CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-40983 – tipc: force a dst refcount before doing decryption
https://notcve.org/view.php?id=CVE-2024-40983
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: tipc: force a dst refcount before doing decryption As it says in commit 3bc07321ccc2 ("xfrm: Force a dst refcount before entering the xfrm type handlers"): "Crypto requests might return asynchronous. In this case we leave the rcu protected region, so force a refcount on the skb's destination entry before we enter the xfrm type input/output handlers." On TIPC decryption path it has the same problem, and skb_dst_force() should be called befor... • https://git.kernel.org/stable/c/fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 • CWE-911: Improper Update of Reference Count •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-40982 – ssb: Fix potential NULL pointer dereference in ssb_device_uevent()
https://notcve.org/view.php?id=CVE-2024-40982
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ssb: Fix potential NULL pointer dereference in ssb_device_uevent() The ssb_device_uevent() function first attempts to convert the 'dev' pointer to 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before performing the NULL check, potentially leading to a NULL pointer dereference if 'dev' is NULL. To fix this issue, move the NULL check before dereferencing the 'dev' pointer, ensuring that the pointer is valid before attemptin... • https://git.kernel.org/stable/c/c5dc2d8eb3981bae261ea7d1060a80868e886813 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40981 – batman-adv: bypass empty buckets in batadv_purge_orig_ref()
https://notcve.org/view.php?id=CVE-2024-40981
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: bypass empty buckets in batadv_purge_orig_ref() Many syzbot reports are pointing to soft lockups in batadv_purge_orig_ref() [1] Root cause is unknown, but we can avoid spending too much time there and perhaps get more interesting reports. [1] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621] Modules linked in: irq event stamp: 6182794 hardirqs last enabled at (6182793): [
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-40980 – drop_monitor: replace spin_lock by raw_spin_lock
https://notcve.org/view.php?id=CVE-2024-40980
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: drop_monitor: replace spin_lock by raw_spin_lock trace_drop_common() is called with preemption disabled, and it acquires a spin_lock. This is problematic for RT kernels because spin_locks are sleeping locks in this configuration, which causes the following splat: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47 preempt_count: 1, ex... • https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-40979 – wifi: ath12k: fix kernel crash during resume
https://notcve.org/view.php?id=CVE-2024-40979
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix kernel crash during resume Currently during resume, QMI target memory is not properly handled, resulting in kernel crash in case DMA remap is not supported: BUG: Bad page state in process kworker/u16:54 pfn:36e80 page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80 page dumped because: nonzero _refcount Call Trace: bad_page free_page_is_bad_report __free_pages_ok __free_pages dma_direct_free dma_free_... • https://git.kernel.org/stable/c/d889913205cf7ebda905b1e62c5867ed4e39f6c2 •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40978 – scsi: qedi: Fix crash while reading debugfs attribute
https://notcve.org/view.php?id=CVE-2024-40978
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix crash while reading debugfs attribute The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly on a __user pointer, which results into the crash. To fix this issue, use a small local stack buffer for sprintf() and then call simple_read_from_buffer(), which in turns make the copy_to_user() call. BUG: unable to handle page fault for address: 00007f4801111000 PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df... • https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0 • CWE-822: Untrusted Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-40977 – wifi: mt76: mt7921s: fix potential hung tasks during chip recovery
https://notcve.org/view.php?id=CVE-2024-40977
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921s: fix potential hung tasks during chip recovery During chip recovery (e.g. chip reset), there is a possible situation that kernel worker reset_work is holding the lock and waiting for kernel thread stat_worker to be parked, while stat_worker is waiting for the release of the same lock. It causes a deadlock resulting in the dumping of hung tasks messages and possible rebooting of the device. This patch prevents the executi... • https://git.kernel.org/stable/c/0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08 • CWE-833: Deadlock •
CVSS: 4.7EPSS: 0%CPEs: 6EXPL: 0CVE-2024-40976 – drm/lima: mask irqs in timeout path before hard reset
https://notcve.org/view.php?id=CVE-2024-40976
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/lima: mask irqs in timeout path before hard reset There is a race condition in which a rendering job might take just long enough to trigger the drm sched job timeout handler but also still complete before the hard reset is done by the timeout handler. This runs into race conditions not expected by the timeout handler. In some very specific cases it currently may result in a refcount imbalance on lima_pm_idle, with a stack dump such as: ... • https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a •
CVSS: 2.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-40975 – platform/x86: x86-android-tablets: Unregister devices in reverse order
https://notcve.org/view.php?id=CVE-2024-40975
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: x86-android-tablets: Unregister devices in reverse order Not all subsystems support a device getting removed while there are still consumers of the device with a reference to the device. One example of this is the regulator subsystem. If a regulator gets unregistered while there are still drivers holding a reference a WARN() at drivers/regulator/core.c:5829 triggers, e.g.: WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:... • https://git.kernel.org/stable/c/36ff963c133a25ed1166a25c3ba8b357ea010fda •
CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2024-40974 – powerpc/pseries: Enforce hcall result buffer validity and size
https://notcve.org/view.php?id=CVE-2024-40974
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Enforce hcall result buffer validity and size plpar_hcall(), plpar_hcall9(), and related functions expect callers to provide valid result buffers of certain minimum size. Currently this is communicated only through comments in the code and the compiler has no idea. For example, if I write a bug like this: long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...); Th... • https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •