CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2024-40910 – ax25: Fix refcount imbalance on inbound connections
https://notcve.org/view.php?id=CVE-2024-40910
In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? • https://git.kernel.org/stable/c/9fd75b66b8f68498454d685dc4ba13192ae069b0 https://git.kernel.org/stable/c/c44a453ffe16eb08acdc6129ac4fa0192dbc0456 https://git.kernel.org/stable/c/de55a1338e6a48ff1e41ea8db1432496fbe2a62b https://git.kernel.org/stable/c/9e1e088a57c23251f1cfe9601bbd90ade2ea73b9 https://git.kernel.org/stable/c/b20a5ab0f5fb175750c6bafd4cf12daccf00c738 https://git.kernel.org/stable/c/452ae92b99062d2f6a34324eaf705a3b7eac9f8b https://git.kernel.org/stable/c/534156dd4ed768e30a43de0036f45dca7c54818f https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-40909 – bpf: Fix a potential use-after-free in bpf_link_free()
https://notcve.org/view.php?id=CVE-2024-40909
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a potential use-after-free in bpf_link_free() After commit 1a80dbcb2dba, bpf_link can be freed by link->ops->dealloc_deferred, but the code still tests and uses link->ops->dealloc afterward, which leads to a use-after-free as reported by syzbot. Actually, one of them should be sufficient, so just call one of them instead of both. Also add a WARN_ON() in case of any problematic implementation. • https://git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97 https://git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce https://git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8 https://git.kernel.org/stable/c/91cff53136daeff50816b0baeafd38a6976f6209 https://git.kernel.org/stable/c/fa97b8fed9896f1e89cb657513e483a152d4c382 https://git.kernel.org/stable/c/2884dc7d08d98a89d8d65121524bb7533183a63a •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-40908 – bpf: Set run context for rawtp test_run callback
https://notcve.org/view.php?id=CVE-2024-40908
In the Linux kernel, the following vulnerability has been resolved: bpf: Set run context for rawtp test_run callback syzbot reported crash when rawtp program executed through the test_run interface calls bpf_get_attach_cookie helper or any other helper that touches task->bpf_ctx pointer. Setting the run context (task->bpf_ctx pointer) for test_run callback. • https://git.kernel.org/stable/c/7adfc6c9b315e174cf8743b21b7b691c8766791b https://git.kernel.org/stable/c/789bd77c9342aa6125003871ae5c6034d0f6f9d2 https://git.kernel.org/stable/c/3708b6c2546c9eb34aead8a34a17e8ae69004e4d https://git.kernel.org/stable/c/d387805d4b4a46ee01e3dae133c81b6d80195e5b https://git.kernel.org/stable/c/ae0ba0ab7475a129ef7d449966edf677367efeb4 https://git.kernel.org/stable/c/d0d1df8ba18abc57f28fb3bc053b2bf319367f2c •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-40907 – ionic: fix kernel panic in XDP_TX action
https://notcve.org/view.php?id=CVE-2024-40907
In the Linux kernel, the following vulnerability has been resolved: ionic: fix kernel panic in XDP_TX action In the XDP_TX path, ionic driver sends a packet to the TX path with rx page and corresponding dma address. After tx is done, ionic_tx_clean() frees that page. But RX ring buffer isn't reset to NULL. So, it uses a freed page, which causes kernel panic. BUG: unable to handle page fault for address: ffff8881576c110c PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060 Oops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI CPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11 Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f Code: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8 RSP: 0018:ffff888104e6fa28 EFLAGS: 00010283 RAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002 RDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e RBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8 R13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100 FS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x254/0x790 ? __pfx_page_fault_oops+0x10/0x10 ? __pfx_is_prefetch.constprop.0+0x10/0x10 ? • https://git.kernel.org/stable/c/8eeed8373e1cca836799bf8e4a05cffa8e444908 https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21 https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-40906 – net/mlx5: Always stop health timer during driver removal
https://notcve.org/view.php?id=CVE-2024-40906
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always stop health timer during driver removal Currently, if teardown_hca fails to execute during driver removal, mlx5 does not stop the health timer. Afterwards, mlx5 continue with driver teardown. This may lead to a UAF bug, which results in page fault Oops[1], since the health timer invokes after resources were freed. Hence, stop the health monitor even if teardown_hca fails. [1] mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: cleanup mlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource mlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup BUG: unable to handle page fault for address: ffffa26487064230 PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1 Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020 RIP: 0010:ioread32be+0x34/0x60 RSP: 0018:ffffa26480003e58 EFLAGS: 00010292 RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0 RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230 RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8 R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0 R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0 FS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? __die+0x23/0x70 ? • https://git.kernel.org/stable/c/9b98d395b85dd042fe83fb696b1ac02e6c93a520 https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9 https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8 https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f •