ALT-BU-2024-14788-3
Branch p10 update bulletin.
Package docs-alt-kworkstation updated to version 10.4-alt3 for branch p10 in task 358782.
Closed bugs
Документация docs-alt-kworkstation, п. 39.1.2. Использование почтового клиента: изменить в описании на "Получить помощь"
Документация docs-alt-kworkstation, п.65.4. Обновление систем, не имеющих выхода в Интернет: добавить пометку по модулю "Обновление системы"
Документация docs-alt-kworkstation, п. 53.1. Утилита для изменения брендинга: лишняя запятая в предложении
Package branding-alt-server updated to version 10.4-alt1.p10 for branch p10 in task 359928.
Closed bugs
Плохо читаемый текст при оффлайн обновлении packagekit
Package kernel-image-un-def updated to version 6.1.113-alt1 for branch p10 in task 360074.
Closed vulnerabilities
Modified: 2025-10-29
BDU:2024-08977
Уязвимость функции switchtec_ntb_remove() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2024-08978
Уязвимость функции venus_remove() драйвера Qualcomm Venus V4L2 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-05-02
BDU:2024-08981
Уязвимость функции bfq_init_rq() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2024-08982
Уязвимость функции nilfs_btree_check_delete() файловой системы nilfs2 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2024-08983
Уязвимость функции nf_reject_ip6_tcphdr_put() компонента netfilter ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность и доступность защищаемой информации
Modified: 2025-05-06
BDU:2024-08988
Уязвимость функции sd_read_block_characteristics() драйвера SCSI ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2024-08989
Уязвимость функции rtl2830_pid_filter() драйвера Realtek RTL2830 DVB-T ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2024-08990
Уязвимость функции rtl2832_pid_filter() драйвера Realtek RTL2830 DVB-T ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-05-06
BDU:2024-08991
Уязвимость функции handle_mmio() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-05-06
BDU:2024-08993
Уязвимость функции hns_roce_v2_exit() драйвера Hisilicon Hip08 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-05-06
BDU:2024-08994
Уязвимость функции kirin_pcie_parse_port() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2024-08995
Уязвимость функции efc_nport_vport_del() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-05-06
BDU:2024-08996
Уязвимость функции scmi_optee_chan_free() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2024-08997
Уязвимость функции ether3_remove() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-05-06
BDU:2024-08998
Уязвимость функции nbd_requeue_cmd() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-05-06
BDU:2024-08999
Уязвимость функции tx() драйвера ATA over Ethernet (AoE) ядра операционной системы Linux, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2024-09003
Уязвимость функции pxafb_remove() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-03-12
BDU:2024-09004
Уязвимость функции xenvif_flush_hash() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-05-06
BDU:2024-09006
Уязвимость функции ext4_ext_replay_update_ex() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-24
BDU:2024-09009
Уязвимость функции ltdc_plane_create() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-01-20
BDU:2024-09788
Уязвимость функции ext4_ext_try_to_merge_up() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2024-09789
Уязвимость функции ext4_ext_insert_extent() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-03-12
BDU:2024-09790
Уязвимость функции ext4_split_extent_at() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-01-20
BDU:2024-09791
Уязвимость функции ext4_ext_handle_unwritten_extents() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2024-09795
Уязвимость функции jfs_ioc_trim() файловой системы jfs ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-09-05
BDU:2025-00151
Уязвимость функции hci_user_confirm_request_evt() в модуле net/bluetooth/hci_event.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность защищаемой информации
Modified: 2025-10-29
BDU:2025-00170
Уязвимость функции sisfb_search_mode() в модуле drivers/video/fbdev/sis/sis_main.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-00948
Уязвимость компонента drivers/infiniband/core/iwcm.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-02966
Уязвимость функции is_dsc_need_re_compute() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-02969
Уязвимость функции ip_cmsg_recv() ядра операционной системы Linux, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Modified: 2025-06-09
BDU:2025-03031
Уязвимость функции ep93xx_div_recalc_rate() модуля arch/arm/mach-ep93xx/clock.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность и доступность защищаемой информации
Modified: 2025-06-09
BDU:2025-03034
Уязвимость функции init_conns() драйвера drivers/infiniband/ulp/rtrs/rtrs-clt.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-01-20
BDU:2025-03038
Уязвимость функции struct buffer_head *ext4_find_inline_entry() модуля fs/ext4/inline.c ядра операционной системы Linux позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-06-09
BDU:2025-03039
Уязвимость функции rtw_wait_firmware_completion() модуля drivers/net/wireless/realtek/rtw88/main.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-04-29
BDU:2025-03087
Уязвимость функции usbtv_video_free() модуля drivers/media/usb/usbtv/usbtv-video.c драйвера USB ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03107
Уязвимость функции dbMount() модуля fs/jfs/jfs_dmap.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании.
Modified: 2025-10-29
BDU:2025-03108
Уязвимость функции qm_soft_reset_prepare() модуля drivers/crypto/hisilicon/qm.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-01-20
BDU:2025-03109
Уязвимость функции _request_firmware() модуля drivers/base/firmware_loader/main.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-01-20
BDU:2025-03110
Уязвимость функции vhost_vdpa_vring_ioctl() модуля drivers/vhost/vdpa.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-03111
Уязвимость функций calculate_ttu_cursor(), calculate_ttu_cursor() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03112
Уязвимость функции init_overdrive_limits() в модуле drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03113
Уязвимость функций get_ext_path(), ext4_find_extent() и ext4_split_extent_at() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03114
Уязвимость функции acpi_device_setup_files() модуля drivers/acpi/device_sysfs.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2025-03115
Уязвимость функции cm_helper_translate_curve_to_degamma_hw_format() модуля drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-03116
Уязвимость функции btrfs_update_reloc_root() (fs/btrfs/relocation.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03117
Уязвимость функции efi_retrieve_tpm2_eventlog() (drivers/firmware/efi/libstub/tpm.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03118
Уязвимость функции cm3_helper_translate_curve_to_degamma_hw_format() модуля drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-01-20
BDU:2025-03119
Уязвимость функции __sgx_alloc_epc_page() (arch/x86/kernel/cpu/sgx/main.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03120
Уязвимость функции ea_get() модуля fs/jfs/xattr.c ядра операционной системы Linux, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации.
Modified: 2025-10-24
BDU:2025-03121
Уязвимость функции dc_allow_idle_optimizations() модуля drivers/gpu/drm/amd/display/dc/core/dc.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03123
Уязвимость функции bpf_core_apply() (kernel/bpf/btf.c) компонента BPF ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03125
Уязвимость функции EXPORT_SYMBOL_GPL() (kernel/resource.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03126
Уязвимость функции close_ctree() (fs/btrfs/disk-io.c) ядра операционной системы Linux, позволяющая нарушителю повысить свои привилегии
Modified: 2025-06-09
BDU:2025-03128
Уязвимость функции vhost_scsi_get_req() (drivers/vhost/scsi.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-03129
Уязвимость функции osnoise_hotplug_workfn() (kernel/trace/trace_osnoise.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03132
Уязвимость функций tpm2_flush_space(), tpm_dev_transmit() драйвера Trusted Platform Module (TPM) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03133
Уязвимость функции commit_planes_for_stream() модуля drivers/gpu/drm/amd/display/dc/core/dc.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03144
Уязвимость функций dbAdjTree() и dbFindLeaf() модуля fs/jfs/jfs_dmap.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03145
Уязвимость функции are_stream_backends_same() модуля drivers/gpu/drm/amd/display/dc/core/dc_resource.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-03146
Уязвимость функции _isst_if_get_pci_dev() (drivers/platform/x86/intel/speed_select_if/isst_if_common.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03147
Уязвимость функций cachefiles_open_file(), fput() и cachefiles_look_up_object() компонента CacheFiles ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03148
Уязвимость функции ocfs2_set_buffer_uptodate() кластерной файловой системы OCFS2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03149
Уязвимость демона nfsd модуля fs/nfsd/vfs.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-03150
Уязвимость функций adp5589_keypad_add() и adp5589_probe() драйвера ADP5589 (drivers/input/keyboard/adp5589-keys.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03151
Уязвимость функций omapdrm_init() и omap_gem_deinit() драйвера DRM (drivers/gpu/drm/omapdrm/omap_drv.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03277
Уязвимость компонентов RDMA/cxgb4 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03284
Уязвимость функции ib_cache_setup_one() модуля drivers/infiniband/core/cache.c - драйвера поддержки InfiniBand ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании.
Modified: 2025-10-29
BDU:2025-03285
Уязвимость функции __cld_pipe_inprogress_downcall() модуля fs/nfsd/nfs4recover.c поддержки сетевой файловой системы NFS ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании.
Modified: 2025-06-09
BDU:2025-03288
Уязвимость компонента bpf ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03289
Уязвимость компонентов block, bfq ядра операционной системы Linux, позволяющая нарушителю повысить привилегии в системе
Modified: 2025-06-09
BDU:2025-03290
Уязвимость компонента block ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03293
Уязвимость компонента WiFi ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03294
Уязвимость компонента f2fs ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03295
Уязвимость компонента sock_map ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03297
Уязвимость компонента tcp ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03356
Уязвимость компонентов nouveau/dmem ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03359
Уязвимость компонентов RDMA/mad ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-03362
Уязвимость компонента thermal ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03381
Уязвимость компонентов RDMA/rtrs-srv ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03385
Уязвимость компонента PCI ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03386
Уязвимость компонента f2fs ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03387
Уязвимость компонента KEYS ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03395
Уязвимость компонента nfsd ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03396
Уязвимость компонента padata ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03416
Уязвимость компонента nilfs2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-03-12
BDU:2025-03417
Уязвимость компонента ipv6 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03418
Уязвимость компонента can ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03419
Уязвимость компонента WiFi ядра операционной системы Linux, позволяющая нарушителю повысить привилегии в системе
Modified: 2025-06-09
BDU:2025-03423
Уязвимость компонентов drm/amd/display ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03424
Уязвимость компонентов drivers/perf ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-03425
Уязвимость компонента bonding ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03426
Уязвимость компонентов RDMA/hns ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03471
Уязвимость функции __sock_create() модуля net/socket.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-06-09
BDU:2025-03487
Уязвимость компонента remoteproc ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03488
Уязвимость компонента ceph ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-03489
Уязвимость компонента secretmem ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03490
Уязвимость компонента virtio_pmem ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03491
Уязвимость компонента mptcp ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03492
Уязвимость компонента net ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-03493
Уязвимость компонента HID ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-03494
Уязвимость компонента ext4 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03902
Уязвимость ядра операционной системы Linux, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-04154
Уязвимость компонента drm/v3d ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-04155
Уязвимость ядра операционной системы Linux, связанная с ошибками инициализации памяти, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-04156
Уязвимость ядра операционной системы Linux, связанная с ошибками управления состоянием, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-04157
Уязвимость ядра операционной системы Linux, связанная с недостатками в обработке исключительных состояний, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-04158
Уязвимость функции mlx5e_tir_builder_alloc() компонента net/mlx5e ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-04159
Уязвимость ядра операционной системы Linux, связанная с ошибками управления состоянием, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-04162
Уязвимость компонента drm/amd/display ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-04163
Уязвимость компонента drm/amd/display ядра операционной системы Linux, позволяющая нарушителю оказать влияние на доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-04480
Уязвимость компонента netfilter ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-04482
Уязвимость компонентов drm/amd/display ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04484
Уязвимость компонента Bluetooth ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-04486
Уязвимость компонента i40e ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-04510
Уязвимость компонента NFSv4 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04511
Уязвимость компонента uprobes ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04513
Уязвимость компонента r8169 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-04550
Уязвимость функции ath11k_dp_process_rx() модуля drivers/net/wireless/ath/ath11k/dp_rx.c - драйвера поддержки адаптеров беспроводной связи Atheros/Qualcomm ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-24
BDU:2025-04552
Уязвимость функции cm3_helper_translate_curve_to_hw_format() компонента AMD Display драйвера /drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2025-04687
Уязвимость функции slhc_remember() драйвера /drivers/net/slip/slhc.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2025-04688
Уязвимость функции ppp_async_encode() модуля drivers/net/ppp/ppp_async.c ядра операционной системы Linux, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации или вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04700
Уязвимость функции battery_hook_unregister() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04701
Уязвимость функции ocfs2_reflink_xattr_inline() кластерной файловой системы ocfs2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-04702
Уязвимость функции ppp_channel_bridge_input() компонента ppp ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04703
Уязвимость функции qdisc_pkt_len_init() модуля net/core/dev.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-04704
Уязвимость функции exit_round_robin() компонента ACPI ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04705
Уязвимость функции __skb_set_length() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04990
Уязвимость функции ocfs2_global_read_info() модуля /fs/ocfs2/quota_local.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2025-05118
Уязвимость компонента ACPICA ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05126
Уязвимость компонента mailbox ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05127
Уязвимость компонента ocfs2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05135
Уязвимость функции spin_lock() компонента vfs ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-02-09
BDU:2025-05136
Уязвимость функции __jbd2_log_wait_for_space() модуля fs/jbd2/checkpoint.c поддержки файловой системы ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05137
Уязвимость функции ocfs2_journal_shutdown() компонента ocfs2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05138
Уязвимость функции qdisc_pkt_len_init() компонента net ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-05139
Уязвимость функции ioc_forgive_debts() компонента blk_iocost ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-07-01
BDU:2025-05183
Уязвимость функции static_call_module_notify() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05184
Уязвимость функции sctp_listen_start() компонента sctp ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05185
Уязвимость функций nf_dup_ipv4() и nf_dup_ipv6() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-02-17
BDU:2025-06407
Уязвимость компонента Bluetooth ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-06998
Уязвимость функции HPIMSGX__init() в модуле sound/pci/asihpi/hpimsgx.c компонента asihpi модуля /sound/pci/asihpi/hpimsgx.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-06999
Уязвимость функции skb_put_padto() компонента Ethernet Frame Handler драйвера /drivers/net/ethernet/lantiq_etop.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-24
BDU:2025-07592
Уязвимость модуля arch/x86/kernel/apic/io_apic.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07911
Уязвимость компонента drivers/gpu/drm/vc4 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07912
Уязвимость компонента drivers/scsi/lpfc ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07935
Уязвимость ядра операционной системы Linux, связанная с ошибками управления состоянием, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07937
Уязвимость ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании(DoS)
Modified: 2025-10-29
BDU:2025-07938
Уязвимость компонента net/sched ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07939
Уязвимость компонента net/netfilter/xt_cluster.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07976
Уязвимость ядра операционной системы Linux, связанная с чрезмерным итерированием, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07978
Уязвимость функции exfat_load_bitmap() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-07982
Уязвимость функции mwifiex_cmd_802_11_scan_ext() компонента drivers/net/wireless/marvell/mwifiex/scan.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-07983
Уязвимость функции ext4_ind_migrate() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07984
Уязвимость компонента drm/amd/display ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07985
Уязвимость компонента net/mlx5 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-07987
Уязвимость ядра операционной системы Linux, связанная с недостаточной блокировкой, позволяющая нарушителю вызвать отказ в обслуживании(DoS)
Modified: 2025-10-24
BDU:2025-07989
Уязвимость ядра операционной системы Linux, связанная с ошибками разыменования указателя NULL, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-03-19
BDU:2025-07990
Уязвимость ядра операционной системы Linux, связанная с отсутствием проверки деления на ноль, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07993
Уязвимость ядра операционной системы Linux, связанная с ошибками разыменования нулевого указателя, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-08000
Уязвимость компонента fs/f2fs/file.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-08019
Уязвимость компонента net/mac80211 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-08027
Уязвимость компонента drivers/net/ethernet/mellanox/mlx5 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-08523
Уязвимость ядра операционной системы Linux, связанная с ошибками при освобождении ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-08536
Уязвимость ядра операционной системы Linux, связанная с ошибками при освобождении ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-11-12
CVE-2023-53071
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: do not run mt76_unregister_device() on unregistered hw Trying to probe a mt7921e pci card without firmware results in a successful probe where ieee80211_register_hw hasn't been called. When removing the driver, ieee802111_unregister_hw is called unconditionally leading to a kernel NULL pointer dereference. Fix the issue running mt76_unregister_device routine just for registered hw.
Modified: 2025-11-03
CVE-2024-27072
In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Remove useless locks in usbtv_video_free() Remove locks calls in usbtv_video_free() because are useless and may led to a deadlock as reported here: https://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000 Also remove usbtv_stop() call since it will be called when unregistering the device. Before 'c838530d230b' this issue would only be noticed if you disconnect while streaming and now it is noticeable even when disconnecting while not streaming. [hverkuil: fix minor spelling mistake in log message]
- https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2
- https://git.kernel.org/stable/c/4ec4641df57cbdfdc51bb4959afcdbcf5003ddb9
- https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895
- https://git.kernel.org/stable/c/bdd82c47b22a8befd617b723098b2a41b77373c7
- https://git.kernel.org/stable/c/d5ed208d04acf06781d63d30f9fa991e8d609ebd
- https://git.kernel.org/stable/c/dea46e246ef0f98d89d59a4229157cd9ffb636bf
- https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2
- https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-35963
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Fix not validating setsockopt user input Check user input length before copying data.
- https://git.kernel.org/stable/c/0c18a64039aa3f1c16f208d197c65076da798137
- https://git.kernel.org/stable/c/50173882bb187e70e37bac01385b9b114019bee2
- https://git.kernel.org/stable/c/781f3a97a38a338bc893b6db7f9f9670bf1a9e37
- https://git.kernel.org/stable/c/b2186061d6043d6345a97100460363e990af0d46
- https://git.kernel.org/stable/c/50173882bb187e70e37bac01385b9b114019bee2
- https://git.kernel.org/stable/c/b2186061d6043d6345a97100460363e990af0d46
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-43866
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always drain health in shutdown callback There is no point in recovery during device shutdown. if health work started need to wait for it to avoid races and NULL pointer access. Hence, drain health WQ on shutdown callback.
- https://git.kernel.org/stable/c/1b75da22ed1e6171e261bc9265370162553d5393
- https://git.kernel.org/stable/c/5005e2e159b300c1b8c6820a1e13a62eb0127b9b
- https://git.kernel.org/stable/c/6048dec754554a1303d632be6042d3feb3295285
- https://git.kernel.org/stable/c/6b6c2ebd83f2bf97e8f221479372aaca97a4a9b2
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47678
In the Linux kernel, the following vulnerability has been resolved: icmp: change the order of rate limits ICMP messages are ratelimited : After the blamed commits, the two rate limiters are applied in this order: 1) host wide ratelimit (icmp_global_allow()) 2) Per destination ratelimit (inetpeer based) In order to avoid side-channels attacks, we need to apply the per destination check first. This patch makes the following change : 1) icmp_global_allow() checks if the host wide limit is reached. But credits are not yet consumed. This is deferred to 3) 2) The per destination limit is checked/updated. This might add a new node in inetpeer tree. 3) icmp_global_consume() consumes tokens if prior operations succeeded. This means that host wide ratelimit is still effective in keeping inetpeer tree small even under DDOS. As a bonus, I removed icmp_global.lock as the fast path can use a lock-free operation.
- https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19
- https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b
- https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e
- https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3
- https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47679
In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between evice_inodes() and find_inode()&iput() Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict() Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput(). To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced. If there is any misunderstanding, please let me know, thanks. [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.
- https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb
- https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1
- https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b
- https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195
- https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5
- https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1
- https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11
- https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef
- https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47682
In the Linux kernel, the following vulnerability has been resolved: scsi: sd: Fix off-by-one error in sd_read_block_characteristics() Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for example), sd_read_block_characteristics() may attempt an out-of-bounds memory access when accessing the zoned field at offset 8.
- https://git.kernel.org/stable/c/413df704f149dec585df07466d2401bbd1f490a0
- https://git.kernel.org/stable/c/568c7c4c77eee6df7677bb861b7cee7398a3255d
- https://git.kernel.org/stable/c/60312ae7392f9c75c6591a52fc359cf7f810d48f
- https://git.kernel.org/stable/c/a776050373893e4c847a49abeae2ccb581153df0
- https://git.kernel.org/stable/c/f81eaf08385ddd474a2f41595a7757502870c0eb
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-12-29
CVE-2024-47683
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Skip Recompute DSC Params if no Stream on Link
[why]
Encounter NULL pointer dereference uner mst + dsc setup.
BUG: kernel NULL pointer dereference, address: 0000000000000008
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2
Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022
RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0
Call Trace:
- https://git.kernel.org/stable/c/282f0a482ee61d5e863512f3c4fcec90216c20d9
- https://git.kernel.org/stable/c/50e376f1fe3bf571d0645ddf48ad37eb58323919
- https://git.kernel.org/stable/c/70275bb960c71d313254473d38c14e7101cee5ad
- https://git.kernel.org/stable/c/718d83f66fb07b2cab89a1fc984613a00e3db18f
- https://git.kernel.org/stable/c/7c887efda1201110211fed8921a92a713e0b6bcd
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47684
In the Linux kernel, the following vulnerability has been resolved: tcp: check skb is non-NULL in tcp_rto_delta_us() We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic kernel that are running ceph and recently hit a null ptr dereference in tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also saw it getting hit from the RACK case as well. Here are examples of the oops messages we saw in each of those cases: Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020 Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0 Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246 Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8 Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900 Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000 Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0 Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554 Jul 26 15:05:02 rx [11061395.916786] Call Trace: Jul 26 15:05:02 rx [11061395.919488] Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9 Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380 Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50 Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0 Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20 Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450 Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140 Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90 Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0 Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40 Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220 Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240 Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0 Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240 Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130 Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280 Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10 Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30 Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_even ---truncated---
- https://git.kernel.org/stable/c/09aea49fbc7e755a915c405644f347137cdb62b0
- https://git.kernel.org/stable/c/16e0387d87fc858e34449fdf2b14ed5837f761db
- https://git.kernel.org/stable/c/570f7d8c9bf14f041152ba8353d4330ef7575915
- https://git.kernel.org/stable/c/5c4c03288a4aea705e36aa44119c13d7ee4dce99
- https://git.kernel.org/stable/c/81d18c152e3f82bacadf83bc0a471b2363b9cc18
- https://git.kernel.org/stable/c/96c4983eab2a5da235f7fff90beaf17b008ba029
- https://git.kernel.org/stable/c/ad4f0a14d6856e68f023fc4e5017cfd881a3dfbc
- https://git.kernel.org/stable/c/c8770db2d54437a5f49417ae7b46f7de23d14db6
- https://git.kernel.org/stable/c/ec31cf42fc4e35bb1248ce6eb1de6de9f851ac86
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-18
CVE-2024-47685
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1) Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put() BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 process_backlog+0x4ad/0xa50 net/core/dev.c:6108 __napi_poll+0xe7/0x980 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 __do_softirq+0x14/0x1a kernel/softirq.c:588 do_softirq+0x9a/0x100 kernel/softirq.c:455 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline] __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450 dev_queue_xmit include/linux/netdevice.h:3105 [inline] neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366 inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143 tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333 __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679 inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750 __sys_connect_file net/socket.c:2061 [inline] __sys_connect+0x606/0x690 net/socket.c:2078 __do_sys_connect net/socket.c:2088 [inline] __se_sys_connect net/socket.c:2085 [inline] __x64_sys_connect+0x91/0xe0 net/socket.c:2085 x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core ---truncated---
- https://git.kernel.org/stable/c/10210658f827ad45061581cbfc05924b723e8922
- https://git.kernel.org/stable/c/7a7b5a27c53b55e91eecf646d1b204e73fa4af93
- https://git.kernel.org/stable/c/7bcbc4cda777d26c88500d973fad0d497fc8a82e
- https://git.kernel.org/stable/c/7ea2bcfd9bf4c3dbbf22546162226fd1c14d8ad2
- https://git.kernel.org/stable/c/872eca64c3267dbc5836b715716fc6c03a18eda7
- https://git.kernel.org/stable/c/9c778fe48d20ef362047e3376dee56d77f8500d4
- https://git.kernel.org/stable/c/af4b8a704f26f38310655bad67fd8096293275a2
- https://git.kernel.org/stable/c/dcf48ab3ca2c55b09c8f9c8de0df01c1943bc4e5
- https://git.kernel.org/stable/c/fbff87d682e57ddbbe82abf6d0a1a4a36a98afcd
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47686
In the Linux kernel, the following vulnerability has been resolved: ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() The psc->div[] array has psc->num_div elements. These values come from when we call clk_hw_register_div(). It's adc_divisors and ARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >= instead of > to prevent an out of bounds read.
- https://git.kernel.org/stable/c/27f493e141823db052586010c1532b70b164507c
- https://git.kernel.org/stable/c/66e78ade976dbd9bea09166aa8d66afc0963cde4
- https://git.kernel.org/stable/c/7a5bd2fb92388c51d267f6ce57c40f1cca8af1e0
- https://git.kernel.org/stable/c/ae59eaf36a1ad396e9f657ec9b8b52da6206ed5f
- https://git.kernel.org/stable/c/c7f06284a6427475e3df742215535ec3f6cd9662
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47690
In the Linux kernel, the following vulnerability has been resolved: f2fs: get rid of online repaire on corrupted directory syzbot reports a f2fs bug as below: kernel BUG at fs/f2fs/inode.c:896! RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896 Call Trace: evict+0x532/0x950 fs/inode.c:704 dispose_list fs/inode.c:747 [inline] evict_inodes+0x5f9/0x690 fs/inode.c:797 generic_shutdown_super+0x9d/0x2d0 fs/super.c:627 kill_block_super+0x44/0x90 fs/super.c:1696 kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898 deactivate_locked_super+0xc4/0x130 fs/super.c:473 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373 task_work_run+0x24f/0x310 kernel/task_work.c:228 ptrace_notify+0x2d2/0x380 kernel/signal.c:2402 ptrace_report_syscall include/linux/ptrace.h:415 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline] syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline] syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896 Online repaire on corrupted directory in f2fs_lookup() can generate dirty data/meta while racing w/ readonly remount, it may leave dirty inode after filesystem becomes readonly, however, checkpoint() will skips flushing dirty inode in a state of readonly mode, result in above panic. Let's get rid of online repaire in f2fs_lookup(), and leave the work to fsck.f2fs.
- https://git.kernel.org/stable/c/884ee6dc85b959bc152f15bca80c30f06069e6c4
- https://git.kernel.org/stable/c/8be95cd607478d85fa4626e86f811e785905bcbf
- https://git.kernel.org/stable/c/bcefd0b0611f35b560d0a7281d87529fbe7a1e32
- https://git.kernel.org/stable/c/e8d64f598eeb079c42a52deaa3a91312c736a49d
- https://git.kernel.org/stable/c/f4746f2d79507f65cfbde11d3c39ee8338aa50af
- https://git.kernel.org/stable/c/f9ce2f550d53d044ecfb5ce996406cf42cd6b84d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47692
In the Linux kernel, the following vulnerability has been resolved: nfsd: return -EINVAL when namelen is 0 When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may result in namelen being 0, which will cause memdup_user() to return ZERO_SIZE_PTR. When we access the name.data that has been assigned the value of ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is triggered. [ T1205] ================================================================== [ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260 [ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205 [ T1205] [ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406 [ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ T1205] Call Trace: [ T1205] dump_stack+0x9a/0xd0 [ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 [ T1205] __kasan_report.cold+0x34/0x84 [ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 [ T1205] kasan_report+0x3a/0x50 [ T1205] nfs4_client_to_reclaim+0xe9/0x260 [ T1205] ? nfsd4_release_lockowner+0x410/0x410 [ T1205] cld_pipe_downcall+0x5ca/0x760 [ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0 [ T1205] ? down_write_killable_nested+0x170/0x170 [ T1205] ? avc_policy_seqno+0x28/0x40 [ T1205] ? selinux_file_permission+0x1b4/0x1e0 [ T1205] rpc_pipe_write+0x84/0xb0 [ T1205] vfs_write+0x143/0x520 [ T1205] ksys_write+0xc9/0x170 [ T1205] ? __ia32_sys_read+0x50/0x50 [ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110 [ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110 [ T1205] do_syscall_64+0x33/0x40 [ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ T1205] RIP: 0033:0x7fdbdb761bc7 [ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514 [ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7 [ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008 [ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001 [ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b [ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000 [ T1205] ================================================================== Fix it by checking namelen.
