CVE-2024-41086 – bcachefs: Fix sb_field_downgrade validation
https://notcve.org/view.php?id=CVE-2024-41086
In the Linux kernel, the following vulnerability has been resolved: bcachefs: Fix sb_field_downgrade validation - bch2_sb_downgrade_validate() wasn't checking for a downgrade entry extending past the end of the superblock section - for_each_downgrade_entry() is used in to_text() and needs to work on malformed input; it also was missing a check for a field extending past the end of the section • https://git.kernel.org/stable/c/84f1638795da1ff2084597de4251e9054f1ad728 https://git.kernel.org/stable/c/bf920ed92ef24dcd6970c88881cd4700b3acf05b https://git.kernel.org/stable/c/692aa7a54b2b28d59f24b3bf8250837805484b99 •
CVE-2024-41085 – cxl/mem: Fix no cxl_nvd during pmem region auto-assembling
https://notcve.org/view.php?id=CVE-2024-41085
In the Linux kernel, the following vulnerability has been resolved: cxl/mem: Fix no cxl_nvd during pmem region auto-assembling When CXL subsystem is auto-assembling a pmem region during cxl endpoint port probing, always hit below calltrace. BUG: kernel NULL pointer dereference, address: 0000000000000078 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page RIP: 0010:cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x160 ? do_user_addr_fault+0x65/0x6b0 ? exc_page_fault+0x7d/0x170 ? • https://git.kernel.org/stable/c/f17b558d6663101f876a1d9cbbad3de0c8f4ce4d https://git.kernel.org/stable/c/1d064e4fbebcf5b18dc10c1f3973487eb163b600 https://git.kernel.org/stable/c/84ec985944ef34a34a1605b93ce401aa8737af96 https://access.redhat.com/security/cve/CVE-2024-41085 https://bugzilla.redhat.com/show_bug.cgi?id=2300481 • CWE-476: NULL Pointer Dereference •
CVE-2024-41084 – cxl/region: Avoid null pointer dereference in region lookup
https://notcve.org/view.php?id=CVE-2024-41084
In the Linux kernel, the following vulnerability has been resolved: cxl/region: Avoid null pointer dereference in region lookup cxl_dpa_to_region() looks up a region based on a memdev and DPA. It wrongly assumes an endpoint found mapping the DPA is also of a fully assembled region. When not true it leads to a null pointer dereference looking up the region name. This appears during testing of region lookup after a failure to assemble a BIOS defined region or if the lookup raced with the assembly of the BIOS defined region. Failure to clean up BIOS defined regions that fail assembly is an issue in itself and a fix to that problem will alleviate some of the impact. It will not alleviate the race condition so let's harden this path. The behavior change is that the kernel oops due to a null pointer dereference is replaced with a dev_dbg() message noting that an endpoint was mapped. Additional comments are added so that future users of this function can more clearly understand what it provides. • https://git.kernel.org/stable/c/0a105ab28a4de44eb738ce64e9ac74946aa5133b https://git.kernel.org/stable/c/a9e099e29e925f8b31cfe53e8a786b9796f8e453 https://git.kernel.org/stable/c/b8a40a6dbfb0150c1081384caa9bbe28ce5d5060 https://git.kernel.org/stable/c/285f2a08841432fc3e498b1cd00cce5216cdf189 https://access.redhat.com/security/cve/CVE-2024-41084 https://bugzilla.redhat.com/show_bug.cgi?id=2300480 • CWE-476: NULL Pointer Dereference •
CVE-2024-41083 – netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid
https://notcve.org/view.php?id=CVE-2024-41083
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid Fix netfs_page_mkwrite() to check that folio->mapping is valid once it has taken the folio lock (as filemap_page_mkwrite() does). Without this, generic/247 occasionally oopses with something like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page RIP: 0010:trace_event_raw_event_netfs_folio+0x61/0xc0 ... Call Trace: <TASK> ? __die_body+0x1a/0x60 ? page_fault_oops+0x6e/0xa0 ? exc_page_fault+0xc2/0xe0 ? • https://git.kernel.org/stable/c/102a7e2c598c22bd2621fa97eb1c93c89d469a12 https://git.kernel.org/stable/c/3473eb87afd402e415a8ca885b284ea0420dde25 https://git.kernel.org/stable/c/a81c98bfa40c11f8ea79b5a9b3f5fda73bfbb4d2 •
CVE-2024-41082 – nvme-fabrics: use reserved tag for reg read/write command
https://notcve.org/view.php?id=CVE-2024-41082
In the Linux kernel, the following vulnerability has been resolved: nvme-fabrics: use reserved tag for reg read/write command In some scenarios, if too many commands are issued by nvme command in the same time by user tasks, this may exhaust all tags of admin_q. If a reset (nvme reset or IO timeout) occurs before these commands finish, reconnect routine may fail to update nvme regs due to insufficient tags, which will cause kernel hang forever. In order to workaround this issue, maybe we can let reg_read32()/reg_read64()/reg_write32() use reserved tags. This maybe safe for nvmf: 1. For the disable ctrl path, we will not issue connect command 2. • https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa https://access.redhat.com/security/cve/CVE-2024-41082 https://bugzilla.redhat.com/show_bug.cgi?id=2300459 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •