CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49960 – ext4: fix timer use-after-free on failed mount
https://notcve.org/view.php?id=CVE-2024-49960
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix timer use-after-free on failed mount Syzbot has found an ODEBUG bug in ext4_fill_super The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi). When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handl... • https://git.kernel.org/stable/c/cf3196e5e2f36cd80dab91ffae402e13935724bc •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49959 – jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error
https://notcve.org/view.php?id=CVE-2024-49959
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail() to recover some journal space. But if an error occurs while executing jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free space right away, we try other branches, and if j_committing_transaction is NULL (i.e., the tid is 0), we will get the following complain: ==========... • https://git.kernel.org/stable/c/8c3f25d8950c3e9fe6c9849f88679b3f2a071550 •
CVSS: 5.5EPSS: 0%CPEs: 14EXPL: 0CVE-2024-49958 – ocfs2: reserve space for inline xattr before attaching reflink tree
https://notcve.org/view.php?id=CVE-2024-49958
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: reserve space for inline xattr before attaching reflink tree One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat out... • https://git.kernel.org/stable/c/ef962df057aaafd714f5c22ba3de1be459571fdf •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49957 – ocfs2: fix null-ptr-deref when journal load failed.
https://notcve.org/view.php?id=CVE-2024-49957
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix null-ptr-deref when journal load failed. During the mounting process, if journal_reset() fails because of too short journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. Subsequently, ocfs2_journal_shutdown() calls jbd2_journal_flush()->jbd2_cleanup_journal_tail()-> __jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail() ->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer dereference error. To re... • https://git.kernel.org/stable/c/f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-49956 – gfs2: fix double destroy_workqueue error
https://notcve.org/view.php?id=CVE-2024-49956
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: gfs2: fix double destroy_workqueue error When gfs2_fill_super() fails, destroy_workqueue() is called within gfs2_gl_hash_clear(), and the subsequent code path calls destroy_workqueue() on the same work queue again. This issue can be fixed by setting the work queue pointer to NULL after the first destroy_workqueue() call and checking for a NULL pointer before attempting to destroy the work queue again. In the Linux kernel, the following vuln... • https://git.kernel.org/stable/c/30e388d573673474cbd089dec83688331c117add •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49955 – ACPI: battery: Fix possible crash when unregistering a battery hook
https://notcve.org/view.php?id=CVE-2024-49955
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ACPI: battery: Fix possible crash when unregistering a battery hook When a battery hook returns an error when adding a new battery, then the battery hook is automatically unregistered. However the battery hook provider cannot know that, so it will later call battery_hook_unregister() on the already unregistered battery hook, resulting in a crash. Fix this by using the list head to mark already unregistered battery hooks as already being unr... • https://git.kernel.org/stable/c/fa93854f7a7ed63d054405bf3779247d5300edd3 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-49954 – static_call: Replace pointless WARN_ON() in static_call_module_notify()
https://notcve.org/view.php?id=CVE-2024-49954
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: static_call: Replace pointless WARN_ON() in static_call_module_notify() static_call_module_notify() triggers a WARN_ON(), when memory allocation fails in __static_call_add_module(). That's not really justified, because the failure case must be correctly handled by the well known call chain and the error code is passed through to the initiating userspace application. A memory allocation fail is not a fatal problem, but the WARN_ON() takes th... • https://git.kernel.org/stable/c/9183c3f9ed710a8edf1a61e8a96d497258d26e08 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-49953 – net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice
https://notcve.org/view.php?id=CVE-2024-49953
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice The km.state is not checked in driver's delayed work. When xfrm_state_check_expire() is called, the state can be reset to XFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This happens when xfrm state is deleted, but not freed yet. As __xfrm_state_delete() is called again in xfrm timer, the following crash occurs. To fix this issue, skip xfrm_state_check_expire() if... • https://git.kernel.org/stable/c/b2f7b01d36a9b94fbd7489bd1228025ea7e7a2f4 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-49952 – netfilter: nf_tables: prevent nf_skb_duplicated corruption
https://notcve.org/view.php?id=CVE-2024-49952
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: prevent nf_skb_duplicated corruption syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write per-cpu variable nf_skb_duplicated in an unsafe way [1]. Disabling preemption as hinted by the splat is not enough, we have to disable soft interrupts as well. [1] BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316 caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 CPU: 0 UID: 0... • https://git.kernel.org/stable/c/d877f07112f1e5a247c6b585c971a93895c9f738 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-49951 – Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
https://notcve.org/view.php?id=CVE-2024-49951
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible crash on mgmt_index_removed If mgmt_index_removed is called while there are commands queued on cmd_sync it could lead to crashes like the bellow trace: 0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc 0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth] 0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth] 0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth] So while handling mgmt_index_rem... • https://git.kernel.org/stable/c/7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c •