CVE-2024-50266 – clk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs
https://notcve.org/view.php?id=CVE-2024-50266
In the Linux kernel, the following vulnerability has been resolved: clk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs A recent change in the venus driver results in a stuck clock on the Lenovo ThinkPad X13s, for example, when streaming video in firefox: video_cc_mvs0_clk status stuck at 'off' WARNING: CPU: 6 PID: 2885 at drivers/clk/qcom/clk-branch.c:87 clk_branch_wait+0x144/0x15c ... Call trace: clk_branch_wait+0x144/0x15c clk_branch2_enable+0x30/0x40 clk_core_enable+0xd8/0x29c clk_enable+0x2c/0x4c vcodec_clks_enable.isra.0+0x94/0xd8 [venus_core] coreid_power_v4+0x464/0x628 [venus_core] vdec_start_streaming+0xc4/0x510 [venus_dec] vb2_start_streaming+0x6c/0x180 [videobuf2_common] vb2_core_streamon+0x120/0x1dc [videobuf2_common] vb2_streamon+0x1c/0x6c [videobuf2_v4l2] v4l2_m2m_ioctl_streamon+0x30/0x80 [v4l2_mem2mem] v4l_streamon+0x24/0x30 [videodev] using the out-of-tree sm8350/sc8280xp venus support. [1] Update also the sm8350/sc8280xp GDSC definitions so that the hw control mode can be changed at runtime as the venus driver now requires. • https://git.kernel.org/stable/c/ec9a652e514903df887791b669b70e86ab4e3ec5 https://git.kernel.org/stable/c/d055f6f2bdfb8b9c9bc071f748c16bd3afb2db0f https://git.kernel.org/stable/c/f903663a8dcd6e1656e52856afbf706cc14cbe6d •
CVE-2024-50265 – ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
https://notcve.org/view.php?id=CVE-2024-50265
In the Linux kernel, the following vulnerability has been resolved: ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove(): [ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12 [ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry [ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004 [...] [ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0 [...] [ 57.331328] Call Trace: [ 57.331477] <TASK> [...] [ 57.333511] ? do_user_addr_fault+0x3e5/0x740 [ 57.333778] ? exc_page_fault+0x70/0x170 [ 57.334016] ? asm_exc_page_fault+0x2b/0x30 [ 57.334263] ? • https://git.kernel.org/stable/c/399ff3a748cf4c8c853e96dd477153202636527b https://git.kernel.org/stable/c/38cbf13b2e7a31362babe411f7c2c3c52cd2734b https://git.kernel.org/stable/c/168a9b8303fcb0317db4c06b23ce1c0ce2af4e10 https://git.kernel.org/stable/c/6a7e6dcf90fe7721d0863067b6ca9a9442134692 https://git.kernel.org/stable/c/dcc8fe8c83145041cb6c80cac21f6173a3ff0204 https://git.kernel.org/stable/c/86dd0e8d42828923c68ad506933336bcd6f2317d https://git.kernel.org/stable/c/dd73c942eed76a014c7a5597e6926435274d2c4c https://git.kernel.org/stable/c/2b5369528ee63c88371816178a05b5e66 •
CVE-2024-50264 – vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
https://notcve.org/view.php?id=CVE-2024-50264
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL. • https://git.kernel.org/stable/c/06a8fc78367d070720af960dcecec917d3ae5f3b https://git.kernel.org/stable/c/5f092a4271f6dccf88fe0d132475a17b69ef71df https://git.kernel.org/stable/c/fd8ae346692a56b4437d626c5460c7104980f389 https://git.kernel.org/stable/c/eb1bdcb7dfc30b24495ee4c5533af0ed135cb5f1 https://git.kernel.org/stable/c/2a6a4e69f255b7aed17f93995691ab4f0d3c2203 https://git.kernel.org/stable/c/44d29897eafd0e1196453d3003a4d5e0b968eeab https://git.kernel.org/stable/c/b110196fec44fe966952004bd426967c2a8fd358 https://git.kernel.org/stable/c/5f970935d09934222fdef3d0e20c648ea • CWE-416: Use After Free •
CVE-2024-50263 – fork: only invoke khugepaged, ksm hooks if no error
https://notcve.org/view.php?id=CVE-2024-50263
In the Linux kernel, the following vulnerability has been resolved: fork: only invoke khugepaged, ksm hooks if no error There is no reason to invoke these hooks early against an mm that is in an incomplete state. The change in commit d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") makes this more pertinent as we may be in a state where entries in the maple tree are not yet consistent. Their placement early in dup_mmap() only appears to have been meaningful for early error checking, and since functionally it'd require a very small allocation to fail (in practice 'too small to fail') that'd only occur in the most dire circumstances, meaning the fork would fail or be OOM'd in any case. Since both khugepaged and KSM tracking are there to provide optimisations to memory performance rather than critical functionality, it doesn't really matter all that much if, under such dire memory pressure, we fail to register an mm with these. As a result, we follow the example of commit d2081b2bf819 ("mm: khugepaged: make khugepaged_enter() void function") and make ksm_fork() a void function also. We only expose the mm to these functions once we are done with them and only if no error occurred in the fork operation. • https://git.kernel.org/stable/c/d2406291483775ecddaee929231a39c70c08fda2 https://git.kernel.org/stable/c/3b85aa0da8cd01173b9afd1f70080fbb9576c4b0 https://git.kernel.org/stable/c/985da552a98e27096444508ce5d853244019111f https://project-zero.issues.chromium.org/issues/373391951 •
CVE-2024-50262 – bpf: Fix out-of-bounds write in trie_get_next_key()
https://notcve.org/view.php?id=CVE-2024-50262
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds write in trie_get_next_key() trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie with max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with .prefixlen = 8 make 9 nodes be written on the node stack with size 8. • https://git.kernel.org/stable/c/b471f2f1de8b816f1e799b80aa92588f3566e4bd https://git.kernel.org/stable/c/e8494ac079814a53fbc2258d2743e720907488ed https://git.kernel.org/stable/c/91afbc0eb3c90258ae378ae3c6ead3d2371e926d https://git.kernel.org/stable/c/590976f921723d53ac199c01d5b7b73a94875e68 https://git.kernel.org/stable/c/86c8ebe02d8806dd8878d0063e8e185622ab6ea6 https://git.kernel.org/stable/c/a035df0b98df424559fd383e8e1a268f422ea2ba https://git.kernel.org/stable/c/90a6e0e1e151ef7a9282e78f54c3091de2dcc99c https://git.kernel.org/stable/c/c4b4f9a9ab82238cb158fa4fe61a8c0ae • CWE-787: Out-of-bounds Write •