CVE-2024-46831 – net: microchip: vcap: Fix use-after-free error in kunit test
https://notcve.org/view.php?id=CVE-2024-46831
In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. We remove it, and rely on checking the return code of vcap_del_rule. • https://git.kernel.org/stable/c/c956b9b318d9036701c471dd458f9ed31defc629 https://git.kernel.org/stable/c/b0804c286ccfcf5f5c004d5bf8a54c0508b5e86b https://git.kernel.org/stable/c/f7fe95f40c85311c98913fe6ae2c56adb7f767a7 https://git.kernel.org/stable/c/a3c1e45156ad39f225cd7ddae0f81230a3b1e657 •
CVE-2024-46830 – KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS
https://notcve.org/view.php?id=CVE-2024-46830
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory. Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS. ============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted ----------------------------- include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? • https://git.kernel.org/stable/c/f7e570780efc5cec9b2ed1e0472a7da14e864fdb https://git.kernel.org/stable/c/080dbe7e9b86a0392d8dffc00d9971792afc121f https://git.kernel.org/stable/c/e302786233e6bc512986d007c96458ccf5ca21c7 https://git.kernel.org/stable/c/b4c0d89c92e957ecccce12e66b63875d0cc7af7e https://git.kernel.org/stable/c/fa297c33faefe51e10244e8a378837fca4963228 https://git.kernel.org/stable/c/939375737b5a0b1bf9b1e75129054e11bc9ca65e https://git.kernel.org/stable/c/ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9 https://git.kernel.org/stable/c/4bcdd831d9d01e0fb64faea50732b59b2 •
CVE-2024-46829 – rtmutex: Drop rt_mutex::wait_lock before scheduling
https://notcve.org/view.php?id=CVE-2024-46829
In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the good case it returns with the lock held and in the deadlock case it emits a warning and goes into an endless scheduling loop with the lock held, which triggers the 'scheduling in atomic' warning. Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning and dropping into the schedule for ever loop. [ tglx: Moved unlock before the WARN(), removed the pointless comment, massaged changelog, added Fixes tag ] • https://git.kernel.org/stable/c/3d5c9340d1949733eb37616abd15db36aef9a57c https://git.kernel.org/stable/c/95f9aded9436aa3ce714aeff3f45fcc1431df7d2 https://git.kernel.org/stable/c/ea018da95368adfb700689bd9842714f7c3db665 https://git.kernel.org/stable/c/1201613a70dd34bd347ba2970919b3f1d5fbfb4a https://git.kernel.org/stable/c/a2e64fcdc83c645813f7b93e4df291841ba7c625 https://git.kernel.org/stable/c/fb52f40e085ef4074f1335672cd62c1f832af13b https://git.kernel.org/stable/c/2b1f3807ed9cafb59c956ce76a05d25e67103f2e https://git.kernel.org/stable/c/432efdbe7da5ecfcbc0c2180cfdbab144 •
CVE-2024-46828 – sched: sch_cake: fix bulk flow accounting logic for host fairness
https://notcve.org/view.php?id=CVE-2024-46828
In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). • https://git.kernel.org/stable/c/712639929912c5eefb09facccb48d55b3f72c9f8 https://git.kernel.org/stable/c/4a4eeefa514db570be025ab46d779af180e2c9bb https://git.kernel.org/stable/c/7725152b54d295b7da5e34c2f419539b30d017bd https://git.kernel.org/stable/c/cde71a5677971f4f1b69b25e854891dbe78066a4 https://git.kernel.org/stable/c/549e407569e08459d16122341d332cb508024094 https://git.kernel.org/stable/c/d4a9039a7b3d8005b90c7b1a55a306444f0e5447 https://git.kernel.org/stable/c/d7c01c0714c04431b5e18cf17a9ea68a553d1c3c https://git.kernel.org/stable/c/546ea84d07e3e324644025e2aae2d12ea •
CVE-2024-46827 – wifi: ath12k: fix firmware crash due to invalid peer nss
https://notcve.org/view.php?id=CVE-2024-46827
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. This issue arises when EHT-PHY capabilities shows support for a bandwidth and MCS-NSS set for that particular bandwidth is filled by zeros and due to this, driver obtains peer_nss as 0 and sending this value to firmware causes crash. Address this issue by implementing a validation step for the peer_nss value before passing it to the firmware. If the value is greater than zero, proceed with forwarding it to the firmware. However, if the value is invalid, reject the association request to prevent potential firmware crashes. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 • https://git.kernel.org/stable/c/838c2cfdb6be7d7d8c06c711edf893eb34ca2e7c https://git.kernel.org/stable/c/25a15f80253a7c8776e4e4880d797d20ec864154 https://git.kernel.org/stable/c/db163a463bb93cd3e37e1e7b10b9726fb6f95857 •