CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-56582 – btrfs: fix use-after-free in btrfs_encoded_read_endio()
https://notcve.org/view.php?id=CVE-2024-56582
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free in btrfs_encoded_read_endio() Shinichiro reported the following use-after free that sometimes is happening in our CI system when running fstests' btrfs/284 on a TCMU runner device: BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780 Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219 CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: <TASK> dump_stack_lvl+0x6e/0xa0 ? lock_release+0x708/0x780 print_report+0x174/0x505 ? lock_release+0x708/0x780 ? __virt_addr_valid+0x224/0x410 ? lock_release+0x708/0x780 kasan_report+0xda/0x1b0 ? • https://git.kernel.org/stable/c/1881fba89bd5dcd364d2e1bf561912a90a11c21a https://git.kernel.org/stable/c/f8a5129e4a9fc3f6aa3f137513253b51b31b94d4 https://git.kernel.org/stable/c/05b36b04d74a517d6675bf2f90829ff1ac7e28dc •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56581 – btrfs: ref-verify: fix use-after-free after invalid ref action
https://notcve.org/view.php?id=CVE-2024-56581
In the Linux kernel, the following vulnerability has been resolved: btrfs: ref-verify: fix use-after-free after invalid ref action At btrfs_ref_tree_mod() after we successfully inserted the new ref entry (local variable 'ref') into the respective block entry's rbtree (local variable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF, we error out and free the ref entry without removing it from the block entry's rbtree. Then in the error path of btrfs_ref_tree_mod() we call btrfs_free_ref_cache(), which iterates over all block entries and then calls free_block_entry() for each one, and there we will trigger a use-after-free when we are called against the block entry to which we added the freed ref entry to its rbtree, since the rbtree still points to the block entry, as we didn't remove it from the rbtree before freeing it in the error path at btrfs_ref_tree_mod(). Fix this by removing the new ref entry from the rbtree before freeing it. Syzbot report this with the following stack traces: BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615 __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523 update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314 btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline] btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23 btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482 btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293 vfs_unlink+0x365/0x650 fs/namei.c:4469 do_unlinkat+0x4ae/0x830 fs/namei.c:4533 __do_sys_unlinkat fs/namei.c:4576 [inline] __se_sys_unlinkat fs/namei.c:4569 [inline] __x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f BTRFS error (device loop0 state EA): Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1 __btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521 update_ref_for_cow+0x96a/0x11f0 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411 __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline] __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137 __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171 btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313 prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586 relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611 btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081 btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377 __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161 btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538 BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615 __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523 update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512 btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594 btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754 btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411 __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030 btrfs_update_delayed_i ---truncated--- • https://git.kernel.org/stable/c/fd708b81d972a0714b02a60eb4792fdbf15868c4 https://git.kernel.org/stable/c/dfb9fe7de61f34cc241ab3900bdde93341096e0e https://git.kernel.org/stable/c/6fd018aa168e472ce35be32296d109db6adb87ea https://git.kernel.org/stable/c/d2b85ce0561fde894e28fa01bd5d32820d585006 https://git.kernel.org/stable/c/6370db28af9a8ae3bbdfe97f8a48f8f995e144cf https://git.kernel.org/stable/c/4275ac2741941c9c7c2293619fdbacb9f70ba85b https://git.kernel.org/stable/c/a6f9e7a0bf1185c9070c0de03bb85eafb9abd650 https://git.kernel.org/stable/c/7c4e39f9d2af4abaf82ca0e315d1fd340 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56579 – media: amphion: Set video drvdata before register video device
https://notcve.org/view.php?id=CVE-2024-56579
In the Linux kernel, the following vulnerability has been resolved: media: amphion: Set video drvdata before register video device The video drvdata should be set before the video device is registered, otherwise video_drvdata() may return NULL in the open() file ops, and led to oops. • https://git.kernel.org/stable/c/3cd084519c6f91cbef9d604bcf26844fa81d4922 https://git.kernel.org/stable/c/cfe96c7c3382293179e291f66644d789e39e99f3 https://git.kernel.org/stable/c/988cc10ddbdee0369fe1f193d389da38ad760492 https://git.kernel.org/stable/c/182b9edc02c4cbb6fe6b97105c23c7047a3340d2 https://git.kernel.org/stable/c/8cbb1a7bd5973b57898b26eb804fe44af440bb63 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-56578 – media: imx-jpeg: Set video drvdata before register video device
https://notcve.org/view.php?id=CVE-2024-56578
In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Set video drvdata before register video device The video drvdata should be set before the video device is registered, otherwise video_drvdata() may return NULL in the open() file ops, and led to oops. • https://git.kernel.org/stable/c/2db16c6ed72ce644d5639b3ed15e5817442db4ba https://git.kernel.org/stable/c/f68bb1210fbea252552d97242757f69a219e942b https://git.kernel.org/stable/c/b88556e82dc18cb708744d062770853a2d5095b2 https://git.kernel.org/stable/c/68efeff2f7fccdfedc55f92e92be32997127d16e https://git.kernel.org/stable/c/5ade59d28eade49194eb09765afdeb0ba717c39a https://git.kernel.org/stable/c/d2b7ecc26bd5406d5ba927be1748aa99c568696c •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56576 – media: i2c: tc358743: Fix crash in the probe error path when using polling
https://notcve.org/view.php?id=CVE-2024-56576
In the Linux kernel, the following vulnerability has been resolved: media: i2c: tc358743: Fix crash in the probe error path when using polling If an error occurs in the probe() function, we should remove the polling timer that was alarmed earlier, otherwise the timer is called with arguments that are already freed, which results in a crash. ------------[ cut here ]------------ WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268 Modules linked in: CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226 Hardware name: Diasom DS-RK3568-SOM-EVB (DT) pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __run_timers+0x244/0x268 lr : __run_timers+0x1d4/0x268 sp : ffffff80eff2baf0 x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00 x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00 x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000 x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000 x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009 x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480 x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240 x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0 Call trace: __run_timers+0x244/0x268 timer_expire_remote+0x50/0x68 tmigr_handle_remote+0x388/0x39c run_timer_softirq+0x38/0x44 handle_softirqs+0x138/0x298 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x24/0x4c do_softirq_own_stack+0x1c/0x2c irq_exit_rcu+0x9c/0xcc el1_interrupt+0x48/0xc0 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x7c/0x80 default_idle_call+0x34/0x68 do_idle+0x23c/0x294 cpu_startup_entry+0x38/0x3c secondary_start_kernel+0x128/0x160 __secondary_switched+0xb8/0xbc ---[ end trace 0000000000000000 ]--- • https://git.kernel.org/stable/c/4e66a52a2e4c832dfa35a39204d0f7ce717d4a4a https://git.kernel.org/stable/c/13193a97ddd5a6a5b11408ddbc1ae85588b1860c https://git.kernel.org/stable/c/5c9ab34c87af718bdbf9faa2b1a6ba41d15380ea https://git.kernel.org/stable/c/815d14147068347e88c258233eb951b41b2792a6 https://git.kernel.org/stable/c/34a3466a92f50c51d984f0ec2e96864886d460eb https://git.kernel.org/stable/c/b59ab89bc83f7bff67f78c6caf484a84a6dd30f7 https://git.kernel.org/stable/c/1def915b1564f4375330bd113ea1d768a569cfd8 https://git.kernel.org/stable/c/869f38ae07f7df829da4951c3d1f7a2be •