CVE-2024-39509 – HID: core: remove unnecessary WARN_ON() in implement()
https://notcve.org/view.php?id=CVE-2024-39509
In the Linux kernel, the following vulnerability has been resolved: HID: core: remove unnecessary WARN_ON() in implement() Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... • https://git.kernel.org/stable/c/95d1c8951e5bd50bb89654a99a7012b1e75646bd https://git.kernel.org/stable/c/955b3764671f3f157215194972d9c01a3a4bd316 https://git.kernel.org/stable/c/f9db5fbeffb951cac3f0fb1c2eeffb79785399ca https://git.kernel.org/stable/c/33f6832798dd3297317901cc1db556ac3ae80c24 https://git.kernel.org/stable/c/8bac61934cd563b073cd30b8cf6d5c758ab5ab26 https://git.kernel.org/stable/c/bfd546fc7fd76076f81bf41b85b51ceda30949fd https://git.kernel.org/stable/c/30f76bc468b9b2cbbd5d3eb482661e3e4798893f https://git.kernel.org/stable/c/655c6de2f215b61d0708db6b06305eee9 •
CVE-2024-39508 – io_uring/io-wq: Use set_bit() and test_bit() at worker->flags
https://notcve.org/view.php?id=CVE-2024-39508
In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq to address potential data races. The structure io_worker->flags may be accessed through various data paths, leading to concurrency issues. When KCSAN is enabled, it reveals data races occurring in io_worker_handle_work and io_wq_activate_free_worker functions. BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28: io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569) io_wq_worker (io_uring/io-wq.c:?) <snip> read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5: io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285) io_wq_enqueue (io_uring/io-wq.c:947) io_queue_iowq (io_uring/io_uring.c:524) io_req_task_submit (io_uring/io_uring.c:1511) io_handle_tw_list (io_uring/io_uring.c:1198) <snip> Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm"). These races involve writes and reads to the same memory location by different tasks running on different CPUs. To mitigate this, refactor the code to use atomic operations such as set_bit(), test_bit(), and clear_bit() instead of basic "and" and "or" operations. • https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0 https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab https://access.redhat.com/security/cve/CVE-2024-39508 https://bugzilla.redhat.com/show_bug.cgi?id=2297480 • CWE-364: Signal Handler Race Condition •
CVE-2024-39507 – net: hns3: fix kernel crash problem in concurrent scenario
https://notcve.org/view.php?id=CVE-2024-39507
In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash problem in concurrent scenario When link status change, the nic driver need to notify the roce driver to handle this event, but at this time, the roce driver may uninit, then cause kernel crash. To fix the problem, when link status change, need to check whether the roce registered, and when uninit, need to wait link update finish. • https://git.kernel.org/stable/c/45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48 https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63 https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4 https://access.redhat.com/security/cve/CVE-2024-39507 https://bugzilla.redhat.com/show_bug.cgi?id=2297702 •
CVE-2024-39506 – liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
https://notcve.org/view.php?id=CVE-2024-39506
In the Linux kernel, the following vulnerability has been resolved: liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference. lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info ...search in the dispatch_list... ->disp_fn(rdisp->rinfo, ...) lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...) In this path there is no code which sets pg_info->page to NULL. So this check looks unneeded and doesn't solve potential problem. But I guess the author had reason to add a check and I have no such card and can't do real test. In addition, the code in the function liquidio_push_packet() in liquidio/lio_core.c does exactly the same. Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skb_add_rx_frag() into conditional scope. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/1f233f327913f3dee0602cba9c64df1903772b55 https://git.kernel.org/stable/c/87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2 https://git.kernel.org/stable/c/dcc7440f32c7a26b067aff6e7d931ec593024a79 https://git.kernel.org/stable/c/cbf18d8128a753cb632bef39470d19befd9c7347 https://git.kernel.org/stable/c/a86490a3712cc513113440a606a0e77130abd47c https://git.kernel.org/stable/c/f1ab15a09492a5ae8ab1e2c35ba2cf9e150d25ee https://git.kernel.org/stable/c/fd2b613bc4c508e55c1221c6595bb889812a4fea https://git.kernel.org/stable/c/a6f4d0ec170a46b5f453cacf55dff5989 • CWE-476: NULL Pointer Dereference •
CVE-2024-39505 – drm/komeda: check for error-valued pointer
https://notcve.org/view.php?id=CVE-2024-39505
In the Linux kernel, the following vulnerability has been resolved: drm/komeda: check for error-valued pointer komeda_pipeline_get_state() may return an error-valued pointer, thus check the pointer for negative or null value before dereferencing. • https://git.kernel.org/stable/c/502932a03fceca1cb161eba5f30b18eb640aa8de https://git.kernel.org/stable/c/0674ed1e58e2fdcc155e7d944f8aad007a94ac69 https://git.kernel.org/stable/c/bda7cdaeebf57e46c1a488ae7a15f6f264691f59 https://git.kernel.org/stable/c/86042e3d16b7e0686db835c9e7af0f9044dd3a56 https://git.kernel.org/stable/c/3b1cf943b029c147bfacfd53dc28ffa632c0a622 https://git.kernel.org/stable/c/9460961d82134ceda7377b77a3e3e3531b625dfe https://git.kernel.org/stable/c/99392c98b9be0523fe76944b2264b1847512ad23 https://git.kernel.org/stable/c/b880018edd3a577e50366338194dee9b8 •