CVE-2024-40939 – net: wwan: iosm: Fix tainted pointer delete is case of region creation fail
https://notcve.org/view.php?id=CVE-2024-40939
In the Linux kernel, the following vulnerability has been resolved: net: wwan: iosm: Fix tainted pointer delete is case of region creation fail In case of region creation fail in ipc_devlink_create_region(), previously created regions delete process starts from tainted pointer which actually holds error code value. Fix this bug by decreasing region index before delete. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/4dcd183fbd67b105decc8be262311937730ccdbf https://git.kernel.org/stable/c/fe394d59cdae81389dbf995e87c83c1acd120597 https://git.kernel.org/stable/c/040d9384870386eb5dc55472ac573ac7756b2050 https://git.kernel.org/stable/c/37a438704d19bdbe246d51d3749b6b3a8fe65afd https://git.kernel.org/stable/c/b0c9a26435413b81799047a7be53255640432547 https://access.redhat.com/security/cve/CVE-2024-40939 https://bugzilla.redhat.com/show_bug.cgi?id=2297523 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVE-2024-40938 – landlock: Fix d_parent walk
https://notcve.org/view.php?id=CVE-2024-40938
In the Linux kernel, the following vulnerability has been resolved: landlock: Fix d_parent walk The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when trying to link a root mount point. This cannot work in practice because this directory is mounted, but the VFS check is done after the call to security_path_link(). Do not use source directory's d_parent when the source directory is the mount point. [mic: Fix commit message] • https://git.kernel.org/stable/c/b91c3e4ea756b12b7d992529226edce1cfd854d7 https://git.kernel.org/stable/c/b6e5e696435832b33e40775f060ef5c95f4fda1f https://git.kernel.org/stable/c/cc30d05b34f9a087a6928d09b131f7b491e9ab11 https://git.kernel.org/stable/c/c7618c7b0b8c45bcef34410cc1d1e953eb17f8f6 https://git.kernel.org/stable/c/88da52ccd66e65f2e63a6c35c9dff55d448ef4dc •
CVE-2024-40937 – gve: Clear napi->skb before dev_kfree_skb_any()
https://notcve.org/view.php?id=CVE-2024-40937
In the Linux kernel, the following vulnerability has been resolved: gve: Clear napi->skb before dev_kfree_skb_any() gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it is freed with dev_kfree_skb_any(). This can result in a subsequent call to napi_get_frags returning a dangling pointer. Fix this by clearing napi->skb before the skb is freed. • https://git.kernel.org/stable/c/9b8dd5e5ea48bbb7532d20c4093a79d8283e4029 https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442 https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037 https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50 https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e •
CVE-2024-40935 – cachefiles: flush all requests after setting CACHEFILES_DEAD
https://notcve.org/view.php?id=CVE-2024-40935
In the Linux kernel, the following vulnerability has been resolved: cachefiles: flush all requests after setting CACHEFILES_DEAD In ondemand mode, when the daemon is processing an open request, if the kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write() will always return -EIO, so the daemon can't pass the copen to the kernel. Then the kernel process that is waiting for the copen triggers a hung_task. Since the DEAD state is irreversible, it can only be exited by closing /dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark the cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to avoid the above hungtask. We may still be able to read some of the cached data before closing the fd of /dev/cachefiles. Note that this relies on the patch that adds reference counting to the req, otherwise it may UAF. • https://git.kernel.org/stable/c/c8383054506c77b814489c09877b5db83fd4abf2 https://git.kernel.org/stable/c/320ba9cbca78be79c912143bbba1d1b35ca55cf0 https://git.kernel.org/stable/c/3bf0b8030296e9ee60d3d4c15849ad9ac0b47081 https://git.kernel.org/stable/c/e73fac95084839c5178d97e81c6a2051251bdc00 https://git.kernel.org/stable/c/85e833cd7243bda7285492b0653c3abb1e2e757b •
CVE-2024-40934 – HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()
https://notcve.org/view.php?id=CVE-2024-40934
In the Linux kernel, the following vulnerability has been resolved: HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Fix a memory leak on logi_dj_recv_send_report() error path. • https://git.kernel.org/stable/c/cf48a7ba5c095f76bb9c1951f120fa048442422f https://git.kernel.org/stable/c/e38a6f12685d8a2189b72078f6254b069ff84650 https://git.kernel.org/stable/c/4fb28379b3c735398b252a979c991b340baa6b5b https://git.kernel.org/stable/c/6e59609541514d2ed3472f5bc999c55bdb6144ee https://git.kernel.org/stable/c/6f20d3261265885f6a6be4cda49d7019728760e0 https://git.kernel.org/stable/c/144becd79c196f02143ca71fc10766bd0cc660a1 https://git.kernel.org/stable/c/00ab92481d3a40a5ad323df4c518068f66ce49f1 https://git.kernel.org/stable/c/15122dc140d82c51c216535c57b044c45 •