- https://git.kernel.org/stable/c/0f1d007bbea38a61cf9c5392708dc70ae9d84a3d
- https://git.kernel.org/stable/c/1ff8be8d008b9ddc8e7043fbddd37d5d451b271b
- https://git.kernel.org/stable/c/22451a16b7ab7debefce660672566be887db1637
- https://git.kernel.org/stable/c/318f70857caab3da9a6ada9bc8c1f4f7591b695e
- https://git.kernel.org/stable/c/6d07040ae5c2214e39c7444d898039c9e655a79a
- https://git.kernel.org/stable/c/766d5fbd78f7a52b3888449a0358760477b74602
- https://git.kernel.org/stable/c/84a563d136faf514fdad1ade28d7a142fd313cb8
- https://git.kernel.org/stable/c/b7b7a8df41ef18862dd6b22289fb46c2c12398af
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47693
In the Linux kernel, the following vulnerability has been resolved:
IB/core: Fix ib_cache_setup_one error flow cleanup
When ib_cache_update return an error, we exit ib_cache_setup_one
instantly with no proper cleanup, even though before this we had
already successfully done gid_table_setup_one, that results in
the kernel WARN below.
Do proper cleanup using gid_table_cleanup_one before returning
the err in order to fix the issue.
WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0
Modules linked in:
CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:gid_table_release_one+0x181/0x1a0
Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41
RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527
RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001
RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631
R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001
R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001
FS: 00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
- https://git.kernel.org/stable/c/1403c8b14765eab805377dd3b75e96ace8747aed
- https://git.kernel.org/stable/c/1730d47d1865af89efd01cf0469a9a739cbf60f2
- https://git.kernel.org/stable/c/290fe42fe0165205c4451334d8833a9202ae1d52
- https://git.kernel.org/stable/c/45f63f4bb9a7128a6209d766c2fc02b3d42fbf3e
- https://git.kernel.org/stable/c/af633fd9d9fff59e31c804f47ca0c8a784977773
- https://git.kernel.org/stable/c/d08754be993f270e3d296d8f5d8e071fe6638651
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47695
In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds In the function init_conns(), after the create_con() and create_cm() for loop if something fails. In the cleanup for loop after the destroy tag, we access out of bound memory because cid is set to clt_path->s.con_num. This commits resets the cid to clt_path->s.con_num - 1, to stay in bounds in the cleanup loop later.
- https://git.kernel.org/stable/c/01b9be936ee8839ab9f83a7e84ee02ac6c8303c4
- https://git.kernel.org/stable/c/0429a4e972082e3a2351da414b1c017daaf8aed2
- https://git.kernel.org/stable/c/1c50e0265fa332c94a4a182e4efa0fc70d8fad94
- https://git.kernel.org/stable/c/3e4289b29e216a55d08a89e126bc0b37cbad9f38
- https://git.kernel.org/stable/c/5ac73f8191f3de41fef4f934d84d97f3aadb301f
- https://git.kernel.org/stable/c/c8b7f3d9fada0d4b4b7db86bf7345cd61f1d972e
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47696
In the Linux kernel, the following vulnerability has been resolved:
RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency
In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to
destroying CM IDs"), the function flush_workqueue is invoked to flush the
work queue iwcm_wq.
But at that time, the work queue iwcm_wq was created via the function
alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.
Because the current process is trying to flush the whole iwcm_wq, if
iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current
process is not reclaiming memory or running on a workqueue which doesn't
have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee
leading to a deadlock.
The call trace is as below:
[ 125.350876][ T1430] Call Trace:
[ 125.356281][ T1430]
- https://git.kernel.org/stable/c/29b3bbd912b8db86df7a3c180b910ccb621f5635
- https://git.kernel.org/stable/c/2efe8da2ddbf873385b4bc55366d09350b408df6
- https://git.kernel.org/stable/c/86dfdd8288907f03c18b7fb462e0e232c4f98d89
- https://git.kernel.org/stable/c/8b7df76356d098f85f3bd2c7cf6fb43f531893d7
- https://git.kernel.org/stable/c/a09dc967b3c58899e259c0aea092f421d22a0b04
- https://git.kernel.org/stable/c/a64f30db12bdc937c5108158d98c8eab1925c548
- https://git.kernel.org/stable/c/c8b18a75282cfd27822a8cc3c1f005c1ac8d1a58
- https://git.kernel.org/stable/c/da0392698c62397c19deb1b9e9bdf2fbb5a9420e
- https://git.kernel.org/stable/c/da2708a19f45b4a7278adf523837c8db21d1e2b5
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47697
In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Ensure index in rtl2830_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue.
- https://git.kernel.org/stable/c/042b101d7bf70616c4967c286ffa6fcca65babfb
- https://git.kernel.org/stable/c/3dba83d3c81de1368d15a39f22df7b53e306052f
- https://git.kernel.org/stable/c/46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14
- https://git.kernel.org/stable/c/58f31be7dfbc0c84a6497ad51924949cf64b86a2
- https://git.kernel.org/stable/c/7fd6aae7e53b94f4035b1bfce28b8dfa0d0ae470
- https://git.kernel.org/stable/c/86d920d2600c3a48efc2775c1666c1017eec6956
- https://git.kernel.org/stable/c/883f794c6e498ae24680aead55c16f66b06cfc30
- https://git.kernel.org/stable/c/8ffbe7d07b8e76193b151107878ddc1ccc94deb5
- https://git.kernel.org/stable/c/badbd736e6649c4e6d7b4ff7e2b9857acfa9ea94
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47698
In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Ensure index in rtl2832_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue. [hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
- https://git.kernel.org/stable/c/15bea004e939d938a6771dfcf2a26cc899ffd20a
- https://git.kernel.org/stable/c/49b33c38d202d3327dcfd058e27f541dcc308b92
- https://git.kernel.org/stable/c/527ab3eb3b0b4a6ee00e183c1de6a730239e2835
- https://git.kernel.org/stable/c/66dbe0df6eccc7ee53a2c35016ce81e13b3ff447
- https://git.kernel.org/stable/c/6ae3b9aee42616ee93c4585174f40c767828006d
- https://git.kernel.org/stable/c/7065c05c6d58b9b9a98127aa14e9a5ec68173918
- https://git.kernel.org/stable/c/8ae06f360cfaca2b88b98ca89144548b3186aab1
- https://git.kernel.org/stable/c/a879b6cdd48134a3d58949ea4f075c75fa2d7d71
- https://git.kernel.org/stable/c/bedd42e07988dbdd124b23e758ffef7a681b9c60
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47699
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() Patch series "nilfs2: fix potential issues with empty b-tree nodes". This series addresses three potential issues with empty b-tree nodes that can occur with corrupted filesystem images, including one recently discovered by syzbot. This patch (of 3): If a b-tree is broken on the device, and the b-tree height is greater than 2 (the level of the root node is greater than 1) even if the number of child nodes of the b-tree root is 0, a NULL pointer dereference occurs in nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert(). This is because, when the number of child nodes of the b-tree root is 0, nilfs_btree_do_lookup() does not set the block buffer head in any of path[x].bp_bh, leaving it as the initial value of NULL, but if the level of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(), which accesses the buffer memory of path[x].bp_bh, is called. Fix this issue by adding a check to nilfs_btree_root_broken(), which performs sanity checks when reading the root node from the device, to detect this inconsistency. Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause early on.
- https://git.kernel.org/stable/c/1d94dbdfbb64cc48d10dec65cc3c4fbf2497b343
- https://git.kernel.org/stable/c/21839b6fbc3c41b3e374ecbdb0cabbbb2c53cf34
- https://git.kernel.org/stable/c/24bf40740a3da6b4056721da34997ae6938f3da1
- https://git.kernel.org/stable/c/2b78e9df10fb7f4e9d3d7a18417dd72fbbc1dfd0
- https://git.kernel.org/stable/c/3644554d308ddf2669e459a1551a7edf60b2d62b
- https://git.kernel.org/stable/c/73d23ecf234b7a6d47fb883f2dabe10e3230b31d
- https://git.kernel.org/stable/c/9403001ad65ae4f4c5de368bdda3a0636b51d51a
- https://git.kernel.org/stable/c/db73500d3f0e558eb642aae1d4782e7726b4a03f
- https://git.kernel.org/stable/c/f68523e0f26faade18833fbef577a4295d8e2c94
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47701
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid OOB when system.data xattr changes underneath the filesystem
When looking up for an entry in an inlined directory, if e_value_offs is
changed underneath the filesystem by some change in the block device, it
will lead to an out-of-bounds access that KASAN detects as an UAF.
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
loop0: detected capacity change from 2048 to 2047
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103
CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
- https://git.kernel.org/stable/c/2a6579ef5f2576a940125729f7409cc182f1c8df
- https://git.kernel.org/stable/c/371d0bacecd529f887ea2547333d9173e7bcdc0a
- https://git.kernel.org/stable/c/5b076d37e8d99918e9294bd6b35a8bbb436819b0
- https://git.kernel.org/stable/c/7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba
- https://git.kernel.org/stable/c/8adf0eb4e361a9e060d54f4bd0ac9c5d85277d20
- https://git.kernel.org/stable/c/be2e9b111e2790962cc66a177869b4e9717b4e29
- https://git.kernel.org/stable/c/c6b72f5d82b1017bad80f9ebf502832fc321d796
- https://git.kernel.org/stable/c/ccb8c18076e2e630fea23fbec583cdad61787fc5
- https://git.kernel.org/stable/c/ea32883e4a03ed575a2eb7a66542022312bde477
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47705
In the Linux kernel, the following vulnerability has been resolved: block: fix potential invalid pointer dereference in blk_add_partition The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed without logging the error in this case. However, this change unintentionally left a path where md_autodetect_dev() could be called without confirming that part is a valid pointer. This commit separates the error handling logic by splitting the initial if-condition, improving code readability and handling specific error scenarios explicitly. The function now distinguishes the general error case from -ENXIO without altering the existing behavior of md_autodetect_dev() calls.
- https://git.kernel.org/stable/c/26e197b7f9240a4ac301dd0ad520c0c697c2ea7d
- https://git.kernel.org/stable/c/4bc4272e2506941c3f3d4fb8b0c659ee814dcf6f
- https://git.kernel.org/stable/c/64cf2a39202ca2d9df5ee70eb310b6141ce2b8ed
- https://git.kernel.org/stable/c/652039ba477c9a4ab43740cf2cb0d068d53508c2
- https://git.kernel.org/stable/c/80f5bfbb80ea1615290dbc24f49d3d8c86db58fe
- https://git.kernel.org/stable/c/afe53ea9b378c376101d99d216f13b6256f75189
- https://git.kernel.org/stable/c/cc4d21d9492db4e534d3e01253cf885c90dd2a8b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47706
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix possible UAF for bfqq->bic with merge chain
1) initial state, three tasks:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| Λ | Λ | Λ
| | | | | |
V | V | V |
bfqq1 bfqq2 bfqq3
process ref: 1 1 1
2) bfqq1 merged to bfqq2:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| | | Λ
\--------------\| | |
V V |
bfqq1--------->bfqq2 bfqq3
process ref: 0 2 1
3) bfqq2 merged to bfqq3:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
here -> Λ | |
\--------------\ \-------------\|
V V
bfqq1--------->bfqq2---------->bfqq3
process ref: 0 1 3
In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
get bfqq3 through merge chain, and finially handle IO by bfqq3.
Howerver, current code will think bfqq2 is owned by BIC1, like initial
state, and set bfqq2->bic to BIC1.
bfq_insert_request
-> by Process 1
bfqq = bfq_init_rq(rq)
bfqq = bfq_get_bfqq_handle_split
bfqq = bic_to_bfqq
-> get bfqq2 from BIC1
bfqq->ref++
rq->elv.priv[0] = bic
rq->elv.priv[1] = bfqq
if (bfqq_process_refs(bfqq) == 1)
bfqq->bic = bic
-> record BIC1 to bfqq2
__bfq_insert_request
new_bfqq = bfq_setup_cooperator
-> get bfqq3 from bfqq2->new_bfqq
bfqq_request_freed(bfqq)
new_bfqq->ref++
rq->elv.priv[1] = new_bfqq
-> handle IO by bfqq3
Fix the problem by checking bfqq is from merge chain fist. And this
might fix a following problem reported by our syzkaller(unreproducible):
==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:
- https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7
- https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048
- https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa
- https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5
- https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3
- https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587
- https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777
- https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0
- https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47707
In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
Blamed commit accidentally removed a check for rt->rt6i_idev being NULL,
as spotted by syzbot:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
- https://git.kernel.org/stable/c/04ccecfa959d3b9ae7348780d8e379c6486176ac
- https://git.kernel.org/stable/c/08409e401622e2896b4313be9f781bde8a2a6a53
- https://git.kernel.org/stable/c/0ceb2f2b5c813f932d6e60d3feec5e7e713da783
- https://git.kernel.org/stable/c/8a8b83016f06805775db099c8377024b6fa5b975
- https://git.kernel.org/stable/c/9a0ddc73be37d19dff1ba08290af34e707d18e50
- https://git.kernel.org/stable/c/a61a174280dad99f25a7dee920310885daf2552b
- https://git.kernel.org/stable/c/e43dd28405e6b9935279996725ee11e6306547a5
- https://git.kernel.org/stable/c/f2bd9635543ca41533b870f420872819f8331823
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47709
In the Linux kernel, the following vulnerability has been resolved:
can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
syzbot reported a warning in bcm_release(). [0]
The blamed change fixed another warning that is triggered when
connect() is issued again for a socket whose connect()ed device has
been unregistered.
However, if the socket is just close()d without the 2nd connect(), the
remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
in bcm_release().
Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().
[0]
name '4986'
WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Modules linked in:
CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
- https://git.kernel.org/stable/c/5cc00913c1fdcab861c4e65fa20d1f1e1bbbf977
- https://git.kernel.org/stable/c/770b463264426cc3c167b1d44efa85f6a526ce5b
- https://git.kernel.org/stable/c/7a145d6ec2124bdb94bd6fc436b342ff6ddf2b70
- https://git.kernel.org/stable/c/94b0818fa63555a65f6ba107080659ea6bcca63e
- https://git.kernel.org/stable/c/9550baada4c8ef8cebefccc746384842820b4dff
- https://git.kernel.org/stable/c/a833da8eec20b51af39643faa7067b25c8b20f3e
- https://git.kernel.org/stable/c/b02ed2f01240b226570b4a19b5041d61f5125784
- https://git.kernel.org/stable/c/c3d941cc734e0c8dc486c062926d5249070af5e4
- https://git.kernel.org/stable/c/f5059fae5ed518fc56494ce5bdd4f5360de4b3bc
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47710
In the Linux kernel, the following vulnerability has been resolved: sock_map: Add a cond_resched() in sock_hash_free() Several syzbot soft lockup reports all have in common sock_hash_free() If a map with a large number of buckets is destroyed, we need to yield the cpu when needed.
- https://git.kernel.org/stable/c/04f62c012e0e4683e572b30baf6004ca0a3f6772
- https://git.kernel.org/stable/c/1a11a1a53255ddab8a903cdae01b9d3eb2c1a47b
- https://git.kernel.org/stable/c/80bd490ac0a3b662a489e17d8eedeb1e905a3d40
- https://git.kernel.org/stable/c/984648aac87a6a1c8fd61663bec3f7b61eafad5e
- https://git.kernel.org/stable/c/ae8c1b3e7353ad240b829eabac7ba2584b2c6bdc
- https://git.kernel.org/stable/c/b1339be951ad31947ae19bc25cb08769bf255100
- https://git.kernel.org/stable/c/bc05f6855642cff3c0eeb63060b35d8c4f8a851d
- https://git.kernel.org/stable/c/cd10abf41bae55c9d2b93f34a516dbf52626bcb7
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47712
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param In the `wilc_parse_join_bss_param` function, the TSF field of the `ies` structure is accessed after the RCU read-side critical section is unlocked. According to RCU usage rules, this is illegal. Reusing this pointer can lead to unpredictable behavior, including accessing memory that has been updated or causing use-after-free issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. To address this, the TSF value is now stored in a local variable `ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is then assigned using this local variable, ensuring that the TSF value is safely accessed.
- https://git.kernel.org/stable/c/2f944e6255c2fc1c9bd9ee32f6b14ee0b2a51eb5
- https://git.kernel.org/stable/c/557418e1704605a81c9e26732449f71b1d40ba1e
- https://git.kernel.org/stable/c/5a24cedc243ace5ed7c1016f52a7bfc8f5b07815
- https://git.kernel.org/stable/c/6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8
- https://git.kernel.org/stable/c/79510414a7626317f13cc9073244ab7a8deb3192
- https://git.kernel.org/stable/c/84398204c5df5aaf89453056cf0647cda9664d2b
- https://git.kernel.org/stable/c/b040b71d99ee5e17bb7a743dc01cbfcae8908ce1
- https://git.kernel.org/stable/c/bf090f4fe935294361eabd9dc5a949fdd77d3d1b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47713
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() Since '__dev_queue_xmit()' should be called with interrupts enabled, the following backtrace: ieee80211_do_stop() ... spin_lock_irqsave(&local->queue_stop_reason_lock, flags) ... ieee80211_free_txskb() ieee80211_report_used_skb() ieee80211_report_ack_skb() cfg80211_mgmt_tx_status_ext() nl80211_frame_tx_status() genlmsg_multicast_netns() genlmsg_multicast_netns_filtered() nlmsg_multicast_filtered() netlink_broadcast_filtered() do_one_broadcast() netlink_broadcast_deliver() __netlink_sendskb() netlink_deliver_tap() __netlink_deliver_tap_skb() dev_queue_xmit() __dev_queue_xmit() ; with IRQS disabled ... spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags) issues the warning (as reported by syzbot reproducer): WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120 Fix this by implementing a two-phase skb reclamation in 'ieee80211_do_stop()', where actual work is performed outside of a section with interrupts disabled.
- https://git.kernel.org/stable/c/04f75f5bae33349283d6886901d9acd2f110c024
- https://git.kernel.org/stable/c/058c9026ad79dc98572442fd4c7e9a36aba6f596
- https://git.kernel.org/stable/c/07eb0bd7b0a8abed9d45e0f567c9af1dc83e5268
- https://git.kernel.org/stable/c/9d301de12da6e1bb069a9835c38359b8e8135121
- https://git.kernel.org/stable/c/acb53a716e492a02479345157c43f21edc8bc64b
- https://git.kernel.org/stable/c/ad4b7068b101fbbb4a9ca4b99b25eb051a9482ec
- https://git.kernel.org/stable/c/db5ca4b42ccfa42d2af7b335ff12578e57775c02
- https://git.kernel.org/stable/c/eab272972cffff9cd973b8e4055a8e81c64f7e6a
- https://git.kernel.org/stable/c/f232916fab67ca1c3425926df4a866e59ff26908
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47718
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: always wait for both firmware loading attempts In 'rtw_wait_firmware_completion()', always wait for both (regular and wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually the wowlan one) is still in progress, causing UAF detected by KASAN.
- https://git.kernel.org/stable/c/0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d
- https://git.kernel.org/stable/c/1b8178a2ae272256ea0dc4f940320a81003535e2
- https://git.kernel.org/stable/c/7887ad11995a4142671cc49146db536f923c8568
- https://git.kernel.org/stable/c/9432185540bafd42b7bfac6e6ef2f0a0fb4be447
- https://git.kernel.org/stable/c/a0c1e2da652cf70825739bc12d49ea15805690bf
- https://git.kernel.org/stable/c/ceaab3fb64d6a5426a3db8f87f3e5757964f2532
- https://git.kernel.org/stable/c/e9a78d9417e167410d6fb83c4e908b077ad8ba6d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47720
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func This commit adds a null check for the set_output_gamma function pointer in the dcn30_set_output_transfer_func function. Previously, set_output_gamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if set_output_gamma is indeed null. To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a nullity check for set_output_gamma before the call to set_output_gamma at line 401. If set_output_gamma is null, we log an error message and do not call the function. This fix prevents a potential null pointer dereference error. drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func() error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c 373 bool dcn30_set_output_transfer_func(struct dc *dc, 374 struct pipe_ctx *pipe_ctx, 375 const struct dc_stream_state *stream) 376 { 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst; 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc; 379 const struct pwl_params *params = NULL; 380 bool ret = false; 381 382 /* program OGAM or 3DLUT only for the top pipe*/ 383 if (pipe_ctx->top_pipe == NULL) { 384 /*program rmu shaper and 3dlut in MPC*/ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); 386 if (ret == false && mpc->funcs->set_output_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL) 388 params = &stream->out_transfer_func.pwl; 389 else if (pipe_ctx->stream->out_transfer_func.type == 390 TF_TYPE_DISTRIBUTED_POINTS && 391 cm3_helper_translate_curve_to_hw_format( 392 &stream->out_transfer_func, 393 &mpc->blender_params, false)) 394 params = &mpc->blender_params; 395 /* there are no ROM LUTs in OUTGAM */ 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED) 397 BREAK_TO_DEBUGGER(); 398 } 399 } 400 --> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash 402 return ret; 403 }
- https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2
- https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1
- https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a
- https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e
- https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9
- https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47723
In the Linux kernel, the following vulnerability has been resolved: jfs: fix out-of-bounds in dbNextAG() and diAlloc() In dbNextAG() , there is no check for the case where bmp->db_numag is greater or same than MAXAG due to a polluted image, which causes an out-of-bounds. Therefore, a bounds check should be added in dbMount(). And in dbNextAG(), a check for the case where agpref is greater than bmp->db_numag should be added, so an out-of-bounds exception should be prevented. Additionally, a check for the case where agno is greater or same than MAXAG should be added in diAlloc() to prevent out-of-bounds.
- https://git.kernel.org/stable/c/0338e66cba272351ca9d7d03f3628e390e70963b
- https://git.kernel.org/stable/c/128d5cfdcf844cb690c9295a3a1c1114c21fc15a
- https://git.kernel.org/stable/c/5ad6284c8d433f8a213111c5c44ead4d9705b622
- https://git.kernel.org/stable/c/6ce8b6ab44a8b5918c0ee373d4ad19d19017931b
- https://git.kernel.org/stable/c/96855f40e152989c9e7c20c4691ace5581098acc
- https://git.kernel.org/stable/c/c1ba4b8ca799ff1d99d01f37d7ccb7d5ba5533d2
- https://git.kernel.org/stable/c/d1017d2a0f3f16dc1db5120e7ddbe7c6680425b0
- https://git.kernel.org/stable/c/e63866a475562810500ea7f784099bfe341e761a
- https://git.kernel.org/stable/c/ead82533278502428883085a787d5a00f15e5eb9
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47727
In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix "in-kernel MMIO" check TDX only supports kernel-initiated MMIO operations. The handle_mmio() function checks if the #VE exception occurred in the kernel and rejects the operation if it did not. However, userspace can deceive the kernel into performing MMIO on its behalf. For example, if userspace can point a syscall to an MMIO address, syscall does get_user() or put_user() on it, triggering MMIO #VE. The kernel will treat the #VE as in-kernel MMIO. Ensure that the target MMIO address is within the kernel before decoding instruction.
- https://git.kernel.org/stable/c/18ecd5b74682839e7cdafb7cd1ec106df7baa18c
- https://git.kernel.org/stable/c/25703a3c980e21548774eea8c8a87a75c5c8f58c
- https://git.kernel.org/stable/c/4c0c5dcb5471de5fc8f0a1c4980e5815339e1cee
- https://git.kernel.org/stable/c/bca2e29f7e26ce7c3522f8b324c0bd85612f68e3
- https://git.kernel.org/stable/c/d4fc4d01471528da8a9797a065982e05090e1d81
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47728
In the Linux kernel, the following vulnerability has been resolved: bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input arguments, zero the value for the case of an error as otherwise it could leak memory. For tracing, it is not needed given CAP_PERFMON can already read all kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped in here. Also, the MTU helpers mtu_len pointer value is being written but also read. Technically, the MEM_UNINIT should not be there in order to always force init. Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now implies two things actually: i) write into memory, ii) memory does not have to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory, ii) memory must be initialized. This means that for bpf_*_check_mtu() we're readding the issue we're trying to fix, that is, it would then be able to write back into things like .rodata BPF maps. Follow-up work will rework the MEM_UNINIT semantics such that the intent can be better expressed. For now just clear the *mtu_len on error path which can be lifted later again.
- https://git.kernel.org/stable/c/4b3786a6c5397dc220b1483d8e2f4867743e966f
- https://git.kernel.org/stable/c/594a9f5a8d2de2573a856e506f77ba7dd2cefc6a
- https://git.kernel.org/stable/c/599d15b6d03356a97bff7a76155c5604c42a2962
- https://git.kernel.org/stable/c/8397bf78988f3ae9dbebb0200189a62a57264980
- https://git.kernel.org/stable/c/a634fa8e480ac2423f86311a602f6295df2c8ed0
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47730
In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - inject error before stopping queue The master ooo cannot be completely closed when the accelerator core reports memory error. Therefore, the driver needs to inject the qm error to close the master ooo. Currently, the qm error is injected after stopping queue, memory may be released immediately after stopping queue, causing the device to access the released memory. Therefore, error is injected to close master ooo before stopping queue to ensure that the device does not access the released memory.
- https://git.kernel.org/stable/c/801d64177faaec184cee1e1aa4d8487df1364a54
- https://git.kernel.org/stable/c/85e81103033324d7a271dafb584991da39554a89
- https://git.kernel.org/stable/c/98d3be34c9153eceadb56de50d9f9347e88d86e4
- https://git.kernel.org/stable/c/aa3e0db35a60002fb34ef0e4ad203aa59fd00203
- https://git.kernel.org/stable/c/b04f06fc0243600665b3b50253869533b7938468
- https://git.kernel.org/stable/c/c5f5b813e546f7fe133539c3d7a5086cc8dd2aa1
- https://git.kernel.org/stable/c/f8024f12752e32ffbbf59e1c09d949f977ff743f
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
Modified: 2025-11-03
CVE-2024-47731
In the Linux kernel, the following vulnerability has been resolved: drivers/perf: Fix ali_drw_pmu driver interrupt status clearing The alibaba_uncore_pmu driver forgot to clear all interrupt status in the interrupt processing function. After the PMU counter overflow interrupt occurred, an interrupt storm occurred, causing the system to hang. Therefore, clear the correct interrupt status in the interrupt handling function to fix it.
- https://git.kernel.org/stable/c/062b7176e484678b2c9072d28fbecea47846b274
- https://git.kernel.org/stable/c/24f30b34ff76648d26872dd4eaa002f074225058
- https://git.kernel.org/stable/c/3b839d4619042b02eecdfc986484ac6e6be6acbf
- https://git.kernel.org/stable/c/85702fddba70d2b63f5646793d77de2ad4fc3784
- https://git.kernel.org/stable/c/a3dd920977dccc453c550260c4b7605b280b79c3
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47734
In the Linux kernel, the following vulnerability has been resolved: bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave() syzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce this[1], one bond device (bond1) has xdpdrv, which increases bpf_master_redirect_enabled_key. Another bond device (bond0) which is unsupported by XDP but its slave (veth3) has xdpgeneric that returns XDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect(). To reduce unnecessary warnings and improve log management, we need to delete the WARN_ON_ONCE() and add ratelimit to the netdev_err(). [1] Steps to reproduce: # Needs tx_xdp with return XDP_TX; ip l add veth0 type veth peer veth1 ip l add veth3 type veth peer veth4 ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default ip l set veth0 master bond1 ip l set bond1 up # Increases bpf_master_redirect_enabled_key ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx ip l set veth3 master bond0 ip l set bond0 up ip l set veth4 up # Triggers WARN_ON_ONCE() from the xdp_master_redirect() ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx
- https://git.kernel.org/stable/c/0cbfd45fbcf0cb26d85c981b91c62fe73cdee01c
- https://git.kernel.org/stable/c/57b5fba55c6f8b1d83312a34bd656166fcd95658
- https://git.kernel.org/stable/c/6b64197b4bf1a5703a8b105367baf20f1e627a75
- https://git.kernel.org/stable/c/72e2c0825a480e19ee999cee9d018850d38c82b9
- https://git.kernel.org/stable/c/c1be35e774f8ed415e01209fddd963c5a74e8e9f
- https://git.kernel.org/stable/c/ccd3e6ff05e5236d1b9535f23f3e6622e0bb32b8
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47735
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled Fix missuse of spin_lock_irq()/spin_unlock_irq() when spin_lock_irqsave()/spin_lock_irqrestore() was hold. This was discovered through the lock debugging, and the corresponding log is as follows: raw_local_irq_restore() called with IRQs enabled WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40 ... Call trace: warn_bogus_irq_restore+0x30/0x40 _raw_spin_unlock_irqrestore+0x84/0xc8 add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2] hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2] hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2] create_qp+0x138/0x258 ib_create_qp_kernel+0x50/0xe8 create_mad_qp+0xa8/0x128 ib_mad_port_open+0x218/0x448 ib_mad_init_device+0x70/0x1f8 add_client_context+0xfc/0x220 enable_device_and_get+0xd0/0x140 ib_register_device.part.0+0xf4/0x1c8 ib_register_device+0x34/0x50 hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2] hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2] __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2] hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]
- https://git.kernel.org/stable/c/07f0f643d7e570dbe8ef6f5c3367a43e3086a335
- https://git.kernel.org/stable/c/094a1821903f33fb91de4b71087773ee16aeb3a0
- https://git.kernel.org/stable/c/2656336a84fcb6802f6e6c233f4661891deea24f
- https://git.kernel.org/stable/c/29c0f546d3fd66238b42cf25bcd5f193bb1cf794
- https://git.kernel.org/stable/c/425589d4af09c49574bd71ac31f811362a5126c3
- https://git.kernel.org/stable/c/74d315b5af180220d561684d15897730135733a6
- https://git.kernel.org/stable/c/a1a3403bb1826c8ec787f0d60c3e7b54f419129e
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47737
In the Linux kernel, the following vulnerability has been resolved:
nfsd: call cache_put if xdr_reserve_space returns NULL
If not enough buffer space available, but idmap_lookup has triggered
lookup_fn which calls cache_get and returns successfully. Then we
missed to call cache_put here which pairs with cache_get.
Reviwed-by: Jeff Layton
- https://git.kernel.org/stable/c/3e8081ebff12bec1347deaceb6bce0765cce54df
- https://git.kernel.org/stable/c/81821617312988096f5deccf0f7da6f888e98056
- https://git.kernel.org/stable/c/8d0765f86135e27f0bb5c950c136495719b4c834
- https://git.kernel.org/stable/c/9803ab882d565a8fb2dde5999d98866d1c499dfd
- https://git.kernel.org/stable/c/9f03f0016ff797932551881c7e06ae50e9c39134
- https://git.kernel.org/stable/c/a1afbbb5276f943ad7173d0b4c626b8c75a260da
- https://git.kernel.org/stable/c/c6b16e700cf4d959af524bd9d3978407ff7ce462
- https://git.kernel.org/stable/c/d078cbf5c38de83bc31f83c47dcd2184c04a50c7
- https://git.kernel.org/stable/c/e32ee6a61041925d1a05c14d10352dcfce9ef029
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47738
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't use rate mask for offchannel TX either Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for scanning"), ignore incorrect settings to avoid no supported rate warning reported by syzbot. The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211: fix default HE tx bitrate mask in 2G band"), which however corrects bitmask of HE MCS and recognizes correctly settings of empty legacy rate plus HE MCS rate instead of returning -EINVAL. As suggestions [1], follow the change of SCAN TX to consider this case of offchannel TX as well. [1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024
- https://git.kernel.org/stable/c/3565ef215101ffadb5fe5394c70b1fca51376b25
- https://git.kernel.org/stable/c/43897111481b679508711d3ca881c4c6593e9247
- https://git.kernel.org/stable/c/aafca50e71dc8f3192a5bfb325135a7908f3ef9e
- https://git.kernel.org/stable/c/d54455a3a965feb547711aff7afd2ca5deadb99c
- https://git.kernel.org/stable/c/e7a7ef9a0742dbd0818d5b15fba2c5313ace765b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47739
In the Linux kernel, the following vulnerability has been resolved: padata: use integer wrap around to prevent deadlock on seq_nr overflow When submitting more than 2^32 padata objects to padata_do_serial, the current sorting implementation incorrectly sorts padata objects with overflowed seq_nr, causing them to be placed before existing objects in the reorder list. This leads to a deadlock in the serialization process as padata_find_next cannot match padata->seq_nr and pd->processed because the padata instance with overflowed seq_nr will be selected next. To fix this, we use an unsigned integer wrap around to correctly sort padata objects in scenarios with integer overflow.
- https://git.kernel.org/stable/c/1b8cf11b3ca593a8802a51802cd0c28c38501428
- https://git.kernel.org/stable/c/1bd712de96ad7167fe0d608e706cd60587579f16
- https://git.kernel.org/stable/c/46c4079460f4dcaf445860679558eedef4e1bc91
- https://git.kernel.org/stable/c/72164d5b648951684b1a593996b37a6083c61d7d
- https://git.kernel.org/stable/c/9a22b2812393d93d84358a760c347c21939029a6
- https://git.kernel.org/stable/c/9e279e6c1f012b82628b89e1b9c65dbefa8ca25a
- https://git.kernel.org/stable/c/ab205e1c3846326f162180e56825b4ba38ce9c30
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47740
In the Linux kernel, the following vulnerability has been resolved: f2fs: Require FMODE_WRITE for atomic write ioctls The F2FS ioctls for starting and committing atomic writes check for inode_owner_or_capable(), but this does not give LSMs like SELinux or Landlock an opportunity to deny the write access - if the caller's FSUID matches the inode's UID, inode_owner_or_capable() immediately returns true. There are scenarios where LSMs want to deny a process the ability to write particular files, even files that the FSUID of the process owns; but this can currently partially be bypassed using atomic write ioctls in two ways: - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can truncate an inode to size 0 - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert changes another process concurrently made to a file Fix it by requiring FMODE_WRITE for these operations, just like for F2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these ioctls when intending to write into the file, that seems unlikely to break anything.
- https://git.kernel.org/stable/c/000bab8753ae29a259feb339b99ee759795a48ac
- https://git.kernel.org/stable/c/32f348ecc149e9ca70a1c424ae8fa9b6919d2713
- https://git.kernel.org/stable/c/4583290898c13c2c2e5eb8773886d153c2c5121d
- https://git.kernel.org/stable/c/4ce87674c3a6b4d3b3d45f85b584ab8618a3cece
- https://git.kernel.org/stable/c/4f5a100f87f32cb65d4bb1ad282a08c92f6f591e
- https://git.kernel.org/stable/c/5e0de753bfe87768ebe6744d869caa92f35e5731
- https://git.kernel.org/stable/c/700f3a7c7fa5764c9f24bbf7c78e0b6e479fa653
- https://git.kernel.org/stable/c/88ff021e1fea2d9b40b2d5efd9013c89f7be04ac
- https://git.kernel.org/stable/c/f3bfac2cabf5333506b263bc0c8497c95302f32d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47742
In the Linux kernel, the following vulnerability has been resolved: firmware_loader: Block path traversal Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are: - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd() - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.) - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.) Fix it by rejecting any firmware names containing ".." path components. For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously.
- https://git.kernel.org/stable/c/28f1cd94d3f1092728fb775a0fe26c5f1ac2ebeb
- https://git.kernel.org/stable/c/3d2411f4edcb649eaf232160db459bb4770b5251
- https://git.kernel.org/stable/c/6c4e13fdfcab34811c3143a0a03c05fec4e870ec
- https://git.kernel.org/stable/c/7420c1bf7fc784e587b87329cc6dfa3dca537aa4
- https://git.kernel.org/stable/c/9b1ca33ebd05b3acef5b976c04e5e791af93ce1b
- https://git.kernel.org/stable/c/a77fc4acfd49fc6076e565445b2bc5fdc3244da4
- https://git.kernel.org/stable/c/c30558e6c5c9ad6c86459d9acce1520ceeab9ea6
- https://git.kernel.org/stable/c/d1768e5535d3ded59f888637016e6f821f4e069f
- https://git.kernel.org/stable/c/f0e5311aa8022107d63c54e2f03684ec097d1394
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47743
In the Linux kernel, the following vulnerability has been resolved: KEYS: prevent NULL pointer dereference in find_asymmetric_key() In find_asymmetric_key(), if all NULLs are passed in the id_{0,1,2} arguments, the kernel will first emit WARN but then have an oops because id_2 gets dereferenced anyway. Add the missing id_2 check and move WARN_ON() to the final else branch to avoid duplicate NULL checks. Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool.
- https://git.kernel.org/stable/c/0d3b0706ada15c333e6f9faf19590ff715e45d1e
- https://git.kernel.org/stable/c/13b5b401ead95b5d8266f64904086c55b6024900
- https://git.kernel.org/stable/c/3322fa8f2aa40b0b3651034cd541647a600cc6c0
- https://git.kernel.org/stable/c/70fd1966c93bf3bfe3fe6d753eb3d83a76597eef
- https://git.kernel.org/stable/c/a3765b497a4f5224cb2f7a6a2d3357d3066214ee
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47747
In the Linux kernel, the following vulnerability has been resolved: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ether3_ledoff ether3_remove | free_netdev(dev); | put_devic | kfree(dev); | | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); | // use dev Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove.
- https://git.kernel.org/stable/c/1c57d61a43293252ad732007c7070fdb112545fd
- https://git.kernel.org/stable/c/25d559ed2beec9b34045886100dac46d1ad92eba
- https://git.kernel.org/stable/c/338a0582b28e69460df03af50e938b86b4206353
- https://git.kernel.org/stable/c/516dbc6d16637430808c39568cbb6b841d32b55b
- https://git.kernel.org/stable/c/77a77331cef0a219b8dd91361435eeef04cb741c
- https://git.kernel.org/stable/c/822c7bb1f6f8b0331e8d1927151faf8db3b33afd
- https://git.kernel.org/stable/c/b5109b60ee4fcb2f2bb24f589575e10cc5283ad4
- https://git.kernel.org/stable/c/b5a84b6c772564c8359a9a0fbaeb2a2944aa1ee9
- https://git.kernel.org/stable/c/d2abc379071881798d20e2ac1d332ad855ae22f3
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47748
In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: assign irq bypass producer token correctly We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status(). Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set.
- https://git.kernel.org/stable/c/02e9e9366fefe461719da5d173385b6685f70319
- https://git.kernel.org/stable/c/0c170b1e918b9afac25e2bbd01eaa2bfc0ece8c0
- https://git.kernel.org/stable/c/7cf2fb51175cafe01df8c43fa15a06194a59c6e2
- https://git.kernel.org/stable/c/927a2580208e0f9b0b47b08f1c802b7233a7ba3c
- https://git.kernel.org/stable/c/ca64edd7ae93402af2596a952e0d94d545e2b9c0
- https://git.kernel.org/stable/c/ec5f1b54ceb23475049ada6e7a43452cf4df88d1
- https://git.kernel.org/stable/c/fae9b1776f53aab93ab345bdbf653b991aed717d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47749
In the Linux kernel, the following vulnerability has been resolved: RDMA/cxgb4: Added NULL check for lookup_atid The lookup_atid() function can return NULL if the ATID is invalid or does not exist in the identifier table, which could lead to dereferencing a null pointer without a check in the `act_establish()` and `act_open_rpl()` functions. Add a NULL check to prevent null pointer dereferencing. Found by Linux Verification Center (linuxtesting.org) with SVACE.
- https://git.kernel.org/stable/c/0d50ae281a1712b9b2ca72830a96b8f11882358d
- https://git.kernel.org/stable/c/39cb9f39913566ec5865581135f3e8123ad1aee1
- https://git.kernel.org/stable/c/4e1fe68d695af367506ea3c794c5969630f21697
- https://git.kernel.org/stable/c/54aaa3ed40972511e423b604324b881425b9ff1e
- https://git.kernel.org/stable/c/b11318dc8a1ec565300bb1a9073095af817cc508
- https://git.kernel.org/stable/c/b12e25d91c7f97958341538c7dc63ee49d01548f
- https://git.kernel.org/stable/c/b9c94c8ba5a713817cffd74c4bacc05187469624
- https://git.kernel.org/stable/c/dd598ac57dcae796cb58551074660c39b43fb155
- https://git.kernel.org/stable/c/e766e6a92410ca269161de059fff0843b8ddd65f
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47750
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 Currently rsv_qp is freed before ib_unregister_device() is called on HIP08. During the time interval, users can still dereg MR and rsv_qp will be used in this process, leading to a UAF. Move the release of rsv_qp after calling ib_unregister_device() to fix it.
- https://git.kernel.org/stable/c/2ccf1c75d39949d8ea043d04a2e92d7100ea723d
- https://git.kernel.org/stable/c/60595923371c2ebe7faf82536c47eb0c967e3425
- https://git.kernel.org/stable/c/d2d9c5127122745da6e887f451dd248cfeffca33
- https://git.kernel.org/stable/c/dac2723d8bfa9cf5333f477741e6e5fa1ed34645
- https://git.kernel.org/stable/c/fd8489294dd2beefb70f12ec4f6132aeec61a4d0
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47751
In the Linux kernel, the following vulnerability has been resolved: PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() Within kirin_pcie_parse_port(), the pcie->num_slots is compared to pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead to an overflow. Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move pcie->num_slots increment below the if-statement to avoid out-of-bounds array access. Found by Linux Verification Center (linuxtesting.org) with SVACE. [kwilczynski: commit log]
- https://git.kernel.org/stable/c/6dcc5b49d6607a741a14122bf3105f3ac50d259e
- https://git.kernel.org/stable/c/95248d7497bcbfe7deed4805469c6ff6ddd7f9d1
- https://git.kernel.org/stable/c/a5f795f9412854df28e66679c5e6b68b0b79c229
- https://git.kernel.org/stable/c/aeb0335971806e15ac91e838ca471936c8e7efd5
- https://git.kernel.org/stable/c/c500a86693a126c9393e602741e348f80f1b0fc5
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47756
In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Fix if-statement expression in ks_pcie_quirk() This code accidentally uses && where || was intended. It potentially results in a NULL dereference. Thus, fix the if-statement expression to use the correct condition. [kwilczynski: commit log]
- https://git.kernel.org/stable/c/2171c5cb2fbc3e03af7e8116cd58736c09328655
- https://git.kernel.org/stable/c/23838bef2adb714ec37b2d6141dccf4a3a70bdef
- https://git.kernel.org/stable/c/6188a1c762eb9bbd444f47696eda77a5eae6207a
- https://git.kernel.org/stable/c/72210e52e19a27f615e0b5273d2bf012d0dc318d
- https://git.kernel.org/stable/c/9c9afc3e75069fcfb067727973242cfbf00dd7eb
- https://git.kernel.org/stable/c/c289903b7a216df5ea6e1850ddf1b958eea9921d
- https://git.kernel.org/stable/c/dc5aeba07395c8dfa29bb878c8ce4d5180427221
- https://git.kernel.org/stable/c/e85ab507882db165c10a858d7f685a0a38f0312e
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47757
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential oob read in nilfs_btree_check_delete() The function nilfs_btree_check_delete(), which checks whether degeneration to direct mapping occurs before deleting a b-tree entry, causes memory access outside the block buffer when retrieving the maximum key if the root node has no entries. This does not usually happen because b-tree mappings with 0 child nodes are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen if the b-tree root node read from a device is configured that way, so fix this potential issue by adding a check for that case.
- https://git.kernel.org/stable/c/257f9e5185eb6de83377caea686c306e22e871f2
- https://git.kernel.org/stable/c/a33e967b681e088a125b979975c93e3453e686cd
- https://git.kernel.org/stable/c/a8abfda768b9f33630cfbc4af6c4214f1e5681b0
- https://git.kernel.org/stable/c/c4cbcc64bb31e67e02940ce060cc77f7180564cf
- https://git.kernel.org/stable/c/c4f8554996e8ada3be872dfb8f60e93bcf15fb27
- https://git.kernel.org/stable/c/d20674f31626e0596ae4c1d9401dfb6739b81b58
- https://git.kernel.org/stable/c/ed76d381dae125b81d09934e365391a656249da8
- https://git.kernel.org/stable/c/f3a9859767c7aea758976f5523903d247e585129
- https://git.kernel.org/stable/c/f9c96351aa6718b42a9f42eaf7adce0356bdb5e8
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49850
In the Linux kernel, the following vulnerability has been resolved: bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL referencing a non-existing BTF type, function bpf_core_calc_relo_insn would cause a null pointer deference. Fix this by adding a proper check upper in call stack, as malformed relocation records could be passed from user space. Simplest reproducer is a program: r0 = 0 exit With a single relocation record: .insn_off = 0, /* patch first instruction */ .type_id = 100500, /* this type id does not exist */ .access_str_off = 6, /* offset of string "0" */ .kind = BPF_CORE_TYPE_ID_LOCAL, See the link for original reproducer or next commit for a test case.
- https://git.kernel.org/stable/c/2288b54b96dcb55bedebcef3572bb8821fc5e708
- https://git.kernel.org/stable/c/3d2786d65aaa954ebd3fcc033ada433e10da21c4
- https://git.kernel.org/stable/c/584cd3ff792e1edbea20b2a7df55897159b0be3e
- https://git.kernel.org/stable/c/dc7ce14f00bcd50641f2110b7a32aa6552e0780f
- https://git.kernel.org/stable/c/e7e9c5b2dda29067332df2a85b0141a92b41f218
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49851
In the Linux kernel, the following vulnerability has been resolved: tpm: Clean up TPM space after command failure tpm_dev_transmit prepares the TPM space before attempting command transmission. However if the command fails no rollback of this preparation is done. This can result in transient handles being leaked if the device is subsequently closed with no further commands performed. Fix this by flushing the space in the event of command transmission failure.
- https://git.kernel.org/stable/c/2c9b228938e9266a1065a3f4fe5c99b7235dc439
- https://git.kernel.org/stable/c/3f9f72d843c92fb6f4ff7460d774413cde7f254c
- https://git.kernel.org/stable/c/82478cb8a23bd4f97935bbe60d64528c6d9918b4
- https://git.kernel.org/stable/c/87e8134c18977b566f4ec248c8a147244da69402
- https://git.kernel.org/stable/c/adf4ce162561222338cf2c9a2caa294527f7f721
- https://git.kernel.org/stable/c/c84ceb546f30432fccea4891163f7050f5bee5dd
- https://git.kernel.org/stable/c/e3aaebcbb7c6b403416f442d1de70d437ce313a7
- https://git.kernel.org/stable/c/ebc4e1f4492d114f9693950621b3ea42b2f82bec
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49852
In the Linux kernel, the following vulnerability has been resolved: scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del() The kref_put() function will call nport->release if the refcount drops to zero. The nport->release release function is _efc_nport_free() which frees "nport". But then we dereference "nport" on the next line which is a use after free. Re-order these lines to avoid the use after free.
- https://git.kernel.org/stable/c/16a570f07d870a285b0c0b0d1ca4dff79e8aa5ff
- https://git.kernel.org/stable/c/2e4b02fad094976763af08fec2c620f4f8edd9ae
- https://git.kernel.org/stable/c/7c2908985e4ae0ea1b526b3916de9e5351650908
- https://git.kernel.org/stable/c/98752fcd076a8cbc978016eae7125b4971be1eec
- https://git.kernel.org/stable/c/abc71e89170ed32ecf0a5a29f31aa711e143e941
- https://git.kernel.org/stable/c/baeb8628ab7f4577740f00e439d3fdf7c876b0ff
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49853
In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in OPTEE transport Channels can be shared between protocols, avoid freeing the same channel descriptors twice when unloading the stack.
- https://git.kernel.org/stable/c/6699567b0bbb378600a4dc0a1f929439a4e84a2c
- https://git.kernel.org/stable/c/aef6ae124bb3cc12e34430fed91fbb7efd7a444d
- https://git.kernel.org/stable/c/d7f4fc2bc101e666da649605a9ece2bd42529c7a
- https://git.kernel.org/stable/c/dc9543a4f2a5498a4a12d6d2427492a6f1a28056
- https://git.kernel.org/stable/c/e98dba934b2fc587eafb83f47ad64d9053b18ae0
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49854
In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for accessing waker_bfqq after splitting After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current procress is the last holder of bfqq, the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq may in the merge chain of bfqq, hence just recored waker_bfqq is still not safe. Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain, and current procress is the only holder.
- https://git.kernel.org/stable/c/0780451f03bf518bc032a7c584de8f92e2d39d7f
- https://git.kernel.org/stable/c/0b8bda0ff17156cd3f60944527c9d8c9f99f1583
- https://git.kernel.org/stable/c/1ba0403ac6447f2d63914fb760c44a3b19c44eaf
- https://git.kernel.org/stable/c/63a07379fdb6c72450cb05294461c6016b8b7726
- https://git.kernel.org/stable/c/cae58d19121a70329cf971359e2518c93fec04fe
- https://git.kernel.org/stable/c/de0456460f2abf921e356ed2bd8da87a376680bd
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49855
In the Linux kernel, the following vulnerability has been resolved: nbd: fix race between timeout and normal completion If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue.
- https://git.kernel.org/stable/c/5236ada8ebbd9e7461f17477357582f5be4f46f7
- https://git.kernel.org/stable/c/6e73b946a379a1dfbb62626af93843bdfb53753d
- https://git.kernel.org/stable/c/9a74c3e6c0d686c26ba2aab66d15ddb89dc139cc
- https://git.kernel.org/stable/c/9c25faf72d780a9c71081710cd48759d61ff6e9b
- https://git.kernel.org/stable/c/c9ea57c91f03bcad415e1a20113bdb2077bcf990
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49856
In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Fix deadlock in SGX NUMA node search When the current node doesn't have an EPC section configured by firmware and all other EPC sections are used up, CPU can get stuck inside the while loop that looks for an available EPC page from remote nodes indefinitely, leading to a soft lockup. Note how nid_of_current will never be equal to nid in that while loop because nid_of_current is not set in sgx_numa_mask. Also worth mentioning is that it's perfectly fine for the firmware not to setup an EPC section on a node. While setting up an EPC section on each node can enhance performance, it is not a requirement for functionality. Rework the loop to start and end on *a* node that has SGX memory. This avoids the deadlock looking for the current SGX-lacking node to show up in the loop when it never will.
- https://git.kernel.org/stable/c/0f89fb4042c08fd143bfc28af08bf6c8a0197eea
- https://git.kernel.org/stable/c/20c96d0aaabfe361fc2a11c173968dc67feadbbf
- https://git.kernel.org/stable/c/40fb64257dab507d86b5f1f2a62f3669ef0c91a8
- https://git.kernel.org/stable/c/8132510c915815e6b537ab937d94ed66893bc7b8
- https://git.kernel.org/stable/c/9c936844010466535bd46ea4ce4656ef17653644
- https://git.kernel.org/stable/c/fb2d057539eda67ec7cfc369bf587e6518a9b99d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49858
In the Linux kernel, the following vulnerability has been resolved: efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption The TPM event log table is a Linux specific construct, where the data produced by the GetEventLog() boot service is cached in memory, and passed on to the OS using an EFI configuration table. The use of EFI_LOADER_DATA here results in the region being left unreserved in the E820 memory map constructed by the EFI stub, and this is the memory description that is passed on to the incoming kernel by kexec, which is therefore unaware that the region should be reserved. Even though the utility of the TPM2 event log after a kexec is questionable, any corruption might send the parsing code off into the weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY instead, which is always treated as reserved by the E820 conversion logic.
- https://git.kernel.org/stable/c/11690d7e76842f29b60fbb5b35bc97d206ea0e83
- https://git.kernel.org/stable/c/19fd2f2c5fb36b61506d3208474bfd8fdf1cada3
- https://git.kernel.org/stable/c/2e6871a632a99d9b9e2ce3a7847acabe99e5a26e
- https://git.kernel.org/stable/c/38d9b07d99b789efb6d8dda21f1aaad636c38993
- https://git.kernel.org/stable/c/5b22c038fb2757c652642933de5664da471f8cb7
- https://git.kernel.org/stable/c/77d48d39e99170b528e4f2e9fc5d1d64cdedd386
- https://git.kernel.org/stable/c/f76b69ab9cf04358266e3cea5748c0c2791fbb08
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49859
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to check atomic_file in f2fs ioctl interfaces Some f2fs ioctl interfaces like f2fs_ioc_set_pin_file(), f2fs_move_file_range(), and f2fs_defragment_range() missed to check atomic_write status, which may cause potential race issue, fix it.
- https://git.kernel.org/stable/c/10569b682ebe9c75ef06ddd322ae844e9be6374b
- https://git.kernel.org/stable/c/26b07bd2e1f124b0e430c8d250023f7205c549c3
- https://git.kernel.org/stable/c/7cb51731f24b216b0b87942f519f2c67a17107ee
- https://git.kernel.org/stable/c/bfe5c02654261bfb8bd9cb174a67f3279ea99e58
- https://git.kernel.org/stable/c/d6f08c88047accc6127dddb6798a3ff11321539d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49860
In the Linux kernel, the following vulnerability has been resolved: ACPI: sysfs: validate return type of _STR method Only buffer objects are valid return values of _STR. If something else is returned description_show() will access invalid memory.
- https://git.kernel.org/stable/c/0cdfb9178a3bba843c95c2117c82c15f1a64b9ce
- https://git.kernel.org/stable/c/2364b6af90c6b6d8a4783e0d3481ca80af699554
- https://git.kernel.org/stable/c/4b081991c4363e072e1748efed0bbec8a77daba5
- https://git.kernel.org/stable/c/4bb1e7d027413835b086aed35bc3f0713bc0f72b
- https://git.kernel.org/stable/c/5c8d007c14aefc3f2ddf71e4c40713733dc827be
- https://git.kernel.org/stable/c/92fd5209fc014405f63a7db79802ca4b01dc0c05
- https://git.kernel.org/stable/c/f0921ecd4ddc14646bb5511f49db4d7d3b0829f0
- https://git.kernel.org/stable/c/f51e5a88f2e7224858b261546cf6b3037dfb1323
- https://git.kernel.org/stable/c/f51f711d36e61fbb87c67b524fd200e05172668d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49863
In the Linux kernel, the following vulnerability has been resolved:
vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()
Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code
from control queue handler") a null pointer dereference bug can be
triggered when guest sends an SCSI AN request.
In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with
`&v_req.tmf.lun[1]` within a switch-case block and is then passed to
vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for
a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is
set to NULL in this branch. Later, in vhost_scsi_get_req(),
`vc->target` is dereferenced without being checked, leading to a null
pointer dereference bug. This bug can be triggered from guest.
When this bug occurs, the vhost_worker process is killed while holding
`vq->mutex` and the corresponding tpg will remain occupied
indefinitely.
Below is the KASAN report:
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vhost_scsi_get_req+0x165/0x3a0
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00
48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6
04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00
RSP: 0018:ffff888017affb50 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8
RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000
FS: 000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0
Call Trace:
- https://git.kernel.org/stable/c/00fb5b23e1c9cdbe496f5cd6b40367cb895f6c93
- https://git.kernel.org/stable/c/221af82f606d928ccef19a16d35633c63026f1be
- https://git.kernel.org/stable/c/25613e6d9841a1f9fb985be90df921fa99f800de
- https://git.kernel.org/stable/c/46128370a72c431df733af5ebb065c4d48c9ad39
- https://git.kernel.org/stable/c/61517f33e76d2c5247c1e61e668693afe5b67e6f
- https://git.kernel.org/stable/c/6592347f06e2b19a624270a85ad4b3ae48c3b241
- https://git.kernel.org/stable/c/ace9c778a214da9c98d7b69d904d1b0816f4f681
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49866
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Fix a race during cpuhp processing
There is another found exception that the "timerlat/1" thread was
scheduled on CPU0, and lead to timer corruption finally:
```
ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220
WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0
Modules linked in:
CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
- https://git.kernel.org/stable/c/322920b53dc11f9c2b33397eb3ae5bc6a175b60d
- https://git.kernel.org/stable/c/829e0c9f0855f26b3ae830d17b24aec103f7e915
- https://git.kernel.org/stable/c/a0d9c0cd5856191e095cf43a2e141b73945b7716
- https://git.kernel.org/stable/c/a6e9849063a6c8f4cb2f652a437e44e3ed24356c
- https://git.kernel.org/stable/c/ce25f33ba89d6eefef64157655d318444580fa14
- https://git.kernel.org/stable/c/f72b451dc75578f644a3019c1489e9ae2c14e6c4
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2026-01-05
CVE-2024-49867
In the Linux kernel, the following vulnerability has been resolved:
btrfs: wait for fixup workers before stopping cleaner kthread during umount
During unmount, at close_ctree(), we have the following steps in this order:
1) Park the cleaner kthread - this doesn't destroy the kthread, it basically
halts its execution (wake ups against it work but do nothing);
2) We stop the cleaner kthread - this results in freeing the respective
struct task_struct;
3) We call btrfs_stop_all_workers() which waits for any jobs running in all
the work queues and then free the work queues.
Syzbot reported a case where a fixup worker resulted in a crash when doing
a delayed iput on its inode while attempting to wake up the cleaner at
btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread
was already freed. This can happen during unmount because we don't wait
for any fixup workers still running before we call kthread_stop() against
the cleaner kthread, which stops and free all its resources.
Fix this by waiting for any fixup workers at close_ctree() before we call
kthread_stop() against the cleaner and run pending delayed iputs.
The stack traces reported by syzbot were the following:
BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-fixup btrfs_work_helper
Call Trace:
- https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576
- https://git.kernel.org/stable/c/4c98fe0dfa2ae83c4631699695506d8941db4bfe
- https://git.kernel.org/stable/c/65d11eb276836d49003a8060cf31fa2284ad1047
- https://git.kernel.org/stable/c/70b60c8d9b42763d6629e44f448aa5d8ae477d61
- https://git.kernel.org/stable/c/9da40aea63f8769f28afb91aea0fac4cf6fbbb65
- https://git.kernel.org/stable/c/a71349b692ab34ea197949e13e3cc42570fe73d9
- https://git.kernel.org/stable/c/bf0de0f9a0544c11f96f93206da04ab87dcea1f4
- https://git.kernel.org/stable/c/ed87190e9d9c80aad220fb6b0b03a84d22e2c95b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49868
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
[BUG]
Syzbot reported a NULL pointer dereference with the following crash:
FAULT_INJECTION: forcing a failure.
start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676
prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642
relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678
...
BTRFS info (device loop0): balance: ended with status: -12
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]
RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926
Call Trace:
- https://git.kernel.org/stable/c/1282f001cbf56e5dd6e90a18e205a566793f4be0
- https://git.kernel.org/stable/c/37fee9c220b92c3b7bf22b51c51dde5364e7590b
- https://git.kernel.org/stable/c/39356ec0e319ed07627b3a0f402d0608546509e6
- https://git.kernel.org/stable/c/7ad0c5868f2f0418619089513d95230c66cb7eb4
- https://git.kernel.org/stable/c/c3b47f49e83197e8dffd023ec568403bcdbb774b
- https://git.kernel.org/stable/c/d13249c0df7aab885acb149695f82c54c0822a70
- https://git.kernel.org/stable/c/d73d48acf36f57362df7e4f9d76568168bf5e944
- https://git.kernel.org/stable/c/dc02c1440705e3451abd1c2c8114a5c1bb188e9f
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49870
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix dentry leak in cachefiles_open_file()
A dentry leak may be caused when a lookup cookie and a cull are concurrent:
P1 | P2
-----------------------------------------------------------
cachefiles_lookup_cookie
cachefiles_look_up_object
lookup_one_positive_unlocked
// get dentry
cachefiles_cull
inode->i_flags |= S_KERNEL_FILE;
cachefiles_open_file
cachefiles_mark_inode_in_use
__cachefiles_mark_inode_in_use
can_use = false
if (!(inode->i_flags & S_KERNEL_FILE))
can_use = true
return false
return false
// Returns an error but doesn't put dentry
After that the following WARNING will be triggered when the backend folder
is umounted:
==================================================================
BUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img} still in use (1) [unmount of ext4 sda]
WARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70
CPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25
RIP: 0010:umount_check+0x5d/0x70
Call Trace:
- https://git.kernel.org/stable/c/7fa2382f97421978514a419c93054eca69f5247b
- https://git.kernel.org/stable/c/c7d10fa7d7691558ff967668494672415f5fa151
- https://git.kernel.org/stable/c/d32ff64c872d7e08e893c32ba6a2374583444410
- https://git.kernel.org/stable/c/da6ef2dffe6056aad3435e6cf7c6471c2a62187c
- https://git.kernel.org/stable/c/e4a28489b310339b2b8187bec0a437709be551c1
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49871
In the Linux kernel, the following vulnerability has been resolved: Input: adp5589-keys - fix NULL pointer dereference We register a devm action to call adp5589_clear_config() and then pass the i2c client as argument so that we can call i2c_get_clientdata() in order to get our device object. However, i2c_set_clientdata() is only being set at the end of the probe function which means that we'll get a NULL pointer dereference in case the probe function fails early.
- https://git.kernel.org/stable/c/122b160561f6429701a0559a0f39b0ae309488c6
- https://git.kernel.org/stable/c/34e304cc53ae5d3c8e3f08b41dd11e0d4f3e01ed
- https://git.kernel.org/stable/c/4449fedb8a710043fc0925409eba844c192d4337
- https://git.kernel.org/stable/c/7c3f04223aaf82489472d614c6decee5a1ce8d7f
- https://git.kernel.org/stable/c/9a38791ee79bd17d225c15a6d1479448be127a59
- https://git.kernel.org/stable/c/fb5cc65f973661241e4a2b7390b429aa7b330c69
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49875
In the Linux kernel, the following vulnerability has been resolved: nfsd: map the EBADMSG to nfserr_io to avoid warning Ext4 will throw -EBADMSG through ext4_readdir when a checksum error occurs, resulting in the following WARNING. Fix it by mapping EBADMSG to nfserr_io. nfsd_buffered_readdir iterate_dir // -EBADMSG -74 ext4_readdir // .iterate_shared ext4_dx_readdir ext4_htree_fill_tree htree_dirblock_to_tree ext4_read_dirblock __ext4_read_dirblock ext4_dirblock_csum_verify warn_no_space_for_csum __warn_no_space_for_csum return ERR_PTR(-EFSBADCRC) // -EBADMSG -74 nfserrno // WARNING [ 161.115610] ------------[ cut here ]------------ [ 161.116465] nfsd: non-standard errno: -74 [ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0 [ 161.118596] Modules linked in: [ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138 [ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe mu.org 04/01/2014 [ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0 [ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33 [ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286 [ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a [ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827 [ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021 [ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8 [ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000 [ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0 [ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 161.141519] PKRU: 55555554 [ 161.142076] Call Trace: [ 161.142575] ? __warn+0x9b/0x140 [ 161.143229] ? nfserrno+0x9d/0xd0 [ 161.143872] ? report_bug+0x125/0x150 [ 161.144595] ? handle_bug+0x41/0x90 [ 161.145284] ? exc_invalid_op+0x14/0x70 [ 161.146009] ? asm_exc_invalid_op+0x12/0x20 [ 161.146816] ? nfserrno+0x9d/0xd0 [ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0 [ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380 [ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0 [ 161.150093] ? wait_for_concurrent_writes+0x170/0x170 [ 161.151004] ? generic_file_llseek_size+0x48/0x160 [ 161.151895] nfsd_readdir+0x132/0x190 [ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380 [ 161.153516] ? nfsd_unlink+0x380/0x380 [ 161.154256] ? override_creds+0x45/0x60 [ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0 [ 161.155850] ? nfsd4_encode_readlink+0x210/0x210 [ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0 [ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0 [ 161.158494] ? lock_downgrade+0x90/0x90 [ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10 [ 161.160092] nfsd4_encode_operation+0x15a/0x440 [ 161.160959] nfsd4_proc_compound+0x718/0xe90 [ 161.161818] nfsd_dispatch+0x18e/0x2c0 [ 161.162586] svc_process_common+0x786/0xc50 [ 161.163403] ? nfsd_svc+0x380/0x380 [ 161.164137] ? svc_printk+0x160/0x160 [ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380 [ 161.165808] ? nfsd_svc+0x380/0x380 [ 161.166523] ? rcu_is_watching+0x23/0x40 [ 161.167309] svc_process+0x1a5/0x200 [ 161.168019] nfsd+0x1f5/0x380 [ 161.168663] ? nfsd_shutdown_threads+0x260/0x260 [ 161.169554] kthread+0x1c4/0x210 [ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80 [ 161.171246] ret_from_fork+0x1f/0x30
- https://git.kernel.org/stable/c/0ea4333c679f333e23956de743ad17387819d3f2
- https://git.kernel.org/stable/c/340e61e44c1d2a15c42ec72ade9195ad525fd048
- https://git.kernel.org/stable/c/6fe058502f8864649c3d614b06b2235223798f48
- https://git.kernel.org/stable/c/825789ca94602543101045ad3aad19b2b60c6b2a
- https://git.kernel.org/stable/c/c76005adfa93d1a027433331252422078750321f
- https://git.kernel.org/stable/c/e9cfecca22a36b927a440abc6307efb9e138fed5
- https://git.kernel.org/stable/c/f7d8ee9db94372b8235f5f22bb24381891594c42
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49877
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if bh is NULL.
- https://git.kernel.org/stable/c/01cb2e751cc61ade454c9bc1aaa2eac1f8197112
- https://git.kernel.org/stable/c/190d98bcd61117a78fe185222d162180f061a6ca
- https://git.kernel.org/stable/c/33b525cef4cff49e216e4133cc48452e11c0391e
- https://git.kernel.org/stable/c/46b1edf0536a5291a8ad2337f88c926214b209d9
- https://git.kernel.org/stable/c/4846e72ab5a0726e49ad4188b9d9df091ae78c64
- https://git.kernel.org/stable/c/61b84013e560382cbe7dd56758be3154d43a3988
- https://git.kernel.org/stable/c/d52c5652e7dcb7a0648bbb8642cc3e617070ab49
- https://git.kernel.org/stable/c/df944dc46d06af65a75191183d52be017e6b9dbe
- https://git.kernel.org/stable/c/e68c8323355e8cedfbe0bec7d5a39009f61640b6
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49878
In the Linux kernel, the following vulnerability has been resolved: resource: fix region_intersects() vs add_memory_driver_managed() On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows. 490000000-50fffffff : CXL Window 0 490000000-50fffffff : region0 490000000-50fffffff : dax0.0 490000000-50fffffff : System RAM (kmem) Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL Window X". This confuses region_intersects(), which expects all "System RAM" resources to be at the top level of iomem_resource. This can lead to bugs. For example, when the following command line is executed to write some memory in CXL memory range via /dev/mem, $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1 dd: error writing '/dev/mem': Bad address 1+0 records in 0+0 records out 0 bytes copied, 0.0283507 s, 0.0 kB/s the command fails as expected. However, the error code is wrong. It should be "Operation not permitted" instead of "Bad address". More seriously, the /dev/mem permission checking in devmem_is_allowed() passes incorrectly. Although the accessing is prevented later because ioremap() isn't allowed to map system RAM, it is a potential security issue. During command executing, the following warning is reported in the kernel log for calling ioremap() on system RAM. ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d Call Trace: memremap+0xcb/0x184 xlate_dev_mem_ptr+0x25/0x2f write_mem+0x94/0xfb vfs_write+0x128/0x26d ksys_write+0xac/0xfe do_syscall_64+0x9a/0xfd entry_SYSCALL_64_after_hwframe+0x4b/0x53 The details of command execution process are as follows. In the above resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a top level resource. So, region_intersects() will report no System RAM resources in the CXL memory region incorrectly, because it only checks the top level resources. Consequently, devmem_is_allowed() will return 1 (allow access via /dev/mem) for CXL memory region incorrectly. Fortunately, ioremap() doesn't allow to map System RAM and reject the access. So, region_intersects() needs to be fixed to work correctly with the resource tree with "System RAM" not at top level as above. To fix it, if we found a unmatched resource in the top level, we will continue to search matched resources in its descendant resources. So, we will not miss any matched resources in resource tree anymore. In the new implementation, an example resource tree |------------- "CXL Window 0" ------------| |-- "System RAM" --| will behave similar as the following fake resource tree for region_intersects(, IORESOURCE_SYSTEM_RAM, ), |-- "System RAM" --||-- "CXL Window 0a" --| Where "CXL Window 0a" is part of the original "CXL Window 0" that isn't covered by "System RAM".
- https://git.kernel.org/stable/c/06ff97a20b8c9e9d256b0d2c3e87f78f8ccea3de
- https://git.kernel.org/stable/c/1d5f85f1b7db79c75c9e07d6571ce2a7bdf725c4
- https://git.kernel.org/stable/c/333fbaf6864a4ca031367eb947961a1f3484d337
- https://git.kernel.org/stable/c/393331e16ce205e036e58b3d8ca4ee2e635f21d9
- https://git.kernel.org/stable/c/4b90d2eb451b357681063ba4552b10b39d7ad885
- https://git.kernel.org/stable/c/8a6fef7d22a1d952aed68584d3fcc0d018d2bdc3
- https://git.kernel.org/stable/c/927abc5b7d6d2c2e936bec5a2f71d9512c5e72f7
- https://git.kernel.org/stable/c/b4afe4183ec77f230851ea139d91e5cf2644c68b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49879
In the Linux kernel, the following vulnerability has been resolved: drm: omapdrm: Add missing check for alloc_ordered_workqueue As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue.
- https://git.kernel.org/stable/c/0d71916694aceb207fefecf62dfa811ec1108bbd
- https://git.kernel.org/stable/c/2bda89735199683b03f55b807bd1e31a3857520b
- https://git.kernel.org/stable/c/334de68eda2b99892ba869c15cb59bc956fd9f42
- https://git.kernel.org/stable/c/b57b53e8ffcdfda87d954fc4187426a54fe75a3d
- https://git.kernel.org/stable/c/c17a4f52fa3c3dac2dd6a3c38f2de7342d97d74c
- https://git.kernel.org/stable/c/e60b0d3b5aa2e8d934deca9e11215af84e632bc9
- https://git.kernel.org/stable/c/e794b7b9b92977365c693760a259f8eef940c536
- https://git.kernel.org/stable/c/f37a1d9e5e22d5489309c3cd2db476dcdcc6530c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49881
In the Linux kernel, the following vulnerability has been resolved:
ext4: update orig_path in ext4_find_extent()
In ext4_find_extent(), if the path is not big enough, we free it and set
*orig_path to NULL. But after reallocating and successfully initializing
the path, we don't update *orig_path, in which case the caller gets a
valid path but a NULL ppath, and this may cause a NULL pointer dereference
or a path memory leak. For example:
ext4_split_extent
path = *ppath = 2000
ext4_find_extent
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*orig_path = path = NULL;
path = kcalloc() = 3000
ext4_split_extent_at(*ppath = NULL)
path = *ppath;
ex = path[depth].p_ext;
// NULL pointer dereference!
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
RIP: 0010:ext4_split_extent_at+0x6d/0x560
Call Trace:
- https://git.kernel.org/stable/c/11b230100d6801c014fab2afabc8bdea304c1b96
- https://git.kernel.org/stable/c/5b4b2dcace35f618fe361a87bae6f0d13af31bc1
- https://git.kernel.org/stable/c/6766937d0327000ac1b87c97bbecdd28b0dd6599
- https://git.kernel.org/stable/c/6801ed1298204d16a38571091e31178bfdc3c679
- https://git.kernel.org/stable/c/a9fcb1717d75061d3653ed69365c8d45331815cd
- https://git.kernel.org/stable/c/b63481b3a388ee2df9e295f97273226140422a42
- https://git.kernel.org/stable/c/ec0c0beb9b777cdd1edd7df9b36e0f3e67e2bdff
- https://git.kernel.org/stable/c/f55ecc58d07a6c1f6d6d5b5af125c25f8da0bda2
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49882
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix double brelse() the buffer of the extents path
In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been
released, otherwise it may be released twice. An example of what triggers
this is as follows:
split2 map split1
|--------|-------|--------|
ext4_ext_map_blocks
ext4_ext_handle_unwritten_extents
ext4_split_convert_extents
// path->p_depth == 0
ext4_split_extent
// 1. do split1
ext4_split_extent_at
|ext4_ext_insert_extent
| ext4_ext_create_new_leaf
| ext4_ext_grow_indepth
| le16_add_cpu(&neh->eh_depth, 1)
| ext4_find_extent
| // return -ENOMEM
|// get error and try zeroout
|path = ext4_find_extent
| path->p_depth = 1
|ext4_ext_try_to_merge
| ext4_ext_try_to_merge_up
| path->p_depth = 0
| brelse(path[1].p_bh) ---> not set to NULL here
|// zeroout success
// 2. update path
ext4_find_extent
// 3. do split2
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
ext4_ext_grow_indepth
le16_add_cpu(&neh->eh_depth, 1)
ext4_find_extent
path[0].p_bh = NULL;
path->p_depth = 1
read_extent_tree_block ---> return err
// path[1].p_bh is still the old value
ext4_free_ext_path
ext4_ext_drop_refs
// path->p_depth == 1
brelse(path[1].p_bh) ---> brelse a buffer twice
Finally got the following WARRNING when removing the buffer from lru:
============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:__brelse+0x58/0x90
Call Trace:
- https://git.kernel.org/stable/c/230ee0535d01478bad9a3037292043f39b9be10b
- https://git.kernel.org/stable/c/32bbb59e3f18facd7201bef110010bf35819b8c3
- https://git.kernel.org/stable/c/68a69cf60660c73990c1875f94a5551600b04775
- https://git.kernel.org/stable/c/7633407ca4ab8be2916ab214eb44ccebc6a50e1a
- https://git.kernel.org/stable/c/78bbc3d15b6f443acb26e94418c445bac940d414
- https://git.kernel.org/stable/c/b6c29c8f3d7cb67b505f3b2f6c242d52298d1f2e
- https://git.kernel.org/stable/c/d4574bda63906bf69660e001470bfe1a0ac524ae
- https://git.kernel.org/stable/c/dcaa6c31134c0f515600111c38ed7750003e1b9c
- https://git.kernel.org/stable/c/f9fd47c9d9548f9e47fa60098eab99dde175401d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49883
In the Linux kernel, the following vulnerability has been resolved:
ext4: aovid use-after-free in ext4_ext_insert_extent()
As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is
reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and
cause UAF. Below is a sample trace with dummy values:
ext4_ext_insert_extent
path = *ppath = 2000
ext4_ext_create_new_leaf(ppath)
ext4_find_extent(ppath)
path = *ppath = 2000
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*ppath = path = NULL;
path = kcalloc() = 3000
*ppath = 3000;
return path;
/* here path is still 2000, UAF! */
eh = path[depth].p_hdr
==================================================================
BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330
Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179
CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866
Call Trace:
- https://git.kernel.org/stable/c/51db04892a993cace63415be99848970a0f15ef2
- https://git.kernel.org/stable/c/5e811066c5ab709b070659197dccfb80ab650ddd
- https://git.kernel.org/stable/c/8162ee5d94b8c0351be0a9321be134872a7654a1
- https://git.kernel.org/stable/c/975ca06f3fd154c5f7742083e7b2574c57d1c0c3
- https://git.kernel.org/stable/c/9df59009dfc6d9fc1bd9ddf6c5ab6e56d6ed887a
- https://git.kernel.org/stable/c/a164f3a432aae62ca23d03e6d926b122ee5b860d
- https://git.kernel.org/stable/c/beb7b66fb489041c50c6473100b383f7a51648fc
- https://git.kernel.org/stable/c/bfed082ce4b1ce6349b05c09a0fa4f3da35ecb1b
- https://git.kernel.org/stable/c/e17ebe4fdd7665c93ae9459ba40fcdfb76769ac1
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49884
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix slab-use-after-free in ext4_split_extent_at()
We hit the following use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
Call Trace:
- https://git.kernel.org/stable/c/393a46f60ea4f249dc9d496d4eb2d542f5e11ade
- https://git.kernel.org/stable/c/448100a29395b0c8b4c42967155849fe0fbe808f
- https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238
- https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3
- https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18
- https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9
- https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f
- https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe
- https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49886
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".
kasan report:
[ 19.411889] ==================================================================
[ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[ 19.417368]
[ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10
[ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[ 19.422687] Call Trace:
[ 19.424091]
- https://git.kernel.org/stable/c/1973c4d8ee0782a808303d75e3be9c12baaacd97
- https://git.kernel.org/stable/c/7d59ac07ccb58f8f604f8057db63b8efcebeb3de
- https://git.kernel.org/stable/c/8176d4878ed2af5d93ddd0e971e24c412124d38b
- https://git.kernel.org/stable/c/afa7f78d9a907cfded6c98c91aae2bf7b3b56e51
- https://git.kernel.org/stable/c/cdd03afcb6eda3103da5a0948d3db12372f62910
- https://git.kernel.org/stable/c/cebc705b097d5c16469b141a25e840161d1c517a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49889
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid use-after-free in ext4_ext_show_leaf() In ext4_find_extent(), path may be freed by error or be reallocated, so using a previously saved *ppath may have been freed and thus may trigger use-after-free, as follows: ext4_split_extent path = *ppath; ext4_split_extent_at(ppath) path = ext4_find_extent(ppath) ext4_split_extent_at(ppath) // ext4_find_extent fails to free path // but zeroout succeeds ext4_ext_show_leaf(inode, path) eh = path[depth].p_hdr // path use-after-free !!! Similar to ext4_split_extent_at(), we use *ppath directly as an input to ext4_ext_show_leaf(). Fix a spelling error by the way. Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly. This issue is triggered only when EXT_DEBUG is defined and therefore does not affect functionality.
- https://git.kernel.org/stable/c/2eba3b0cc5b8de624918d21f32b5b8db59a90b39
- https://git.kernel.org/stable/c/34b2096380ba475771971a778a478661a791aa15
- https://git.kernel.org/stable/c/4999fed877bb64e3e7f9ab9996de2ca983c41928
- https://git.kernel.org/stable/c/4e2524ba2ca5f54bdbb9e5153bea00421ef653f5
- https://git.kernel.org/stable/c/8b114f2cc7dd5d36729d040b68432fbd0f0a8868
- https://git.kernel.org/stable/c/b0cb4561fc4284d04e69c8a66c8504928ab2484e
- https://git.kernel.org/stable/c/d483c7cc1796bd6a80e7b3a8fd494996260f6b67
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49890
In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: ensure the fw_info is not null before using it This resolves the dereference null return value warning reported by Coverity.
- https://git.kernel.org/stable/c/016bf0294b401246471c6710c6bf9251616228b6
- https://git.kernel.org/stable/c/186fb12e7a7b038c2710ceb2fb74068f1b5d55a4
- https://git.kernel.org/stable/c/29f388945770bd0a6c82711436b2bc98b0dfac92
- https://git.kernel.org/stable/c/8adf4408d482faa51b2c14e60bfd9946ec1911a4
- https://git.kernel.org/stable/c/9550d8d6f19fac7623f044ae8d9503825b325497
- https://git.kernel.org/stable/c/b511474f49588cdca355ebfce54e7eddbf7b75a5
- https://git.kernel.org/stable/c/fd5f4ac1a986f0e7e9fa019201b5890554f87bcf
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49892
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize get_bytes_per_element's default to 1 Variables, used as denominators and maybe not assigned to other values, should not be 0. bytes_per_element_y & bytes_per_element_c are initialized by get_bytes_per_element() which should never return 0. This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.
- https://git.kernel.org/stable/c/1f9f8186e239222f1c8d3dd73bf3bc6ae86c5e76
- https://git.kernel.org/stable/c/3334ab72cbba55a632f24579cd47c4a4e5e69cda
- https://git.kernel.org/stable/c/4067f4fa0423a89fb19a30b57231b384d77d2610
- https://git.kernel.org/stable/c/8f0abb39c16e719129de10596b3ae3363fa178b4
- https://git.kernel.org/stable/c/a23d6029e730f8a151b1a34afb169baac1274583
- https://git.kernel.org/stable/c/bc00d211da4ffad5314a2043b50bdc8ff8a33724
- https://git.kernel.org/stable/c/c7630935d9a4986e8c0ed91658a781b7a77d73f7
- https://git.kernel.org/stable/c/f921335123f6620c3dce5c96fbb95f18524a021c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49894
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in degamma hardware format translation Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
- https://git.kernel.org/stable/c/07078fa5d589a7fbce8f81ea8acf7aa0021ab38e
- https://git.kernel.org/stable/c/122e3a7a8c7bcbe3aacddd6103f67f9f36bed473
- https://git.kernel.org/stable/c/2495c8e272d84685403506833a664fad932e453a
- https://git.kernel.org/stable/c/2f5da549535be8ccd2ab7c9abac8562ad370b181
- https://git.kernel.org/stable/c/b3dfa878257a7e98830b3009ca5831a01d8f85fc
- https://git.kernel.org/stable/c/b7e99058eb2e86aabd7a10761e76cae33d22b49f
- https://git.kernel.org/stable/c/c130a3c09e3746c1a09ce26c20d21d449d039b1d
- https://git.kernel.org/stable/c/c6979719012a90e5b8e3bc31725fbfdd0b9b2b79
- https://git.kernel.org/stable/c/f5f6d90087131812c1e4b9d3103f400f1624396d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49895
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
- https://git.kernel.org/stable/c/0d38a0751143afc03faef02d55d31f70374ff843
- https://git.kernel.org/stable/c/ad89f83343a501890cf082c8a584e96b59fe4015
- https://git.kernel.org/stable/c/bc50b614d59990747dd5aeced9ec22f9258991ff
- https://git.kernel.org/stable/c/c4fdc2d6fea129684b82bab90bb52fbace494a58
- https://git.kernel.org/stable/c/de6ee4f9e6b1c36b4fdc7c345c1a6de9e246093e
- https://git.kernel.org/stable/c/f3ccd855b4395ce65f10dd37847167f52e122b70
- https://git.kernel.org/stable/c/f5c3d306de91a4b69cfe3eedb72b42d452593e42
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49896
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check stream before comparing them [WHAT & HOW] amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is necessary to check for null before dereferencing them. This fixes 1 FORWARD_NULL issue reported by Coverity.
