CVE-2024-43884 – Bluetooth: MGMT: Add error handling to pair_device()
https://notcve.org/view.php?id=CVE-2024-43884
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Add error handling to pair_device() hci_conn_params_add() never checks for a NULL value and could lead to a NULL pointer dereference causing a crash. Fixed by adding error handling in the function. • https://git.kernel.org/stable/c/5157b8a503fa834e8569c7fed06981e3d3d53db0 https://git.kernel.org/stable/c/11b4b0e63f2621b33b2e107407a7d67a65994ca1 https://git.kernel.org/stable/c/90e1ff1c15e5a8f3023ca8266e3a85869ed03ee9 https://git.kernel.org/stable/c/9df9783bd85610d3d6e126a1aca221531f6f6dcb https://git.kernel.org/stable/c/951d6cb5eaac5130d076c728f2a6db420621afdb https://git.kernel.org/stable/c/5da2884292329bc9be32a7778e0e119f06abe503 https://git.kernel.org/stable/c/064dd929c76532359d2905d90a7c12348043cfd4 https://git.kernel.org/stable/c/ee0799103b1ae4bcfd80dc11a15df085f •
CVE-2024-43883 – usb: vhci-hcd: Do not drop references before new references are gained
https://notcve.org/view.php?id=CVE-2024-43883
In the Linux kernel, the following vulnerability has been resolved: usb: vhci-hcd: Do not drop references before new references are gained At a few places the driver carries stale pointers to references that can still be used. Make sure that does not happen. This strictly speaking closes ZDI-CAN-22273, though there may be similar races in the driver. • https://git.kernel.org/stable/c/5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89 https://git.kernel.org/stable/c/9c3746ce8d8fcb3a2405644fc0eec7fc5312de80 https://git.kernel.org/stable/c/4dacdb9720aaab10b6be121eae55820174d97174 https://git.kernel.org/stable/c/e8c1e606dab8c56cf074b43b98d0805de7322ba2 https://git.kernel.org/stable/c/585e6bc7d0a9bf73a8be3d3fb34e86b90cc61a14 https://git.kernel.org/stable/c/128e82e41cf7d74a562726c1587d9d2ede1a0a37 https://git.kernel.org/stable/c/c3d0857b7fc2c49f68f89128a5440176089a8f54 https://git.kernel.org/stable/c/afdcfd3d6fcdeca2735ca8d994c5f2d24 •
CVE-2022-48938 – CDC-NCM: avoid overflow in sanity checking
https://notcve.org/view.php?id=CVE-2022-48938
In the Linux kernel, the following vulnerability has been resolved: CDC-NCM: avoid overflow in sanity checking A broken device may give an extreme offset like 0xFFF0 and a reasonable length for a fragment. In the sanity check as formulated now, this will create an integer overflow, defeating the sanity check. Both offset and offset + len need to be checked in such a manner that no overflow can occur. And those quantities should be unsigned. • https://git.kernel.org/stable/c/a612395c7631918e0e10ea48b9ce5ab4340f26a6 https://git.kernel.org/stable/c/9957fbf34f52a4d8945d1bf39aae400ef9a11246 https://git.kernel.org/stable/c/69560efa001397ebb8dc1c3e6a3ce00302bb9f7f https://git.kernel.org/stable/c/49909c9f8458cacb5b241106cba65aba5a6d8f4c https://git.kernel.org/stable/c/7b737e47b87589031f0d4657f6d7b0b770474925 https://git.kernel.org/stable/c/8d2b1a1ec9f559d30b724877da4ce592edc41fdc •
CVE-2022-48931 – configfs: fix a race in configfs_{,un}register_subsystem()
https://notcve.org/view.php?id=CVE-2022-48931
In the Linux kernel, the following vulnerability has been resolved: configfs: fix a race in configfs_{,un}register_subsystem() When configfs_register_subsystem() or configfs_unregister_subsystem() is executing link_group() or unlink_group(), it is possible that two processes add or delete list concurrently. Some unfortunate interleavings of them can cause kernel panic. One of cases is: A --> B --> C --> D A <-- B <-- C <-- D delete list_head *B | delete list_head *C --------------------------------|----------------------------------- configfs_unregister_subsystem | configfs_unregister_subsystem unlink_group | unlink_group unlink_obj | unlink_obj list_del_init | list_del_init __list_del_entry | __list_del_entry __list_del | __list_del // next == C | next->prev = prev | | next->prev = prev prev->next = next | | // prev == B | prev->next = next Fix this by adding mutex when calling link_group() or unlink_group(), but parent configfs_subsystem is NULL when config_item is root. So I create a mutex configfs_subsystem_mutex. • https://git.kernel.org/stable/c/7063fbf2261194f72ee75afca67b3b38b554b5fa https://git.kernel.org/stable/c/40805099af11f68c5ca7dbcfacf455da8f99f622 https://git.kernel.org/stable/c/d1654de19d42f513b6cfe955cc77e7f427e05a77 https://git.kernel.org/stable/c/a37024f7757c25550accdebf49e497ad6ae239fe https://git.kernel.org/stable/c/b7e2b91fcb5c78c414e33dc8d50642e307ca0c5a https://git.kernel.org/stable/c/a7ab53d3c27dfe83bb594456b9f38a37796ec39b https://git.kernel.org/stable/c/e7a66dd2687758718eddd79b542a95cf3aa488cc https://git.kernel.org/stable/c/3aadfd46858b1f64d4d6a0654b863e21a •
CVE-2022-48930 – RDMA/ib_srp: Fix a deadlock
https://notcve.org/view.php?id=CVE-2022-48930
In the Linux kernel, the following vulnerability has been resolved: RDMA/ib_srp: Fix a deadlock Remove the flush_workqueue(system_long_wq) call since flushing system_long_wq is deadlock-prone and since that call is redundant with a preceding cancel_work_sync() • https://git.kernel.org/stable/c/ef6c49d87c3418c442a22e55e3ce2f91b163d69e https://git.kernel.org/stable/c/8cc342508f9e7fdccd2e9758ae9d52aff72dab7f https://git.kernel.org/stable/c/4752fafb461821f8c8581090c923ababba68c5bd https://git.kernel.org/stable/c/d7997d19dfa7001ca41e971cd9efd091bb195b51 https://git.kernel.org/stable/c/901206f71e6ad2b2e7accefc5199a438d173c25f https://git.kernel.org/stable/c/99eb8d694174c777558dc902d575d1997d5ca650 https://git.kernel.org/stable/c/c8b56e51aa91b8e7df3a98388dce3fdabd15c1d4 https://git.kernel.org/stable/c/98d056603ce55ceb90631b3927151c190 •