CVE-2024-53071 – drm/panthor: Be stricter about IO mapping flags
https://notcve.org/view.php?id=CVE-2024-53071
In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Be stricter about IO mapping flags The current panthor_device_mmap_io() implementation has two issues: 1. ... This is a classic Linux driver gotcha. I don't think this actually has any impact in practice: When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and when the GPU is not powered, the dummy_latest_flush page provided by the driver is deliberately designed to not do any flushes, so the only thing writing to the dummy_latest_flush could achieve would be to make *more* flushes happen. 2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are mappings without the VM_SHARED flag). MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has copy-on-write semantics, which for VM_PFNMAP are semi-supported but fairly cursed. In particular, in such a mapping, the driver can only install PTEs during mmap() by calling remap_pfn_range() (because remap_pfn_range() wants to **store the physical address of the mapped physical memory into the vm_pgoff of the VMA**); installing PTEs later on with a fault handler (as panthor does) is not supported in private mappings, and so if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when it hits a BUG() check. Fix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID doesn't make sense) and requiring VM_SHARED (copy-on-write semantics for the FLUSH_ID don't make sense). Reproducers for both scenarios are in the notes of my patch on the mailing list; I tested that these bugs exist on a Rock 5B machine. Note that I only compile-tested the patch, I haven't tested it; I don't have a working kernel build setup for the test machine yet. • https://git.kernel.org/stable/c/5fe909cae118a757a77afb37174b99436a36d2e2 https://git.kernel.org/stable/c/2604afd65043e8f9d4be036cb1242adf6b5723cf https://git.kernel.org/stable/c/f432a1621f049bb207e78363d9d0e3c6fa2da5db •
CVE-2024-53070 – usb: dwc3: fix fault at system suspend if device was already runtime suspended
https://notcve.org/view.php?id=CVE-2024-53070
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: fix fault at system suspend if device was already runtime suspended If the device was already runtime suspended then during system suspend we cannot access the device registers else it will crash. Also we cannot access any registers after dwc3_core_exit() on some platforms so move the dwc3_enable_susphy() call to the top. • https://git.kernel.org/stable/c/073530898ebf44a9418434e899cfa9ca86945333 https://git.kernel.org/stable/c/85ca88f93162acb94dbcb26d0ee2b145864d14a1 https://git.kernel.org/stable/c/4fad7370086797afe6471493e3a5f36add8c48a7 https://git.kernel.org/stable/c/a690a9e38e6ba819789074388de7cff06425ef5b https://git.kernel.org/stable/c/d9e65d461a9de037e7c9d584776d025cfce6d86d https://git.kernel.org/stable/c/562804b1561cc248cc37746a1c96c83cab1d7209 https://git.kernel.org/stable/c/4abc5ee334fe4aba50461c45fdaaa4c5e5c57789 https://git.kernel.org/stable/c/06b98197b69e2f2af9cb1991ee0b1c876 •
CVE-2024-53069 – firmware: qcom: scm: fix a NULL-pointer dereference
https://notcve.org/view.php?id=CVE-2024-53069
In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: scm: fix a NULL-pointer dereference Some SCM calls can be invoked with __scm being NULL (the driver may not have been and will not be probed as there's no SCM entry in device-tree). Make sure we don't dereference a NULL pointer. • https://git.kernel.org/stable/c/449d0d84bcd8246b508d07995326d13c54488b8c https://git.kernel.org/stable/c/3d36e2b1d803f0d1cc674115d295a8f20ddb9268 https://git.kernel.org/stable/c/ca61d6836e6f4442a77762e1074d2706a2a6e578 •
CVE-2024-53068 – firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()
https://notcve.org/view.php?id=CVE-2024-53068
In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() The scmi_dev->name is released prematurely in __scmi_device_destroy(), which causes slab-use-after-free when accessing scmi_dev->name in scmi_bus_notifier(). • https://git.kernel.org/stable/c/ee7a9c9f67c59008b330deff2762bd8cf1407eec https://git.kernel.org/stable/c/15b17bbcea07d49c43d21aa700485cbd9f9d00d8 https://git.kernel.org/stable/c/1e1f523b185a8ccdcba625b31ff0312d052900e2 https://git.kernel.org/stable/c/295416091e44806760ccf753aeafdafc0ae268f3 •
CVE-2024-53067 – scsi: ufs: core: Start the RTC update work later
https://notcve.org/view.php?id=CVE-2024-53067
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Start the RTC update work later The RTC update work involves runtime resuming the UFS controller. • https://git.kernel.org/stable/c/6bf999e0eb41850d5c857102535d5c53b2ede224 https://git.kernel.org/stable/c/4c25f784fba81227e0437337f962d34380d1c250 https://git.kernel.org/stable/c/54c814c8b23bc7617be3d46abdb896937695dbfa •