CVE-2024-41087 – ata: libata-core: Fix double free on error
https://notcve.org/view.php?id=CVE-2024-41087
In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780 R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006 FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? • https://git.kernel.org/stable/c/dafd6c496381c1cd1f5ba9ad953e810bdcc931bc https://git.kernel.org/stable/c/290073b2b557e4dc21ee74a1e403d9ae79e393a2 https://git.kernel.org/stable/c/56f1c7e290cd6c69c948fcd2e2a49e6a637ec38f https://git.kernel.org/stable/c/010de9acbea58fbcbda08e3793d6262086a493fe https://git.kernel.org/stable/c/5dde5f8b790274723640d29a07c5a97d57d62047 https://git.kernel.org/stable/c/702c1edbafb2e6f9d20f6d391273b5be09d366a5 https://git.kernel.org/stable/c/062e256516d7db5e7dcdef117f52025cd5c456e3 https://git.kernel.org/stable/c/8106da4d88bbaed809e023cc8014b7662 •
CVE-2024-41082 – nvme-fabrics: use reserved tag for reg read/write command
https://notcve.org/view.php?id=CVE-2024-41082
In the Linux kernel, the following vulnerability has been resolved: nvme-fabrics: use reserved tag for reg read/write command In some scenarios, if too many commands are issued by nvme command in the same time by user tasks, this may exhaust all tags of admin_q. If a reset (nvme reset or IO timeout) occurs before these commands finish, reconnect routine may fail to update nvme regs due to insufficient tags, which will cause kernel hang forever. In order to workaround this issue, maybe we can let reg_read32()/reg_read64()/reg_write32() use reserved tags. This maybe safe for nvmf: 1. For the disable ctrl path, we will not issue connect command 2. • https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa •
CVE-2024-41081 – ila: block BH in ila_output()
https://notcve.org/view.php?id=CVE-2024-41081
In the Linux kernel, the following vulnerability has been resolved: ila: block BH in ila_output() As explained in commit 1378817486d6 ("tipc: block BH before using dst_cache"), net/core/dst_cache.c helpers need to be called with BH disabled. ila_output() is called from lwtunnel_output() possibly from process context, and under rcu_read_lock(). We might be interrupted by a softirq, re-enter ila_output() and corrupt dst_cache data structures. Fix the race by using local_bh_disable(). • https://git.kernel.org/stable/c/7435bd2f84a25aba607030237261b3795ba782da https://git.kernel.org/stable/c/96103371091c6476eb07f4c66624bdd1b42f758a https://git.kernel.org/stable/c/a0cafb7b0b94d18e4813ee4b712a056f280e7b5a https://git.kernel.org/stable/c/feac2391e26b086f73be30e9b1ab215eada8d830 https://git.kernel.org/stable/c/b4eb25a3d70df925a9fa4e82d17a958a0a228f5f https://git.kernel.org/stable/c/522c3336c2025818fa05e9daf0ac35711e55e316 https://git.kernel.org/stable/c/9f9c79d8e527d867e0875868b14fb76e6011e70c https://git.kernel.org/stable/c/cf28ff8e4c02e1ffa850755288ac954b6 •
CVE-2024-41080 – io_uring: fix possible deadlock in io_register_iowq_max_workers()
https://notcve.org/view.php?id=CVE-2024-41080
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix possible deadlock in io_register_iowq_max_workers() The io_register_iowq_max_workers() function calls io_put_sq_data(), which acquires the sqd->lock without releasing the uring_lock. Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock before acquiring sqd->lock"), this can lead to a potential deadlock situation. To resolve this issue, the uring_lock is released before calling io_put_sq_data(), and then it is re-acquired after the function call. This change ensures that the locks are acquired in the correct order, preventing the possibility of a deadlock. • https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf •
CVE-2024-41079 – nvmet: always initialize cqe.result
https://notcve.org/view.php?id=CVE-2024-41079
In the Linux kernel, the following vulnerability has been resolved: nvmet: always initialize cqe.result The spec doesn't mandate that the first two double words (aka results) for the command queue entry need to be set to 0 when they are not used (not specified). Though, the target implemention returns 0 for TCP and FC but not for RDMA. Let's make RDMA behave the same and thus explicitly initializing the result field. This prevents leaking any data from the stack. • https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2 https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319 https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426 •