CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-49932 – btrfs: don't readahead the relocation inode on RST
https://notcve.org/view.php?id=CVE-2024-49932
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't readahead the relocation inode on RST On relocation we're doing readahead on the relocation inode, but if the filesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to preallocated extents not being mapped in the RST) from the lookup. But readahead doesn't handle the error and submits invalid reads to the device, causing an assertion in the scatter-gather list code: BTRFS info (device nvme1n1): balance: start -d -m -s BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0 BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0 ------------[ cut here ]------------ kernel BUG at include/linux/scatterlist.h:115! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567 RIP: 0010:__blk_rq_map_sg+0x339/0x4a0 RSP: 0018:ffffc90001a43820 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802 RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000 RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8 R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000 FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0 Call Trace: <TASK> ? __die_body.cold+0x14/0x25 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? • https://git.kernel.org/stable/c/f7a1218a983ab98aba140dc20b25f60b39ee4033 https://git.kernel.org/stable/c/04915240e2c3a018e4c7f23418478d27226c8957 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-49931 – wifi: ath12k: fix array out-of-bound access in SoC stats
https://notcve.org/view.php?id=CVE-2024-49931
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix array out-of-bound access in SoC stats Currently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process() function access ath12k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath12k_dp_rx_process() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 • https://git.kernel.org/stable/c/d0e4274d9dc9f8409d56d622cd3ecf7b6fd49e2f https://git.kernel.org/stable/c/a4aef827a41cdaf6201bbaf773c1eae4e20e967b https://git.kernel.org/stable/c/ad791e3ec60cb66c1e4dc121ffbf872df312427d https://git.kernel.org/stable/c/e106b7ad13c1d246adaa57df73edb8f8b8acb240 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-49930 – wifi: ath11k: fix array out-of-bound access in SoC stats
https://notcve.org/view.php?id=CVE-2024-49930
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix array out-of-bound access in SoC stats Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() function access ath11k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath11k_dp_process_rx() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 • https://git.kernel.org/stable/c/0f26f26944035ec67546a944f182cbad6577a9c0 https://git.kernel.org/stable/c/4dd732893bd38cec51f887244314e2b47f0d658f https://git.kernel.org/stable/c/73e235728e515faccc104b0153b47d0f263b3344 https://git.kernel.org/stable/c/7a552bc2f3efe2aaf77a85cb34cdf4a63d81a1a7 https://git.kernel.org/stable/c/6045ef5b4b00fee3629689f791992900a1c94009 https://git.kernel.org/stable/c/01b77f5ee11c89754fb836af8f76799d3b72ae2f https://git.kernel.org/stable/c/69f253e46af98af17e3efa3e5dfa72fcb7d1983d •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-49929 – wifi: iwlwifi: mvm: avoid NULL pointer dereference
https://notcve.org/view.php?id=CVE-2024-49929
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: avoid NULL pointer dereference iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta pointer is not NULL. It retrieves this pointer using iwl_mvm_sta_from_mac80211, which is dereferencing the ieee80211_sta pointer. If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL pointer. Fix this by checking the sta pointer before retrieving the mvmsta from it. If sta is not NULL, then mvmsta isn't either. • https://git.kernel.org/stable/c/6dcadb2ed3b76623ab96e3e7fbeda1a374d01c28 https://git.kernel.org/stable/c/cdbf51bfa4b0411820806777da36d93d49bc49a1 https://git.kernel.org/stable/c/c0b4f5d94934c290479180868a32c15ba36a6d9e https://git.kernel.org/stable/c/557a6cd847645e667f3b362560bd7e7c09aac284 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-49928 – wifi: rtw89: avoid reading out of bounds when loading TX power FW elements
https://notcve.org/view.php?id=CVE-2024-49928
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Because the loop-expression will do one more time before getting false from cond-expression, the original code copied one more entry size beyond valid region. Fix it by moving the entry copy to loop-body. • https://git.kernel.org/stable/c/83c84cdb75572048b67d6a3916283aeac865996e https://git.kernel.org/stable/c/4007c3d2da31d0c755ea3fcf55e395118e5d5621 https://git.kernel.org/stable/c/ed2e4bb17a4884cf29c3347353d8aabb7265b46c •