
CVE-2024-39495 – greybus: Fix use-after-free bug in gb_interface_release due to race condition.
https://notcve.org/view.php?id=CVE-2024-39495
12 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: greybus: Fix use-after-free bug in gb_interface_release due to race condition. In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. • https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201 • CWE-416: Use After Free •

CVE-2024-39482 – bcache: fix variable length array abuse in btree_iter
https://notcve.org/view.php?id=CVE-2024-39482
05 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: bcache: fix variable length array abuse in btree_iter btree_iter is used in two ways: either allocated on the stack with a fixed size MAX_BSETS, or from a mempool with a dynamic size based on the specific cache set. Previously, the struct had a fixed-length array of size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized iterators, which causes UBSAN to complain. This patch uses the same approach as in bcachefs's sort_iter ... • https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-39480 – kdb: Fix buffer overflow during tab-complete
https://notcve.org/view.php?id=CVE-2024-39480
05 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: kdb: Fix buffer overflow during tab-complete Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then w... • https://git.kernel.org/stable/c/fb824a99e148ff272a53d71d84122728b5f00992 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-121: Stack-based Buffer Overflow •

CVE-2024-39479 – drm/i915/hwmon: Get rid of devm
https://notcve.org/view.php?id=CVE-2024-39479
05 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/hwmon: Get rid of devm When both hwmon and hwmon drvdata (on which hwmon depends) are device managed resources, the expectation, on device unbind, is that hwmon will be released before drvdata. However, in i915 there are two separate code paths, which both release either drvdata or hwmon and either can be released before the other. These code paths (for device unbind) are as follows (see also the bug referenced below): Call Trace: ... • https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 • CWE-400: Uncontrolled Resource Consumption CWE-416: Use After Free •

CVE-2024-39467 – f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
https://notcve.org/view.php?id=CVE-2024-39467
25 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() syzbot reports a kernel bug as below: F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4 ================================================================== BUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline] BUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline] BUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0x... • https://git.kernel.org/stable/c/c559a8d840562fbfce9f318448dda2f7d3e6d8e8 •

CVE-2024-38661 – s390/ap: Fix crash in AP internal function modify_bitmap()
https://notcve.org/view.php?id=CVE-2024-38661
25 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: s390/ap: Fix crash in AP internal function modify_bitmap() A system crash like this Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403 Fault in home space mode while using kernel ASCE. AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d Oops: 0038 ilc:3 [#1] PREEMPT SMP Modules linked in: mlx5_ib ... CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8 Hardware name: IBM 3931 A01 704 (LPAR) Krnl PSW : 0704e00... • https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558 •

CVE-2024-37354 – btrfs: fix crash on racing fsync and size-extending write into prealloc
https://notcve.org/view.php?id=CVE-2024-37354
25 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix crash on racing fsync and size-extending write into prealloc We have been seeing crashes on duplicate keys in btrfs_set_item_key_safe(): BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192) ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:2620! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6 Hardware name: QEMU Standard PC (i440... • https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428 •

CVE-2022-48772 – media: lgdt3306a: Add a check against null-pointer-def
https://notcve.org/view.php?id=CVE-2022-48772
25 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: media: lgdt3306a: Add a check against null-pointer-def The driver should check whether the client provides the platform_data. The following log reveals it: [ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40 [ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414 [ 29.612820] Call Trace: [ 29.613030]

CVE-2024-38635 – soundwire: cadence: fix invalid PDI offset
https://notcve.org/view.php?id=CVE-2024-38635
21 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: soundwire: cadence: fix invalid PDI offset For some reason, we add an offset to the PDI, presumably to skip the PDI0 and PDI1 which are reserved for BPT. This code is however completely wrong and leads to an out-of-bounds access. We were just lucky so far since we used only a couple of PDIs and remained within the PDI array bounds. A Fixes: tag is not provided since there are no known platforms where the out-of-bounds would be accessed, and... • https://git.kernel.org/stable/c/002364b2d594a9afc0385c09e00994c510b1d089 • CWE-125: Out-of-bounds Read •

CVE-2024-38630 – watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger
https://notcve.org/view.php?id=CVE-2024-38630
21 Jun 2024 — In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. C... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •