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:50 – Updated: 2025-11-03 20:50

Title

scsi: hisi_sas: Add cond_resched() for no forced preemption model

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Add cond_resched() for no forced preemption model For no forced preemption model kernel, in the scenario where the expander is connected to 12 high performance SAS SSDs, the following call trace may occur: [ 214.409199][ C240] watchdog: BUG: soft lockup - CPU#240 stuck for 22s! [irq/149-hisi_sa:3211] [ 214.568533][ C240] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) [ 214.575224][ C240] pc : fput_many+0x8c/0xdc [ 214.579480][ C240] lr : fput+0x1c/0xf0 [ 214.583302][ C240] sp : ffff80002de2b900 [ 214.587298][ C240] x29: ffff80002de2b900 x28: ffff1082aa412000 [ 214.593291][ C240] x27: ffff3062a0348c08 x26: ffff80003a9f6000 [ 214.599284][ C240] x25: ffff1062bbac5c40 x24: 0000000000001000 [ 214.605277][ C240] x23: 000000000000000a x22: 0000000000000001 [ 214.611270][ C240] x21: 0000000000001000 x20: 0000000000000000 [ 214.617262][ C240] x19: ffff3062a41ae580 x18: 0000000000010000 [ 214.623255][ C240] x17: 0000000000000001 x16: ffffdb3a6efe5fc0 [ 214.629248][ C240] x15: ffffffffffffffff x14: 0000000003ffffff [ 214.635241][ C240] x13: 000000000000ffff x12: 000000000000029c [ 214.641234][ C240] x11: 0000000000000006 x10: ffff80003a9f7fd0 [ 214.647226][ C240] x9 : ffffdb3a6f0482fc x8 : 0000000000000001 [ 214.653219][ C240] x7 : 0000000000000002 x6 : 0000000000000080 [ 214.659212][ C240] x5 : ffff55480ee9b000 x4 : fffffde7f94c6554 [ 214.665205][ C240] x3 : 0000000000000002 x2 : 0000000000000020 [ 214.671198][ C240] x1 : 0000000000000021 x0 : ffff3062a41ae5b8 [ 214.677191][ C240] Call trace: [ 214.680320][ C240] fput_many+0x8c/0xdc [ 214.684230][ C240] fput+0x1c/0xf0 [ 214.687707][ C240] aio_complete_rw+0xd8/0x1fc [ 214.692225][ C240] blkdev_bio_end_io+0x98/0x140 [ 214.696917][ C240] bio_endio+0x160/0x1bc [ 214.701001][ C240] blk_update_request+0x1c8/0x3bc [ 214.705867][ C240] scsi_end_request+0x3c/0x1f0 [ 214.710471][ C240] scsi_io_completion+0x7c/0x1a0 [ 214.715249][ C240] scsi_finish_command+0x104/0x140 [ 214.720200][ C240] scsi_softirq_done+0x90/0x180 [ 214.724892][ C240] blk_mq_complete_request+0x5c/0x70 [ 214.730016][ C240] scsi_mq_done+0x48/0xac [ 214.734194][ C240] sas_scsi_task_done+0xbc/0x16c [libsas] [ 214.739758][ C240] slot_complete_v3_hw+0x260/0x760 [hisi_sas_v3_hw] [ 214.746185][ C240] cq_thread_v3_hw+0xbc/0x190 [hisi_sas_v3_hw] [ 214.752179][ C240] irq_thread_fn+0x34/0xa4 [ 214.756435][ C240] irq_thread+0xc4/0x130 [ 214.760520][ C240] kthread+0x108/0x13c [ 214.764430][ C240] ret_from_fork+0x10/0x18 This is because in the hisi_sas driver, both the hardware interrupt handler and the interrupt thread are executed on the same CPU. In the performance test scenario, function irq_wait_for_interrupt() will always return 0 if lots of interrupts occurs and the CPU will be continuously consumed. As a result, the CPU cannot run the watchdog thread. When the watchdog time exceeds the specified time, call trace occurs. To fix it, add cond_resched() to execute the watchdog thread.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3dd2c5cb2c698a02a…
	https://git.kernel.org/stable/c/2174bbc235f79fce8…
	https://git.kernel.org/stable/c/2991a023896b79e67…
	https://git.kernel.org/stable/c/50ddf4b0e1a4cb5e9…
	https://git.kernel.org/stable/c/601f8001373fc3fba…
	https://git.kernel.org/stable/c/2233c4a0b94821174…

Impacted products

Vendor

Product

Version

Linux

Affected: 47caad1577cd7a39e2048c5e4edbce4b863dc12b , < 3dd2c5cb2c698a02a4ed2ea0acb7c9909374a8bf (git)
Affected: 47caad1577cd7a39e2048c5e4edbce4b863dc12b , < 2174bbc235f79fce88ea71fd08cf836568fcad5f (git)
Affected: 47caad1577cd7a39e2048c5e4edbce4b863dc12b , < 2991a023896b79e6753813ed88fbc98979713c73 (git)
Affected: 47caad1577cd7a39e2048c5e4edbce4b863dc12b , < 50ddf4b0e1a4cb5e9ca0aac3d0a73202b903c87f (git)
Affected: 47caad1577cd7a39e2048c5e4edbce4b863dc12b , < 601f8001373fc3fbad498f9be427254908b7fcce (git)
Affected: 47caad1577cd7a39e2048c5e4edbce4b863dc12b , < 2233c4a0b948211743659b24c13d6bd059fa75fc (git)

Linux

Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:50:12.609Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3dd2c5cb2c698a02a4ed2ea0acb7c9909374a8bf",
              "status": "affected",
              "version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
              "versionType": "git"
            },
            {
              "lessThan": "2174bbc235f79fce88ea71fd08cf836568fcad5f",
              "status": "affected",
              "version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
              "versionType": "git"
            },
            {
              "lessThan": "2991a023896b79e6753813ed88fbc98979713c73",
              "status": "affected",
              "version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
              "versionType": "git"
            },
            {
              "lessThan": "50ddf4b0e1a4cb5e9ca0aac3d0a73202b903c87f",
              "status": "affected",
              "version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
              "versionType": "git"
            },
            {
              "lessThan": "601f8001373fc3fbad498f9be427254908b7fcce",
              "status": "affected",
              "version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
              "versionType": "git"
            },
            {
              "lessThan": "2233c4a0b948211743659b24c13d6bd059fa75fc",
              "status": "affected",
              "version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Add cond_resched() for no forced preemption model\n\nFor no forced preemption model kernel, in the scenario where the\nexpander is connected to 12 high performance SAS SSDs, the following\ncall trace may occur:\n\n[  214.409199][  C240] watchdog: BUG: soft lockup - CPU#240 stuck for 22s! [irq/149-hisi_sa:3211]\n[  214.568533][  C240] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[  214.575224][  C240] pc : fput_many+0x8c/0xdc\n[  214.579480][  C240] lr : fput+0x1c/0xf0\n[  214.583302][  C240] sp : ffff80002de2b900\n[  214.587298][  C240] x29: ffff80002de2b900 x28: ffff1082aa412000\n[  214.593291][  C240] x27: ffff3062a0348c08 x26: ffff80003a9f6000\n[  214.599284][  C240] x25: ffff1062bbac5c40 x24: 0000000000001000\n[  214.605277][  C240] x23: 000000000000000a x22: 0000000000000001\n[  214.611270][  C240] x21: 0000000000001000 x20: 0000000000000000\n[  214.617262][  C240] x19: ffff3062a41ae580 x18: 0000000000010000\n[  214.623255][  C240] x17: 0000000000000001 x16: ffffdb3a6efe5fc0\n[  214.629248][  C240] x15: ffffffffffffffff x14: 0000000003ffffff\n[  214.635241][  C240] x13: 000000000000ffff x12: 000000000000029c\n[  214.641234][  C240] x11: 0000000000000006 x10: ffff80003a9f7fd0\n[  214.647226][  C240] x9 : ffffdb3a6f0482fc x8 : 0000000000000001\n[  214.653219][  C240] x7 : 0000000000000002 x6 : 0000000000000080\n[  214.659212][  C240] x5 : ffff55480ee9b000 x4 : fffffde7f94c6554\n[  214.665205][  C240] x3 : 0000000000000002 x2 : 0000000000000020\n[  214.671198][  C240] x1 : 0000000000000021 x0 : ffff3062a41ae5b8\n[  214.677191][  C240] Call trace:\n[  214.680320][  C240]  fput_many+0x8c/0xdc\n[  214.684230][  C240]  fput+0x1c/0xf0\n[  214.687707][  C240]  aio_complete_rw+0xd8/0x1fc\n[  214.692225][  C240]  blkdev_bio_end_io+0x98/0x140\n[  214.696917][  C240]  bio_endio+0x160/0x1bc\n[  214.701001][  C240]  blk_update_request+0x1c8/0x3bc\n[  214.705867][  C240]  scsi_end_request+0x3c/0x1f0\n[  214.710471][  C240]  scsi_io_completion+0x7c/0x1a0\n[  214.715249][  C240]  scsi_finish_command+0x104/0x140\n[  214.720200][  C240]  scsi_softirq_done+0x90/0x180\n[  214.724892][  C240]  blk_mq_complete_request+0x5c/0x70\n[  214.730016][  C240]  scsi_mq_done+0x48/0xac\n[  214.734194][  C240]  sas_scsi_task_done+0xbc/0x16c [libsas]\n[  214.739758][  C240]  slot_complete_v3_hw+0x260/0x760 [hisi_sas_v3_hw]\n[  214.746185][  C240]  cq_thread_v3_hw+0xbc/0x190 [hisi_sas_v3_hw]\n[  214.752179][  C240]  irq_thread_fn+0x34/0xa4\n[  214.756435][  C240]  irq_thread+0xc4/0x130\n[  214.760520][  C240]  kthread+0x108/0x13c\n[  214.764430][  C240]  ret_from_fork+0x10/0x18\n\nThis is because in the hisi_sas driver, both the hardware interrupt\nhandler and the interrupt thread are executed on the same CPU. In the\nperformance test scenario, function irq_wait_for_interrupt() will always\nreturn 0 if lots of interrupts occurs and the CPU will be continuously\nconsumed. As a result, the CPU cannot run the watchdog thread. When the\nwatchdog time exceeds the specified time, call trace occurs.\n\nTo fix it, add cond_resched() to execute the watchdog thread."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:59:09.845Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3dd2c5cb2c698a02a4ed2ea0acb7c9909374a8bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/2174bbc235f79fce88ea71fd08cf836568fcad5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2991a023896b79e6753813ed88fbc98979713c73"
        },
        {
          "url": "https://git.kernel.org/stable/c/50ddf4b0e1a4cb5e9ca0aac3d0a73202b903c87f"
        },
        {
          "url": "https://git.kernel.org/stable/c/601f8001373fc3fbad498f9be427254908b7fcce"
        },
        {
          "url": "https://git.kernel.org/stable/c/2233c4a0b948211743659b24c13d6bd059fa75fc"
        }
      ],
      "title": "scsi: hisi_sas: Add cond_resched() for no forced preemption model",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56589",
    "datePublished": "2024-12-27T14:50:56.983Z",
    "dateReserved": "2024-12-27T14:03:06.002Z",
    "dateUpdated": "2025-11-03T20:50:12.609Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56618 (GCVE-0-2024-56618)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-10-01 20:07

Title

pmdomain: imx: gpcv2: Adjust delay after power up handshake

Summary

In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx: gpcv2: Adjust delay after power up handshake The udelay(5) is not enough, sometimes below kernel panic still be triggered: [ 4.012973] Kernel panic - not syncing: Asynchronous SError Interrupt [ 4.012976] CPU: 2 UID: 0 PID: 186 Comm: (udev-worker) Not tainted 6.12.0-rc2-0.0.0-devel-00004-g8b1b79e88956 #1 [ 4.012982] Hardware name: Toradex Verdin iMX8M Plus WB on Dahlia Board (DT) [ 4.012985] Call trace: [...] [ 4.013029] arm64_serror_panic+0x64/0x70 [ 4.013034] do_serror+0x3c/0x70 [ 4.013039] el1h_64_error_handler+0x30/0x54 [ 4.013046] el1h_64_error+0x64/0x68 [ 4.013050] clk_imx8mp_audiomix_runtime_resume+0x38/0x48 [ 4.013059] __genpd_runtime_resume+0x30/0x80 [ 4.013066] genpd_runtime_resume+0x114/0x29c [ 4.013073] __rpm_callback+0x48/0x1e0 [ 4.013079] rpm_callback+0x68/0x80 [ 4.013084] rpm_resume+0x3bc/0x6a0 [ 4.013089] __pm_runtime_resume+0x50/0x9c [ 4.013095] pm_runtime_get_suppliers+0x60/0x8c [ 4.013101] __driver_probe_device+0x4c/0x14c [ 4.013108] driver_probe_device+0x3c/0x120 [ 4.013114] __driver_attach+0xc4/0x200 [ 4.013119] bus_for_each_dev+0x7c/0xe0 [ 4.013125] driver_attach+0x24/0x30 [ 4.013130] bus_add_driver+0x110/0x240 [ 4.013135] driver_register+0x68/0x124 [ 4.013142] __platform_driver_register+0x24/0x30 [ 4.013149] sdma_driver_init+0x20/0x1000 [imx_sdma] [ 4.013163] do_one_initcall+0x60/0x1e0 [ 4.013168] do_init_module+0x5c/0x21c [ 4.013175] load_module+0x1a98/0x205c [ 4.013181] init_module_from_file+0x88/0xd4 [ 4.013187] __arm64_sys_finit_module+0x258/0x350 [ 4.013194] invoke_syscall.constprop.0+0x50/0xe0 [ 4.013202] do_el0_svc+0xa8/0xe0 [ 4.013208] el0_svc+0x3c/0x140 [ 4.013215] el0t_64_sync_handler+0x120/0x12c [ 4.013222] el0t_64_sync+0x190/0x194 [ 4.013228] SMP: stopping secondary CPUs The correct way is to wait handshake, but it needs BUS clock of BLK-CTL be enabled, which is in separate driver. So delay is the only option here. The udelay(10) is a data got by experiment.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a63907c8c71241464…
	https://git.kernel.org/stable/c/2379fb937de533399…

Impacted products

Vendor

Product

Version

Linux

Affected: e8dc41afca161b988e6d462f4d0803d247e22250 , < a63907c8c712414643b597debcd09d16b6827b23 (git)
Affected: e8dc41afca161b988e6d462f4d0803d247e22250 , < 2379fb937de5333991c567eefd7d11b98977d059 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56618",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:00.196210Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:12.826Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pmdomain/imx/gpcv2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a63907c8c712414643b597debcd09d16b6827b23",
              "status": "affected",
              "version": "e8dc41afca161b988e6d462f4d0803d247e22250",
              "versionType": "git"
            },
            {
              "lessThan": "2379fb937de5333991c567eefd7d11b98977d059",
              "status": "affected",
              "version": "e8dc41afca161b988e6d462f4d0803d247e22250",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pmdomain/imx/gpcv2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx: gpcv2: Adjust delay after power up handshake\n\nThe udelay(5) is not enough, sometimes below kernel panic\nstill be triggered:\n\n[    4.012973] Kernel panic - not syncing: Asynchronous SError Interrupt\n[    4.012976] CPU: 2 UID: 0 PID: 186 Comm: (udev-worker) Not tainted 6.12.0-rc2-0.0.0-devel-00004-g8b1b79e88956 #1\n[    4.012982] Hardware name: Toradex Verdin iMX8M Plus WB on Dahlia Board (DT)\n[    4.012985] Call trace:\n[...]\n[    4.013029]  arm64_serror_panic+0x64/0x70\n[    4.013034]  do_serror+0x3c/0x70\n[    4.013039]  el1h_64_error_handler+0x30/0x54\n[    4.013046]  el1h_64_error+0x64/0x68\n[    4.013050]  clk_imx8mp_audiomix_runtime_resume+0x38/0x48\n[    4.013059]  __genpd_runtime_resume+0x30/0x80\n[    4.013066]  genpd_runtime_resume+0x114/0x29c\n[    4.013073]  __rpm_callback+0x48/0x1e0\n[    4.013079]  rpm_callback+0x68/0x80\n[    4.013084]  rpm_resume+0x3bc/0x6a0\n[    4.013089]  __pm_runtime_resume+0x50/0x9c\n[    4.013095]  pm_runtime_get_suppliers+0x60/0x8c\n[    4.013101]  __driver_probe_device+0x4c/0x14c\n[    4.013108]  driver_probe_device+0x3c/0x120\n[    4.013114]  __driver_attach+0xc4/0x200\n[    4.013119]  bus_for_each_dev+0x7c/0xe0\n[    4.013125]  driver_attach+0x24/0x30\n[    4.013130]  bus_add_driver+0x110/0x240\n[    4.013135]  driver_register+0x68/0x124\n[    4.013142]  __platform_driver_register+0x24/0x30\n[    4.013149]  sdma_driver_init+0x20/0x1000 [imx_sdma]\n[    4.013163]  do_one_initcall+0x60/0x1e0\n[    4.013168]  do_init_module+0x5c/0x21c\n[    4.013175]  load_module+0x1a98/0x205c\n[    4.013181]  init_module_from_file+0x88/0xd4\n[    4.013187]  __arm64_sys_finit_module+0x258/0x350\n[    4.013194]  invoke_syscall.constprop.0+0x50/0xe0\n[    4.013202]  do_el0_svc+0xa8/0xe0\n[    4.013208]  el0_svc+0x3c/0x140\n[    4.013215]  el0t_64_sync_handler+0x120/0x12c\n[    4.013222]  el0t_64_sync+0x190/0x194\n[    4.013228] SMP: stopping secondary CPUs\n\nThe correct way is to wait handshake, but it needs BUS clock of\nBLK-CTL be enabled, which is in separate driver. So delay is the\nonly option here. The udelay(10) is a data got by experiment."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:03.875Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a63907c8c712414643b597debcd09d16b6827b23"
        },
        {
          "url": "https://git.kernel.org/stable/c/2379fb937de5333991c567eefd7d11b98977d059"
        }
      ],
      "title": "pmdomain: imx: gpcv2: Adjust delay after power up handshake",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56618",
    "datePublished": "2024-12-27T14:51:22.592Z",
    "dateReserved": "2024-12-27T14:03:06.016Z",
    "dateUpdated": "2025-10-01T20:07:12.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56607 (GCVE-0-2024-56607)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-05-04 09:59

Title

wifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask() When I try to manually set bitrates: iw wlan0 set bitrates legacy-2.4 1 I get sleeping from invalid context error, see below. Fix that by switching to use recently introduced ieee80211_iterate_stations_mtx(). Do note that WCN6855 firmware is still crashing, I'm not sure if that firmware even supports bitrate WMI commands and should we consider disabling ath12k_mac_op_set_bitrate_mask() for WCN6855? But that's for another patch. BUG: sleeping function called from invalid context at drivers/net/wireless/ath/ath12k/wmi.c:420 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 2236, name: iw preempt_count: 0, expected: 0 RCU nest depth: 1, expected: 0 3 locks held by iw/2236: #0: ffffffffabc6f1d8 (cb_lock){++++}-{3:3}, at: genl_rcv+0x14/0x40 #1: ffff888138410810 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_pre_doit+0x54d/0x800 [cfg80211] #2: ffffffffab2cfaa0 (rcu_read_lock){....}-{1:2}, at: ieee80211_iterate_stations_atomic+0x2f/0x200 [mac80211] CPU: 3 UID: 0 PID: 2236 Comm: iw Not tainted 6.11.0-rc7-wt-ath+ #1772 Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 Call Trace: <TASK> dump_stack_lvl+0xa4/0xe0 dump_stack+0x10/0x20 __might_resched+0x363/0x5a0 ? __alloc_skb+0x165/0x340 __might_sleep+0xad/0x160 ath12k_wmi_cmd_send+0xb1/0x3d0 [ath12k] ? ath12k_wmi_init_wcn7850+0xa40/0xa40 [ath12k] ? __netdev_alloc_skb+0x45/0x7b0 ? __asan_memset+0x39/0x40 ? ath12k_wmi_alloc_skb+0xf0/0x150 [ath12k] ? reacquire_held_locks+0x4d0/0x4d0 ath12k_wmi_set_peer_param+0x340/0x5b0 [ath12k] ath12k_mac_disable_peer_fixed_rate+0xa3/0x110 [ath12k] ? ath12k_mac_vdev_stop+0x4f0/0x4f0 [ath12k] ieee80211_iterate_stations_atomic+0xd4/0x200 [mac80211] ath12k_mac_op_set_bitrate_mask+0x5d2/0x1080 [ath12k] ? ath12k_mac_vif_chan+0x320/0x320 [ath12k] drv_set_bitrate_mask+0x267/0x470 [mac80211] ieee80211_set_bitrate_mask+0x4cc/0x8a0 [mac80211] ? __this_cpu_preempt_check+0x13/0x20 nl80211_set_tx_bitrate_mask+0x2bc/0x530 [cfg80211] ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211] ? trace_contention_end+0xef/0x140 ? rtnl_unlock+0x9/0x10 ? nl80211_pre_doit+0x557/0x800 [cfg80211] genl_family_rcv_msg_doit+0x1f0/0x2e0 ? genl_family_rcv_msg_attrs_parse.isra.0+0x250/0x250 ? ns_capable+0x57/0xd0 genl_family_rcv_msg+0x34c/0x600 ? genl_family_rcv_msg_dumpit+0x310/0x310 ? __lock_acquire+0xc62/0x1de0 ? he_set_mcs_mask.isra.0+0x8d0/0x8d0 [cfg80211] ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211] ? cfg80211_external_auth_request+0x690/0x690 [cfg80211] genl_rcv_msg+0xa0/0x130 netlink_rcv_skb+0x14c/0x400 ? genl_family_rcv_msg+0x600/0x600 ? netlink_ack+0xd70/0xd70 ? rwsem_optimistic_spin+0x4f0/0x4f0 ? genl_rcv+0x14/0x40 ? down_read_killable+0x580/0x580 ? netlink_deliver_tap+0x13e/0x350 ? __this_cpu_preempt_check+0x13/0x20 genl_rcv+0x23/0x40 netlink_unicast+0x45e/0x790 ? netlink_attachskb+0x7f0/0x7f0 netlink_sendmsg+0x7eb/0xdb0 ? netlink_unicast+0x790/0x790 ? __this_cpu_preempt_check+0x13/0x20 ? selinux_socket_sendmsg+0x31/0x40 ? netlink_unicast+0x790/0x790 __sock_sendmsg+0xc9/0x160 ____sys_sendmsg+0x620/0x990 ? kernel_sendmsg+0x30/0x30 ? __copy_msghdr+0x410/0x410 ? __kasan_check_read+0x11/0x20 ? mark_lock+0xe6/0x1470 ___sys_sendmsg+0xe9/0x170 ? copy_msghdr_from_user+0x120/0x120 ? __lock_acquire+0xc62/0x1de0 ? do_fault_around+0x2c6/0x4e0 ? do_user_addr_fault+0x8c1/0xde0 ? reacquire_held_locks+0x220/0x4d0 ? do_user_addr_fault+0x8c1/0xde0 ? __kasan_check_read+0x11/0x20 ? __fdget+0x4e/0x1d0 ? sockfd_lookup_light+0x1a/0x170 __sys_sendmsg+0xd2/0x180 ? __sys_sendmsg_sock+0x20/0x20 ? reacquire_held_locks+0x4d0/0x4d0 ? debug_smp_processor_id+0x17/0x20 __x64_sys_sendmsg+0x72/0xb0 ? lockdep_hardirqs_on+0x7d/0x100 x64_sys_call+0x894/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_ ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3ed6b2daa4e902998…
	https://git.kernel.org/stable/c/2093f062b26805789…
	https://git.kernel.org/stable/c/8fac3266c68a8e647…