- https://git.kernel.org/stable/c/0167d570f6a0b38689c4a0e50bf79c518d827500
- https://git.kernel.org/stable/c/14db8692afe1aa2143b673856bb603713d8ea93f
- https://git.kernel.org/stable/c/35ff747c86767937ee1e0ca987545b7eed7a0810
- https://git.kernel.org/stable/c/3944d226f55235a960d8f1135927f95e9801be12
- https://git.kernel.org/stable/c/42d31a33643813cce55ee1ebbad3a2d0d24a08e0
- https://git.kernel.org/stable/c/471c53350ab83e47a2a117c2738ce0363785976e
- https://git.kernel.org/stable/c/5b4b13e678b15975055f4ff1ce4cf0ce4c19b6c4
- https://git.kernel.org/stable/c/e41a291e1bef1153bba091b6580ecc7affc53c82
- https://git.kernel.org/stable/c/e8da54b7f8a17e44e67ea6d1037f35450af28115
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49900
In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uninit-value access of new_ea in ea_buffer syzbot reports that lzo1x_1_do_compress is using uninit-value: ===================================================== BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178 ... Uninit was stored to memory at: ea_put fs/jfs/xattr.c:639 [inline] ... Local variable ea_buf created at: __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662 __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934 ===================================================== The reason is ea_buf->new_ea is not initialized properly. Fix this by using memset to empty its content at the beginning in ea_get().
- https://git.kernel.org/stable/c/2b59ffad47db1c46af25ccad157bb3b25147c35c
- https://git.kernel.org/stable/c/6041536d18c5f51a84bc37cd568cbab61870031e
- https://git.kernel.org/stable/c/7b24d41d47a6805c45378debf8bd115675d41da8
- https://git.kernel.org/stable/c/7c244d5b48284a770d96ff703df2dfeadf804a73
- https://git.kernel.org/stable/c/8ad8b531de79c348bcb8133e7f5e827b884226af
- https://git.kernel.org/stable/c/8b1dcf25c26d42e4a68c4725ce52a0543c7878cc
- https://git.kernel.org/stable/c/c076b3746224982eebdba5c9e4b1467e146c0d64
- https://git.kernel.org/stable/c/d7444f91a9f93eaa48827087ed0f3381c194181d
- https://git.kernel.org/stable/c/dac398ed272a378d2f42ac68ae408333a51baf52
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49902
In the Linux kernel, the following vulnerability has been resolved: jfs: check if leafidx greater than num leaves per dmap tree syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf. Shaggy: Modified sanity check to apply to control pages as well as leaf pages.
- https://git.kernel.org/stable/c/058aa89b3318be3d66a103ba7c68d717561e1dc6
- https://git.kernel.org/stable/c/2451e5917c56be45d4add786e2a059dd9c2c37c4
- https://git.kernel.org/stable/c/25d2a3ff02f22e215ce53355619df10cc5faa7ab
- https://git.kernel.org/stable/c/35b91f15f44ce3c01eba058ccb864bb04743e792
- https://git.kernel.org/stable/c/4a7bf6a01fb441009a6698179a739957efd88e38
- https://git.kernel.org/stable/c/7fff9a9f866e99931cf6fa260288e55d01626582
- https://git.kernel.org/stable/c/cb0eb10558802764f07de1dc439c4609e27cb4f0
- https://git.kernel.org/stable/c/d64ff0d2306713ff084d4b09f84ed1a8c75ecc32
- https://git.kernel.org/stable/c/d76b9a4c283c7535ae7c7c9b14984e75402951e1
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49903
In the Linux kernel, the following vulnerability has been resolved:
jfs: Fix uaf in dbFreeBits
[syzbot reported]
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216
CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
- https://git.kernel.org/stable/c/0c238da83f56bb895cab1e5851d034ac45b158d1
- https://git.kernel.org/stable/c/3126ccde51f51b0648c8cdccaf916e8bd062e972
- https://git.kernel.org/stable/c/4218b31ecc7af7e191768d32e32ed4386d8f9b76
- https://git.kernel.org/stable/c/4ac58f7734937f3249da734ede946dfb3b1af5e4
- https://git.kernel.org/stable/c/95accb7183badca387f7a8d19a2475cf3089f148
- https://git.kernel.org/stable/c/a9603a6f75df2fd8125cd208c98cfaa0fe3f7505
- https://git.kernel.org/stable/c/d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234
- https://git.kernel.org/stable/c/e7ae14f7ee76c6ef5a48aebab1a278ad78f42619
- https://git.kernel.org/stable/c/fd026b6b6758d5569705c02540b40f3bbf822b9a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49905
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) This commit adds a null check for the 'afb' variable in the amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was assumed to be null, but was used later in the code without a null check. This could potentially lead to a null pointer dereference. Changes since v1: - Moved the null check for 'afb' to the line where 'afb' is used. (Alex) Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)
- https://git.kernel.org/stable/c/75839e2365b666ff4e1b9047e442cab138eac4f6
- https://git.kernel.org/stable/c/9132882eaae4d21d2fc5843b3308379a481ebdf0
- https://git.kernel.org/stable/c/bd0e24e5e608ccb9fdda300bb974496d6d8cf57d
- https://git.kernel.org/stable/c/cd9e9e0852d501f169aa3bb34e4b413d2eb48c37
- https://git.kernel.org/stable/c/e4e26cbe34d7c1c1db5fb7b3101573c29866439f
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49907
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before using dc->clk_mgr [WHY & HOW] dc->clk_mgr is null checked previously in the same function, indicating it might be null. Passing "dc" to "dc->hwss.apply_idle_power_optimizations", which dereferences null "dc->clk_mgr". (The function pointer resolves to "dcn35_apply_idle_power_optimizations".) This fixes 1 FORWARD_NULL issue reported by Coverity.
- https://git.kernel.org/stable/c/3f7e533c10db3d0158709a99e2129ff63add6bcd
- https://git.kernel.org/stable/c/5ba3fbf75b243b2863a8be9e7c393e003d3b88f3
- https://git.kernel.org/stable/c/8d54001f8dccd56146973f23f3ab2ba037a21251
- https://git.kernel.org/stable/c/95d9e0803e51d5a24276b7643b244c7477daf463
- https://git.kernel.org/stable/c/9641bc4adf8446034e490ed543ae7e9833cfbdf5
- https://git.kernel.org/stable/c/a2773e0a4b79e7a6463abdffaf8cc4f24428ba18
- https://git.kernel.org/stable/c/a545a9403e04c6e17fdc04a26a61d9feebbba106
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49912
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' This commit adds a null check for 'stream_status' in the function 'planes_changed_for_existing_stream'. Previously, the code assumed 'stream_status' could be null, but did not handle the case where it was actually null. This could lead to a null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_resource.c:3784 planes_changed_for_existing_stream() error: we previously assumed 'stream_status' could be null (see line 3774)
- https://git.kernel.org/stable/c/0ffd9fb03bbc99ed1eb5dc989d5c7da2faac0659
- https://git.kernel.org/stable/c/4778982c73d6c9f3fdbdbc6b6c8aa18df98251af
- https://git.kernel.org/stable/c/8141f21b941710ecebe49220b69822cab3abd23d
- https://git.kernel.org/stable/c/c4b699b93496c423b0e5b584d4eb4ab849313bcf
- https://git.kernel.org/stable/c/ec6c32b58e6c4e87760e797c525e99a460c82bcb
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49913
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream This commit addresses a null pointer dereference issue in the `commit_planes_for_stream` function at line 4140. The issue could occur when `top_pipe_to_program` is null. The fix adds a check to ensure `top_pipe_to_program` is not null before accessing its stream_res. This prevents a null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:4140 commit_planes_for_stream() error: we previously assumed 'top_pipe_to_program' could be null (see line 3906)
- https://git.kernel.org/stable/c/1ebfa6663807c144be8c8b6727375012409d2356
- https://git.kernel.org/stable/c/3929e382e4758aff42da0102a60d13337c99d3b8
- https://git.kernel.org/stable/c/40193ff73630adf76bc0d82398f7d90fb576dba4
- https://git.kernel.org/stable/c/66d71a72539e173a9b00ca0b1852cbaa5f5bf1ad
- https://git.kernel.org/stable/c/73efd2a611b62fee71a7b7f27d9d08bb60da8a72
- https://git.kernel.org/stable/c/8ab59527852a6f7780aad6185729550ca0569122
- https://git.kernel.org/stable/c/e47e563c6f0db7d792a559301862c19ead0dfc2f
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49924
In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of scheduling work. If we remove the module which will call pxafb_remove to make cleanup, it will call unregister_framebuffer function which can call do_unregister_framebuffer to free fbi->fb through put_fb_info(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | pxafb_task pxafb_remove | unregister_framebuffer(info) | do_unregister_framebuffer(fb_info) | put_fb_info(fb_info) | // free fbi->fb | set_ctrlr_state(fbi, state) | __pxafb_lcd_power(fbi, 0) | fbi->lcd_power(on, &fbi->fb.var) | //use fbi->fb Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove. Note that only root user can remove the driver at runtime.
- https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd
- https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e
- https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a
- https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473
- https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e
- https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08
- https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd
- https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae
- https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49927
In the Linux kernel, the following vulnerability has been resolved: x86/ioapic: Handle allocation failures gracefully Breno observed panics when using failslab under certain conditions during runtime: can not alloc irq_pin_list (-1,0,20) Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed panic+0x4e9/0x590 mp_irqdomain_alloc+0x9ab/0xa80 irq_domain_alloc_irqs_locked+0x25d/0x8d0 __irq_domain_alloc_irqs+0x80/0x110 mp_map_pin_to_irq+0x645/0x890 acpi_register_gsi_ioapic+0xe6/0x150 hpet_open+0x313/0x480 That's a pointless panic which is a leftover of the historic IO/APIC code which panic'ed during early boot when the interrupt allocation failed. The only place which might justify panic is the PIT/HPET timer_check() code which tries to figure out whether the timer interrupt is delivered through the IO/APIC. But that code does not require to handle interrupt allocation failures. If the interrupt cannot be allocated then timer delivery fails and it either panics due to that or falls back to legacy mode. Cure this by removing the panic wrapper around __add_pin_to_irq_node() and making mp_irqdomain_alloc() aware of the failure condition and handle it as any other failure in this function gracefully.
- https://git.kernel.org/stable/c/077e1b7cd521163ded545987bbbd389519aeed71
- https://git.kernel.org/stable/c/649a5c2ffae797ce792023a70e84c7fe4b6fb8e0
- https://git.kernel.org/stable/c/830802a0fea8fb39d3dc9fb7d6b5581e1343eb1f
- https://git.kernel.org/stable/c/e479cb835feeb2abff97f25766e23b96a6eabe28
- https://git.kernel.org/stable/c/ec862cd843faa6f0e84a7a07362f2786446bf697
- https://git.kernel.org/stable/c/f17efbeb2922327ea01a9efa8829fea9a30e547d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49930
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix array out-of-bound access in SoC stats Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() function access ath11k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath11k_dp_process_rx() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
- https://git.kernel.org/stable/c/01b77f5ee11c89754fb836af8f76799d3b72ae2f
- https://git.kernel.org/stable/c/0f26f26944035ec67546a944f182cbad6577a9c0
- https://git.kernel.org/stable/c/4dd732893bd38cec51f887244314e2b47f0d658f
- https://git.kernel.org/stable/c/6045ef5b4b00fee3629689f791992900a1c94009
- https://git.kernel.org/stable/c/69f253e46af98af17e3efa3e5dfa72fcb7d1983d
- https://git.kernel.org/stable/c/73e235728e515faccc104b0153b47d0f263b3344
- https://git.kernel.org/stable/c/7a552bc2f3efe2aaf77a85cb34cdf4a63d81a1a7
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49933
In the Linux kernel, the following vulnerability has been resolved:
blk_iocost: fix more out of bound shifts
Recently running UBSAN caught few out of bound shifts in the
ioc_forgive_debts() function:
UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
Call Trace:
- https://git.kernel.org/stable/c/1ab2cfe19700fb3dde4c7dfec392acff34db3120
- https://git.kernel.org/stable/c/1b120f151871eb47ce9f283c007af3f8ae1d990e
- https://git.kernel.org/stable/c/1f61d509257d6a05763d05bf37943b35306522b1
- https://git.kernel.org/stable/c/364022095bdd4108efdaaa68576afa4712a5d085
- https://git.kernel.org/stable/c/59121bb38fdc01434ea3fe361ee02b59f036227f
- https://git.kernel.org/stable/c/9bce8005ec0dcb23a58300e8522fe4a31da606fa
- https://git.kernel.org/stable/c/f4ef9bef023d5c543cb0f3194ecacfd47ef590ec
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49935
In the Linux kernel, the following vulnerability has been resolved:
ACPI: PAD: fix crash in exit_round_robin()
The kernel occasionally crashes in cpumask_clear_cpu(), which is called
within exit_round_robin(), because when executing clear_bit(nr, addr) with
nr set to 0xffffffff, the address calculation may cause misalignment within
the memory, leading to access to an invalid memory address.
----------
BUG: unable to handle kernel paging request at ffffffffe0740618
...
CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1
...
RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0
- https://git.kernel.org/stable/c/03593dbb0b272ef7b0358b099841e65735422aca
- https://git.kernel.org/stable/c/0a2ed70a549e61c5181bad5db418d223b68ae932
- https://git.kernel.org/stable/c/27c045f868f0e5052c6b532868a65e0cd250c8fc
- https://git.kernel.org/stable/c/68a599da16ebad442ce295d8d2d5c488e3992822
- https://git.kernel.org/stable/c/68a8e45743d6a120f863fb14b72dc59616597019
- https://git.kernel.org/stable/c/82191a21a0dedc8c64e14f07f5d568d09bc4b331
- https://git.kernel.org/stable/c/92e5661b7d0727ab912b76625a88b33fdb9b609a
- https://git.kernel.org/stable/c/d214ffa6eb39c08d18a460124dd7ba318dc56f33
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
Modified: 2025-11-03
CVE-2024-49936
In the Linux kernel, the following vulnerability has been resolved: net/xen-netback: prevent UAF in xenvif_flush_hash() During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe.
- https://git.kernel.org/stable/c/0fa5e94a1811d68fbffa0725efe6d4ca62c03d12
- https://git.kernel.org/stable/c/143edf098b80669d05245b2f2367dd156a83a2c5
- https://git.kernel.org/stable/c/3c4423b0c4b98213b3438e15061e1d08220e6982
- https://git.kernel.org/stable/c/54d8639af5568fc41c0e274fc3ec9cf86c59fcbb
- https://git.kernel.org/stable/c/a0465723b8581cad27164c9073fd780904cd22d4
- https://git.kernel.org/stable/c/a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c
- https://git.kernel.org/stable/c/d408889d4b54f5501e4becc4dbbb9065143fbf4e
- https://git.kernel.org/stable/c/efcff6ce7467f01f0753609f420333f3f2ceceda
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49937
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Set correct chandef when starting CAC When starting CAC in a mode other than AP mode, it return a "WARNING: CPU: 0 PID: 63 at cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]" caused by the chandef.chan being null at the end of CAC. Solution: Ensure the channel definition is set for the different modes when starting CAC to avoid getting a NULL 'chan' at the end of CAC. Call Trace: ? show_regs.part.0+0x14/0x16 ? __warn+0x67/0xc0 ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211] ? report_bug+0xa7/0x130 ? exc_overflow+0x30/0x30 ? handle_bug+0x27/0x50 ? exc_invalid_op+0x18/0x60 ? handle_exception+0xf6/0xf6 ? exc_overflow+0x30/0x30 ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211] ? exc_overflow+0x30/0x30 ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211] ? regulatory_propagate_dfs_state.cold+0x1b/0x4c [cfg80211] ? cfg80211_propagate_cac_done_wk+0x1a/0x30 [cfg80211] ? process_one_work+0x165/0x280 ? worker_thread+0x120/0x3f0 ? kthread+0xc2/0xf0 ? process_one_work+0x280/0x280 ? kthread_complete_and_exit+0x20/0x20 ? ret_from_fork+0x19/0x24 [shorten subject, remove OCB, reorder cases to match previous list]
- https://git.kernel.org/stable/c/04053e55dd50741cf6c59b9bbaa4238218c05c70
- https://git.kernel.org/stable/c/20361712880396e44ce80aaeec2d93d182035651
- https://git.kernel.org/stable/c/95f32191e50b75e0f75fae1bb925cdf51d8df0a3
- https://git.kernel.org/stable/c/c628026563f4ea9e0413dd4b69429e4a1db240b1
- https://git.kernel.org/stable/c/f4dbfda159e43d49b43003cc3c2914751939035f
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49938
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Syzbot points out that skb_trim() has a sanity check on the existing length of the skb, which can be uninitialised in some error paths. The intent here is clearly just to reset the length to zero before resubmitting, so switch to calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length() already contains a call to skb_reset_tail_pointer(), so remove the redundant call. The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
- https://git.kernel.org/stable/c/012ae530afa0785102360de452745d33c99a321b
- https://git.kernel.org/stable/c/2c230210ec0ae6ed08306ac70dc21c24b817bb95
- https://git.kernel.org/stable/c/6a875220670475d9247e576c15dc29823100a4e4
- https://git.kernel.org/stable/c/94745807f3ebd379f23865e6dab196f220664179
- https://git.kernel.org/stable/c/a9f4e28e8adaf0715bd4e01462af0a52ee46b01f
- https://git.kernel.org/stable/c/b02eb7c86ff2ef1411c3095ec8a52b13f68db04f
- https://git.kernel.org/stable/c/d1f2fbc6a769081503f6ffedbb5cd1ac497f0e77
- https://git.kernel.org/stable/c/e37e348835032d6940ec89308cc8996ded691d2d
- https://git.kernel.org/stable/c/e6b9bf32e0695e4f374674002de0527d2a6768eb
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49944
In the Linux kernel, the following vulnerability has been resolved:
sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
is NULL.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
Call Trace:
- https://git.kernel.org/stable/c/0e4e2e60556c6ed00e8450b720f106a268d23062
- https://git.kernel.org/stable/c/7f64cb5b4d8c872296eda0fdce3bcf099eec7aa7
- https://git.kernel.org/stable/c/89bbead9d897c77d0b566349c8643030ff2abeba
- https://git.kernel.org/stable/c/8beee4d8dee76b67c75dc91fd8185d91e845c160
- https://git.kernel.org/stable/c/9230a59eda0878d7ecaa901d876aec76f57bd455
- https://git.kernel.org/stable/c/dd70c8a89ef99c3d53127fe19e51ef47c3f860fa
- https://git.kernel.org/stable/c/e7a8442195e8ebd97df467ce4742980ab57edcce
- https://git.kernel.org/stable/c/e914bf68dab88815a7ae7b7a3a5e8913c8ff14a5
- https://git.kernel.org/stable/c/f032e1dac30b3376c7d6026fb01a8c403c47a80d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49946
In the Linux kernel, the following vulnerability has been resolved:
ppp: do not assume bh is held in ppp_channel_bridge_input()
Networking receive path is usually handled from BH handler.
However, some protocols need to acquire the socket lock, and
packets might be stored in the socket backlog is the socket was
owned by a user process.
In this case, release_sock(), __release_sock(), and sk_backlog_rcv()
might call the sk->sk_backlog_rcv() handler in process context.
sybot caught ppp was not considering this case in
ppp_channel_bridge_input() :
WARNING: inconsistent lock state
6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
{SOFTIRQ-ON-W} state was registered at:
lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
sk_backlog_rcv include/net/sock.h:1111 [inline]
__release_sock+0x1a8/0x3d8 net/core/sock.c:3004
release_sock+0x68/0x1b8 net/core/sock.c:3558
pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x374/0x4f4 net/socket.c:2204
__do_sys_sendto net/socket.c:2216 [inline]
__se_sys_sendto net/socket.c:2212 [inline]
__arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 282914
hardirqs last enabled at (282914): [
- https://git.kernel.org/stable/c/176dd41e8c2bd997ed3d66568a3362e69ecce99b
- https://git.kernel.org/stable/c/635deca1800a68624f185dc1e04a8495b48cf185
- https://git.kernel.org/stable/c/aec7291003df78cb71fd461d7b672912bde55807
- https://git.kernel.org/stable/c/c837f8583535f094a39386308c2ccfd92c8596cd
- https://git.kernel.org/stable/c/efe9cc0f7c0279216a5522271ec675b8288602e4
- https://git.kernel.org/stable/c/f9620e2a665aa642625bd2501282bbddff556bd7
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49948
In the Linux kernel, the following vulnerability has been resolved: net: add more sanity checks to qdisc_pkt_len_init() One path takes care of SKB_GSO_DODGY, assuming skb->len is bigger than hdr_len. virtio_net_hdr_to_skb() does not fully dissect TCP headers, it only make sure it is at least 20 bytes. It is possible for an user to provide a malicious 'GSO' packet, total length of 80 bytes. - 20 bytes of IPv4 header - 60 bytes TCP header - a small gso_size like 8 virtio_net_hdr_to_skb() would declare this packet as a normal GSO packet, because it would see 40 bytes of payload, bigger than gso_size. We need to make detect this case to not underflow qdisc_skb_cb(skb)->pkt_len.
- https://git.kernel.org/stable/c/1eebe602a8d8264a12e35e39d0645fa88dbbacdd
- https://git.kernel.org/stable/c/2415f465730e48b6e38da1c7c097317bf5dd2d20
- https://git.kernel.org/stable/c/27a8fabc54d2f960d47bdfbebf2bdc6e8a92a4c4
- https://git.kernel.org/stable/c/473426a1d53a68dd1e718e6cd00d57936993fa6c
- https://git.kernel.org/stable/c/566a931a1436d0e0ad13708ea55479b95426213c
- https://git.kernel.org/stable/c/9b0ee571d20a238a22722126abdfde61f1b2bdd0
- https://git.kernel.org/stable/c/ab9a9a9e9647392a19e7a885b08000e89c86b535
- https://git.kernel.org/stable/c/d7d1a28f5dd57b4d83def876f8d7b4403bd37df9
- https://git.kernel.org/stable/c/ff1c3cadcf405ab37dd91418a62a7acecf3bc5e2
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49949
In the Linux kernel, the following vulnerability has been resolved: net: avoid potential underflow in qdisc_pkt_len_init() with UFO After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user") virtio_net_hdr_to_skb() had sanity check to detect malicious attempts from user space to cook a bad GSO packet. Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") while fixing one issue, allowed user space to cook a GSO packet with the following characteristic : IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28. When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len Then the following sets gso_segs to 0 : gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size); Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/ qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; This leads to the following crash in fq_codel [1] qdisc_pkt_len_init() is best effort, we only want an estimation of the bytes sent on the wire, not crashing the kernel. This patch is fixing this particular issue, a following one adds more sanity checks for another potential bug. [1] [ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 70.724561] #PF: supervisor read access in kernel mode [ 70.724561] #PF: error_code(0x0000) - not-present page [ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0 [ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI [ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991 [ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel [ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49 All code ======== 0: 24 08 and $0x8,%al 2: 49 c1 e1 06 shl $0x6,%r9 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) b: 45 31 ed xor %r13d,%r13d e: 45 31 c0 xor %r8d,%r8d 11: 31 ff xor %edi,%edi 13: 89 44 24 14 mov %eax,0x14(%rsp) 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 1e: eb 04 jmp 0x24 20: 39 ca cmp %ecx,%edx 22: 73 37 jae 0x5b 24: 4d 8b 39 mov (%r9),%r15 27: 83 c7 01 add $0x1,%edi 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction 2d: 49 89 11 mov %rdx,(%r9) 30: 41 8b 57 28 mov 0x28(%r15),%edx 34: 45 8b 5f 34 mov 0x34(%r15),%r11d 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 3f: 49 rex.WB Code starting with the faulting instruction =========================================== 0: 49 8b 17 mov (%r15),%rdx 3: 49 89 11 mov %rdx,(%r9) 6: 41 8b 57 28 mov 0x28(%r15),%edx a: 45 8b 5f 34 mov 0x34(%r15),%r11d e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 15: 49 rex.WB [ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202 [ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000 [ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 [ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000 [ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58 [ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000 [ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000 [ 70.724561] CS: 0010 DS: 0000 ES: 0000 C ---truncated---
- https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d
- https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1
- https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b
- https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c
- https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c
- https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1
- https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174
- https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72
- https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49952
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: prevent nf_skb_duplicated corruption
syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write
per-cpu variable nf_skb_duplicated in an unsafe way [1].
Disabling preemption as hinted by the splat is not enough,
we have to disable soft interrupts as well.
[1]
BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
- https://git.kernel.org/stable/c/38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663
- https://git.kernel.org/stable/c/4e3542f40f3a94efa59ea328e307c50601ed7065
- https://git.kernel.org/stable/c/50067d8b3f48e4cd4c9e817d3e9a5b5ff3507ca7
- https://git.kernel.org/stable/c/531754952f5dfc4b141523088147071d6e6112c4
- https://git.kernel.org/stable/c/752e1924604254f1708f3e3700283a86ebdd325d
- https://git.kernel.org/stable/c/92ceba94de6fb4cee2bf40b485979c342f44a492
- https://git.kernel.org/stable/c/b40b027a0c0cc1cb9471a13f9730bb2fff12a15b
- https://git.kernel.org/stable/c/c0add6ed2cf1c4733cd489efc61faeccd3433b41
- https://git.kernel.org/stable/c/f839c5cd348201fec440d987cbca9b979bdb4fa7
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49954
In the Linux kernel, the following vulnerability has been resolved: static_call: Replace pointless WARN_ON() in static_call_module_notify() static_call_module_notify() triggers a WARN_ON(), when memory allocation fails in __static_call_add_module(). That's not really justified, because the failure case must be correctly handled by the well known call chain and the error code is passed through to the initiating userspace application. A memory allocation fail is not a fatal problem, but the WARN_ON() takes the machine out when panic_on_warn is set. Replace it with a pr_warn().
- https://git.kernel.org/stable/c/85a104aaef1f56623acc10ba4c42d5f046ba65b7
- https://git.kernel.org/stable/c/b83bef74c121a3311240fc4002d23486b85355e4
- https://git.kernel.org/stable/c/bc9356513d56b688775497b7ac6f2b967f46a80c
- https://git.kernel.org/stable/c/e67534bd31d79952b50e791e92adf0b3e6c13b8c
- https://git.kernel.org/stable/c/ea2cdf4da093d0482f0ef36ba971e2e0c7673425
- https://git.kernel.org/stable/c/fe513c2ef0a172a58f158e2e70465c4317f0a9a2
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49955
In the Linux kernel, the following vulnerability has been resolved: ACPI: battery: Fix possible crash when unregistering a battery hook When a battery hook returns an error when adding a new battery, then the battery hook is automatically unregistered. However the battery hook provider cannot know that, so it will later call battery_hook_unregister() on the already unregistered battery hook, resulting in a crash. Fix this by using the list head to mark already unregistered battery hooks as already being unregistered so that they can be ignored by battery_hook_unregister().
- https://git.kernel.org/stable/c/07b98400cb0285a6348188aa8c5ec6a2ae0551f7
- https://git.kernel.org/stable/c/76959aff14a0012ad6b984ec7686d163deccdc16
- https://git.kernel.org/stable/c/76fb2cbf01571926da8ecf6876cc8cb07d3f5183
- https://git.kernel.org/stable/c/9f469ef1c79dac7f9ac1518643a33703918f7e13
- https://git.kernel.org/stable/c/c47843a831e0eae007ad7e848d208e675ba4c132
- https://git.kernel.org/stable/c/ca1fb7942a287b40659cc79551a1de54a2c2e7d5
- https://git.kernel.org/stable/c/ca26e8eed9c1c6651f51f7fa38fe444f8573cd1b
- https://git.kernel.org/stable/c/ce31847f109c3a5b2abdd19d7bcaafaacfde53de
- https://git.kernel.org/stable/c/da964de4c18199e14b961b5b2e5e6570552a313c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49957
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix null-ptr-deref when journal load failed. During the mounting process, if journal_reset() fails because of too short journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. Subsequently, ocfs2_journal_shutdown() calls jbd2_journal_flush()->jbd2_cleanup_journal_tail()-> __jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail() ->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer dereference error. To resolve this issue, we should check the JBD2_LOADED flag to ensure the journal was properly loaded. Additionally, use journal instead of osb->journal directly to simplify the code.
