CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-39508 – io_uring/io-wq: Use set_bit() and test_bit() at worker->flags
https://notcve.org/view.php?id=CVE-2024-39508
In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq to address potential data races. The structure io_worker->flags may be accessed through various data paths, leading to concurrency issues. When KCSAN is enabled, it reveals data races occurring in io_worker_handle_work and io_wq_activate_free_worker functions. BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28: io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569) io_wq_worker (io_uring/io-wq.c:?) <snip> read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5: io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285) io_wq_enqueue (io_uring/io-wq.c:947) io_queue_iowq (io_uring/io_uring.c:524) io_req_task_submit (io_uring/io_uring.c:1511) io_handle_tw_list (io_uring/io_uring.c:1198) <snip> Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm"). These races involve writes and reads to the same memory location by different tasks running on different CPUs. To mitigate this, refactor the code to use atomic operations such as set_bit(), test_bit(), and clear_bit() instead of basic "and" and "or" operations. • https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0 https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-39507 – net: hns3: fix kernel crash problem in concurrent scenario
https://notcve.org/view.php?id=CVE-2024-39507
In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash problem in concurrent scenario When link status change, the nic driver need to notify the roce driver to handle this event, but at this time, the roce driver may uninit, then cause kernel crash. To fix the problem, when link status change, need to check whether the roce registered, and when uninit, need to wait link update finish. • https://git.kernel.org/stable/c/45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48 https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63 https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-39506 – liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
https://notcve.org/view.php?id=CVE-2024-39506
In the Linux kernel, the following vulnerability has been resolved: liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference. lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info ...search in the dispatch_list... ->disp_fn(rdisp->rinfo, ...) lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...) In this path there is no code which sets pg_info->page to NULL. So this check looks unneeded and doesn't solve potential problem. But I guess the author had reason to add a check and I have no such card and can't do real test. In addition, the code in the function liquidio_push_packet() in liquidio/lio_core.c does exactly the same. Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skb_add_rx_frag() into conditional scope. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/1f233f327913f3dee0602cba9c64df1903772b55 https://git.kernel.org/stable/c/87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2 https://git.kernel.org/stable/c/dcc7440f32c7a26b067aff6e7d931ec593024a79 https://git.kernel.org/stable/c/cbf18d8128a753cb632bef39470d19befd9c7347 https://git.kernel.org/stable/c/a86490a3712cc513113440a606a0e77130abd47c https://git.kernel.org/stable/c/f1ab15a09492a5ae8ab1e2c35ba2cf9e150d25ee https://git.kernel.org/stable/c/fd2b613bc4c508e55c1221c6595bb889812a4fea https://git.kernel.org/stable/c/a6f4d0ec170a46b5f453cacf55dff5989 • CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-39505 – drm/komeda: check for error-valued pointer
https://notcve.org/view.php?id=CVE-2024-39505
In the Linux kernel, the following vulnerability has been resolved: drm/komeda: check for error-valued pointer komeda_pipeline_get_state() may return an error-valued pointer, thus check the pointer for negative or null value before dereferencing. • https://git.kernel.org/stable/c/502932a03fceca1cb161eba5f30b18eb640aa8de https://git.kernel.org/stable/c/0674ed1e58e2fdcc155e7d944f8aad007a94ac69 https://git.kernel.org/stable/c/bda7cdaeebf57e46c1a488ae7a15f6f264691f59 https://git.kernel.org/stable/c/86042e3d16b7e0686db835c9e7af0f9044dd3a56 https://git.kernel.org/stable/c/3b1cf943b029c147bfacfd53dc28ffa632c0a622 https://git.kernel.org/stable/c/9460961d82134ceda7377b77a3e3e3531b625dfe https://git.kernel.org/stable/c/99392c98b9be0523fe76944b2264b1847512ad23 https://git.kernel.org/stable/c/b880018edd3a577e50366338194dee9b8 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-39503 – netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
https://notcve.org/view.php?id=CVE-2024-39503
In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Lion Ackermann reported that there is a race condition between namespace cleanup in ipset and the garbage collection of the list:set type. The namespace cleanup can destroy the list:set type of sets while the gc of the set type is waiting to run in rcu cleanup. The latter uses data from the destroyed set which thus leads use after free. The patch contains the following parts: - When destroying all sets, first remove the garbage collectors, then wait if needed and then destroy the sets. - Fix the badly ordered "wait then remove gc" for the destroy a single set case. - Fix the missing rcu locking in the list:set type in the userspace test case. - Use proper RCU list handlings in the list:set type. The patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc). • https://git.kernel.org/stable/c/c7f2733e5011bfd136f1ca93497394d43aa76225 https://git.kernel.org/stable/c/a24d5f2ac8ef702a58e55ec276aad29b4bd97e05 https://git.kernel.org/stable/c/c2dc077d8f722a1c73a24e674f925602ee5ece49 https://git.kernel.org/stable/c/653bc5e6d9995d7d5f497c665b321875a626161c https://git.kernel.org/stable/c/b93a6756a01f4fd2f329a39216f9824c56a66397 https://git.kernel.org/stable/c/97f7cf1cd80eeed3b7c808b7c12463295c751001 https://git.kernel.org/stable/c/970709a67696b100a57b33af1a3d75fc34b747eb https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12d •