Impacted products

Vendor

Product

Version

Linux

Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 3ed6b2daa4e9029987885f86835ffbc003d11c01 (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 2093f062b26805789b73f2af214691475d9baa29 (git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 8fac3266c68a8e647240b8ac8d0b82f1821edf85 (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.70 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3ed6b2daa4e9029987885f86835ffbc003d11c01",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "2093f062b26805789b73f2af214691475d9baa29",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            },
            {
              "lessThan": "8fac3266c68a8e647240b8ac8d0b82f1821edf85",
              "status": "affected",
              "version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask()\n\nWhen I try to manually set bitrates:\n\niw wlan0 set bitrates legacy-2.4 1\n\nI get sleeping from invalid context error, see below. Fix that by switching to\nuse recently introduced ieee80211_iterate_stations_mtx().\n\nDo note that WCN6855 firmware is still crashing, I\u0027m not sure if that firmware\neven supports bitrate WMI commands and should we consider disabling\nath12k_mac_op_set_bitrate_mask() for WCN6855? But that\u0027s for another patch.\n\nBUG: sleeping function called from invalid context at drivers/net/wireless/ath/ath12k/wmi.c:420\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 2236, name: iw\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\n3 locks held by iw/2236:\n #0: ffffffffabc6f1d8 (cb_lock){++++}-{3:3}, at: genl_rcv+0x14/0x40\n #1: ffff888138410810 (\u0026rdev-\u003ewiphy.mtx){+.+.}-{3:3}, at: nl80211_pre_doit+0x54d/0x800 [cfg80211]\n #2: ffffffffab2cfaa0 (rcu_read_lock){....}-{1:2}, at: ieee80211_iterate_stations_atomic+0x2f/0x200 [mac80211]\nCPU: 3 UID: 0 PID: 2236 Comm: iw Not tainted 6.11.0-rc7-wt-ath+ #1772\nHardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xa4/0xe0\n dump_stack+0x10/0x20\n __might_resched+0x363/0x5a0\n ? __alloc_skb+0x165/0x340\n __might_sleep+0xad/0x160\n ath12k_wmi_cmd_send+0xb1/0x3d0 [ath12k]\n ? ath12k_wmi_init_wcn7850+0xa40/0xa40 [ath12k]\n ? __netdev_alloc_skb+0x45/0x7b0\n ? __asan_memset+0x39/0x40\n ? ath12k_wmi_alloc_skb+0xf0/0x150 [ath12k]\n ? reacquire_held_locks+0x4d0/0x4d0\n ath12k_wmi_set_peer_param+0x340/0x5b0 [ath12k]\n ath12k_mac_disable_peer_fixed_rate+0xa3/0x110 [ath12k]\n ? ath12k_mac_vdev_stop+0x4f0/0x4f0 [ath12k]\n ieee80211_iterate_stations_atomic+0xd4/0x200 [mac80211]\n ath12k_mac_op_set_bitrate_mask+0x5d2/0x1080 [ath12k]\n ? ath12k_mac_vif_chan+0x320/0x320 [ath12k]\n drv_set_bitrate_mask+0x267/0x470 [mac80211]\n ieee80211_set_bitrate_mask+0x4cc/0x8a0 [mac80211]\n ? __this_cpu_preempt_check+0x13/0x20\n nl80211_set_tx_bitrate_mask+0x2bc/0x530 [cfg80211]\n ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211]\n ? trace_contention_end+0xef/0x140\n ? rtnl_unlock+0x9/0x10\n ? nl80211_pre_doit+0x557/0x800 [cfg80211]\n genl_family_rcv_msg_doit+0x1f0/0x2e0\n ? genl_family_rcv_msg_attrs_parse.isra.0+0x250/0x250\n ? ns_capable+0x57/0xd0\n genl_family_rcv_msg+0x34c/0x600\n ? genl_family_rcv_msg_dumpit+0x310/0x310\n ? __lock_acquire+0xc62/0x1de0\n ? he_set_mcs_mask.isra.0+0x8d0/0x8d0 [cfg80211]\n ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211]\n ? cfg80211_external_auth_request+0x690/0x690 [cfg80211]\n genl_rcv_msg+0xa0/0x130\n netlink_rcv_skb+0x14c/0x400\n ? genl_family_rcv_msg+0x600/0x600\n ? netlink_ack+0xd70/0xd70\n ? rwsem_optimistic_spin+0x4f0/0x4f0\n ? genl_rcv+0x14/0x40\n ? down_read_killable+0x580/0x580\n ? netlink_deliver_tap+0x13e/0x350\n ? __this_cpu_preempt_check+0x13/0x20\n genl_rcv+0x23/0x40\n netlink_unicast+0x45e/0x790\n ? netlink_attachskb+0x7f0/0x7f0\n netlink_sendmsg+0x7eb/0xdb0\n ? netlink_unicast+0x790/0x790\n ? __this_cpu_preempt_check+0x13/0x20\n ? selinux_socket_sendmsg+0x31/0x40\n ? netlink_unicast+0x790/0x790\n __sock_sendmsg+0xc9/0x160\n ____sys_sendmsg+0x620/0x990\n ? kernel_sendmsg+0x30/0x30\n ? __copy_msghdr+0x410/0x410\n ? __kasan_check_read+0x11/0x20\n ? mark_lock+0xe6/0x1470\n ___sys_sendmsg+0xe9/0x170\n ? copy_msghdr_from_user+0x120/0x120\n ? __lock_acquire+0xc62/0x1de0\n ? do_fault_around+0x2c6/0x4e0\n ? do_user_addr_fault+0x8c1/0xde0\n ? reacquire_held_locks+0x220/0x4d0\n ? do_user_addr_fault+0x8c1/0xde0\n ? __kasan_check_read+0x11/0x20\n ? __fdget+0x4e/0x1d0\n ? sockfd_lookup_light+0x1a/0x170\n __sys_sendmsg+0xd2/0x180\n ? __sys_sendmsg_sock+0x20/0x20\n ? reacquire_held_locks+0x4d0/0x4d0\n ? debug_smp_processor_id+0x17/0x20\n __x64_sys_sendmsg+0x72/0xb0\n ? lockdep_hardirqs_on+0x7d/0x100\n x64_sys_call+0x894/0x9f0\n do_syscall_64+0x64/0x130\n entry_SYSCALL_64_after_\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:59:37.858Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3ed6b2daa4e9029987885f86835ffbc003d11c01"
        },
        {
          "url": "https://git.kernel.org/stable/c/2093f062b26805789b73f2af214691475d9baa29"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fac3266c68a8e647240b8ac8d0b82f1821edf85"
        }
      ],
      "title": "wifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56607",
    "datePublished": "2024-12-27T14:51:12.143Z",
    "dateReserved": "2024-12-27T14:03:06.013Z",
    "dateUpdated": "2025-05-04T09:59:37.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56619 (GCVE-0-2024-56619)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-11-03 20:51

Title

nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()

Summary

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() Syzbot reported that when searching for records in a directory where the inode's i_size is corrupted and has a large value, memory access outside the folio/page range may occur, or a use-after-free bug may be detected if KASAN is enabled. This is because nilfs_last_byte(), which is called by nilfs_find_entry() and others to calculate the number of valid bytes of directory data in a page from i_size and the page index, loses the upper 32 bits of the 64-bit size information due to an inappropriate type of local variable to which the i_size value is assigned. This caused a large byte offset value due to underflow in the end address calculation in the calling nilfs_find_entry(), resulting in memory access that exceeds the folio/page size. Fix this issue by changing the type of the local variable causing the bit loss from "unsigned int" to "u64". The return value of nilfs_last_byte() is also of type "unsigned int", but it is truncated so as not to exceed PAGE_SIZE and no bit loss occurs, so no change is required.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/09d6d05579fd46e61…
	https://git.kernel.org/stable/c/e3732102a9d638d86…
	https://git.kernel.org/stable/c/48eb6e7404948032b…
	https://git.kernel.org/stable/c/5af8366625182f01f…
	https://git.kernel.org/stable/c/c3afea07477baccdb…
	https://git.kernel.org/stable/c/31f7b57a77d4c82a3…
	https://git.kernel.org/stable/c/985ebec4ab0a28bb5…

Impacted products

Vendor

Product

Version

Linux

Affected: 2ba466d74ed74f073257f86e61519cb8f8f46184 , < 09d6d05579fd46e61abf6e457bb100ff11f3a9d3 (git)
Affected: 2ba466d74ed74f073257f86e61519cb8f8f46184 , < e3732102a9d638d8627d14fdf7b208462f0520e0 (git)
Affected: 2ba466d74ed74f073257f86e61519cb8f8f46184 , < 48eb6e7404948032bbe811c5affbe39f6b316951 (git)
Affected: 2ba466d74ed74f073257f86e61519cb8f8f46184 , < 5af8366625182f01f6d8465c9a3210574673af57 (git)
Affected: 2ba466d74ed74f073257f86e61519cb8f8f46184 , < c3afea07477baccdbdec4483f8d5e59d42a3f67f (git)
Affected: 2ba466d74ed74f073257f86e61519cb8f8f46184 , < 31f7b57a77d4c82a34ddcb6ff35b5aa577ef153e (git)
Affected: 2ba466d74ed74f073257f86e61519cb8f8f46184 , < 985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d (git)

Linux

Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56619",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:59.486282Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:22.383Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:08.191Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "09d6d05579fd46e61abf6e457bb100ff11f3a9d3",
              "status": "affected",
              "version": "2ba466d74ed74f073257f86e61519cb8f8f46184",
              "versionType": "git"
            },
            {
              "lessThan": "e3732102a9d638d8627d14fdf7b208462f0520e0",
              "status": "affected",
              "version": "2ba466d74ed74f073257f86e61519cb8f8f46184",
              "versionType": "git"
            },
            {
              "lessThan": "48eb6e7404948032bbe811c5affbe39f6b316951",
              "status": "affected",
              "version": "2ba466d74ed74f073257f86e61519cb8f8f46184",
              "versionType": "git"
            },
            {
              "lessThan": "5af8366625182f01f6d8465c9a3210574673af57",
              "status": "affected",
              "version": "2ba466d74ed74f073257f86e61519cb8f8f46184",
              "versionType": "git"
            },
            {
              "lessThan": "c3afea07477baccdbdec4483f8d5e59d42a3f67f",
              "status": "affected",
              "version": "2ba466d74ed74f073257f86e61519cb8f8f46184",
              "versionType": "git"
            },
            {
              "lessThan": "31f7b57a77d4c82a34ddcb6ff35b5aa577ef153e",
              "status": "affected",
              "version": "2ba466d74ed74f073257f86e61519cb8f8f46184",
              "versionType": "git"
            },
            {
              "lessThan": "985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d",
              "status": "affected",
              "version": "2ba466d74ed74f073257f86e61519cb8f8f46184",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()\n\nSyzbot reported that when searching for records in a directory where the\ninode\u0027s i_size is corrupted and has a large value, memory access outside\nthe folio/page range may occur, or a use-after-free bug may be detected if\nKASAN is enabled.\n\nThis is because nilfs_last_byte(), which is called by nilfs_find_entry()\nand others to calculate the number of valid bytes of directory data in a\npage from i_size and the page index, loses the upper 32 bits of the 64-bit\nsize information due to an inappropriate type of local variable to which\nthe i_size value is assigned.\n\nThis caused a large byte offset value due to underflow in the end address\ncalculation in the calling nilfs_find_entry(), resulting in memory access\nthat exceeds the folio/page size.\n\nFix this issue by changing the type of the local variable causing the bit\nloss from \"unsigned int\" to \"u64\".  The return value of nilfs_last_byte()\nis also of type \"unsigned int\", but it is truncated so as not to exceed\nPAGE_SIZE and no bit loss occurs, so no change is required."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:06.030Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/09d6d05579fd46e61abf6e457bb100ff11f3a9d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3732102a9d638d8627d14fdf7b208462f0520e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/48eb6e7404948032bbe811c5affbe39f6b316951"
        },
        {
          "url": "https://git.kernel.org/stable/c/5af8366625182f01f6d8465c9a3210574673af57"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3afea07477baccdbdec4483f8d5e59d42a3f67f"
        },
        {
          "url": "https://git.kernel.org/stable/c/31f7b57a77d4c82a34ddcb6ff35b5aa577ef153e"
        },
        {
          "url": "https://git.kernel.org/stable/c/985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d"
        }
      ],
      "title": "nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56619",
    "datePublished": "2024-12-27T14:51:23.516Z",
    "dateReserved": "2024-12-27T14:03:06.016Z",
    "dateUpdated": "2025-11-03T20:51:08.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56611 (GCVE-0-2024-56611)

Vulnerability from cvelistv5 – Published: 2024-12-27 14:51 – Updated: 2025-10-01 20:07

Title

mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM We currently assume that there is at least one VMA in a MM, which isn't true. So we might end up having find_vma() return NULL, to then de-reference NULL. So properly handle find_vma() returning NULL. This fixes the report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 RIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline] RIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194 Code: ... RSP: 0018:ffffc9000375fd08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000 RDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044 RBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1 R10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003 R13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8 FS: 00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709 __do_sys_migrate_pages mm/mempolicy.c:1727 [inline] __se_sys_migrate_pages mm/mempolicy.c:1723 [inline] __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [akpm@linux-foundation.org: add unlikely()]

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a13b2b9b0b0b04612…
	https://git.kernel.org/stable/c/42d9fe2adf8613f9e…
	https://git.kernel.org/stable/c/091c1dd2d4df6edd1…

Impacted products

Vendor

Product

Version

Linux

Affected: 39743889aaf76725152f16aa90ca3c45f6d52da3 , < a13b2b9b0b0b04612c7d81e3b3dfb485c5f7abc3 (git)
Affected: 39743889aaf76725152f16aa90ca3c45f6d52da3 , < 42d9fe2adf8613f9eea1f0c2619c9e2611eae0ea (git)
Affected: 39743889aaf76725152f16aa90ca3c45f6d52da3 , < 091c1dd2d4df6edd1beebe0e5863d4034ade9572 (git)

Linux

Affected: 2.6.16
Unaffected: 0 , < 2.6.16 (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56611",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:01:24.636376Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:07:13.756Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/mempolicy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a13b2b9b0b0b04612c7d81e3b3dfb485c5f7abc3",
              "status": "affected",
              "version": "39743889aaf76725152f16aa90ca3c45f6d52da3",
              "versionType": "git"
            },
            {
              "lessThan": "42d9fe2adf8613f9eea1f0c2619c9e2611eae0ea",
              "status": "affected",
              "version": "39743889aaf76725152f16aa90ca3c45f6d52da3",
              "versionType": "git"
            },
            {
              "lessThan": "091c1dd2d4df6edd1beebe0e5863d4034ade9572",
              "status": "affected",
              "version": "39743889aaf76725152f16aa90ca3c45f6d52da3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/mempolicy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.16"
            },
            {
              "lessThan": "2.6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM\n\nWe currently assume that there is at least one VMA in a MM, which isn\u0027t\ntrue.\n\nSo we might end up having find_vma() return NULL, to then de-reference\nNULL.  So properly handle find_vma() returning NULL.\n\nThis fixes the report:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nRIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline]\nRIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194\nCode: ...\nRSP: 0018:ffffc9000375fd08 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000\nRDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044\nRBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1\nR10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003\nR13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8\nFS:  00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709\n __do_sys_migrate_pages mm/mempolicy.c:1727 [inline]\n __se_sys_migrate_pages mm/mempolicy.c:1723 [inline]\n __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[akpm@linux-foundation.org: add unlikely()]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:59:49.322Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a13b2b9b0b0b04612c7d81e3b3dfb485c5f7abc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/42d9fe2adf8613f9eea1f0c2619c9e2611eae0ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/091c1dd2d4df6edd1beebe0e5863d4034ade9572"
        }
      ],
      "title": "mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56611",
    "datePublished": "2024-12-27T14:51:16.163Z",
    "dateReserved": "2024-12-27T14:03:06.013Z",
    "dateUpdated": "2025-10-01T20:07:13.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56638 (GCVE-0-2024-56638)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:02 – Updated: 2025-05-04 10:00

Title

netfilter: nft_inner: incorrect percpu area handling under softirq

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: incorrect percpu area handling under softirq Softirq can interrupt ongoing packet from process context that is walking over the percpu area that contains inner header offsets. Disable bh and perform three checks before restoring the percpu inner header offsets to validate that the percpu area is valid for this skbuff: 1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff has already been parsed before for inner header fetching to register. 2) Validate that the percpu area refers to this skbuff using the skbuff pointer as a cookie. If there is a cookie mismatch, then this skbuff needs to be parsed again. 3) Finally, validate if the percpu area refers to this tunnel type. Only after these three checks the percpu area is restored to a on-stack copy and bh is enabled again. After inner header fetching, the on-stack copy is stored back to the percpu area.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/53c7314208c865086…
	https://git.kernel.org/stable/c/da5cc778e7bf78fe5…
	https://git.kernel.org/stable/c/7b1d83da254be3bf0…

Impacted products

Vendor

Product

Version

Linux

Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < 53c7314208c865086d78b4e88da53bc33da0b603 (git)
Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < da5cc778e7bf78fe525bc90ec2043f41415c31d9 (git)
Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < 7b1d83da254be3bf054965c8f3b1ad976f460ae5 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_tables_core.h",
            "net/netfilter/nft_inner.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "53c7314208c865086d78b4e88da53bc33da0b603",
              "status": "affected",
              "version": "3a07327d10a09379315c844c63f27941f5081e0a",
              "versionType": "git"
            },
            {
              "lessThan": "da5cc778e7bf78fe525bc90ec2043f41415c31d9",
              "status": "affected",
              "version": "3a07327d10a09379315c844c63f27941f5081e0a",
              "versionType": "git"
            },
            {
              "lessThan": "7b1d83da254be3bf054965c8f3b1ad976f460ae5",
              "status": "affected",
              "version": "3a07327d10a09379315c844c63f27941f5081e0a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_tables_core.h",
            "net/netfilter/nft_inner.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: incorrect percpu area handling under softirq\n\nSoftirq can interrupt ongoing packet from process context that is\nwalking over the percpu area that contains inner header offsets.\n\nDisable bh and perform three checks before restoring the percpu inner\nheader offsets to validate that the percpu area is valid for this\nskbuff:\n\n1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff\n   has already been parsed before for inner header fetching to\n   register.\n\n2) Validate that the percpu area refers to this skbuff using the\n   skbuff pointer as a cookie. If there is a cookie mismatch, then\n   this skbuff needs to be parsed again.\n\n3) Finally, validate if the percpu area refers to this tunnel type.\n\nOnly after these three checks the percpu area is restored to a on-stack\ncopy and bh is enabled again.\n\nAfter inner header fetching, the on-stack copy is stored back to the\npercpu area."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:44.112Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/53c7314208c865086d78b4e88da53bc33da0b603"
        },
        {
          "url": "https://git.kernel.org/stable/c/da5cc778e7bf78fe525bc90ec2043f41415c31d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b1d83da254be3bf054965c8f3b1ad976f460ae5"
        }
      ],
      "title": "netfilter: nft_inner: incorrect percpu area handling under softirq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56638",
    "datePublished": "2024-12-27T15:02:40.796Z",
    "dateReserved": "2024-12-27T15:00:39.839Z",
    "dateUpdated": "2025-05-04T10:00:44.112Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57883 (GCVE-0-2024-57883)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:05 – Updated: 2025-11-03 17:31

Title

mm: hugetlb: independent PMD page table shared count

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked: BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) page_type: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BAD_PAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 dump_stack+0x18/0x28 bad_page+0x8c/0x130 free_page_is_bad_report+0xa4/0xb0 free_unref_page+0x3cc/0x620 __folio_put+0xf4/0x158 split_huge_pages_all+0x1e0/0x3e8 split_huge_pages_write+0x25c/0x2d8 full_proxy_write+0x64/0xd8 vfs_write+0xcc/0x280 ksys_write+0x70/0x110 __arm64_sys_write+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 The issue may be triggered by damon, offline_page, page_idle, etc, which will increase the refcount of page table. 1. The page table itself will be discarded after reporting the "nonzero mapcount". 2. The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped. Fix it by introducing independent PMD page table shared count. As described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/94b4b41d0cdf5cfd4…
	https://git.kernel.org/stable/c/8410996eb6fea116f…
	https://git.kernel.org/stable/c/02333ac1c35370517…
	https://git.kernel.org/stable/c/56b274473d6e7e737…
	https://git.kernel.org/stable/c/2e31443a0d18ae43b…
	https://git.kernel.org/stable/c/59d9094df3d794439…

Impacted products

Vendor

Product

Version

Linux

Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133 (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 8410996eb6fea116fe1483ed977aacf580eee7b4 (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 02333ac1c35370517a19a4a131332a9690c6a5c7 (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 56b274473d6e7e7375f2d0a2b4aca11d67c6b52f (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 2e31443a0d18ae43b9d29e02bf0563f07772193d (git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 59d9094df3d79443937add8700b2ef1a866b1081 (git)

Linux

Affected: 2.6.20
Unaffected: 0 , < 2.6.20 (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.9 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:29.588Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/mm.h",
            "include/linux/mm_types.h",
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "8410996eb6fea116fe1483ed977aacf580eee7b4",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "02333ac1c35370517a19a4a131332a9690c6a5c7",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "56b274473d6e7e7375f2d0a2b4aca11d67c6b52f",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "2e31443a0d18ae43b9d29e02bf0563f07772193d",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            },
            {
              "lessThan": "59d9094df3d79443937add8700b2ef1a866b1081",
              "status": "affected",
              "version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/mm.h",
            "include/linux/mm_types.h",
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: independent PMD page table shared count\n\nThe folio refcount may be increased unexpectly through try_get_folio() by\ncaller such as split_huge_pages.  In huge_pmd_unshare(), we use refcount\nto check whether a pmd page table is shared.  The check is incorrect if\nthe refcount is increased by the above caller, and this can cause the page\ntable leaked:\n\n BUG: Bad page state in process sh  pfn:109324\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324\n flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)\n page_type: f2(table)\n raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000\n raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000\n page dumped because: nonzero mapcount\n ...\n CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G    B              6.13.0-rc2master+ #7\n Tainted: [B]=BAD_PAGE\n Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n  show_stack+0x20/0x38 (C)\n  dump_stack_lvl+0x80/0xf8\n  dump_stack+0x18/0x28\n  bad_page+0x8c/0x130\n  free_page_is_bad_report+0xa4/0xb0\n  free_unref_page+0x3cc/0x620\n  __folio_put+0xf4/0x158\n  split_huge_pages_all+0x1e0/0x3e8\n  split_huge_pages_write+0x25c/0x2d8\n  full_proxy_write+0x64/0xd8\n  vfs_write+0xcc/0x280\n  ksys_write+0x70/0x110\n  __arm64_sys_write+0x24/0x38\n  invoke_syscall+0x50/0x120\n  el0_svc_common.constprop.0+0xc8/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x34/0x128\n  el0t_64_sync_handler+0xc8/0xd0\n  el0t_64_sync+0x190/0x198\n\nThe issue may be triggered by damon, offline_page, page_idle, etc, which\nwill increase the refcount of page table.\n\n1. The page table itself will be discarded after reporting the\n   \"nonzero mapcount\".\n\n2. The HugeTLB page mapped by the page table miss freeing since we\n   treat the page table as shared and a shared page table will not be\n   unmapped.\n\nFix it by introducing independent PMD page table shared count.  As\ndescribed by comment, pt_index/pt_mm/pt_frag_refcount are used for s390\ngmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv\npmds, so we can reuse the field as pt_share_count."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T10:21:12.793Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133"
        },
        {
          "url": "https://git.kernel.org/stable/c/8410996eb6fea116fe1483ed977aacf580eee7b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/02333ac1c35370517a19a4a131332a9690c6a5c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/56b274473d6e7e7375f2d0a2b4aca11d67c6b52f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e31443a0d18ae43b9d29e02bf0563f07772193d"
        },
        {
          "url": "https://git.kernel.org/stable/c/59d9094df3d79443937add8700b2ef1a866b1081"
        }
      ],
      "title": "mm: hugetlb: independent PMD page table shared count",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57883",
    "datePublished": "2025-01-15T13:05:36.352Z",
    "dateReserved": "2025-01-11T14:45:42.024Z",
    "dateUpdated": "2025-11-03T17:31:29.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57935 (GCVE-0-2024-57935)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:01 – Updated: 2025-05-04 13:01

Title

RDMA/hns: Fix accessing invalid dip_ctx during destroying QP

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix accessing invalid dip_ctx during destroying QP If it fails to modify QP to RTR, dip_ctx will not be attached. And during detroying QP, the invalid dip_ctx pointer will be accessed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a448c775f0aec6cfb…
	https://git.kernel.org/stable/c/0572eccf239ce4bd8…