- https://git.kernel.org/stable/c/387bf565cc03e2e8c720b8b4798efea4aacb6962
- https://git.kernel.org/stable/c/5784d9fcfd43bd853654bb80c87ef293b9e8e80a
- https://git.kernel.org/stable/c/703b2c7e0798d263154dc8593dc2345f75dc077f
- https://git.kernel.org/stable/c/82dfdd1e31e774578f76ce6dc90c834f96403a0f
- https://git.kernel.org/stable/c/86a89e75e9e4dfa768b97db466ad6bedf2e7ea5b
- https://git.kernel.org/stable/c/bf605ae98dab5c15c5b631d4d7f88898cb41b649
- https://git.kernel.org/stable/c/f60e94a83db799bde625ac8671a5b4a6354e7120
- https://git.kernel.org/stable/c/fd89d92c1140cee8f59de336cb37fa65e359c123
- https://git.kernel.org/stable/c/ff55291fb36779819211b596da703389135f5b05
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49958
In the Linux kernel, the following vulnerability has been resolved: ocfs2: reserve space for inline xattr before attaching reflink tree One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix.
- https://git.kernel.org/stable/c/020f5c53c17f66c0a8f2d37dad27ace301b8d8a1
- https://git.kernel.org/stable/c/5c2072f02c0d75802ec28ec703b7d43a0dd008b5
- https://git.kernel.org/stable/c/5c9807c523b4fca81d3e8e864dabc8c806402121
- https://git.kernel.org/stable/c/5ca60b86f57a4d9648f68418a725b3a7de2816b0
- https://git.kernel.org/stable/c/637c00e06564a945e9d0edb3d78d362d64935f9f
- https://git.kernel.org/stable/c/74364cb578dcc0b6c9109519d19cbe5a56afac9a
- https://git.kernel.org/stable/c/96ce4c3537114d1698be635f5e36c62dc49df7a4
- https://git.kernel.org/stable/c/9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9
- https://git.kernel.org/stable/c/aac31d654a0a31cb0d2fa36ae694f4e164a52707
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49959
In the Linux kernel, the following vulnerability has been resolved:
jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error
In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()
to recover some journal space. But if an error occurs while executing
jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free
space right away, we try other branches, and if j_committing_transaction
is NULL (i.e., the tid is 0), we will get the following complain:
============================================
JBD2: I/O error when updating journal superblock for sdd-8.
__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
__jbd2_log_wait_for_space: no way to get more journal space in sdd-8
------------[ cut here ]------------
WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
Modules linked in:
CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
Call Trace:
- https://git.kernel.org/stable/c/1c62dc0d82c62f0dc8fcdc4843208e522acccaf5
- https://git.kernel.org/stable/c/3ced0fe6c0eff032733ea8b38778b34707270138
- https://git.kernel.org/stable/c/481e8f18a290e39e04ddb7feb2bb2a2cc3b213ed
- https://git.kernel.org/stable/c/70bae48377a2c4296fd3caf4caf8f11079111019
- https://git.kernel.org/stable/c/801a35dfef6996f3d5eaa96a59caf00440d9165e
- https://git.kernel.org/stable/c/c6bf043b210eac67d35a114e345c4e5585672913
- https://git.kernel.org/stable/c/d5dc65370a746750dbb2f03eabcf86b18db65f32
- https://git.kernel.org/stable/c/ec7f8337c98ad281020ad1f11ba492462d80737a
- https://git.kernel.org/stable/c/f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49961
In the Linux kernel, the following vulnerability has been resolved: media: i2c: ar0521: Use cansleep version of gpiod_set_value() If we use GPIO reset from I2C port expander, we must use *_cansleep() variant of GPIO functions. This was not done in ar0521_power_on()/ar0521_power_off() functions. Let's fix that. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11 at drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x74/0x7c Modules linked in: CPU: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.10.0 #53 Hardware name: Diasom DS-RK3568-SOM-EVB (DT) Workqueue: events_unbound deferred_probe_work_func pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : gpiod_set_value+0x74/0x7c lr : ar0521_power_on+0xcc/0x290 sp : ffffff8001d7ab70 x29: ffffff8001d7ab70 x28: ffffff80027dcc90 x27: ffffff8003c82000 x26: ffffff8003ca9250 x25: ffffffc080a39c60 x24: ffffff8003ca9088 x23: ffffff8002402720 x22: ffffff8003ca9080 x21: ffffff8003ca9088 x20: 0000000000000000 x19: ffffff8001eb2a00 x18: ffffff80efeeac80 x17: 756d2d6332692f30 x16: 0000000000000000 x15: 0000000000000000 x14: ffffff8001d91d40 x13: 0000000000000016 x12: ffffffc080e98930 x11: ffffff8001eb2880 x10: 0000000000000890 x9 : ffffff8001d7a9f0 x8 : ffffff8001d92570 x7 : ffffff80efeeac80 x6 : 000000003fc6e780 x5 : ffffff8001d91c80 x4 : 0000000000000002 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000001 Call trace: gpiod_set_value+0x74/0x7c ar0521_power_on+0xcc/0x290 ...
- https://git.kernel.org/stable/c/2423b60a2d6d27e5f66c5021b494463aef2db212
- https://git.kernel.org/stable/c/3cf00ecfbf11ee8e6afff306a5bdcff4bf95d2cf
- https://git.kernel.org/stable/c/625a77b68c96349c16fcc1faa42784313e0b1a85
- https://git.kernel.org/stable/c/9f08876d766755a92f1b9543ae3ee21bfc596fb8
- https://git.kernel.org/stable/c/bee1aed819a8cda47927436685d216906ed17f62
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49962
In the Linux kernel, the following vulnerability has been resolved: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause NULL pointer dereference later. [ rjw: Subject and changelog edits ]
- https://git.kernel.org/stable/c/1c9b8775062f8d854a80caf186af57fc617d454c
- https://git.kernel.org/stable/c/402b4c6b7500c7cca6972d2456a4a422801035b5
- https://git.kernel.org/stable/c/4588ea78d3904bebb613b0bb025669e75800f546
- https://git.kernel.org/stable/c/4669da66ebc5b09881487f30669b0fcdb462188e
- https://git.kernel.org/stable/c/a5242874488eba2b9062985bf13743c029821330
- https://git.kernel.org/stable/c/a907c113a8b66972f15f084d7dff960207b1f71d
- https://git.kernel.org/stable/c/ae5d4c7e76ba393d20366dfea1f39f24560ffb1d
- https://git.kernel.org/stable/c/cbb67e245dacd02b5e1d82733892647df1523982
- https://git.kernel.org/stable/c/f282db38953ad71dd4f3f8877a4e1d37e580e30a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49963
In the Linux kernel, the following vulnerability has been resolved: mailbox: bcm2835: Fix timeout during suspend mode During noirq suspend phase the Raspberry Pi power driver suffer of firmware property timeouts. The reason is that the IRQ of the underlying BCM2835 mailbox is disabled and rpi_firmware_property_list() will always run into a timeout [1]. Since the VideoCore side isn't consider as a wakeup source, set the IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled during suspend-resume cycle. [1] PM: late suspend of devices complete after 1.754 msecs WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128 rpi_firmware_property_list+0x204/0x22c Firmware transaction 0x00028001 timeout Modules linked in: CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17 Hardware name: BCM2835 Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x44 dump_stack_lvl from __warn+0x88/0xec __warn from warn_slowpath_fmt+0x7c/0xb0 warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0 rpi_firmware_set_power from _genpd_power_off+0xe4/0x148 _genpd_power_off from genpd_sync_power_off+0x7c/0x11c genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0 genpd_finish_suspend from dpm_run_callback+0x78/0xd0 dpm_run_callback from device_suspend_noirq+0xc0/0x238 device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168 dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac suspend_devices_and_enter from pm_suspend+0x254/0x2e4 pm_suspend from state_store+0xa8/0xd4 state_store from kernfs_fop_write_iter+0x154/0x1a0 kernfs_fop_write_iter from vfs_write+0x12c/0x184 vfs_write from ksys_write+0x78/0xc0 ksys_write from ret_fast_syscall+0x0/0x54 Exception stack(0xcc93dfa8 to 0xcc93dff0) [...] PM: noirq suspend of devices complete after 3095.584 msecs
- https://git.kernel.org/stable/c/10a58555e0bb5cc4673c8bb73b8afc5fa651f0ac
- https://git.kernel.org/stable/c/32ee78823dea2d54adaf6e05f86622eba359e091
- https://git.kernel.org/stable/c/4e1e03760ee7cc4779b6306867fe0fc02921b963
- https://git.kernel.org/stable/c/90320cfc07b7d6e7a58fd8168f6380ec52ff0251
- https://git.kernel.org/stable/c/b0de20de29b13950493a36bd4cf531200eb0e807
- https://git.kernel.org/stable/c/dc09f007caed3b2f6a3b6bd7e13777557ae22bfd
- https://git.kernel.org/stable/c/df293ea78740a41384d648041f38f645700288e1
- https://git.kernel.org/stable/c/dfeb67b2194ecc55ef8065468c5adda3cdf59114
- https://git.kernel.org/stable/c/e65a9af05a0b59ebeba28e5e82265a233db7bc27
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49965
In the Linux kernel, the following vulnerability has been resolved: ocfs2: remove unreasonable unlock in ocfs2_read_blocks Patch series "Misc fixes for ocfs2_read_blocks", v5. This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix the issue reported by syzbot, which detects bad unlock balance in ocfs2_read_blocks(). The second patch fixes an issue reported by Heming Zhao when reviewing above fix. This patch (of 2): There was a lock release before exiting, so remove the unreasonable unlock.
- https://git.kernel.org/stable/c/39a88623af3f1c686bf6db1e677ed865ffe6fccc
- https://git.kernel.org/stable/c/3f1ca6ba5452d53c598a45d21267a2c0c221eef3
- https://git.kernel.org/stable/c/5245f109b4afb6595360d4c180d483a6d2009a59
- https://git.kernel.org/stable/c/81aba693b129e82e11bb54f569504d943d018de9
- https://git.kernel.org/stable/c/84543da867c967edffd5065fa910ebf56aaae49d
- https://git.kernel.org/stable/c/9753bcb17b36c9add9b32c61766ddf8d2d161911
- https://git.kernel.org/stable/c/c03a82b4a0c935774afa01fd6d128b444fd930a1
- https://git.kernel.org/stable/c/df4f20fc3673cee11abf2c571987a95733cb638d
- https://git.kernel.org/stable/c/f55a33fe0fb5274ef185fd61947cf142138958af
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49966
In the Linux kernel, the following vulnerability has been resolved: ocfs2: cancel dqi_sync_work before freeing oinfo ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the end, if error occurs after successfully reading global quota, it will trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled: ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c This reports that there is an active delayed work when freeing oinfo in error handling, so cancel dqi_sync_work first. BTW, return status instead of -1 when .read_file_info fails.
- https://git.kernel.org/stable/c/0d707a33c84b371cb66120e198eed3374726ddd8
- https://git.kernel.org/stable/c/14114d8148db07e7946fb06b56a50cfa425e26c7
- https://git.kernel.org/stable/c/35fccce29feb3706f649726d410122dd81b92c18
- https://git.kernel.org/stable/c/4173d1277c00baeedaaca76783e98b8fd0e3c08d
- https://git.kernel.org/stable/c/89043e7ed63c7fc141e68ea5a79758ed24b6c699
- https://git.kernel.org/stable/c/a4346c04d055bf7e184c18a73dbd23b6a9811118
- https://git.kernel.org/stable/c/bbf41277df8b33fbedf4750a9300c147e8f104eb
- https://git.kernel.org/stable/c/ef768020366f47d23f39c4f57bcb03af6d1e24b3
- https://git.kernel.org/stable/c/fc5cc716dfbdc5fd5f373ff3b51358174cf88bfc
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49969
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in DCN30 color transformation This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error. drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
- https://git.kernel.org/stable/c/0f1e222a4b41d77c442901d166fbdca967af0d86
- https://git.kernel.org/stable/c/578422ddae3d13362b64e77ef9bab98780641631
- https://git.kernel.org/stable/c/7ab69af56a23859b647dee69fa1052c689343621
- https://git.kernel.org/stable/c/929506d5671419cffd8d01e9a7f5eae53682a838
- https://git.kernel.org/stable/c/b9d8b94ec7e67f0cae228c054f77b73967c389a3
- https://git.kernel.org/stable/c/c13f9c62015c56a938304cef6d507227ea3e0039
- https://git.kernel.org/stable/c/d81873f9e715b72d4f8d391c8eb243946f784dfc
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49973
In the Linux kernel, the following vulnerability has been resolved: r8169: add tally counter fields added with RTL8125 RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it.
- https://git.kernel.org/stable/c/1c723d785adb711496bc64c24240f952f4faaabf
- https://git.kernel.org/stable/c/21950321ad33d7613b1453f4c503d7b1871deb61
- https://git.kernel.org/stable/c/585c048d15ed559f20cb94c8fa2f30077efa4fbc
- https://git.kernel.org/stable/c/64648ae8c97ec5a3165021627f5a1658ebe081ca
- https://git.kernel.org/stable/c/92bc8647b4d65f4d4bf8afdb206321c1bc55a486
- https://git.kernel.org/stable/c/991e8b0bab669b7d06927c3e442b3352532e8581
- https://git.kernel.org/stable/c/ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a
- https://git.kernel.org/stable/c/fe44b3bfbf0c74df5712f44458689d0eccccf47d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49975
In the Linux kernel, the following vulnerability has been resolved: uprobes: fix kernel info leak via "[uprobes]" vma xol_add_vma() maps the uninitialized page allocated by __create_xol_area() into userspace. On some architectures (x86) this memory is readable even without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ, although this doesn't really matter, debugger can read this memory anyway.
- https://git.kernel.org/stable/c/21cb47db1ec9765f91304763a24565ddc22d2492
- https://git.kernel.org/stable/c/24141df5a8615790950deedd926a44ddf1dfd6d8
- https://git.kernel.org/stable/c/2aa45f43709ba2082917bd2973d02687075b6eee
- https://git.kernel.org/stable/c/34820304cc2cd1804ee1f8f3504ec77813d29c8e
- https://git.kernel.org/stable/c/5b981d8335e18aef7908a068529a3287258ff6d8
- https://git.kernel.org/stable/c/9634e8dc964a4adafa7e1535147abd7ec29441a6
- https://git.kernel.org/stable/c/f31f92107e5a8ecc8902705122c594e979a351fe
- https://git.kernel.org/stable/c/f561b48d633ac2e7d0d667020fc634a96ade33a0
- https://git.kernel.org/stable/c/fe5e9182d3e227476642ae2b312e2356c4d326a3
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49977
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Fix zero-division error when disabling tc cbs The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider when offload is disabled") allows the "port_transmit_rate_kbps" to be set to a value of 0, which is then passed to the "div_s64" function when tc-cbs is disabled. This leads to a zero-division error. When tc-cbs is disabled, the idleslope, sendslope, and credit values the credit values are not required to be configured. Therefore, adding a return statement after setting the txQ mode to DCB when tc-cbs is disabled would prevent a zero-division error.
- https://git.kernel.org/stable/c/03582f4752427f60817d896f1a827aff772bd31e
- https://git.kernel.org/stable/c/5d43e1ad4567d67af2b42d3ab7c14152ffed25c6
- https://git.kernel.org/stable/c/675faf5a14c14a2be0b870db30a70764df81e2df
- https://git.kernel.org/stable/c/837d9df9c0792902710149d1a5e0991520af0f93
- https://git.kernel.org/stable/c/b0da9504a528f05f97d926b4db74ff21917a33e9
- https://git.kernel.org/stable/c/e297a2bf56d12fd7f91a0c209eb6ea84361f3368
- https://git.kernel.org/stable/c/e33fe25b1efe4f2e6a5858786dbc82ae4c44ed4c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49978
In the Linux kernel, the following vulnerability has been resolved: gso: fix udp gso fraglist segmentation after pull from frag_list Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in __udpv4_gso_segment_list_csum at udp_hdr(seg->next)->dest. Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment.
- https://git.kernel.org/stable/c/080e6c9a3908de193a48f646c5ce1bfb15676ffc
- https://git.kernel.org/stable/c/33e28acf42ee863f332a958bfc2f1a284a3659df
- https://git.kernel.org/stable/c/3cd00d2e3655fad3bda96dc1ebf17b6495f86fea
- https://git.kernel.org/stable/c/a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab
- https://git.kernel.org/stable/c/af3122f5fdc0d00581d6e598a668df6bf54c9daa
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49981
In the Linux kernel, the following vulnerability has been resolved: media: venus: fix use after free bug in venus_remove due to race condition in venus_probe, core->work is bound with venus_sys_error_handler, which is used to handle error. The code use core->sys_err_done to make sync work. The core->work is started in venus_event_notify. If we call venus_remove, there might be an unfished work. The possible sequence is as follows: CPU0 CPU1 |venus_sys_error_handler venus_remove | hfi_destroy | venus_hfi_destroy | kfree(hdev); | |hfi_reinit |venus_hfi_queues_reinit |//use hdev Fix it by canceling the work in venus_remove.
- https://git.kernel.org/stable/c/10941d4f99a5a34999121b314afcd9c0a1c14f15
- https://git.kernel.org/stable/c/2a541fcc0bd2b05a458e9613376df1289ec11621
- https://git.kernel.org/stable/c/5098b9e6377577fe13d03e1d8914930f014a3314
- https://git.kernel.org/stable/c/60b6968341a6dd5353554f3e72db554693a128a5
- https://git.kernel.org/stable/c/63bbe26471ebdcc3c20bb4cc3950d666279ad658
- https://git.kernel.org/stable/c/b0686aedc5f1343442d044bd64eeac7e7a391f4e
- https://git.kernel.org/stable/c/bf6be32e2d39f6301ff1831e249d32a8744ab28a
- https://git.kernel.org/stable/c/c5a85ed88e043474161bbfe54002c89c1cb50ee2
- https://git.kernel.org/stable/c/d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49982
In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in more places For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free. Then Nicolai Stange found more places in aoe have potential use-after-free problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packet to tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev. On the other hand, moving dev_put() to tx() causes that the refcnt of skb->dev be reduced to a negative value, because corresponding dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
- https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79
- https://git.kernel.org/stable/c/12f7b89dd72b25da4eeaa22097877963cad6418e
- https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3
- https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58
- https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f
- https://git.kernel.org/stable/c/a786265aecf39015418e4f930cc1c14603a01490
- https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3
- https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254
- https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49983
In the Linux kernel, the following vulnerability has been resolved: ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(), the 'ppath' is updated but it is the 'path' that is freed, thus potentially triggering a double-free in the following process: ext4_ext_replay_update_ex ppath = path ext4_force_split_extent_at(&ppath) ext4_split_extent_at ext4_ext_insert_extent ext4_ext_create_new_leaf ext4_ext_grow_indepth ext4_find_extent if (depth > path[0].p_maxdepth) kfree(path) ---> path First freed *orig_path = path = NULL ---> null ppath kfree(path) ---> path double-free !!! So drop the unnecessary ppath and use path directly to avoid this problem. And use ext4_find_extent() directly to update path, avoiding unnecessary memory allocation and freeing. Also, propagate the error returned by ext4_find_extent() instead of using strange error codes.
- https://git.kernel.org/stable/c/1b558006d98b7b0b730027be0ee98973dd10ee0d
- https://git.kernel.org/stable/c/3ff710662e8d86a63a39b334e9ca0cb10e5c14b0
- https://git.kernel.org/stable/c/5c0f4cc84d3a601c99bc5e6e6eb1cbda542cce95
- https://git.kernel.org/stable/c/6367d3f04c69e2b8770b8137bd800e0784b0abbc
- https://git.kernel.org/stable/c/63adc9016917e6970fb0104ee5fd6770f02b2d80
- https://git.kernel.org/stable/c/8c26d9e53e5fbacda0732a577e97c5a5b7882aaf
- https://git.kernel.org/stable/c/a34bed978364114390162c27e50fca50791c568d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49985
In the Linux kernel, the following vulnerability has been resolved: i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume In case there is any sort of clock controller attached to this I2C bus controller, for example Versaclock or even an AIC32x4 I2C codec, then an I2C transfer triggered from the clock controller clk_ops .prepare callback may trigger a deadlock on drivers/clk/clk.c prepare_lock mutex. This is because the clock controller first grabs the prepare_lock mutex and then performs the prepare operation, including its I2C access. The I2C access resumes this I2C bus controller via .runtime_resume callback, which calls clk_prepare_enable(), which attempts to grab the prepare_lock mutex again and deadlocks. Since the clock are already prepared since probe() and unprepared in remove(), use simple clk_enable()/clk_disable() calls to enable and disable the clock on runtime suspend and resume, to avoid hitting the prepare_lock mutex.
- https://git.kernel.org/stable/c/048bbbdbf85e5e00258dfb12f5e368f908801d7b
- https://git.kernel.org/stable/c/1883cad2cc629ded4a3556c0bbb8b42533ad8764
- https://git.kernel.org/stable/c/22a1f8a5b56ba93d3e8b7a1dafa24e01c8bb48ba
- https://git.kernel.org/stable/c/894cd5f5fd9061983445bbd1fa3d81be43095344
- https://git.kernel.org/stable/c/9b8bc33ad64192f54142396470cc34ce539a8940
- https://git.kernel.org/stable/c/c2024b1a583ab9176c797ea1e5f57baf8d5e2682
- https://git.kernel.org/stable/c/d6f1250a4d5773f447740b9fe37b8692105796d4
- https://git.kernel.org/stable/c/fac3c9f7784e8184c0338e9f0877b81e55d3ef1c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49992
In the Linux kernel, the following vulnerability has been resolved: drm/stm: Avoid use-after-free issues with crtc and plane ltdc_load() calls functions drm_crtc_init_with_planes(), drm_universal_plane_init() and drm_encoder_init(). These functions should not be called with parameters allocated with devm_kzalloc() to avoid use-after-free issues [1]. Use allocations managed by the DRM framework. Found by Linux Verification Center (linuxtesting.org). [1] https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
- https://git.kernel.org/stable/c/0a1741d10da29aa84955ef89ae9a03c4b6038657
- https://git.kernel.org/stable/c/19dd9780b7ac673be95bf6fd6892a184c9db611f
- https://git.kernel.org/stable/c/454e5d7e671946698af0f201e48469e5ddb42851
- https://git.kernel.org/stable/c/b22eec4b57d04befa90e8554ede34e6c67257606
- https://git.kernel.org/stable/c/d02611ff001454358be6910cb926799e2d818716
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49997
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix memory disclosure When applying padding, the buffer is not zeroed, which results in memory disclosure. The mentioned data is observed on the wire. This patch uses skb_put_padto() to pad Ethernet frames properly. The mentioned function zeroes the expanded buffer. In case the packet cannot be padded it is silently dropped. Statistics are also not incremented. This driver does not support statistics in the old 32-bit format or the new 64-bit format. These will be added in the future. In its current form, the patch should be easily backported to stable versions. Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets in hardware, so software padding must be applied.
- https://git.kernel.org/stable/c/1097bf16501ed5e35358d848b0a94ad2830b0f65
- https://git.kernel.org/stable/c/185df159843d30fb71f821e7ea4368c2a3bfcd36
- https://git.kernel.org/stable/c/2bf4c101d7c99483b8b15a0c8f881e3f399f7e18
- https://git.kernel.org/stable/c/431b122933b197820d319eb3987a67d04346ce9e
- https://git.kernel.org/stable/c/45c0de18ff2dc9af01236380404bbd6a46502c69
- https://git.kernel.org/stable/c/469856f76f4802c5d7e3d20e343185188de1e2db
- https://git.kernel.org/stable/c/60c068444c20bf9a3e22b65b5f6f3d9edc852931
- https://git.kernel.org/stable/c/905f06a34f960676e7dc77bea00f2f8fe18177ad
- https://git.kernel.org/stable/c/e66e38d07b31e177ca430758ed97fbc79f27d966
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50000
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() In mlx5e_tir_builder_alloc() kvzalloc() may return NULL which is dereferenced on the next line in a reference to the modify field. Found by Linux Verification Center (linuxtesting.org) with SVACE.
- https://git.kernel.org/stable/c/0168ab6fbd9e50d20b97486168b604b2ab28a2ca
- https://git.kernel.org/stable/c/1bcc86cc721bea68980098f51f102aa2c2b9d932
- https://git.kernel.org/stable/c/4655456a64a0f936098c8432bac64e7176bd2aff
- https://git.kernel.org/stable/c/4d80dde26d7bab1320210279483ac854dcb274b2
- https://git.kernel.org/stable/c/b48ee5bb25c02ca2b81e0d16bf8af17ab6ed3f8b
- https://git.kernel.org/stable/c/f25389e779500cf4a59ef9804534237841bce536
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50001
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix error path in multi-packet WQE transmit Remove the erroneous unmap in case no DMA mapping was established The multi-packet WQE transmit code attempts to obtain a DMA mapping for the skb. This could fail, e.g. under memory pressure, when the IOMMU driver just can't allocate more memory for page tables. While the code tries to handle this in the path below the err_unmap label it erroneously unmaps one entry from the sq's FIFO list of active mappings. Since the current map attempt failed this unmap is removing some random DMA mapping that might still be required. If the PCI function now presents that IOVA, the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI function in error state. The erroneous behavior was seen in a stress-test environment that created memory pressure.
- https://git.kernel.org/stable/c/26fad69b34fcba80d5c7d9e651f628e6ac927754
- https://git.kernel.org/stable/c/2bcae12c795f32ddfbf8c80d1b5f1d3286341c32
- https://git.kernel.org/stable/c/8bb8c12fb5e2b1f03d603d493c92941676f109b5
- https://git.kernel.org/stable/c/ca36d6c1a49b6965c86dd528a73f38bc62d9c625
- https://git.kernel.org/stable/c/ce828b347cf1b3c1b12b091d02463c35ce5097f5
- https://git.kernel.org/stable/c/ecf310aaf256acbc8182189fe0aa1021c3ddef72
- https://git.kernel.org/stable/c/fc357e78176945ca7bcacf92ab794b9ccd41b4f4
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50002
In the Linux kernel, the following vulnerability has been resolved: static_call: Handle module init failure correctly in static_call_del_module() Module insertion invokes static_call_add_module() to initialize the static calls in a module. static_call_add_module() invokes __static_call_init(), which allocates a struct static_call_mod to either encapsulate the built-in static call sites of the associated key into it so further modules can be added or to append the module to the module chain. If that allocation fails the function returns with an error code and the module core invokes static_call_del_module() to clean up eventually added static_call_mod entries. This works correctly, when all keys used by the module were converted over to a module chain before the failure. If not then static_call_del_module() causes a #GP as it blindly assumes that key::mods points to a valid struct static_call_mod. The problem is that key::mods is not a individual struct member of struct static_call_key, it's part of a union to save space: union { /* bit 0: 0 = mods, 1 = sites */ unsigned long type; struct static_call_mod *mods; struct static_call_site *sites; }; key::sites is a pointer to the list of built-in usage sites of the static call. The type of the pointer is differentiated by bit 0. A mods pointer has the bit clear, the sites pointer has the bit set. As static_call_del_module() blidly assumes that the pointer is a valid static_call_mod type, it fails to check for this failure case and dereferences the pointer to the list of built-in call sites, which is obviously bogus. Cure it by checking whether the key has a sites or a mods pointer. If it's a sites pointer then the key is not to be touched. As the sites are walked in the same order as in __static_call_init() the site walk can be terminated because all subsequent sites have not been touched by the init code due to the error exit. If it was converted before the allocation fail, then the inner loop which searches for a module match will find nothing. A fail in the second allocation in __static_call_init() is harmless and does not require special treatment. The first allocation succeeded and converted the key to a module chain. That first entry has mod::mod == NULL and mod::next == NULL, so the inner loop of static_call_del_module() will neither find a module match nor a module chain. The next site in the walk was either already converted, but can't match the module, or it will exit the outer loop because it has a static_call_site pointer and not a static_call_mod pointer.
- https://git.kernel.org/stable/c/2b494471797bff3d257e99dc0a7abb0c5ff3b4cd
- https://git.kernel.org/stable/c/4b30051c4864234ec57290c3d142db7c88f10d8a
- https://git.kernel.org/stable/c/9c48c2b53191bf991361998f5bb97b8f2fc5a89c
- https://git.kernel.org/stable/c/b566c7d8a2de403ccc9d8a06195e19bbb386d0e4
- https://git.kernel.org/stable/c/c0abbbe8c98c077292221ec7e2baa667c9f0974c
- https://git.kernel.org/stable/c/ed4c8ce0f307f2ab8778aeb40a8866d171e8f128
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50003
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix system hang while resume with TBT monitor [Why] Connected with a Thunderbolt monitor and do the suspend and the system may hang while resume. The TBT monitor HPD will be triggered during the resume procedure and call the drm_client_modeset_probe() while struct drm_connector connector->dev->master is NULL. It will mess up the pipe topology after resume. [How] Skip the TBT monitor HPD during the resume procedure because we currently will probe the connectors after resume by default. (cherry picked from commit 453f86a26945207a16b8f66aaed5962dc2b95b85)
- https://git.kernel.org/stable/c/52d4e3fb3d340447dcdac0e14ff21a764f326907
- https://git.kernel.org/stable/c/68d603f467a75618eeae5bfe8af32cda47097010
- https://git.kernel.org/stable/c/722d2d8fc423108597b97efbf165187d16d9aa1e
- https://git.kernel.org/stable/c/73e441be033d3ed0bdff09b575da3e7d4606ffc9
- https://git.kernel.org/stable/c/c2356296f546326f9f06c109e201d42201e1e783
- https://git.kernel.org/stable/c/eb9329cd882aa274e92bdb1003bc088433fdee86
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50006
In the Linux kernel, the following vulnerability has been resolved: ext4: fix i_data_sem unlock order in ext4_ind_migrate() Fuzzing reports a possible deadlock in jbd2_log_wait_commit. This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require synchronous updates because the file descriptor is opened with O_SYNC. This can lead to the jbd2_journal_stop() function calling jbd2_might_wait_for_commit(), potentially causing a deadlock if the EXT4_IOC_MIGRATE call races with a write(2) system call. This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the jbd2_journal_stop function while i_data_sem is locked. This triggers lockdep because the jbd2_journal_start function might also lock the same jbd2_handle simultaneously. Found by Linux Verification Center (linuxtesting.org) with syzkaller. Rule: add
- https://git.kernel.org/stable/c/3c46d6060d3e38de22196c1fe7706c5a3c696285
- https://git.kernel.org/stable/c/4192adefc9c570698821c5eb9873320eac2fcbf1
- https://git.kernel.org/stable/c/53b1999cfd2c7addf2e581a32865fe8835467b44
- https://git.kernel.org/stable/c/6252cb6bde7fc76cb8dcb49d1def7c326b190820
- https://git.kernel.org/stable/c/9fedf51ab8cf7b69bff08f37fe0989fec7f5d870
- https://git.kernel.org/stable/c/cc749e61c011c255d81b192a822db650c68b313f
- https://git.kernel.org/stable/c/d43776b907659affef1de888525847d64b244194
- https://git.kernel.org/stable/c/d58a00e981d3118b91d503da263e640b7cde6729
- https://git.kernel.org/stable/c/ef05572da0c0eb89614ed01cc17d3c882bdbd1ff
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50007
In the Linux kernel, the following vulnerability has been resolved: ALSA: asihpi: Fix potential OOB array access ASIHPI driver stores some values in the static array upon a response from the driver, and its index depends on the firmware. We shouldn't trust it blindly. This patch adds a sanity check of the array index to fit in the array size.
- https://git.kernel.org/stable/c/219587bca2678e31700ef09ecec178ba1f735674
- https://git.kernel.org/stable/c/36ee4021bcc37b834996e79740d095d6f8dd948f
- https://git.kernel.org/stable/c/7a55740996701f7b2bc46dc988b60ef2e416a747
- https://git.kernel.org/stable/c/7b986c7430a6bb68d523dac7bfc74cbd5b44ef96
- https://git.kernel.org/stable/c/876d04bf5a8ac1d6af5afd258cd37ab83ab2cf3d
- https://git.kernel.org/stable/c/a6bdb691cf7b66dcd929de1a253c5c42edd2e522
- https://git.kernel.org/stable/c/ad7248a5e92587b9266c62db8bcc4e58de53e372
- https://git.kernel.org/stable/c/ce2953e44829ec54bcbb57e9d890fc8af0900c80
- https://git.kernel.org/stable/c/e658227d9d4f4e122d81690fdbc0d438b10288f5
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50008
In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Replace one-element array with a flexible-array member in `struct host_cmd_ds_802_11_scan_ext`. With this, fix the following warning: elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------ elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1) elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]
- https://git.kernel.org/stable/c/17199b69a84798efffc475040fbef44374ef1de1
- https://git.kernel.org/stable/c/1756918f51e9ab247a0f4782cc28853c2bb457c1
- https://git.kernel.org/stable/c/498365e52bebcbc36a93279fe7e9d6aec8479cee
- https://git.kernel.org/stable/c/71267bd4e8c752d7af6c6b96bb83984a6a95273d
- https://git.kernel.org/stable/c/a3a12c30f9510f3753286fadbc6cdb7dad78c1d5
- https://git.kernel.org/stable/c/b55c8848fdc81514ec047b2a0ec782ffe9ab5323
- https://git.kernel.org/stable/c/e59bdb1ba594104cd0ee0af3ee9e4435d842a8fe
- https://git.kernel.org/stable/c/f9310a6704bf52e2493480edea896e1f9b795d40
- https://git.kernel.org/stable/c/fef7b51f22cf2049b0ca6740adeb0ba6f2e671dc
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50013
In the Linux kernel, the following vulnerability has been resolved: exfat: fix memory leak in exfat_load_bitmap() If the first directory entry in the root directory is not a bitmap directory entry, 'bh' will not be released and reassigned, which will cause a memory leak.
- https://git.kernel.org/stable/c/4e1813e52f86eb8db0c6c9570251f2fcbc571f5d
- https://git.kernel.org/stable/c/89081e8407e637463db5880d168e3652fb9f4330
- https://git.kernel.org/stable/c/bf0b3b35259475d1fe377bcaa565488e26684f7a
- https://git.kernel.org/stable/c/d2b537b3e533f28e0d97293fe9293161fe8cd137
- https://git.kernel.org/stable/c/dca359db1eb37f334267ebd7e3cab9a66d191d5b
- https://git.kernel.org/stable/c/ddf704c2ce3b73f38d2dd8cf1bb0f7ec038bdf63
- https://git.kernel.org/stable/c/f692160d3e1e5450605071b8df8f7d08d9b09a83
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50015
In the Linux kernel, the following vulnerability has been resolved: ext4: dax: fix overflowing extents beyond inode size when partially writing The dax_iomap_rw() does two things in each iteration: map written blocks and copy user data to blocks. If the process is killed by user(See signal handling in dax_iomap_iter()), the copied data will be returned and added on inode size, which means that the length of written extents may exceed the inode size, then fsck will fail. An example is given as: dd if=/dev/urandom of=file bs=4M count=1 dax_iomap_rw iomap_iter // round 1 ext4_iomap_begin ext4_iomap_alloc // allocate 0~2M extents(written flag) dax_iomap_iter // copy 2M data iomap_iter // round 2 iomap_iter_advance iter->pos += iter->processed // iter->pos = 2M ext4_iomap_begin ext4_iomap_alloc // allocate 2~4M extents(written flag) dax_iomap_iter fatal_signal_pending done = iter->pos - iocb->ki_pos // done = 2M ext4_handle_inode_extension ext4_update_inode_size // inode size = 2M fsck reports: Inode 13, i_size is 2097152, should be 4194304. Fix? Fix the problem by truncating extents if the written length is smaller than expected.
- https://git.kernel.org/stable/c/5efccdee4a7d507a483f20f880b809cc4eaef14d
- https://git.kernel.org/stable/c/8c30a9a8610c314554997f86370140746aa35661
- https://git.kernel.org/stable/c/a9f331f51515bdb3ebc8d0963131af367ef468f6
- https://git.kernel.org/stable/c/abfaa876b948baaea4d14f21a1963789845c8b4c
- https://git.kernel.org/stable/c/dda898d7ffe85931f9cca6d702a51f33717c501e
- https://git.kernel.org/stable/c/ec0dd451e236c46e4858d53e9e82bae7797a7af5
- https://git.kernel.org/stable/c/f8a7c342326f6ad1dfdb30a18dd013c70f5e9669
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50019
In the Linux kernel, the following vulnerability has been resolved:
kthread: unpark only parked kthread
Calling into kthread unparking unconditionally is mostly harmless when
the kthread is already unparked. The wake up is then simply ignored
because the target is not in TASK_PARKED state.
However if the kthread is per CPU, the wake up is preceded by a call
to kthread_bind() which expects the task to be inactive and in
TASK_PARKED state, which obviously isn't the case if it is unparked.
As a result, calling kthread_stop() on an unparked per-cpu kthread
triggers such a warning:
WARNING: CPU: 0 PID: 11 at kernel/kthread.c:525 __kthread_bind_mask kernel/kthread.c:525
- https://git.kernel.org/stable/c/19a5029981c87c2ad0845e713837faa88f5d8e2b
- https://git.kernel.org/stable/c/214e01ad4ed7158cab66498810094fac5d09b218
- https://git.kernel.org/stable/c/40a6e660d2a3a7a5cb99f0b8ff4fb41bad039f68
- https://git.kernel.org/stable/c/8608196a155cb6cfae04d96b10a2652d0327e33f
- https://git.kernel.org/stable/c/cda5423c1a1c906062ef235c940f249b97d9d135
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50022
In the Linux kernel, the following vulnerability has been resolved: device-dax: correct pgoff align in dax_set_mapping() pgoff should be aligned using ALIGN_DOWN() instead of ALIGN(). Otherwise, vmf->address not aligned to fault_size will be aligned to the next alignment, that can result in memory failure getting the wrong address. It's a subtle situation that only can be observed in page_mapped_in_vma() after the page is page fault handled by dev_dax_huge_fault. Generally, there is little chance to perform page_mapped_in_vma in dev-dax's page unless in specific error injection to the dax device to trigger an MCE - memory-failure. In that case, page_mapped_in_vma() will be triggered to determine which task is accessing the failure address and kill that task in the end. We used self-developed dax device (which is 2M aligned mapping) , to perform error injection to random address. It turned out that error injected to non-2M-aligned address was causing endless MCE until panic. Because page_mapped_in_vma() kept resulting wrong address and the task accessing the failure address was never killed properly: [ 3783.719419] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3784.049006] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3784.049190] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3784.448042] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3784.448186] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3784.792026] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3784.792179] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3785.162502] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3785.162633] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3785.461116] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3785.461247] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3785.764730] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3785.764859] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3786.042128] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3786.042259] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3786.464293] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3786.464423] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3786.818090] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3786.818217] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3787.085297] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3787.085424] Memory failure: 0x200c9742: recovery action for dax page: Recovered It took us several weeks to pinpoint this problem, but we eventually used bpftrace to trace the page fault and mce address and successfully identified the issue. Joao added: ; Likely we never reproduce in production because we always pin : device-dax regions in the region align they provide (Qemu does : similarly with prealloc in hugetlb/file backed memory). I think this : bug requires that we touch *unpinned* device-dax regions unaligned to : the device-dax selected alignment (page size i.e. 4K/2M/1G)
- https://git.kernel.org/stable/c/7fcbd9785d4c17ea533c42f20a9083a83f301fa6
- https://git.kernel.org/stable/c/9c4198dfdca818c5ce19c764d90eabd156bbc6da
- https://git.kernel.org/stable/c/b822007e8db341d6f175c645ed79866db501ad86
- https://git.kernel.org/stable/c/e877427d218159ac29c9326100920d24330c9ee6
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50024
In the Linux kernel, the following vulnerability has been resolved: net: Fix an unsafe loop on the list The kernel may crash when deleting a genetlink family if there are still listeners for that family: Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0 LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0 Call Trace: __netlink_clear_multicast_users+0x74/0xc0 genl_unregister_family+0xd4/0x2d0 Change the unsafe loop on the list to a safe one, because inside the loop there is an element removal from this list.
- https://git.kernel.org/stable/c/1cdec792b2450105b1314c5123a9a0452cb2c2f0
- https://git.kernel.org/stable/c/1dae9f1187189bc09ff6d25ca97ead711f7e26f9
- https://git.kernel.org/stable/c/3be342e0332a7c83eb26fbb22bf156fdca467a5d
- https://git.kernel.org/stable/c/464801a0f6ccb52b21faa33bac6014fd74cc5e10
- https://git.kernel.org/stable/c/49f9b726bf2bf3dd2caf0d27cadf4bc1ccf7a7dd
- https://git.kernel.org/stable/c/5f03a7f601f33cda1f710611625235dc86fd8a9e
- https://git.kernel.org/stable/c/68ad5da6ca630a276f0a5c924179e57724d00013
- https://git.kernel.org/stable/c/8e0766fcf37ad8eed289dd3853628dd9b01b58b0
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50026
In the Linux kernel, the following vulnerability has been resolved: scsi: wd33c93: Don't use stale scsi_pointer value A regression was introduced with commit dbb2da557a6a ("scsi: wd33c93: Move the SCSI pointer to private command data") which results in an oops in wd33c93_intr(). That commit added the scsi_pointer variable and initialized it from hostdata->connected. However, during selection, hostdata->connected is not yet valid. Fix this by getting the current scsi_pointer from hostdata->selecting.
- https://git.kernel.org/stable/c/3afeceda855dea9b85cddd96307d4d17c8742005
- https://git.kernel.org/stable/c/9023ed8d91eb1fcc93e64dc4962f7412b1c4cbec
- https://git.kernel.org/stable/c/b60ff1a95c7c386cdd6153de3d7d85edaeabd800
- https://git.kernel.org/stable/c/e04642a207f1d2ae28a08624c04c67f5681f3451
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50031
In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Stop the active perfmon before being destroyed When running `kmscube` with one or more performance monitors enabled via `GALLIUM_HUD`, the following kernel panic can occur: [ 55.008324] Unable to handle kernel paging request at virtual address 00000000052004a4 [ 55.008368] Mem abort info: [ 55.008377] ESR = 0x0000000096000005 [ 55.008387] EC = 0x25: DABT (current EL), IL = 32 bits [ 55.008402] SET = 0, FnV = 0 [ 55.008412] EA = 0, S1PTW = 0 [ 55.008421] FSC = 0x05: level 1 translation fault [ 55.008434] Data abort info: [ 55.008442] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 55.008455] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 55.008467] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 55.008481] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001046c6000 [ 55.008497] [00000000052004a4] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 55.008525] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 55.008542] Modules linked in: rfcomm [...] vc4 v3d snd_soc_hdmi_codec drm_display_helper gpu_sched drm_shmem_helper cec drm_dma_helper drm_kms_helper i2c_brcmstb drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 55.008799] CPU: 2 PID: 166 Comm: v3d_bin Tainted: G C 6.6.47+rpt-rpi-v8 #1 Debian 1:6.6.47-1+rpt1 [ 55.008824] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT) [ 55.008838] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 55.008855] pc : __mutex_lock.constprop.0+0x90/0x608 [ 55.008879] lr : __mutex_lock.constprop.0+0x58/0x608 [ 55.008895] sp : ffffffc080673cf0 [ 55.008904] x29: ffffffc080673cf0 x28: 0000000000000000 x27: ffffff8106188a28 [ 55.008926] x26: ffffff8101e78040 x25: ffffff8101baa6c0 x24: ffffffd9d989f148 [ 55.008947] x23: ffffffda1c2a4008 x22: 0000000000000002 x21: ffffffc080673d38 [ 55.008968] x20: ffffff8101238000 x19: ffffff8104f83188 x18: 0000000000000000 [ 55.008988] x17: 0000000000000000 x16: ffffffda1bd04d18 x15: 00000055bb08bc90 [ 55.009715] x14: 0000000000000000 x13: 0000000000000000 x12: ffffffda1bd4cbb0 [ 55.010433] x11: 00000000fa83b2da x10: 0000000000001a40 x9 : ffffffda1bd04d04 [ 55.011162] x8 : ffffff8102097b80 x7 : 0000000000000000 x6 : 00000000030a5857 [ 55.011880] x5 : 00ffffffffffffff x4 : 0300000005200470 x3 : 0300000005200470 [ 55.012598] x2 : ffffff8101238000 x1 : 0000000000000021 x0 : 0300000005200470 [ 55.013292] Call trace: [ 55.013959] __mutex_lock.constprop.0+0x90/0x608 [ 55.014646] __mutex_lock_slowpath+0x1c/0x30 [ 55.015317] mutex_lock+0x50/0x68 [ 55.015961] v3d_perfmon_stop+0x40/0xe0 [v3d] [ 55.016627] v3d_bin_job_run+0x10c/0x2d8 [v3d] [ 55.017282] drm_sched_main+0x178/0x3f8 [gpu_sched] [ 55.017921] kthread+0x11c/0x128 [ 55.018554] ret_from_fork+0x10/0x20 [ 55.019168] Code: f9400260 f1001c1f 54001ea9 927df000 (b9403401) [ 55.019776] ---[ end trace 0000000000000000 ]--- [ 55.020411] note: v3d_bin[166] exited with preempt_count 1 This issue arises because, upon closing the file descriptor (which happens when we interrupt `kmscube`), the active performance monitor is not stopped. Although all perfmons are destroyed in `v3d_perfmon_close_file()`, the active performance monitor's pointer (`v3d->active_perfmon`) is still retained. If `kmscube` is run again, the driver will attempt to stop the active performance monitor using the stale pointer in `v3d->active_perfmon`. However, this pointer is no longer valid because the previous process has already terminated, and all performance monitors associated with it have been destroyed and freed. To fix this, when the active performance monitor belongs to a given process, explicitly stop it before destroying and freeing it.
- https://git.kernel.org/stable/c/07c51108d9e278831c16191d1223ee49986e7890
- https://git.kernel.org/stable/c/0c9e9a3a4873705740b19300cadc6599170646ef
- https://git.kernel.org/stable/c/24ab54a066d2ef671b03eb909ca2114c0c9ac1e7
- https://git.kernel.org/stable/c/333767cbce6ac20ec794c76eec82ed0ef55022db
- https://git.kernel.org/stable/c/7d1fd3638ee3a9f9bca4785fffb638ca19120718
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50033
In the Linux kernel, the following vulnerability has been resolved: slip: make slhc_remember() more robust against malicious packets syzbot found that slhc_remember() was missing checks against malicious packets [1]. slhc_remember() only checked the size of the packet was at least 20, which is not good enough. We need to make sure the packet includes the IPv4 and TCP header that are supposed to be carried. Add iph and th pointers to make the code more readable. [1] BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455 ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline] ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212 ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 __release_sock+0x1da/0x330 net/core/sock.c:3072 release_sock+0x6b/0x250 net/core/sock.c:3626 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4091 [inline] slab_alloc_node mm/slub.c:4134 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1322 [inline] sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
- https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95c
- https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52af
- https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51a
- https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c
- https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246
- https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7
- https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50035
In the Linux kernel, the following vulnerability has been resolved: ppp: fix ppp_async_encode() illegal access syzbot reported an issue in ppp_async_encode() [1] In this case, pppoe_sendmsg() is called with a zero size. Then ppp_async_encode() is called with an empty skb. BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675 ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675 ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline] ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 __release_sock+0x1da/0x330 net/core/sock.c:3072 release_sock+0x6b/0x250 net/core/sock.c:3626 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4092 [inline] slab_alloc_node mm/slub.c:4135 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1322 [inline] sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
- https://git.kernel.org/stable/c/30d91a478d58cbae3dbaa8224d17d0d839f0d71b
- https://git.kernel.org/stable/c/40dddd4b8bd08a69471efd96107a4e1c73fabefc
- https://git.kernel.org/stable/c/4151ec65abd755133ebec687218fadd2d2631167
- https://git.kernel.org/stable/c/8dfe93901b410ae41264087427f3b9f389388f83
- https://git.kernel.org/stable/c/8fe992ff3df493d1949922ca234419f3ede08dff
- https://git.kernel.org/stable/c/c007a14797240607038bd3464501109f408940e2
- https://git.kernel.org/stable/c/ce249a4c68d0ce27a8c5d853338d502e2711a314
- https://git.kernel.org/stable/c/fadf8fdb3110d3138e05c3765f645535434f8d76
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50038
In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: avoid NFPROTO_UNSPEC where needed syzbot managed to call xt_cluster match via ebtables: WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780 [..] ebt_do_table+0x174b/0x2a40 Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet processing. As this is only useful to restrict locally terminating TCP/UDP traffic, register this for ipv4 and ipv6 family only. Pablo points out that this is a general issue, direct users of the set/getsockopt interface can call into targets/matches that were only intended for use with ip(6)tables. Check all UNSPEC matches and targets for similar issues: - matches and targets are fine except if they assume skb_network_header() is valid -- this is only true when called from inet layer: ip(6) stack pulls the ip/ipv6 header into linear data area. - targets that return XT_CONTINUE or other xtables verdicts must be restricted too, they are incompatbile with the ebtables traverser, e.g. EBT_CONTINUE is a completely different value than XT_CONTINUE. Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as they are provided for use by ip(6)tables. The MARK target is also used by arptables, so register for NFPROTO_ARP too. While at it, bail out if connbytes fails to enable the corresponding conntrack family. This change passes the selftests in iptables.git.
- https://git.kernel.org/stable/c/0bfcb7b71e735560077a42847f69597ec7dcc326
- https://git.kernel.org/stable/c/4cdc55ec6222bb195995cc58f7cb46e4d8907056
- https://git.kernel.org/stable/c/85ff9a0f793ca52c527e75cd40a69c948627ebde
- https://git.kernel.org/stable/c/8f482bb7e27b37f1f734bb9a8eeb28b23d59d189
- https://git.kernel.org/stable/c/997f67d813ce0cf5eb3cdb8f124da68141e91b6c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50039
In the Linux kernel, the following vulnerability has been resolved:
net/sched: accept TCA_STAB only for root qdisc
Most qdiscs maintain their backlog using qdisc_pkt_len(skb)
on the assumption it is invariant between the enqueue()
and dequeue() handlers.
Unfortunately syzbot can crash a host rather easily using
a TBF + SFQ combination, with an STAB on SFQ [1]
We can't support TCA_STAB on arbitrary level, this would
require to maintain per-qdisc storage.
[1]
[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 88.798611] #PF: supervisor read access in kernel mode
[ 88.799014] #PF: error_code(0x0000) - not-present page
[ 88.799506] PGD 0 P4D 0
[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00
All code
========
0: 0f b7 50 12 movzwl 0x12(%rax),%edx
4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax
b: 00
c: 48 89 d6 mov %rdx,%rsi
f: 48 29 d0 sub %rdx,%rax
12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx
19: 48 c1 e0 03 shl $0x3,%rax
1d: 48 01 c2 add %rax,%rdx
20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx)
25: 7e c0 jle 0xffffffffffffffe7
27: 48 8b 3a mov (%rdx),%rdi
2a:* 4c 8b 07 mov (%rdi),%r8 <-- trapping instruction
2d: 4c 89 02 mov %r8,(%rdx)
30: 49 89 50 08 mov %rdx,0x8(%r8)
34: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi)
3b: 00
3c: 48 rex.W
3d: c7 .byte 0xc7
3e: 07 (bad)
...
Code starting with the faulting instruction
===========================================
0: 4c 8b 07 mov (%rdi),%r8
3: 4c 89 02 mov %r8,(%rdx)
6: 49 89 50 08 mov %rdx,0x8(%r8)
a: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi)
11: 00
12: 48 rex.W
13: c7 .byte 0xc7
14: 07 (bad)
...
[ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206
[ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800
[ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000
[ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f
[ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140
[ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac
[ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000
[ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0
[ 88.808165] Call Trace:
[ 88.808459]
- https://git.kernel.org/stable/c/1edf039ee01788ffc25625fe58a903ae2efa213e
- https://git.kernel.org/stable/c/2acbb9539bc2284e30d2aeb789c3d96287014264
- https://git.kernel.org/stable/c/3cb7cf1540ddff5473d6baeb530228d19bc97b8a
- https://git.kernel.org/stable/c/3dc6ee96473cc2962c6db4297d4631f261be150f
- https://git.kernel.org/stable/c/76feedc74b90270390fbfdf74a2e944e96872363
- https://git.kernel.org/stable/c/8fb6503592d39065316f45d267c5527b4e7cd995
- https://git.kernel.org/stable/c/adbc3eef43fc94c7c8436da832691ae02333a972
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50040
In the Linux kernel, the following vulnerability has been resolved:
igb: Do not bring the device up after non-fatal error
Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
changed igb_io_error_detected() to ignore non-fatal pcie errors in order
to avoid hung task that can happen when igb_down() is called multiple
times. This caused an issue when processing transient non-fatal errors.
igb_io_resume(), which is called after igb_io_error_detected(), assumes
that device is brought down by igb_io_error_detected() if the interface
is up. This resulted in panic with stacktrace below.
[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down
[ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0
[ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)
[ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000
[ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000
[ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message
[ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.
[ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message
[ T292] pcieport 0000:00:1c.5: AER: broadcast resume message
[ T292] ------------[ cut here ]------------
[ T292] kernel BUG at net/core/dev.c:6539!
[ T292] invalid opcode: 0000 [#1] PREEMPT SMP
[ T292] RIP: 0010:napi_enable+0x37/0x40
[ T292] Call Trace:
[ T292]
- https://git.kernel.org/stable/c/0a94079e3841d00ea5abb05e3233d019a86745f6
- https://git.kernel.org/stable/c/330a699ecbfc9c26ec92c6310686da1230b4e7eb
- https://git.kernel.org/stable/c/500be93c5d53b7e2c5314292012185f0207bad0c
- https://git.kernel.org/stable/c/57c5053eaa5f9a8a99e34732e37a86615318e464
- https://git.kernel.org/stable/c/6a39c8f5c8aae74c5ab2ba466791f59ffaab0178
- https://git.kernel.org/stable/c/c92cbd283ddcf55fd85a9a9b0ba13298213f3dd7
- https://git.kernel.org/stable/c/d79af3af2f49c6aae9add3d492c04d60c1b85ce4
- https://git.kernel.org/stable/c/dca2ca65a8695d9593e2cf1b40848e073ad75413
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50041
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix macvlan leak by synchronizing access to mac_filter_hash This patch addresses a macvlan leak issue in the i40e driver caused by concurrent access to vsi->mac_filter_hash. The leak occurs when multiple threads attempt to modify the mac_filter_hash simultaneously, leading to inconsistent state and potential memory leaks. To fix this, we now wrap the calls to i40e_del_mac_filter() and zeroing vf->default_lan_addr.addr with spin_lock/unlock_bh(&vsi->mac_filter_hash_lock), ensuring atomic operations and preventing concurrent access. Additionally, we add lockdep_assert_held(&vsi->mac_filter_hash_lock) in i40e_add_mac_filter() to help catch similar issues in the future. Reproduction steps: 1. Spawn VFs and configure port vlan on them. 2. Trigger concurrent macvlan operations (e.g., adding and deleting portvlan and/or mac filters). 3. Observe the potential memory leak and inconsistent state in the mac_filter_hash. This synchronization ensures the integrity of the mac_filter_hash and prevents the described leak.
