CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-49939 – wifi: rtw89: avoid to add interface to list twice when SER
https://notcve.org/view.php?id=CVE-2024-49939
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid to add interface to list twice when SER If SER L2 occurs during the WoWLAN resume flow, the add interface flow is triggered by ieee80211_reconfig(). However, due to rtw89_wow_resume() return failure, it will cause the add interface flow to be executed again, resulting in a double add list and causing a kernel panic. Therefore, we have added a check to prevent double adding of the list. list_add double add: new=ffff99d6992e2010, prev=ffff99d6992e2010, next=ffff99d695302628. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:37! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W O 6.6.30-02659-gc18865c4dfbd #1 770df2933251a0e3c888ba69d1053a817a6376a7 Hardware name: HP Grunt/Grunt, BIOS Google_Grunt.11031.169.0 06/24/2021 Workqueue: events_freezable ieee80211_restart_work [mac80211] RIP: 0010:__list_add_valid_or_report+0x5e/0xb0 Code: c7 74 18 48 39 ce 74 13 b0 01 59 5a 5e 5f 41 58 41 59 41 5a 5d e9 e2 d6 03 00 cc 48 c7 c7 8d 4f 17 83 48 89 c2 e8 02 c0 00 00 <0f> 0b 48 c7 c7 aa 8c 1c 83 e8 f4 bf 00 00 0f 0b 48 c7 c7 c8 bc 12 RSP: 0018:ffffa91b8007bc50 EFLAGS: 00010246 RAX: 0000000000000058 RBX: ffff99d6992e0900 RCX: a014d76c70ef3900 RDX: ffffa91b8007bae8 RSI: 00000000ffffdfff RDI: 0000000000000001 RBP: ffffa91b8007bc88 R08: 0000000000000000 R09: ffffa91b8007bae0 R10: 00000000ffffdfff R11: ffffffff83a79800 R12: ffff99d695302060 R13: ffff99d695300900 R14: ffff99d6992e1be0 R15: ffff99d6992e2010 FS: 0000000000000000(0000) GS:ffff99d6aac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000078fbdba43480 CR3: 000000010e464000 CR4: 00000000001506f0 Call Trace: <TASK> ? __die_body+0x1f/0x70 ? • https://git.kernel.org/stable/c/fdc73f2cfbe897f4733156df211d79ced649b23c https://git.kernel.org/stable/c/37c319503023de49a4c87301c8998c8d928112cb https://git.kernel.org/stable/c/490eddc836b2a6ec286e5df14bed4c7cf5e1f475 https://git.kernel.org/stable/c/7dd5d2514a8ea58f12096e888b0bd050d7eae20a •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-49938 – wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit
https://notcve.org/view.php?id=CVE-2024-49938
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Syzbot points out that skb_trim() has a sanity check on the existing length of the skb, which can be uninitialised in some error paths. The intent here is clearly just to reset the length to zero before resubmitting, so switch to calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length() already contains a call to skb_reset_tail_pointer(), so remove the redundant call. The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it. • https://git.kernel.org/stable/c/b02eb7c86ff2ef1411c3095ec8a52b13f68db04f https://git.kernel.org/stable/c/012ae530afa0785102360de452745d33c99a321b https://git.kernel.org/stable/c/6a875220670475d9247e576c15dc29823100a4e4 https://git.kernel.org/stable/c/e37e348835032d6940ec89308cc8996ded691d2d https://git.kernel.org/stable/c/2c230210ec0ae6ed08306ac70dc21c24b817bb95 https://git.kernel.org/stable/c/a9f4e28e8adaf0715bd4e01462af0a52ee46b01f https://git.kernel.org/stable/c/94745807f3ebd379f23865e6dab196f220664179 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49937 – wifi: cfg80211: Set correct chandef when starting CAC
https://notcve.org/view.php?id=CVE-2024-49937
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Set correct chandef when starting CAC When starting CAC in a mode other than AP mode, it return a "WARNING: CPU: 0 PID: 63 at cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]" caused by the chandef.chan being null at the end of CAC. Solution: Ensure the channel definition is set for the different modes when starting CAC to avoid getting a NULL 'chan' at the end of CAC. Call Trace: ? show_regs.part.0+0x14/0x16 ? __warn+0x67/0xc0 ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211] ? report_bug+0xa7/0x130 ? • https://git.kernel.org/stable/c/95f32191e50b75e0f75fae1bb925cdf51d8df0a3 https://git.kernel.org/stable/c/04053e55dd50741cf6c59b9bbaa4238218c05c70 https://git.kernel.org/stable/c/f4dbfda159e43d49b43003cc3c2914751939035f https://git.kernel.org/stable/c/c628026563f4ea9e0413dd4b69429e4a1db240b1 https://git.kernel.org/stable/c/20361712880396e44ce80aaeec2d93d182035651 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-49936 – net/xen-netback: prevent UAF in xenvif_flush_hash()
https://notcve.org/view.php?id=CVE-2024-49936
In the Linux kernel, the following vulnerability has been resolved: net/xen-netback: prevent UAF in xenvif_flush_hash() During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. • https://git.kernel.org/stable/c/a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c https://git.kernel.org/stable/c/a0465723b8581cad27164c9073fd780904cd22d4 https://git.kernel.org/stable/c/efcff6ce7467f01f0753609f420333f3f2ceceda https://git.kernel.org/stable/c/143edf098b80669d05245b2f2367dd156a83a2c5 https://git.kernel.org/stable/c/d408889d4b54f5501e4becc4dbbb9065143fbf4e https://git.kernel.org/stable/c/54d8639af5568fc41c0e274fc3ec9cf86c59fcbb https://git.kernel.org/stable/c/0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-49935 – ACPI: PAD: fix crash in exit_round_robin()
https://notcve.org/view.php?id=CVE-2024-49935
In the Linux kernel, the following vulnerability has been resolved: ACPI: PAD: fix crash in exit_round_robin() The kernel occasionally crashes in cpumask_clear_cpu(), which is called within exit_round_robin(), because when executing clear_bit(nr, addr) with nr set to 0xffffffff, the address calculation may cause misalignment within the memory, leading to access to an invalid memory address. ---------- BUG: unable to handle kernel paging request at ffffffffe0740618 ... CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1 ... RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad] Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31 RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202 RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8 R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e FS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? acpi_pad_add+0x120/0x120 [acpi_pad] kthread+0x10b/0x130 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x1f/0x40 ... CR2: ffffffffe0740618 crash> dis -lr ffffffffc0726923 ... /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114 0xffffffffc0726918 <power_saving_thread+776>: mov %r12d,%r12d /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325 0xffffffffc072691b <power_saving_thread+779>: mov -0x3f8d7de0(,%r12,4),%eax /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/. • https://git.kernel.org/stable/c/92e5661b7d0727ab912b76625a88b33fdb9b609a https://git.kernel.org/stable/c/68a599da16ebad442ce295d8d2d5c488e3992822 https://git.kernel.org/stable/c/68a8e45743d6a120f863fb14b72dc59616597019 https://git.kernel.org/stable/c/03593dbb0b272ef7b0358b099841e65735422aca https://git.kernel.org/stable/c/27c045f868f0e5052c6b532868a65e0cd250c8fc https://git.kernel.org/stable/c/0a2ed70a549e61c5181bad5db418d223b68ae932 •