Impacted products

Vendor

Product

Version

Linux

Affected: f48084857b9e3d73c1d290307b5a11f61e6f666a , < a448c775f0aec6cfbee4bda561447c707153504a (git)
Affected: faa62440a5772b40bb7d78bf9e29556a82ecf153 , < 0572eccf239ce4bd89bd531767ec5ab20e249290 (git)
Affected: 84707ec6f651df98a141cad59f726d30e6f15574 (git)

Linux

Affected: 6.12.2 , < 6.12.9 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_hw_v2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a448c775f0aec6cfbee4bda561447c707153504a",
              "status": "affected",
              "version": "f48084857b9e3d73c1d290307b5a11f61e6f666a",
              "versionType": "git"
            },
            {
              "lessThan": "0572eccf239ce4bd89bd531767ec5ab20e249290",
              "status": "affected",
              "version": "faa62440a5772b40bb7d78bf9e29556a82ecf153",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "84707ec6f651df98a141cad59f726d30e6f15574",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_hw_v2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.12.9",
              "status": "affected",
              "version": "6.12.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.12.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix accessing invalid dip_ctx during destroying QP\n\nIf it fails to modify QP to RTR, dip_ctx will not be attached. And\nduring detroying QP, the invalid dip_ctx pointer will be accessed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:41.875Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a448c775f0aec6cfbee4bda561447c707153504a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0572eccf239ce4bd89bd531767ec5ab20e249290"
        }
      ],
      "title": "RDMA/hns: Fix accessing invalid dip_ctx during destroying QP",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57935",
    "datePublished": "2025-01-21T12:01:31.236Z",
    "dateReserved": "2025-01-19T11:50:08.377Z",
    "dateUpdated": "2025-05-04T13:01:41.875Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21660 (GCVE-0-2025-21660)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-11-03 20:58

Title

ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked When `ksmbd_vfs_kern_path_locked` met an error and it is not the last entry, it will exit without restoring changed path buffer. But later this buffer may be used as the filename for creation.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/13e41c58c74baa71f…
	https://git.kernel.org/stable/c/65b31b9d992c0fb06…
	https://git.kernel.org/stable/c/51669f4af5f795956…
	https://git.kernel.org/stable/c/2ac538e40278a2c0c…

Impacted products

Vendor

Product

Version

Linux

Affected: d1b2d2a9c912fc7b788985fbaf944e80f4b3f2af , < 13e41c58c74baa71f34c0830eaa3c29d53a6e964 (git)
Affected: 6ab95e27b77730de3fa2d601db3764490c5eede2 , < 65b31b9d992c0fb0685c51a0cf09993832734fc4 (git)
Affected: c5a709f08d40b1a082e44ffcde1aea4d2822ddd5 , < 51669f4af5f7959565b48e55691ba92fabf5c587 (git)
Affected: c5a709f08d40b1a082e44ffcde1aea4d2822ddd5 , < 2ac538e40278a2c0c051cca81bcaafc547d61372 (git)
Affected: d205cb1a13b37b2660df70a972dedc8c4ba1c2e8 (git)
Affected: c1e27b70e79050530c671b9dab688386c86f039a (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:36.129Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/vfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "13e41c58c74baa71f34c0830eaa3c29d53a6e964",
              "status": "affected",
              "version": "d1b2d2a9c912fc7b788985fbaf944e80f4b3f2af",
              "versionType": "git"
            },
            {
              "lessThan": "65b31b9d992c0fb0685c51a0cf09993832734fc4",
              "status": "affected",
              "version": "6ab95e27b77730de3fa2d601db3764490c5eede2",
              "versionType": "git"
            },
            {
              "lessThan": "51669f4af5f7959565b48e55691ba92fabf5c587",
              "status": "affected",
              "version": "c5a709f08d40b1a082e44ffcde1aea4d2822ddd5",
              "versionType": "git"
            },
            {
              "lessThan": "2ac538e40278a2c0c051cca81bcaafc547d61372",
              "status": "affected",
              "version": "c5a709f08d40b1a082e44ffcde1aea4d2822ddd5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d205cb1a13b37b2660df70a972dedc8c4ba1c2e8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c1e27b70e79050530c671b9dab688386c86f039a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/vfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "6.1.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.6.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked\n\nWhen `ksmbd_vfs_kern_path_locked` met an error and it is not the last\nentry, it will exit without restoring changed path buffer. But later this\nbuffer may be used as the filename for creation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:12.428Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/13e41c58c74baa71f34c0830eaa3c29d53a6e964"
        },
        {
          "url": "https://git.kernel.org/stable/c/65b31b9d992c0fb0685c51a0cf09993832734fc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/51669f4af5f7959565b48e55691ba92fabf5c587"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ac538e40278a2c0c051cca81bcaafc547d61372"
        }
      ],
      "title": "ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21660",
    "datePublished": "2025-01-21T12:18:16.062Z",
    "dateReserved": "2024-12-29T08:45:45.732Z",
    "dateUpdated": "2025-11-03T20:58:36.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-41935 (GCVE-0-2024-41935)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2025-07-11 17:19

Title

f2fs: fix to shrink read extent node in batches

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to shrink read extent node in batches We use rwlock to protect core structure data of extent tree during its shrink, however, if there is a huge number of extent nodes in extent tree, during shrink of extent tree, it may hold rwlock for a very long time, which may trigger kernel hang issue. This patch fixes to shrink read extent node in batches, so that, critical region of the rwlock can be shrunk to avoid its extreme long time hold.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/295b50e95e900da31…
	https://git.kernel.org/stable/c/924f7dd1e832e4e45…
	https://git.kernel.org/stable/c/3fc5d5a182f6a1f8b…

Impacted products

Vendor

Product

Version

Linux

Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 295b50e95e900da31ff237e46e04525fa799b2cf (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 924f7dd1e832e4e4530d14711db223d2803f7b61 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 6.6.66 , ≤ 6.6.* (semver)
Unaffected: 6.12.5 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/extent_cache.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "295b50e95e900da31ff237e46e04525fa799b2cf",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "924f7dd1e832e4e4530d14711db223d2803f7b61",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/extent_cache.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to shrink read extent node in batches\n\nWe use rwlock to protect core structure data of extent tree during\nits shrink, however, if there is a huge number of extent nodes in\nextent tree, during shrink of extent tree, it may hold rwlock for\na very long time, which may trigger kernel hang issue.\n\nThis patch fixes to shrink read extent node in batches, so that,\ncritical region of the rwlock can be shrunk to avoid its extreme\nlong time hold."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T17:19:54.101Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/295b50e95e900da31ff237e46e04525fa799b2cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/924f7dd1e832e4e4530d14711db223d2803f7b61"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343"
        }
      ],
      "title": "f2fs: fix to shrink read extent node in batches",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-41935",
    "datePublished": "2025-01-11T12:25:09.701Z",
    "dateReserved": "2025-01-09T09:49:29.702Z",
    "dateUpdated": "2025-07-11T17:19:54.101Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-54680 (GCVE-0-2024-54680)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:35 – Updated: 2025-04-02 15:20

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2025-04-02T15:20:35.748Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-54680",
    "datePublished": "2025-01-11T12:35:43.170Z",
    "dateRejected": "2025-04-02T15:20:35.748Z",
    "dateReserved": "2025-01-11T12:33:33.715Z",
    "dateUpdated": "2025-04-02T15:20:35.748Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47408 (GCVE-0-2024-47408)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:35 – Updated: 2025-11-03 20:39

Title

net/smc: check smcd_v2_ext_offset when receiving proposal msg

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: check smcd_v2_ext_offset when receiving proposal msg When receiving proposal msg in server, the field smcd_v2_ext_offset in proposal msg is from the remote client and can not be fully trusted. Once the value of smcd_v2_ext_offset exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the value of smcd_v2_ext_offset before using it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a36364d8d4fabb105…
	https://git.kernel.org/stable/c/e1cc8be2a785a8f1c…
	https://git.kernel.org/stable/c/935caf324b445fe73…
	https://git.kernel.org/stable/c/48d5a8a304a643613…
	https://git.kernel.org/stable/c/9ab332deb671d8f7e…

Impacted products

Vendor

Product

Version

Linux

Affected: 5c21c4ccafe85906db809de3af391fd434df8a27 , < a36364d8d4fabb105001f992fb8ff2d3546203d6 (git)
Affected: 5c21c4ccafe85906db809de3af391fd434df8a27 , < e1cc8be2a785a8f1ce1f597f3e608602c5fccd46 (git)
Affected: 5c21c4ccafe85906db809de3af391fd434df8a27 , < 935caf324b445fe73d7708fae6f7176fb243f357 (git)
Affected: 5c21c4ccafe85906db809de3af391fd434df8a27 , < 48d5a8a304a643613dab376a278f29d3e22f7c34 (git)
Affected: 5c21c4ccafe85906db809de3af391fd434df8a27 , < 9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.15.176 , ≤ 5.15.* (semver)
Unaffected: 6.1.122 , ≤ 6.1.* (semver)
Unaffected: 6.6.68 , ≤ 6.6.* (semver)
Unaffected: 6.12.7 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:39:33.276Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc_clc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a36364d8d4fabb105001f992fb8ff2d3546203d6",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            },
            {
              "lessThan": "e1cc8be2a785a8f1ce1f597f3e608602c5fccd46",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            },
            {
              "lessThan": "935caf324b445fe73d7708fae6f7176fb243f357",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            },
            {
              "lessThan": "48d5a8a304a643613dab376a278f29d3e22f7c34",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            },
            {
              "lessThan": "9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc_clc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check smcd_v2_ext_offset when receiving proposal msg\n\nWhen receiving proposal msg in server, the field smcd_v2_ext_offset in\nproposal msg is from the remote client and can not be fully trusted.\nOnce the value of smcd_v2_ext_offset exceed the max value, there has\nthe chance to access wrong address, and crash may happen.\n\nThis patch checks the value of smcd_v2_ext_offset before using it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:36:30.974Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a36364d8d4fabb105001f992fb8ff2d3546203d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1cc8be2a785a8f1ce1f597f3e608602c5fccd46"
        },
        {
          "url": "https://git.kernel.org/stable/c/935caf324b445fe73d7708fae6f7176fb243f357"
        },
        {
          "url": "https://git.kernel.org/stable/c/48d5a8a304a643613dab376a278f29d3e22f7c34"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad"
        }
      ],
      "title": "net/smc: check smcd_v2_ext_offset when receiving proposal msg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-47408",
    "datePublished": "2025-01-11T12:35:35.284Z",
    "dateReserved": "2025-01-11T12:34:02.588Z",
    "dateUpdated": "2025-11-03T20:39:33.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21834 (GCVE-0-2025-21834)

Vulnerability from cvelistv5 – Published: 2025-03-06 16:22 – Updated: 2025-05-04 07:22

Title

seccomp: passthrough uretprobe systemcall without filtering

Summary

In the Linux kernel, the following vulnerability has been resolved: seccomp: passthrough uretprobe systemcall without filtering When attaching uretprobes to processes running inside docker, the attached process is segfaulted when encountering the retprobe. The reason is that now that uretprobe is a system call the default seccomp filters in docker block it as they only allow a specific set of known syscalls. This is true for other userspace applications which use seccomp to control their syscall surface. Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, it is impractical and there's very little point in forcing all userspace applications to explicitly allow it in order to avoid crashing tracked processes. Pass this systemcall through seccomp without depending on configuration. Note: uretprobe is currently only x86_64 and isn't expected to ever be supported in i386. [kees: minimized changes for easier backporting, tweaked commit log]

Severity

CERTFR-2025-AVI-0254

Solutions

Action not permitted

CERTFR-2025-AVI-0254

Solutions

CVE-2024-57908 (GCVE-0-2024-57908)

CVE-2024-56626 (GCVE-0-2024-56626)

CVE-2024-56599 (GCVE-0-2024-56599)

CVE-2024-57805 (GCVE-0-2024-57805)

CVE-2024-56776 (GCVE-0-2024-56776)

CVE-2025-21634 (GCVE-0-2025-21634)

CVE-2024-56568 (GCVE-0-2024-56568)

CVE-2024-56670 (GCVE-0-2024-56670)

CVE-2024-56777 (GCVE-0-2024-56777)

CVE-2024-56640 (GCVE-0-2024-56640)

CVE-2024-52332 (GCVE-0-2024-52332)

CVE-2024-56624 (GCVE-0-2024-56624)

CVE-2024-57872 (GCVE-0-2024-57872)

CVE-2024-56558 (GCVE-0-2024-56558)

CVE-2024-55639 (GCVE-0-2024-55639)

CVE-2024-57887 (GCVE-0-2024-57887)

CVE-2024-56768 (GCVE-0-2024-56768)

CVE-2024-56372 (GCVE-0-2024-56372)

CVE-2024-53682 (GCVE-0-2024-53682)

CVE-2024-56652 (GCVE-0-2024-56652)

CVE-2024-56602 (GCVE-0-2024-56602)

CVE-2024-50051 (GCVE-0-2024-50051)

CVE-2024-56718 (GCVE-0-2024-56718)

CVE-2024-56711 (GCVE-0-2024-56711)

CVE-2024-57880 (GCVE-0-2024-57880)

CVE-2024-57929 (GCVE-0-2024-57929)

CVE-2024-56573 (GCVE-0-2024-56573)

CVE-2024-57913 (GCVE-0-2024-57913)

CVE-2024-57799 (GCVE-0-2024-57799)

CVE-2024-57921 (GCVE-0-2024-57921)

CVE-2024-57910 (GCVE-0-2024-57910)

CVE-2024-55641 (GCVE-0-2024-55641)

CVE-2024-56649 (GCVE-0-2024-56649)

CVE-2024-57925 (GCVE-0-2024-57925)

CVE-2025-21662 (GCVE-0-2025-21662)

CVE-2024-57857 (GCVE-0-2024-57857)

CVE-2024-57874 (GCVE-0-2024-57874)

CVE-2024-56780 (GCVE-0-2024-56780)

CVE-2024-57912 (GCVE-0-2024-57912)

CVE-2024-56631 (GCVE-0-2024-56631)

CVE-2024-55881 (GCVE-0-2024-55881)

CVE-2024-56621 (GCVE-0-2024-56621)

CVE-2024-47143 (GCVE-0-2024-47143)

CVE-2024-57918 (GCVE-0-2024-57918)

CVE-2024-57945 (GCVE-0-2024-57945)

CVE-2025-21636 (GCVE-0-2025-21636)

CVE-2024-56637 (GCVE-0-2024-56637)

CVE-2024-57878 (GCVE-0-2024-57878)

CVE-2024-56605 (GCVE-0-2024-56605)

CVE-2025-21643 (GCVE-0-2025-21643)

CVE-2024-56715 (GCVE-0-2024-56715)

CVE-2024-56635 (GCVE-0-2024-56635)

CVE-2025-21646 (GCVE-0-2025-21646)

CVE-2024-56775 (GCVE-0-2024-56775)

CVE-2025-21653 (GCVE-0-2025-21653)

CVE-2024-57843 (GCVE-0-2024-57843)

CVE-2024-56770 (GCVE-0-2024-56770)

CVE-2024-53680 (GCVE-0-2024-53680)

CVE-2024-57907 (GCVE-0-2024-57907)

CVE-2024-56593 (GCVE-0-2024-56593)

CVE-2024-56669 (GCVE-0-2024-56669)

CVE-2024-56717 (GCVE-0-2024-56717)

CVE-2024-57897 (GCVE-0-2024-57897)

CVE-2024-56758 (GCVE-0-2024-56758)

CVE-2025-21639 (GCVE-0-2025-21639)

CVE-2024-56719 (GCVE-0-2024-56719)

CVE-2025-21654 (GCVE-0-2025-21654)

CVE-2024-56552 (GCVE-0-2024-56552)

CVE-2024-57932 (GCVE-0-2024-57932)

CVE-2024-56645 (GCVE-0-2024-56645)

CVE-2024-56623 (GCVE-0-2024-56623)

CVE-2024-56760 (GCVE-0-2024-56760)

CVE-2024-57896 (GCVE-0-2024-57896)

CVE-2024-56636 (GCVE-0-2024-56636)

CVE-2024-56561 (GCVE-0-2024-56561)

CVE-2024-56712 (GCVE-0-2024-56712)

CVE-2024-56766 (GCVE-0-2024-56766)