CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-56719 – net: stmmac: fix TSO DMA API usage causing oops
https://notcve.org/view.php?id=CVE-2024-56719
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix TSO DMA API usage causing oops Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s members to be later in stmmac_tso_xmit(). The buf (dma cookie) and len stored in this structure are passed to dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that the dma cookie passed to dma_unmap_single() is the same as the value returned from dma_map_single(). However, by moving the assignment later, this is not the case when priv->dma_cap.addr64 > 32 as "des" is offset by proto_hdr_len. This causes problems such as: dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed and with DMA_API_DEBUG enabled: DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes] Fix this by maintaining "des" as the original DMA cookie, and use tso_des to pass the offset DMA cookie to stmmac_tso_allocator(). Full details of the crashes can be found at: https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/ • https://git.kernel.org/stable/c/07c9c26e37542486e34d767505e842f48f29c3f6 https://git.kernel.org/stable/c/66600fac7a984dea4ae095411f644770b2561ede https://git.kernel.org/stable/c/ece593fc9c00741b682869d3f3dc584d37b7c9df https://git.kernel.org/stable/c/a3ff23f7c3f0e13f718900803e090fd3997d6bc9 https://git.kernel.org/stable/c/58d23d835eb498336716cca55b5714191a309286 https://git.kernel.org/stable/c/db3667c9bbfbbf5de98e6c9542f7e03fb5243286 https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2 https://git.kernel.org/stable/c/4c49f38e20a57f8abaebdf95b369295b1 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56718 – net/smc: protect link down work from execute after lgr freed
https://notcve.org/view.php?id=CVE-2024-56718
In the Linux kernel, the following vulnerability has been resolved: net/smc: protect link down work from execute after lgr freed link down work may be scheduled before lgr freed but execute after lgr freed, which may result in crash. So it is need to hold a reference before shedule link down work, and put the reference after work executed or canceled. The relevant crash call stack as follows: list_del corruption. prev->next should be ffffb638c9c0fe20, but was 0000000000000000 ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:51! invalid opcode: 0000 [#1] SMP NOPTI CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1 Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014 Workqueue: events smc_link_down_work [smc] RIP: 0010:__list_del_entry_valid.cold+0x31/0x47 RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086 RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000 RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38 R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002 R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0 FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: rwsem_down_write_slowpath+0x17e/0x470 smc_link_down_work+0x3c/0x60 [smc] process_one_work+0x1ac/0x350 worker_thread+0x49/0x2f0 ? rescuer_thread+0x360/0x360 kthread+0x118/0x140 ? __kthread_bind_mask+0x60/0x60 ret_from_fork+0x1f/0x30 • https://git.kernel.org/stable/c/541afa10c126b6c22c2a805a559c70cc41fd156e https://git.kernel.org/stable/c/bec2f52866d511e94c1c37cd962e4382b1b1a299 https://git.kernel.org/stable/c/2627c3e8646932dfc7b9722c88c2e1ffcf7a9fb2 https://git.kernel.org/stable/c/841b1824750d3b8d1dc0a96b14db4418b952abbc https://git.kernel.org/stable/c/2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-56717 – net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic()
https://notcve.org/view.php?id=CVE-2024-56717
In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic() Packets injected by the CPU should have a SRC_PORT field equal to the CPU port module index in the Analyzer block (ocelot->num_phys_ports). The blamed commit copied the ocelot_ifh_set_basic() call incorrectly from ocelot_xmit_common() in net/dsa/tag_ocelot.c. Instead of calling with "x", it calls with BIT_ULL(x), but the field is not a port mask, but rather a single port index. [ side note: this is the technical debt of code duplication :( ] The error used to be silent and doesn't appear to have other user-visible manifestations, but with new changes in the packing library, it now fails loudly as follows: ------------[ cut here ]------------ Cannot store 0x40 inside bits 46-43 - will truncate sja1105 spi2.0: xmit timed out WARNING: CPU: 1 PID: 102 at lib/packing.c:98 __pack+0x90/0x198 sja1105 spi2.0: timed out polling for tstamp CPU: 1 UID: 0 PID: 102 Comm: felix_xmit Tainted: G W N 6.13.0-rc1-00372-gf706b85d972d-dirty #2605 Call trace: __pack+0x90/0x198 (P) __pack+0x90/0x198 (L) packing+0x78/0x98 ocelot_ifh_set_basic+0x260/0x368 ocelot_port_inject_frame+0xa8/0x250 felix_port_deferred_xmit+0x14c/0x258 kthread_worker_fn+0x134/0x350 kthread+0x114/0x138 The code path pertains to the ocelot switchdev driver and to the felix secondary DSA tag protocol, ocelot-8021q. Here seen with ocelot-8021q. The messenger (packing) is not really to blame, so fix the original commit instead. • https://git.kernel.org/stable/c/06bcb9032e05ad717f9fd0a6e2fd3ae7f430fa31 https://git.kernel.org/stable/c/ff7f554bbd75d5cbf00cded81d05147c6617e876 https://git.kernel.org/stable/c/e1b9e80236c540fa85d76e2d510d1b38e1968c5d https://git.kernel.org/stable/c/be3a532167dd562ec38900c846e7ae6cc39aa2f1 https://git.kernel.org/stable/c/59c4ca8d8d7918eb6e2df91d2c254827264be309 https://git.kernel.org/stable/c/2f3c62ffe88116cd2a39cd73e01103535599970f https://git.kernel.org/stable/c/a8836eae3288c351acd3b2743d2fad2a4ee2bd56 https://git.kernel.org/stable/c/2d5df3a680ffdaf606baa10636bdb1daf •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56716 – netdevsim: prevent bad user input in nsim_dev_health_break_write()
https://notcve.org/view.php?id=CVE-2024-56716
In the Linux kernel, the following vulnerability has been resolved: netdevsim: prevent bad user input in nsim_dev_health_break_write() If either a zero count or a large one is provided, kernel can crash. • https://git.kernel.org/stable/c/82c93a87bf8bc0cdb5ec2ab99da7d87715ff889f https://git.kernel.org/stable/c/d10321be26ff9e9e912697e9e8448099654ff561 https://git.kernel.org/stable/c/470c5ecbac2f19b1cdee2a6ce8d5650c3295c94b https://git.kernel.org/stable/c/8e9ef6bdf71bf25f4735e0230ce1919de8985835 https://git.kernel.org/stable/c/ee76746387f6233bdfa93d7406990f923641568f •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56715 – ionic: Fix netdev notifier unregister on failure
https://notcve.org/view.php?id=CVE-2024-56715
In the Linux kernel, the following vulnerability has been resolved: ionic: Fix netdev notifier unregister on failure If register_netdev() fails, then the driver leaks the netdev notifier. Fix this by calling ionic_lif_unregister() on register_netdev() failure. This will also call ionic_lif_unregister_phc() if it has already been registered. • https://git.kernel.org/stable/c/30b87ab4c0b30e0f681cb7dfaab6c642dd17e454 https://git.kernel.org/stable/c/da93a12876f8b969df7316dc93aac7e725f88252 https://git.kernel.org/stable/c/da5736f516a664a9e1ff74902663c64c423045d2 https://git.kernel.org/stable/c/ee2e931b2b46de9af7f681258e8ec8e2cd81cfc6 https://git.kernel.org/stable/c/9590d32e090ea2751e131ae5273859ca22f5ac14 •