CVE-2024-56533 – ALSA: usx2y: Use snd_card_free_when_closed() at disconnection
https://notcve.org/view.php?id=CVE-2024-56533
In the Linux kernel, the following vulnerability has been resolved: ALSA: usx2y: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upper layer USB ioctls, which may trigger a soft lockup. An easy workaround is to replace snd_card_free() with snd_card_free_when_closed(). This variant returns immediately while the release of resources is done asynchronously by the card device release at the last close. • https://git.kernel.org/stable/c/230cd5e24853ed4dd960461989b8ed0986d37a99 https://git.kernel.org/stable/c/24fe9f7ca83ec9acf765339054951f5cd9ae5c5d https://git.kernel.org/stable/c/befcca1777525e37c659b4129d8ac7463b07ef67 https://git.kernel.org/stable/c/7bd8838c0ea886679a32834fdcacab296d072fbe https://git.kernel.org/stable/c/e07605d855c4104d981653146a330ea48f6266ed https://git.kernel.org/stable/c/ffbfc6c4330fc233698529656798bee44fea96f5 https://git.kernel.org/stable/c/e869642a77a9b3b98b0ab2c8fec7af4385140909 https://git.kernel.org/stable/c/dafb28f02be407e07a6f679e922a62659 •
CVE-2024-56532 – ALSA: us122l: Use snd_card_free_when_closed() at disconnection
https://notcve.org/view.php?id=CVE-2024-56532
In the Linux kernel, the following vulnerability has been resolved: ALSA: us122l: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upper layer USB ioctls, which may trigger a soft lockup. An easy workaround is to replace snd_card_free() with snd_card_free_when_closed(). This variant returns immediately while the release of resources is done asynchronously by the card device release at the last close. The loop of us122l->mmap_count check is dropped as well. The check is useless for the asynchronous operation with *_when_closed(). • https://git.kernel.org/stable/c/030a07e441296c372f946cd4065b5d831d8dc40c https://git.kernel.org/stable/c/020cbc4d7414f0962004213e2b7bc5cc607e9ec7 https://git.kernel.org/stable/c/75f418b249d84021865eaa59515d3ed9b75ce4d6 https://git.kernel.org/stable/c/bf0aa35a7cb8602cccf2387712114e836f65c154 https://git.kernel.org/stable/c/9a48bd2184b142c92a4e17eac074c61fcf975bc9 https://git.kernel.org/stable/c/bc778ad3e495333eebda36fe91d5b2c93109cc16 https://git.kernel.org/stable/c/2938dd2648522336133c151dd67bb9bf01cbd390 https://git.kernel.org/stable/c/9b27924dc8d7f8a8c35e521287d4ccb9a •
CVE-2024-56531 – ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
https://notcve.org/view.php?id=CVE-2024-56531
In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Use snd_card_free_when_closed() at disconnection The USB disconnect callback is supposed to be short and not too-long waiting. OTOH, the current code uses snd_card_free() at disconnection, but this waits for the close of all used fds, hence it can take long. It eventually blocks the upper layer USB ioctls, which may trigger a soft lockup. An easy workaround is to replace snd_card_free() with snd_card_free_when_closed(). This variant returns immediately while the release of resources is done asynchronously by the card device release at the last close. This patch also splits the code to the disconnect and the free phases; the former is called immediately at the USB disconnect callback while the latter is called from the card destructor. • https://git.kernel.org/stable/c/523f1dce37434a9a6623bf46e7893e2b4b10ac3c https://git.kernel.org/stable/c/3993edf44d3df7b6e8c753eac6ac8783473fcbab https://git.kernel.org/stable/c/ebad462eec93b0f701dfe4de98990e7355283801 https://git.kernel.org/stable/c/4dd821dcbfcecf7af6a08370b0b217cde2818acf https://git.kernel.org/stable/c/cadf1d8e9ddcd74584ec961aeac14ac549b261d8 https://git.kernel.org/stable/c/237f3faf0177bdde728fa3106d730d806436aa4d https://git.kernel.org/stable/c/4507a8b9b30344c5ddd8219945f446d47e966a6d https://git.kernel.org/stable/c/dd0de8cb708951cebf727aa045e8242ba •
