CVE-2024-43892 – memcg: protect concurrent access to mem_cgroup_idr
https://notcve.org/view.php?id=CVE-2024-43892
In the Linux kernel, the following vulnerability has been resolved: memcg: protect concurrent access to mem_cgroup_idr Commit 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs") decoupled the memcg IDs from the CSS ID space to fix the cgroup creation failures. It introduced IDR to maintain the memcg ID space. The IDR depends on external synchronization mechanisms for modifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace() happen within css callback and thus are protected through cgroup_mutex from concurrent modifications. However idr_remove() for mem_cgroup_idr was not protected against concurrency and can be run concurrently for different memcgs when they hit their refcnt to zero. • https://git.kernel.org/stable/c/73f576c04b9410ed19660f74f97521bee6e1c546 https://git.kernel.org/stable/c/8627c7750a66a46d56d3564e1e881aa53764497c https://git.kernel.org/stable/c/db70cd18d3da727a3a59694de428a9e41c620de7 https://git.kernel.org/stable/c/912736a0435ef40e6a4ae78197ccb5553cb80b05 https://git.kernel.org/stable/c/e6cc9ff2ac0b5df9f25eb790934c3104f6710278 https://git.kernel.org/stable/c/56fd70f4aa8b82199dbe7e99366b1fd7a04d86fb https://git.kernel.org/stable/c/37a060b64ae83b76600d187d76591ce488ab836b https://git.kernel.org/stable/c/51c0b1bb7541f8893ec1accba59eb0436 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2024-43890 – tracing: Fix overflow in get_free_elt()
https://notcve.org/view.php?id=CVE-2024-43890
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix overflow in get_free_elt() "tracing_map->next_elt" in get_free_elt() is at risk of overflowing. Once it overflows, new elements can still be inserted into the tracing_map even though the maximum number of elements (`max_elts`) has been reached. Continuing to insert elements after the overflow could result in the tracing_map containing "tracing_map->max_size" elements, leaving no empty entries. If any attempt is made to insert an element into a full tracing_map using `__tracing_map_insert()`, it will cause an infinite loop with preemption disabled, leading to a CPU hang problem. Fix this by preventing any further increments to "tracing_map->next_elt" once it reaches "tracing_map->max_elt". • https://git.kernel.org/stable/c/08d43a5fa063e03c860f2f391a30c388bcbc948e https://git.kernel.org/stable/c/302ceb625d7b990db205a15e371f9a71238de91c https://git.kernel.org/stable/c/d3e4dbc2858fe85d1dbd2e72a9fc5dea988b5c18 https://git.kernel.org/stable/c/eb223bf01e688dfe37e813c8988ee11c8c9f8d0a https://git.kernel.org/stable/c/cd10d186a5409a1fe6e976df82858e9773a698da https://git.kernel.org/stable/c/788ea62499b3c18541fd6d621964d8fafbc4aec5 https://git.kernel.org/stable/c/a172c7b22bc2feaf489cfc6d6865f7237134fdf8 https://git.kernel.org/stable/c/236bb4690773ab6869b40bedc7bc8d889 •
CVE-2024-43889 – padata: Fix possible divide-by-0 panic in padata_mt_helper()
https://notcve.org/view.php?id=CVE-2024-43889
In the Linux kernel, the following vulnerability has been resolved: padata: Fix possible divide-by-0 panic in padata_mt_helper() We are hit with a not easily reproducible divide-by-0 panic in padata.c at bootup time. [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1 [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021 [ 10.017908] Workqueue: events_unbound padata_mt_helper [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0 : [ 10.017963] Call Trace: [ 10.017968] <TASK> [ 10.018004] ? padata_mt_helper+0x39/0xb0 [ 10.018084] process_one_work+0x174/0x330 [ 10.018093] worker_thread+0x266/0x3a0 [ 10.018111] kthread+0xcf/0x100 [ 10.018124] ret_from_fork+0x31/0x50 [ 10.018138] ret_from_fork_asm+0x1a/0x30 [ 10.018147] </TASK> Looking at the padata_mt_helper() function, the only way a divide-by-0 panic can happen is when ps->chunk_size is 0. The way that chunk_size is initialized in padata_do_multithreaded(), chunk_size can be 0 when the min_chunk in the passed-in padata_mt_job structure is 0. Fix this divide-by-0 panic by making sure that chunk_size will be at least 1 no matter what the input parameters are. A denial of service vulnerability exists in the Linux kernel. A possible divide-by-0 is in the padata_mt_helper() function when the ps->chunk_size is 0. • https://git.kernel.org/stable/c/004ed42638f4428e70ead59d170f3d17ff761a0f https://git.kernel.org/stable/c/ab8b397d5997d8c37610252528edc54bebf9f6d3 https://git.kernel.org/stable/c/8f5ffd2af7274853ff91d6cd62541191d9fbd10d https://git.kernel.org/stable/c/a29cfcb848c31f22b4de6a531c3e1d68c9bfe09f https://git.kernel.org/stable/c/924f788c906dccaca30acab86c7124371e1d6f2c https://git.kernel.org/stable/c/da0ffe84fcc1627a7dff82c80b823b94236af905 https://git.kernel.org/stable/c/6d45e1c948a8b7ed6ceddb14319af69424db730c https://access.redhat.com/security/cve/CVE-2024-43889 • CWE-369: Divide By Zero •
CVE-2024-43886 – drm/amd/display: Add null check in resource_log_pipe_topology_update
https://notcve.org/view.php?id=CVE-2024-43886
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check in resource_log_pipe_topology_update [WHY] When switching from "Extend" to "Second Display Only" we sometimes call resource_get_otg_master_for_stream on a stream for the eDP, which is disconnected. This leads to a null pointer dereference. [HOW] Added a null check in dc_resource.c/resource_log_pipe_topology_update. • https://git.kernel.org/stable/c/c36e922a36bdf69765c340a0857ca74092003bee https://git.kernel.org/stable/c/899d92fd26fe780aad711322aa671f68058207a6 •
CVE-2024-43884 – Bluetooth: MGMT: Add error handling to pair_device()
https://notcve.org/view.php?id=CVE-2024-43884
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Add error handling to pair_device() hci_conn_params_add() never checks for a NULL value and could lead to a NULL pointer dereference causing a crash. Fixed by adding error handling in the function. • https://git.kernel.org/stable/c/5157b8a503fa834e8569c7fed06981e3d3d53db0 https://git.kernel.org/stable/c/11b4b0e63f2621b33b2e107407a7d67a65994ca1 https://git.kernel.org/stable/c/90e1ff1c15e5a8f3023ca8266e3a85869ed03ee9 https://git.kernel.org/stable/c/9df9783bd85610d3d6e126a1aca221531f6f6dcb https://git.kernel.org/stable/c/951d6cb5eaac5130d076c728f2a6db420621afdb https://git.kernel.org/stable/c/5da2884292329bc9be32a7778e0e119f06abe503 https://git.kernel.org/stable/c/064dd929c76532359d2905d90a7c12348043cfd4 https://git.kernel.org/stable/c/ee0799103b1ae4bcfd80dc11a15df085f •