CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2024-50044 – Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
https://notcve.org/view.php?id=CVE-2024-50044
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change rfcomm_sk_state_change attempts to use sock_lock so it must never be called with it locked but rfcomm_sock_ioctl always attempt to lock it causing the following trace: ====================================================== WARNING: possible circular locking dependency detected 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted ------------------------------------------------------ syz-executor386/5093 is trying to acquire lock: ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline] ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73 but task is already holding lock: ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491 • https://git.kernel.org/stable/c/3241ad820dbb172021e0268b5611031991431626 https://git.kernel.org/stable/c/ef44274dae9b0a90d1a97ce8b242a3b8243a7745 https://git.kernel.org/stable/c/496b2ab0fd10f205e08909a125485fdc98843dbe https://git.kernel.org/stable/c/ced98072d3511b232ae1d3347945f35f30c0e303 https://git.kernel.org/stable/c/38b2d5a57d125e1c17661b8308c0240c4a43b534 https://git.kernel.org/stable/c/4cb9807c9b53bf1e5560420d26f319f528b50268 https://git.kernel.org/stable/c/08d1914293dae38350b8088980e59fbc699a72fe •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2024-50043 – nfsd: fix possible badness in FREE_STATEID
https://notcve.org/view.php?id=CVE-2024-50043
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix possible badness in FREE_STATEID When multiple FREE_STATEIDs are sent for the same delegation stateid, it can lead to a possible either use-after-free or counter refcount underflow errors. In nfsd4_free_stateid() under the client lock we find a delegation stateid, however the code drops the lock before calling nfs4_put_stid(), that allows another FREE_STATE to find the stateid again. The first one will proceed to then free the stateid which leads to either use-after-free or decrementing already zeroed counter. • https://git.kernel.org/stable/c/3f29cc82a84c23cfd12b903029dd26002ca825f5 https://git.kernel.org/stable/c/7ca9e472ce5c67daa3188a348ece8c02a0765039 https://git.kernel.org/stable/c/c88c150a467fcb670a1608e2272beeee3e86df6e •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2024-50042 – ice: Fix increasing MSI-X on VF
https://notcve.org/view.php?id=CVE-2024-50042
In the Linux kernel, the following vulnerability has been resolved: ice: Fix increasing MSI-X on VF Increasing MSI-X value on a VF leads to invalid memory operations. This is caused by not reallocating some arrays. Reproducer: modprobe ice echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count Default MSI-X is 16, so 17 and above triggers this issue. KASAN reports: BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice] Read of size 8 at addr ffff8888b937d180 by task bash/28433 (...) Call Trace: (...) ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice] kasan_report+0xed/0x120 ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice] ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice] ice_vsi_cfg_def+0x3360/0x4770 [ice] ? mutex_unlock+0x83/0xd0 ? • https://git.kernel.org/stable/c/2a2cb4c6c18130e9f14d2e39deb75590744d98ef https://git.kernel.org/stable/c/8910b1cef190545085e9bb486f35dd30ad928a05 https://git.kernel.org/stable/c/cbda6197929418fabf0e45ecf9b7a76360944c70 https://git.kernel.org/stable/c/bce9af1b030bf59d51bbabf909a3ef164787e44e •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2024-50041 – i40e: Fix macvlan leak by synchronizing access to mac_filter_hash
https://notcve.org/view.php?id=CVE-2024-50041
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix macvlan leak by synchronizing access to mac_filter_hash This patch addresses a macvlan leak issue in the i40e driver caused by concurrent access to vsi->mac_filter_hash. The leak occurs when multiple threads attempt to modify the mac_filter_hash simultaneously, leading to inconsistent state and potential memory leaks. To fix this, we now wrap the calls to i40e_del_mac_filter() and zeroing vf->default_lan_addr.addr with spin_lock/unlock_bh(&vsi->mac_filter_hash_lock), ensuring atomic operations and preventing concurrent access. Additionally, we add lockdep_assert_held(&vsi->mac_filter_hash_lock) in i40e_add_mac_filter() to help catch similar issues in the future. Reproduction steps: 1. Spawn VFs and configure port vlan on them. 2. Trigger concurrent macvlan operations (e.g., adding and deleting portvlan and/or mac filters). 3. Observe the potential memory leak and inconsistent state in the mac_filter_hash. This synchronization ensures the integrity of the mac_filter_hash and prevents the described leak. • https://git.kernel.org/stable/c/ddec6cbbe22781d17965f1e6386e5a6363c058d2 https://git.kernel.org/stable/c/fed0d9f13266a22ce1fc9a97521ef9cdc6271a23 https://git.kernel.org/stable/c/8bfcbaa379694e05290fcff21f4bd40afcf88776 https://git.kernel.org/stable/c/9db6ce9e2738b05a3672aff4d42169cf3bb5a3e3 https://git.kernel.org/stable/c/9a9747288ba0a9ad4f5c9877f18dd245770ad64e https://git.kernel.org/stable/c/703c4d820b31bcadf465288d5746c53445f02a55 https://git.kernel.org/stable/c/8831abff1bd5b6bc8224f0c0671f46fbd702b5b2 https://git.kernel.org/stable/c/dac6c7b3d33756d6ce09f00a96ea2ecd7 •
CVSS: -EPSS: %CPEs: 10EXPL: 0CVE-2024-50040 – igb: Do not bring the device up after non-fatal error
https://notcve.org/view.php?id=CVE-2024-50040
In the Linux kernel, the following vulnerability has been resolved: igb: Do not bring the device up after non-fatal error Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal") changed igb_io_error_detected() to ignore non-fatal pcie errors in order to avoid hung task that can happen when igb_down() is called multiple times. This caused an issue when processing transient non-fatal errors. igb_io_resume(), which is called after igb_io_error_detected(), assumes that device is brought down by igb_io_error_detected() if the interface is up. This resulted in panic with stacktrace below. [ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down [ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0 [ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID) [ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000 [ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000 [ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message [ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported. [ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message [ T292] pcieport 0000:00:1c.5: AER: broadcast resume message [ T292] ------------[ cut here ]------------ [ T292] kernel BUG at net/core/dev.c:6539! [ T292] invalid opcode: 0000 [#1] PREEMPT SMP [ T292] RIP: 0010:napi_enable+0x37/0x40 [ T292] Call Trace: [ T292] <TASK> [ T292] ? die+0x33/0x90 [ T292] ? • https://git.kernel.org/stable/c/994c2ceb70ea99264ccc6f09e6703ca267dad63c https://git.kernel.org/stable/c/fa92c463eba75dcedbd8d689ffdcb83293aaa0c3 https://git.kernel.org/stable/c/39695e87d86f0e7d897fba1d2559f825aa20caeb https://git.kernel.org/stable/c/004d25060c78fc31f66da0fa439c544dda1ac9d5 https://git.kernel.org/stable/c/c2312e1d12b1c3ee4100c173131b102e2aed4d04 https://git.kernel.org/stable/c/124e39a734cb90658b8f0dc110847bbfc6e33792 https://git.kernel.org/stable/c/c9f56f3c7bc908caa772112d3ae71cdd5d18c257 https://git.kernel.org/stable/c/41f63b72a01c0e0ac59ab83fd2d921fcc •