CVE-2024-53239 – ALSA: 6fire: Release resources at card release
https://notcve.org/view.php?id=CVE-2024-53239
In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: Release resources at card release The current 6fire code tries to release the resources right after the call of usb6fire_chip_abort(). But at this moment, the card object might be still in use (as we're calling snd_card_free_when_closed()). For avoid potential UAFs, move the release of resources to the card's private_free instead of the manual call of usb6fire_chip_destroy() at the USB disconnect callback. • https://git.kernel.org/stable/c/c6d43ba816d1cf1d125bfbfc938f2a28a87facf9 https://git.kernel.org/stable/c/74357d0b5cd3ef544752bc9f21cbeee4902fae6c https://git.kernel.org/stable/c/273eec23467dfbfbd0e4c10302579ba441fb1e13 https://git.kernel.org/stable/c/f2d06d4e129e2508e356136f99bb20a332ff1a00 https://git.kernel.org/stable/c/b889a7d68d7e76b8795b754a75c91a2d561d5e8c https://git.kernel.org/stable/c/ea8cc56db659cf0ae57073e32a4735ead7bd7ee3 https://git.kernel.org/stable/c/b754e831a94f82f2593af806741392903f359168 https://git.kernel.org/stable/c/0df7f4b5cc10f5adf98be0845372e9eef •
CVE-2024-53227 – scsi: bfa: Fix use-after-free in bfad_im_module_exit()
https://notcve.org/view.php?id=CVE-2024-53227
In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Fix use-after-free in bfad_im_module_exit() BUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20 Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303 Call Trace: <TASK> dump_stack_lvl+0x95/0xe0 print_report+0xcb/0x620 kasan_report+0xbd/0xf0 __lock_acquire+0x2aca/0x3a20 lock_acquire+0x19b/0x520 _raw_spin_lock+0x2b/0x40 attribute_container_unregister+0x30/0x160 fc_release_transport+0x19/0x90 [scsi_transport_fc] bfad_im_module_exit+0x23/0x60 [bfa] bfad_init+0xdb/0xff0 [bfa] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Allocated by task 25303: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 fc_attach_transport+0x4f/0x4740 [scsi_transport_fc] bfad_im_module_init+0x17/0x80 [bfa] bfad_init+0x23/0xff0 [bfa] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 25303: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x38/0x50 kfree+0x212/0x480 bfad_im_module_init+0x7e/0x80 [bfa] bfad_init+0x23/0xff0 [bfa] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Above issue happens as follows: bfad_init error = bfad_im_module_init() fc_release_transport(bfad_im_scsi_transport_template); if (error) goto ext; ext: bfad_im_module_exit(); fc_release_transport(bfad_im_scsi_transport_template); --> Trigger double release Don't call bfad_im_module_exit() if bfad_im_module_init() failed. • https://git.kernel.org/stable/c/7725ccfda59715ecf8f99e3b520a0b84cc2ea79e https://git.kernel.org/stable/c/0ceac8012d3ddea3317f0d82934293d05feb8af1 https://git.kernel.org/stable/c/3932c753f805a02e9364a4c58b590f21901f8490 https://git.kernel.org/stable/c/ef2c2580189ea88a0dcaf56eb3a565763a900edb https://git.kernel.org/stable/c/e76181a5be90abcc3ed8a300bd13878aa214d022 https://git.kernel.org/stable/c/8f5a97443b547b4c83f876f1d6a11df0f1fd4efb https://git.kernel.org/stable/c/c28409f851abd93b37969cac7498828ad533afd9 https://git.kernel.org/stable/c/1ffdde30a90bf8efe8f270407f4867069 •