CVE-2024-41085 – cxl/mem: Fix no cxl_nvd during pmem region auto-assembling
https://notcve.org/view.php?id=CVE-2024-41085
In the Linux kernel, the following vulnerability has been resolved: cxl/mem: Fix no cxl_nvd during pmem region auto-assembling When CXL subsystem is auto-assembling a pmem region during cxl endpoint port probing, always hit below calltrace. BUG: kernel NULL pointer dereference, address: 0000000000000078 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page RIP: 0010:cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x160 ? do_user_addr_fault+0x65/0x6b0 ? exc_page_fault+0x7d/0x170 ? • https://git.kernel.org/stable/c/f17b558d6663101f876a1d9cbbad3de0c8f4ce4d https://git.kernel.org/stable/c/1d064e4fbebcf5b18dc10c1f3973487eb163b600 https://git.kernel.org/stable/c/84ec985944ef34a34a1605b93ce401aa8737af96 •
CVE-2024-41084 – cxl/region: Avoid null pointer dereference in region lookup
https://notcve.org/view.php?id=CVE-2024-41084
In the Linux kernel, the following vulnerability has been resolved: cxl/region: Avoid null pointer dereference in region lookup cxl_dpa_to_region() looks up a region based on a memdev and DPA. It wrongly assumes an endpoint found mapping the DPA is also of a fully assembled region. When not true it leads to a null pointer dereference looking up the region name. This appears during testing of region lookup after a failure to assemble a BIOS defined region or if the lookup raced with the assembly of the BIOS defined region. Failure to clean up BIOS defined regions that fail assembly is an issue in itself and a fix to that problem will alleviate some of the impact. It will not alleviate the race condition so let's harden this path. The behavior change is that the kernel oops due to a null pointer dereference is replaced with a dev_dbg() message noting that an endpoint was mapped. Additional comments are added so that future users of this function can more clearly understand what it provides. • https://git.kernel.org/stable/c/0a105ab28a4de44eb738ce64e9ac74946aa5133b https://git.kernel.org/stable/c/a9e099e29e925f8b31cfe53e8a786b9796f8e453 https://git.kernel.org/stable/c/b8a40a6dbfb0150c1081384caa9bbe28ce5d5060 https://git.kernel.org/stable/c/285f2a08841432fc3e498b1cd00cce5216cdf189 •
CVE-2024-41082 – nvme-fabrics: use reserved tag for reg read/write command
https://notcve.org/view.php?id=CVE-2024-41082
In the Linux kernel, the following vulnerability has been resolved: nvme-fabrics: use reserved tag for reg read/write command In some scenarios, if too many commands are issued by nvme command in the same time by user tasks, this may exhaust all tags of admin_q. If a reset (nvme reset or IO timeout) occurs before these commands finish, reconnect routine may fail to update nvme regs due to insufficient tags, which will cause kernel hang forever. In order to workaround this issue, maybe we can let reg_read32()/reg_read64()/reg_write32() use reserved tags. This maybe safe for nvmf: 1. For the disable ctrl path, we will not issue connect command 2. • https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa •
CVE-2024-41081 – ila: block BH in ila_output()
https://notcve.org/view.php?id=CVE-2024-41081
In the Linux kernel, the following vulnerability has been resolved: ila: block BH in ila_output() As explained in commit 1378817486d6 ("tipc: block BH before using dst_cache"), net/core/dst_cache.c helpers need to be called with BH disabled. ila_output() is called from lwtunnel_output() possibly from process context, and under rcu_read_lock(). We might be interrupted by a softirq, re-enter ila_output() and corrupt dst_cache data structures. Fix the race by using local_bh_disable(). • https://git.kernel.org/stable/c/7435bd2f84a25aba607030237261b3795ba782da https://git.kernel.org/stable/c/96103371091c6476eb07f4c66624bdd1b42f758a https://git.kernel.org/stable/c/a0cafb7b0b94d18e4813ee4b712a056f280e7b5a https://git.kernel.org/stable/c/feac2391e26b086f73be30e9b1ab215eada8d830 https://git.kernel.org/stable/c/b4eb25a3d70df925a9fa4e82d17a958a0a228f5f https://git.kernel.org/stable/c/522c3336c2025818fa05e9daf0ac35711e55e316 https://git.kernel.org/stable/c/9f9c79d8e527d867e0875868b14fb76e6011e70c https://git.kernel.org/stable/c/cf28ff8e4c02e1ffa850755288ac954b6 •
CVE-2024-41080 – io_uring: fix possible deadlock in io_register_iowq_max_workers()
https://notcve.org/view.php?id=CVE-2024-41080
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix possible deadlock in io_register_iowq_max_workers() The io_register_iowq_max_workers() function calls io_put_sq_data(), which acquires the sqd->lock without releasing the uring_lock. Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock before acquiring sqd->lock"), this can lead to a potential deadlock situation. To resolve this issue, the uring_lock is released before calling io_put_sq_data(), and then it is re-acquired after the function call. This change ensures that the locks are acquired in the correct order, preventing the possibility of a deadlock. • https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf •