CVE-2024-38629 – dmaengine: idxd: Avoid unnecessary destruction of file_ida
https://notcve.org/view.php?id=CVE-2024-38629
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Avoid unnecessary destruction of file_ida file_ida is allocated during cdev open and is freed accordingly during cdev release. This sequence is guaranteed by driver file operations. Therefore, there is no need to destroy an already empty file_ida when the WQ cdev is removed. Worse, ida_free() in cdev release may happen after destruction of file_ida per WQ cdev. This can lead to accessing an id in file_ida after it has been destroyed, resulting in a kernel panic. Remove ida_destroy(&file_ida) to address these issues. • https://git.kernel.org/stable/c/e6fd6d7e5f0fe4a17a08e892afb5db800e7794ec https://git.kernel.org/stable/c/9eb15f24a0b9b017b39cde8b8c07243676b63687 https://git.kernel.org/stable/c/15edb906211bf53e7b5574f7326ab734d6bff4f9 https://git.kernel.org/stable/c/76e43fa6a456787bad31b8d0daeabda27351a480 https://access.redhat.com/security/cve/CVE-2024-38629 https://bugzilla.redhat.com/show_bug.cgi?id=2293698 • CWE-416: Use After Free •
CVE-2024-38628 – usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.
https://notcve.org/view.php?id=CVE-2024-38628
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind. Hang on to the control IDs instead of pointers since those are correctly handled with locks. • https://git.kernel.org/stable/c/02de698ca8123782c0c6fb8ed99080e2f032b0d2 https://git.kernel.org/stable/c/89e66809684485590ea0b32c3178e42cba36ac09 https://git.kernel.org/stable/c/453d3fa9266e53f85377b911c19b9a4563fa88c0 https://git.kernel.org/stable/c/bea73b58ab67fe581037ad9cdb93c2557590c068 https://git.kernel.org/stable/c/1b739388aa3f8dfb63a9fca777e6dfa6912d0464 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2024-38627 – stm class: Fix a double free in stm_register_device()
https://notcve.org/view.php?id=CVE-2024-38627
In the Linux kernel, the following vulnerability has been resolved: stm class: Fix a double free in stm_register_device() The put_device(&stm->dev) call will trigger stm_device_release() which frees "stm" so the vfree(stm) on the next line is a double free. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clase stm: corrige un doble free en stm_register_device() La llamada put_device(&stm->dev) activará stm_device_release() que libera "stm" para que vfree(stm) en el La siguiente línea es un doble libre. A vulnerability was found in the Linux kernel's stm class, where an improper memory management sequence in stm_register_device() could lead to a double-free error. This issue occurs when the put_device(&stm->dev) call triggers stm_device_release() to free "stm", making the subsequent vfree(stm) call redundant and potentially harmful. • https://git.kernel.org/stable/c/389b6699a2aa0b457aa69986e9ddf39f3b4030fd https://git.kernel.org/stable/c/b0351a51ffda593b2b1b35dd0c00a73505edb256 https://git.kernel.org/stable/c/6cc30ef8eb6d8f8d6df43152264bbf8835d99931 https://git.kernel.org/stable/c/a0450d3f38e7c6c0a7c0afd4182976ee15573695 https://git.kernel.org/stable/c/713fc00c571dde4af3db2dbd5d1b0eadc327817b https://git.kernel.org/stable/c/7419df1acffbcc90037f6b5a2823e81389659b36 https://git.kernel.org/stable/c/4bfd48bb6e62512b9c392c5002c11e1e3b18d247 https://git.kernel.org/stable/c/370c480410f60b90ba3e96abe73ead21e • CWE-415: Double Free •
CVE-2024-38626 – fuse: clear FR_SENT when re-adding requests into pending list
https://notcve.org/view.php?id=CVE-2024-38626
In the Linux kernel, the following vulnerability has been resolved: fuse: clear FR_SENT when re-adding requests into pending list The following warning was reported by lee bruce: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300 fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300 Modules linked in: CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300 ...... Call Trace: <TASK> fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334 fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367 call_read_iter include/linux/fs.h:2104 [inline] new_sync_read fs/read_write.c:395 [inline] vfs_read+0x85b/0xba0 fs/read_write.c:476 ksys_read+0x12f/0x260 fs/read_write.c:619 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ...... </TASK> The warning is due to the FUSE_NOTIFY_RESEND notify sent by the write() syscall in the reproducer program and it happens as follows: (1) calls fuse_dev_read() to read the INIT request The read succeeds. During the read, bit FR_SENT will be set on the request. (2) calls fuse_dev_write() to send an USE_NOTIFY_RESEND notify The resend notify will resend all processing requests, so the INIT request is moved from processing list to pending list again. (3) calls fuse_dev_read() with an invalid output address fuse_dev_read() will try to copy the same INIT request to the output address, but it will fail due to the invalid address, so the INIT request is ended and triggers the warning in fuse_request_end(). Fix it by clearing FR_SENT when re-adding requests into pending list. • https://git.kernel.org/stable/c/760eac73f9f69aa28fcb3050b4946c2dcc656d12 https://git.kernel.org/stable/c/533070db659a9589310a743e9de14cf9d651ffaf https://git.kernel.org/stable/c/246014876d782bbf2e652267482cd2e799fb5fcd •
CVE-2024-38625 – fs/ntfs3: Check 'folio' pointer for NULL
https://notcve.org/view.php?id=CVE-2024-38625
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Check 'folio' pointer for NULL It can be NULL if bmap is called. • https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17 https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8 https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641 https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803 •