CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2024-56688 – sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport
https://notcve.org/view.php?id=CVE-2024-56688
In the Linux kernel, the following vulnerability has been resolved: sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport Since transport->sock has been set to NULL during reset transport, XPRT_SOCK_UPD_TIMEOUT also needs to be cleared. Otherwise, the xs_tcp_set_socket_timeouts() may be triggered in xs_tcp_send_request() to dereference the transport->sock that has been set to NULL. • https://git.kernel.org/stable/c/7196dbb02ea05835b9ee56910ee82cb55422c7f1 https://git.kernel.org/stable/c/cc91d59d34ff6a6fee1c0b48612081a451e05e9a https://git.kernel.org/stable/c/86a1f9fa24804cd7f9d7dd3f24af84fc7f8ec02e https://git.kernel.org/stable/c/fe6cbf0b2ac3cf4e21824a44eaa336564ed5e960 https://git.kernel.org/stable/c/87a95ee34a48dfad198a2002e4966e1d63d53f2b https://git.kernel.org/stable/c/3811172e8c98ceebd12fe526ca6cb37a1263c964 https://git.kernel.org/stable/c/638a8fa5a7e641f9401346c57e236f02379a0c40 https://git.kernel.org/stable/c/66d11ca91bf5100ae2e6b5efad97e58d8 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2024-56687 – usb: musb: Fix hardware lockup on first Rx endpoint request
https://notcve.org/view.php?id=CVE-2024-56687
In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix hardware lockup on first Rx endpoint request There is a possibility that a request's callback could be invoked from usb_ep_queue() (call trace below, supplemented with missing calls): req->complete from usb_gadget_giveback_request (drivers/usb/gadget/udc/core.c:999) usb_gadget_giveback_request from musb_g_giveback (drivers/usb/musb/musb_gadget.c:147) musb_g_giveback from rxstate (drivers/usb/musb/musb_gadget.c:784) rxstate from musb_ep_restart (drivers/usb/musb/musb_gadget.c:1169) musb_ep_restart from musb_ep_restart_resume_work (drivers/usb/musb/musb_gadget.c:1176) musb_ep_restart_resume_work from musb_queue_resume_work (drivers/usb/musb/musb_core.c:2279) musb_queue_resume_work from musb_gadget_queue (drivers/usb/musb/musb_gadget.c:1241) musb_gadget_queue from usb_ep_queue (drivers/usb/gadget/udc/core.c:300) According to the docstring of usb_ep_queue(), this should not happen: "Note that @req's ->complete() callback must never be called from within usb_ep_queue() as that can create deadlock situations." In fact, a hardware lockup might occur in the following sequence: 1. The gadget is initialized using musb_gadget_enable(). 2. Meanwhile, a packet arrives, and the RXPKTRDY flag is set, raising an interrupt. 3. If IRQs are enabled, the interrupt is handled, but musb_g_rx() finds an empty queue (next_request() returns NULL). • https://git.kernel.org/stable/c/baebdf48c360080710f80699eea3affbb13d6c65 https://git.kernel.org/stable/c/c749500b28cae67410792096133ee7f282439c51 https://git.kernel.org/stable/c/5906ee3693674d734177df13a519a21bb03f730d https://git.kernel.org/stable/c/f05ad9755bb294328c3d0f429164ac6d4d08c548 https://git.kernel.org/stable/c/0c89445e6d475b78d37b64ae520831cd43af7db4 https://git.kernel.org/stable/c/3fc137386c4620305bbc2a216868c53f9245670a •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2024-56686 – ext4: fix race in buffer_head read fault injection
https://notcve.org/view.php?id=CVE-2024-56686
In the Linux kernel, the following vulnerability has been resolved: ext4: fix race in buffer_head read fault injection When I enabled ext4 debug for fault injection testing, I encountered the following warning: EXT4-fs error (device sda): ext4_read_inode_bitmap:201: comm fsstress: Cannot read inode bitmap - block_group = 8, inode_bitmap = 1051 WARNING: CPU: 0 PID: 511 at fs/buffer.c:1181 mark_buffer_dirty+0x1b3/0x1d0 The root cause of the issue lies in the improper implementation of ext4's buffer_head read fault injection. The actual completion of buffer_head read and the buffer_head fault injection are not atomic, which can lead to the uptodate flag being cleared on normally used buffer_heads in race conditions. [CPU0] [CPU1] [CPU2] ext4_read_inode_bitmap ext4_read_bh() <bh read complete> ext4_read_inode_bitmap if (buffer_uptodate(bh)) return bh jbd2_journal_commit_transaction __jbd2_journal_refile_buffer __jbd2_journal_unfile_buffer __jbd2_journal_temp_unlink_buffer ext4_simulate_fail_bh() clear_buffer_uptodate mark_buffer_dirty <report warning> WARN_ON_ONCE(!buffer_uptodate(bh)) The best approach would be to perform fault injection in the IO completion callback function, rather than after IO completion. However, the IO completion callback function cannot get the fault injection code in sb. Fix it by passing the result of fault injection into the bh read function, we simulate faults within the bh read function itself. This requires adding an extra parameter to the bh read functions that need fault injection. • https://git.kernel.org/stable/c/46f870d690fecc792a66730dcbbf0aa109f5f9ab https://git.kernel.org/stable/c/77035e4d27e15f87ea55929c8bb8fb1970129e2f https://git.kernel.org/stable/c/25a5acf88fed59e060405bbb48098f4a3a2c2adc https://git.kernel.org/stable/c/61832ee7fa2fbd569d129379e795038abfb0d128 https://git.kernel.org/stable/c/2f3d93e210b9c2866c8b3662adae427d5bf511ec •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2024-56685 – ASoC: mediatek: Check num_codecs is not zero to avoid panic during probe
https://notcve.org/view.php?id=CVE-2024-56685
In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: Check num_codecs is not zero to avoid panic during probe Following commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()"), COMP_DUMMY() became an array with zero length, and only gets populated with the dummy struct after the card is registered. Since the sound card driver's probe happens before the card registration, accessing any of the members of a dummy component during probe will result in undefined behavior. This can be observed in the mt8188 and mt8195 machine sound drivers. By omitting a dai link subnode in the sound card's node in the Devicetree, the default uninitialized dummy codec is used, and when its dai_name pointer gets passed to strcmp() it results in a null pointer dereference and a kernel panic. In addition to that, set_card_codec_info() in the generic helpers file, mtk-soundcard-driver.c, will populate a dai link with a dummy codec when a dai link node is present in DT but with no codec property. The result is that at probe time, a dummy codec can either be uninitialized with num_codecs = 0, or be an initialized dummy codec, with num_codecs = 1 and dai_name = "snd-soc-dummy-dai". In order to accommodate for both situations, check that num_codecs is not zero before accessing the codecs' fields but still check for the codec's dai name against "snd-soc-dummy-dai" as needed. While at it, also drop the check that dai_name is not null in the mt8192 driver, introduced in commit 4d4e1b6319e5 ("ASoC: mediatek: mt8192: Check existence of dai_name before dereferencing"), as it is actually redundant given the preceding num_codecs != 0 check. • https://git.kernel.org/stable/c/13f58267cda3d6946c8f4de368ad5d4a003baa61 https://git.kernel.org/stable/c/376f4800f34a28def026ff5c5d4fc5e54e1744ff https://git.kernel.org/stable/c/550279449ff54c5aa28cfca5c567308cbfb145f0 https://git.kernel.org/stable/c/2f2020327cc8561d7c520d2f2d9acea84fa7b3a3 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2024-56683 – drm/vc4: hdmi: Avoid hang with debug registers when suspended
https://notcve.org/view.php?id=CVE-2024-56683
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: hdmi: Avoid hang with debug registers when suspended Trying to read /sys/kernel/debug/dri/1/hdmi1_regs when the hdmi is disconnected results in a fatal system hang. This is due to the pm suspend code disabling the dvp clock. That is just a gate of the 108MHz clock in DVP_HT_RPI_MISC_CONFIG, which results in accesses hanging AXI bus. Protect against this. • https://git.kernel.org/stable/c/25eb441d55d479581a65bcc9de88bc1d86bf76c1 https://git.kernel.org/stable/c/1da00a63f0e798f0fd0dcf623b16c16e13f93615 https://git.kernel.org/stable/c/f70c25cf34f91cc6f40e79a5b7565fd0272d7396 https://git.kernel.org/stable/c/0ea29bd7d9400d3629683244d609358ed1b12075 https://git.kernel.org/stable/c/c7d474974954d9af7e0092021223d58f2de128df https://git.kernel.org/stable/c/16f351adf733a182224ad24916d7673aa6df02df https://git.kernel.org/stable/c/74f21be9990a42dc2357bcf87a13e16c6998b90e https://git.kernel.org/stable/c/223ee2567a55e4f80315c768d2969e6a3 •