CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2024-46782 – ila: call nf_unregister_net_hooks() sooner
https://notcve.org/view.php?id=CVE-2024-46782
In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. [1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated--- • https://git.kernel.org/stable/c/7f00feaf107645d95a6d87e99b4d141ac0a08efd https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6 https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673 https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2 https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2024-46781 – nilfs2: fix missing cleanup on rollforward recovery error
https://notcve.org/view.php?id=CVE-2024-46781
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts. • https://git.kernel.org/stable/c/0f3e1c7f23f8a6f8224fa1d275381f6d9279ad4b https://git.kernel.org/stable/c/35a9a7a7d94662146396199b0cfd95f9517cdd14 https://git.kernel.org/stable/c/da02f9eb333333b2e4f25d2a14967cff785ac82e https://git.kernel.org/stable/c/07e4dc2fe000ab008bcfe90be4324ef56b5b4355 https://git.kernel.org/stable/c/8e2d1e9d93c4ec51354229361ac3373058529ec4 https://git.kernel.org/stable/c/ca92c4bff2833cb30d493b935168d6cccd5c805d https://git.kernel.org/stable/c/9d8c3a585d564d776ee60d4aabec59b404be7403 https://git.kernel.org/stable/c/1cf1f7e8cd47244fa947d357ef1f642d9 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2024-46780 – nilfs2: protect references to superblock parameters exposed in sysfs
https://notcve.org/view.php?id=CVE-2024-46780
In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore "nilfs->ns_sem". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it. • https://git.kernel.org/stable/c/da7141fb78db915680616e15677539fc8140cf53 https://git.kernel.org/stable/c/b90beafac05931cbfcb6b1bd4f67c1923f47040e https://git.kernel.org/stable/c/ba97ba173f9625d5f34a986088979eae8b80d38e https://git.kernel.org/stable/c/157c0d94b4c40887329418c70ef4edd1a8d6b4ed https://git.kernel.org/stable/c/b14e7260bb691d7f563f61da07d61e3c8b59a614 https://git.kernel.org/stable/c/19cfeba0e4b8eda51484fcf8cf7d150418e1d880 https://git.kernel.org/stable/c/8c6e43b3d5f109cf9c61bc188fcc8175404e924f https://git.kernel.org/stable/c/962562d4c70c5cdeb4e955d63ff2017c4 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2024-46779 – drm/imagination: Free pvr_vm_gpuva after unlink
https://notcve.org/view.php?id=CVE-2024-46779
In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the leaks occurs in a high-usage codepath (remapping or unmapping device memory) so they add up quickly. • https://git.kernel.org/stable/c/ff5f643de0bf27874c4033cd57a0bd034b5c7d11 https://git.kernel.org/stable/c/1cc695be8920df234f83270d789078cb2d3bc564 https://git.kernel.org/stable/c/3f6b2f60b4631cd0c368da6a1587ab55a696164d •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2024-46778 – drm/amd/display: Check UnboundedRequestEnabled's value
https://notcve.org/view.php?id=CVE-2024-46778
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. This fixes 1 REVERSE_INULL issue reported by Coverity. • https://git.kernel.org/stable/c/4e2b49a85e7974d21364798c5d4aa8070aa864d9 https://git.kernel.org/stable/c/a7b38c7852093385d0605aa3c8a2efd6edd1edfd •