- https://git.kernel.org/stable/c/703c4d820b31bcadf465288d5746c53445f02a55
- https://git.kernel.org/stable/c/8831abff1bd5b6bc8224f0c0671f46fbd702b5b2
- https://git.kernel.org/stable/c/9a9747288ba0a9ad4f5c9877f18dd245770ad64e
- https://git.kernel.org/stable/c/9db6ce9e2738b05a3672aff4d42169cf3bb5a3e3
- https://git.kernel.org/stable/c/dac6c7b3d33756d6ce09f00a96ea2ecd79fae9fb
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50044
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change rfcomm_sk_state_change attempts to use sock_lock so it must never be called with it locked but rfcomm_sock_ioctl always attempt to lock it causing the following trace: ====================================================== WARNING: possible circular locking dependency detected 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted ------------------------------------------------------ syz-executor386/5093 is trying to acquire lock: ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline] ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73 but task is already holding lock: ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491
- https://git.kernel.org/stable/c/08d1914293dae38350b8088980e59fbc699a72fe
- https://git.kernel.org/stable/c/38b2d5a57d125e1c17661b8308c0240c4a43b534
- https://git.kernel.org/stable/c/496b2ab0fd10f205e08909a125485fdc98843dbe
- https://git.kernel.org/stable/c/4cb9807c9b53bf1e5560420d26f319f528b50268
- https://git.kernel.org/stable/c/869c6ee62ab8f01bf2419e45326642be5c9b670a
- https://git.kernel.org/stable/c/b77b3fb12fd483cae7c28648903b1d8a6b275f01
- https://git.kernel.org/stable/c/ced98072d3511b232ae1d3347945f35f30c0e303
- https://git.kernel.org/stable/c/ef44274dae9b0a90d1a97ce8b242a3b8243a7745
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50045
In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: fix panic with metadata_dst skb Fix a kernel panic in the br_netfilter module when sending untagged traffic via a VxLAN device. This happens during the check for fragmentation in br_nf_dev_queue_xmit. It is dependent on: 1) the br_netfilter module being loaded; 2) net.bridge.bridge-nf-call-iptables set to 1; 3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port; 4) untagged frames with size higher than the VxLAN MTU forwarded/flooded When forwarding the untagged packet to the VxLAN bridge port, before the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL. Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check for frames that needs to be fragmented: frames with higher MTU than the VxLAN device end up calling br_nf_ip_fragment, which in turns call ip_skb_dst_mtu. The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst with valid dst->dev, thus the crash. This case was never supported in the first place, so drop the packet instead. PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data. [ 176.291791] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000110 [ 176.292101] Mem abort info: [ 176.292184] ESR = 0x0000000096000004 [ 176.292322] EC = 0x25: DABT (current EL), IL = 32 bits [ 176.292530] SET = 0, FnV = 0 [ 176.292709] EA = 0, S1PTW = 0 [ 176.292862] FSC = 0x04: level 0 translation fault [ 176.293013] Data abort info: [ 176.293104] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 176.293488] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 176.293787] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000 [ 176.294166] [0000000000000110] pgd=0000000000000000, p4d=0000000000000000 [ 176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth br_netfilter bridge stp llc ipv6 crct10dif_ce [ 176.295923] CPU: 0 PID: 188 Comm: ping Not tainted 6.8.0-rc3-g5b3fbd61b9d1 #2 [ 176.296314] Hardware name: linux,dummy-virt (DT) [ 176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter] [ 176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter] [ 176.297636] sp : ffff800080003630 [ 176.297743] x29: ffff800080003630 x28: 0000000000000008 x27: ffff6828c49ad9f8 [ 176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24: 00000000000003e8 [ 176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21: ffff6828c3b16d28 [ 176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18: 0000000000000014 [ 176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15: 0000000095744632 [ 176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12: ffffb7e137926a70 [ 176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 : 0000000000000000 [ 176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 : f20e0100bebafeca [ 176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 : 0000000000000000 [ 176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 : ffff6828c7f918f0 [ 176.300889] Call trace: [ 176.301123] br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter] [ 176.301411] br_nf_post_routing+0x2a8/0x3e4 [br_netfilter] [ 176.301703] nf_hook_slow+0x48/0x124 [ 176.302060] br_forward_finish+0xc8/0xe8 [bridge] [ 176.302371] br_nf_hook_thresh+0x124/0x134 [br_netfilter] [ 176.302605] br_nf_forward_finish+0x118/0x22c [br_netfilter] [ 176.302824] br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter] [ 176.303136] br_nf_forward+0x2b8/0x4e0 [br_netfilter] [ 176.303359] nf_hook_slow+0x48/0x124 [ 176.303 ---truncated---
- https://git.kernel.org/stable/c/3453f5839420bfbb85c86c61e49f49ffd0f041c4
- https://git.kernel.org/stable/c/75dfcb758015c97e1accd6340691fca67d363bed
- https://git.kernel.org/stable/c/78ed917133b118661e1fe62d4a85d5d428ee9568
- https://git.kernel.org/stable/c/915717e0bb9837cc5c101bc545af487bd787239e
- https://git.kernel.org/stable/c/95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803
- https://git.kernel.org/stable/c/cce8419b8168f6e7eb637103a47f916f3de8bc81
- https://git.kernel.org/stable/c/f07131239a76cc10d5e82c19d91f53cb55727297
- https://git.kernel.org/stable/c/f9ff7665cd128012868098bbd07e28993e314fdb
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50046
In the Linux kernel, the following vulnerability has been resolved: NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies() On the node of an NFS client, some files saved in the mountpoint of the NFS server were copied to another location of the same NFS server. Accidentally, the nfs42_complete_copies() got a NULL-pointer dereference crash with the following syslog: [232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116 [232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116 [232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 [232066.588586] Mem abort info: [232066.588701] ESR = 0x0000000096000007 [232066.588862] EC = 0x25: DABT (current EL), IL = 32 bits [232066.589084] SET = 0, FnV = 0 [232066.589216] EA = 0, S1PTW = 0 [232066.589340] FSC = 0x07: level 3 translation fault [232066.589559] Data abort info: [232066.589683] ISV = 0, ISS = 0x00000007 [232066.589842] CM = 0, WnR = 0 [232066.589967] user pgtable: 64k pages, 48-bit VAs, pgdp=00002000956ff400 [232066.590231] [0000000000000058] pgd=08001100ae100003, p4d=08001100ae100003, pud=08001100ae100003, pmd=08001100b3c00003, pte=0000000000000000 [232066.590757] Internal error: Oops: 96000007 [#1] SMP [232066.590958] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm vhost_net vhost vhost_iotlb tap tun ipt_rpfilter xt_multiport ip_set_hash_ip ip_set_hash_net xfrm_interface xfrm6_tunnel tunnel4 tunnel6 esp4 ah4 wireguard libcurve25519_generic veth xt_addrtype xt_set nf_conntrack_netlink ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_bitmap_port ip_set_hash_ipport dummy ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_filter sch_ingress nfnetlink_cttimeout vport_gre ip_gre ip_tunnel gre vport_geneve geneve vport_vxlan vxlan ip6_udp_tunnel udp_tunnel openvswitch nf_conncount dm_round_robin dm_service_time dm_multipath xt_nat xt_MASQUERADE nft_chain_nat nf_nat xt_mark xt_conntrack xt_comment nft_compat nft_counter nf_tables nfnetlink ocfs2 ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_ssif nbd overlay 8021q garp mrp bonding tls rfkill sunrpc ext4 mbcache jbd2 [232066.591052] vfat fat cas_cache cas_disk ses enclosure scsi_transport_sas sg acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler ip_tables vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio dm_mirror dm_region_hash dm_log dm_mod nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc fuse xfs libcrc32c ast drm_vram_helper qla2xxx drm_kms_helper syscopyarea crct10dif_ce sysfillrect ghash_ce sysimgblt sha2_ce fb_sys_fops cec sha256_arm64 sha1_ce drm_ttm_helper ttm nvme_fc igb sbsa_gwdt nvme_fabrics drm nvme_core i2c_algo_bit i40e scsi_transport_fc megaraid_sas aes_neon_bs [232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1 [232066.597356] Hardware name: Great Wall .\x93\x8e...RF6260 V5/GWMSSE2GL1T, BIOS T656FBE_V3.0.18 2024-01-06 [232066.597721] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4] [232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4] [232066.598595] sp : ffff8000f568fc70 [232066.598731] x29: ffff8000f568fc70 x28: 0000000000001000 x27: ffff21003db33000 [232066.599030] x26: ffff800005521ae0 x25: ffff0100f98fa3f0 x24: 0000000000000001 [232066.599319] x23: ffff800009920008 x22: ffff21003db33040 x21: ffff21003db33050 [232066.599628] x20: ffff410172fe9e40 x19: ffff410172fe9e00 x18: 0000000000000000 [232066.599914] x17: 0000000000000000 x16: 0000000000000004 x15: 0000000000000000 [232066.600195] x14: 0000000000000000 x13: ffff800008e685a8 x12: 00000000eac0c6e6 [232066.600498] x11: 00000000000000 ---truncated---
- https://git.kernel.org/stable/c/584c019baedddec3fd634053e8fb2d8836108d38
- https://git.kernel.org/stable/c/632344b9efa064ca737bfcdaaaced59fd5f18ae9
- https://git.kernel.org/stable/c/a848c29e3486189aaabd5663bc11aea50c5bd144
- https://git.kernel.org/stable/c/ef9189bb15dcbe7ed3f3515aaa6fc8bf7483960d
- https://git.kernel.org/stable/c/f892165c564e3aab272948dbb556cc20e290c55a
- https://git.kernel.org/stable/c/fca41e5fa4914d12b2136c25f9dad69520b52683
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50048
In the Linux kernel, the following vulnerability has been resolved: fbcon: Fix a NULL pointer dereference issue in fbcon_putcs syzbot has found a NULL pointer dereference bug in fbcon. Here is the simplified C reproducer: struct param { uint8_t type; struct tiocl_selection ts; }; int main() { struct fb_con2fbmap con2fb; struct param param; int fd = open("/dev/fb1", 0, 0); con2fb.console = 0x19; con2fb.framebuffer = 0; ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb); param.type = 2; param.ts.xs = 0; param.ts.ys = 0; param.ts.xe = 0; param.ts.ye = 0; param.ts.sel_mode = 0; int fd1 = open("/dev/tty1", O_RDWR, 0); ioctl(fd1, TIOCLINUX, ¶m); con2fb.console = 1; con2fb.framebuffer = 0; ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb); return 0; } After calling ioctl(fd1, TIOCLINUX, ¶m), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb) causes the kernel to follow a different execution path: set_con2fb_map -> con2fb_init_display -> fbcon_set_disp -> redraw_screen -> hide_cursor -> clear_selection -> highlight -> invert_screen -> do_update_region -> fbcon_putcs -> ops->putcs Since ops->putcs is a NULL pointer, this leads to a kernel panic. To prevent this, we need to call set_blitting_type() within set_con2fb_map() to properly initialize ops->putcs.
- https://git.kernel.org/stable/c/5b97eebcce1b4f3f07a71f635d6aa3af96c236e7
- https://git.kernel.org/stable/c/8266ae6eafdcd5a3136592445ff4038bbc7ee80e
- https://git.kernel.org/stable/c/e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b
- https://git.kernel.org/stable/c/f7fb5dda555344529ce584ff7a28b109528d2f1b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50049
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointer before dereferencing se [WHAT & HOW] se is null checked previously in the same function, indicating it might be null; therefore, it must be checked when used again. This fixes 1 FORWARD_NULL issue reported by Coverity.
- https://git.kernel.org/stable/c/65b2d49e55fe13ae56da3a7685bdccadca31134a
- https://git.kernel.org/stable/c/97a79933fb08a002ba9400d1a7a5df707ecdb896
- https://git.kernel.org/stable/c/a9b4fd1946678fa0e069e442f3c5a7d3fa446fac
- https://git.kernel.org/stable/c/c643ef59390e49f1dfab35e8ea65f5db5e527d64
- https://git.kernel.org/stable/c/f4149eec960110ffd5bcb161075dd9f1d7773075
- https://git.kernel.org/stable/c/ff599ef6970ee000fa5bc38d02fa5ff5f3fc7575
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50059
In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be called to start the work. If we remove the module which will call switchtec_ntb_remove to make cleanup, it will free sndev through kfree(sndev), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | check_link_status_work switchtec_ntb_remove | kfree(sndev); | | if (sndev->link_force_down) | // use sndev Fix it by ensuring that the work is canceled before proceeding with the cleanup in switchtec_ntb_remove.
- https://git.kernel.org/stable/c/177925d9c8715a897bb79eca62628862213ba956
- https://git.kernel.org/stable/c/3ae45be8492460a35b5aebf6acac1f1d32708946
- https://git.kernel.org/stable/c/5126d8f5567f49b52e21fca320eaa97977055099
- https://git.kernel.org/stable/c/92728fceefdaa2a0a3aae675f86193b006eeaa43
- https://git.kernel.org/stable/c/b650189687822b705711f0567a65a164a314d8df
- https://git.kernel.org/stable/c/e51aded92d42784313ba16c12f4f88cc4f973bbb
- https://git.kernel.org/stable/c/fa840ba4bd9f3bad7f104e5b32028ee73af8b3dd
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50060
In the Linux kernel, the following vulnerability has been resolved: io_uring: check if we need to reschedule during overflow flush In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it'll have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a ton of overflow entries, and then flushing them can take quite a while. Check for needing to reschedule while flushing, and drop our locks and do so if necessary. There's no state to maintain here as overflows always prune from head-of-list, hence it's fine to drop and reacquire the locks at the end of the loop.
- https://git.kernel.org/stable/c/a2493904e95ce94bbec819d8f7f03b99976eb25c
- https://git.kernel.org/stable/c/c2eadeafce2d385b3f6d26a7f31fee5aba2bbbb0
- https://git.kernel.org/stable/c/eac2ca2d682f94f46b1973bdf5e77d85d77b8e53
- https://git.kernel.org/stable/c/f4ce3b5d26ce149e77e6b8e8f2058aa80e5b034e
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50062
In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-srv: Avoid null pointer deref during path establishment For RTRS path establishment, RTRS client initiates and completes con_num of connections. After establishing all its connections, the information is exchanged between the client and server through the info_req message. During this exchange, it is essential that all connections have been established, and the state of the RTRS srv path is CONNECTED. So add these sanity checks, to make sure we detect and abort process in error scenarios to avoid null pointer deref.
- https://git.kernel.org/stable/c/394b2f4d5e014820455af3eb5859eb328eaafcfd
- https://git.kernel.org/stable/c/b5d4076664465487a9a3d226756995b12fb73d71
- https://git.kernel.org/stable/c/b720792d7e8515bc695752e0ed5884e2ea34d12a
- https://git.kernel.org/stable/c/ccb8e44ae3e2391235f80ffc6be59bec6b889ead
- https://git.kernel.org/stable/c/d0e62bf7b575fbfe591f6f570e7595dd60a2f5eb
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50093
In the Linux kernel, the following vulnerability has been resolved:
thermal: intel: int340x: processor: Fix warning during module unload
The processor_thermal driver uses pcim_device_enable() to enable a PCI
device, which means the device will be automatically disabled on driver
detach. Thus there is no need to call pci_disable_device() again on it.
With recent PCI device resource management improvements, e.g. commit
f748a07a0b64 ("PCI: Remove legacy pcim_release()"), this problem is
exposed and triggers the warining below.
[ 224.010735] proc_thermal_pci 0000:00:04.0: disabling already-disabled device
[ 224.010747] WARNING: CPU: 8 PID: 4442 at drivers/pci/pci.c:2250 pci_disable_device+0xe5/0x100
...
[ 224.010844] Call Trace:
[ 224.010845]
- https://git.kernel.org/stable/c/434525a864136c928b54fd2512b4c0167c207463
- https://git.kernel.org/stable/c/8403021b6f32d68a7e3a6b8428ecaf5c153a9974
- https://git.kernel.org/stable/c/99ca0b57e49fb73624eede1c4396d9e3d10ccf14
- https://git.kernel.org/stable/c/b4ab78f4adeaf6c98be5d375518dd4fb666eac5e
- https://git.kernel.org/stable/c/dd64ea03375618684477f946be4f5e253f8676c2
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50095
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mad: Improve handling of timed out WRs of mad agent
Current timeout handler of mad agent acquires/releases mad_agent_priv
lock for every timed out WRs. This causes heavy locking contention
when higher no. of WRs are to be handled inside timeout handler.
This leads to softlockup with below trace in some use cases where
rdma-cm path is used to establish connection between peer nodes
Trace:
-----
BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767]
CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE
------- --- 5.14.0-427.13.1.el9_4.x86_64 #1
Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019
Workqueue: ib_mad1 timeout_sends [ib_core]
RIP: 0010:__do_softirq+0x78/0x2ac
RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246
RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f
RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b
RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000
R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040
FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
- https://git.kernel.org/stable/c/2a777679b8ccd09a9a65ea0716ef10365179caac
- https://git.kernel.org/stable/c/3e799fa463508abe7a738ce5d0f62a8dfd05262a
- https://git.kernel.org/stable/c/7022a517bf1ca37ef5a474365bcc5eafd345a13a
- https://git.kernel.org/stable/c/713adaf0ecfc49405f6e5d9e409d984f628de818
- https://git.kernel.org/stable/c/a195a42dd25ca4f12489687065d00be64939409f
- https://git.kernel.org/stable/c/e80eadb3604a92d2d086e956b8b2692b699d4d0a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50096
In the Linux kernel, the following vulnerability has been resolved: nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error The `nouveau_dmem_copy_one` function ensures that the copy push command is sent to the device firmware but does not track whether it was executed successfully. In the case of a copy error (e.g., firmware or hardware failure), the copy push command will be sent via the firmware channel, and `nouveau_dmem_copy_one` will likely report success, leading to the `migrate_to_ram` function returning a dirty HIGH_USER page to the user. This can result in a security vulnerability, as a HIGH_USER page that may contain sensitive or corrupted data could be returned to the user. To prevent this vulnerability, we allocate a zero page. Thus, in case of an error, a non-dirty (zero) page will be returned to the user.
- https://git.kernel.org/stable/c/614bfb2050982d23d53d0d51c4079dba0437c883
- https://git.kernel.org/stable/c/697e3ddcf1f8b68bd531fc34eead27c000bdf3e1
- https://git.kernel.org/stable/c/73f75d2b5aee5a735cf64b8ab4543d5c20dbbdd9
- https://git.kernel.org/stable/c/835745a377a4519decd1a36d6b926e369b3033e2
- https://git.kernel.org/stable/c/8c3de9282dde21ce3c1bf1bde3166a4510547aa9
- https://git.kernel.org/stable/c/ab4d113b6718b076046018292f821d5aa4b844f8
- https://git.kernel.org/stable/c/fd9bb7e996bab9b9049fffe3f3d3b50dee191d27
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50176
In the Linux kernel, the following vulnerability has been resolved: remoteproc: k3-r5: Fix error handling when power-up failed By simply bailing out, the driver was violating its rule and internal assumptions that either both or no rproc should be initialized. E.g., this could cause the first core to be available but not the second one, leading to crashes on its shutdown later on while trying to dereference that second instance.
- https://git.kernel.org/stable/c/7afb5e3aa989c479979faeb18768a67889a7a9c6
- https://git.kernel.org/stable/c/87ab3af7447791d0c619610fd560bd804549e187
- https://git.kernel.org/stable/c/9ab27eb5866ccbf57715cfdba4b03d57776092fb
- https://git.kernel.org/stable/c/afd102bde99d90ef41e043c846ea34b04433eb7b
- https://git.kernel.org/stable/c/fc71c23958931713b5e76f317b76be37189f2516
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50179
In the Linux kernel, the following vulnerability has been resolved: ceph: remove the incorrect Fw reference check when dirtying pages When doing the direct-io reads it will also try to mark pages dirty, but for the read path it won't hold the Fw caps and there is case will it get the Fw reference.
- https://git.kernel.org/stable/c/11ab19d48ab877430eed0c7d83810970bbcbc4f6
- https://git.kernel.org/stable/c/126b567a2ef65fc38a71d832bf1216c56816f231
- https://git.kernel.org/stable/c/74b302ebad5b43ac17460fa58092d892a3cba6eb
- https://git.kernel.org/stable/c/9d4f619153bab7fa59736462967821d6521a38cb
- https://git.kernel.org/stable/c/c08dfb1b49492c09cf13838c71897493ea3b424e
- https://git.kernel.org/stable/c/c26c5ec832dd9e9dcd0a0a892a485c99889b68f0
- https://git.kernel.org/stable/c/ea98284fc4fb05f276737d2043b02b62be5a8dfb
- https://git.kernel.org/stable/c/f55e003d261baa7c57d51ae5c8ec1f5c26a35c89
- https://git.kernel.org/stable/c/f863bfd0a2c6c99011c62ea71ac04f8e78707da9
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50180
In the Linux kernel, the following vulnerability has been resolved: fbdev: sisfb: Fix strbuf array overflow The values of the variables xres and yres are placed in strbuf. These variables are obtained from strbuf1. The strbuf1 array contains digit characters and a space if the array contains non-digit characters. Then, when executing sprintf(strbuf, "%ux%ux8", xres, yres); more than 16 bytes will be written to strbuf. It is suggested to increase the size of the strbuf array to 24. Found by Linux Verification Center (linuxtesting.org) with SVACE.
- https://git.kernel.org/stable/c/11c0d49093b82f6c547fd419c41a982d26bdf5ef
- https://git.kernel.org/stable/c/252f147b1826cbb30ae0304cf86b66d3bb12b743
- https://git.kernel.org/stable/c/41cf6f26abe4f491b694c54bd1aa2530369b7510
- https://git.kernel.org/stable/c/433c84c8495008922534c5cafdae6ff970fb3241
- https://git.kernel.org/stable/c/57c4f4db0a194416da237fd09dad9527e00cb587
- https://git.kernel.org/stable/c/688872c4ea4a528cd6a057d545c83506b533ee1f
- https://git.kernel.org/stable/c/889304120ecb2ca30674d89cd4ef15990b6a571c
- https://git.kernel.org/stable/c/9cf14f5a2746c19455ce9cb44341b5527b5e19c3
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50182
In the Linux kernel, the following vulnerability has been resolved: secretmem: disable memfd_secret() if arch cannot set direct map Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map(). This is the case for example on some arm64 configurations, where marking 4k PTEs in the direct map not present can only be done if the direct map is set up at 4k granularity in the first place (as ARM's break-before-make semantics do not easily allow breaking apart large/gigantic pages). More precisely, on arm64 systems with !can_set_direct_map(), set_direct_map_invalid_noflush() is a no-op, however it returns success (0) instead of an error. This means that memfd_secret will seemingly "work" (e.g. syscall succeeds, you can mmap the fd and fault in pages), but it does not actually achieve its goal of removing its memory from the direct map. Note that with this patch, memfd_secret() will start erroring on systems where can_set_direct_map() returns false (arm64 with CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and CONFIG_KFENCE=n), but that still seems better than the current silent failure. Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most arm64 systems actually have a working memfd_secret() and aren't be affected. From going through the iterations of the original memfd_secret patch series, it seems that disabling the syscall in these scenarios was the intended behavior [1] (preferred over having set_direct_map_invalid_noflush return an error as that would result in SIGBUSes at page-fault time), however the check for it got dropped between v16 [2] and v17 [3], when secretmem moved away from CMA allocations. [1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/ [2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t [3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/
- https://git.kernel.org/stable/c/532b53cebe58f34ce1c0f34d866f5c0e335c53c6
- https://git.kernel.org/stable/c/5ea0b7af38754d2b45ead9257bca47e84662e926
- https://git.kernel.org/stable/c/757786abe4547eb3d9d0e8350a63bdb0f9824af2
- https://git.kernel.org/stable/c/7caf966390e6e4ebf42775df54e7ee1f280ce677
- https://git.kernel.org/stable/c/d0ae6ffa1aeb297aef89f49cfb894a83c329ebad
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50183
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance Deleting an NPIV instance requires all fabric ndlps to be released before an NPIV's resources can be torn down. Failure to release fabric ndlps beforehand opens kref imbalance race conditions. Fix by forcing the DA_ID to complete synchronously with usage of wait_queue.
- https://git.kernel.org/stable/c/0857b1c573c0b095aa778bb26d8b3378172471b6
- https://git.kernel.org/stable/c/0a3c84f71680684c1d41abb92db05f95c09111e8
- https://git.kernel.org/stable/c/0ef6e016eb53fad6dc44c3253945efb43a3486b9
- https://git.kernel.org/stable/c/bbc525409bfe8e5bff12f5d18d550ab3e52cdbef
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50184
In the Linux kernel, the following vulnerability has been resolved: virtio_pmem: Check device status before requesting flush If a pmem device is in a bad status, the driver side could wait for host ack forever in virtio_pmem_flush(), causing the system to hang. So add a status check in the beginning of virtio_pmem_flush() to return early if the device is not activated.
- https://git.kernel.org/stable/c/4ce662fe4be6fbc2595d9ef4888b2b6e778c99ed
- https://git.kernel.org/stable/c/59ac565c6277d4be6661e81ea6a7f3ca2c5e4e36
- https://git.kernel.org/stable/c/6a5ca0ab94e13a1474bf7ad8437a975c2193618f
- https://git.kernel.org/stable/c/9a2bc9b6f929a2ce1ebe4d1a796ddab37568c5b4
- https://git.kernel.org/stable/c/b01793cc63dd39c8f12b9a3d8dc115fbebb19e2a
- https://git.kernel.org/stable/c/ce7a3a62cc533c922072f328fd2ea2fd7cb893d4
- https://git.kernel.org/stable/c/e25fbcd97cf52c3c9824d44b5c56c19673c3dd50
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50185
In the Linux kernel, the following vulnerability has been resolved: mptcp: handle consistently DSS corruption Bugged peer implementation can send corrupted DSS options, consistently hitting a few warning in the data path. Use DEBUG_NET assertions, to avoid the splat on some builds and handle consistently the error, dumping related MIBs and performing fallback and/or reset according to the subflow type.
- https://git.kernel.org/stable/c/12c1676d598e3b8dd92a033b623b792cc2ea1ec5
- https://git.kernel.org/stable/c/35668f8ec84f6c944676e48ecc6bbc5fc8e6fe25
- https://git.kernel.org/stable/c/8bfd391bde685df7289b928ce8876a3583be4bfb
- https://git.kernel.org/stable/c/b8be15d1ae7ea4eedd547c3b3141f592fbddcd30
- https://git.kernel.org/stable/c/e32d262c89e2b22cb0640223f953b548617ed8a6
- https://git.kernel.org/stable/c/fde99e972b8f88cebe619241d7aa43d288ef666a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50186
In the Linux kernel, the following vulnerability has been resolved: net: explicitly clear the sk pointer, when pf->create fails We have recently noticed the exact same KASAN splat as in commit 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket creation fails"). The problem is that commit did not fully address the problem, as some pf->create implementations do not use sk_common_release in their error paths. For example, we can use the same reproducer as in the above commit, but changing ping to arping. arping uses AF_PACKET socket and if packet_create fails, it will just sk_free the allocated sk object. While we could chase all the pf->create implementations and make sure they NULL the freed sk object on error from the socket, we can't guarantee future protocols will not make the same mistake. So it is easier to just explicitly NULL the sk pointer upon return from pf->create in __sock_create. We do know that pf->create always releases the allocated sk object on error, so if the pointer is not NULL, it is definitely dangling.
- https://git.kernel.org/stable/c/563e6892e21d6ecabdf62103fc4e7b326d212334
- https://git.kernel.org/stable/c/631083143315d1b192bd7d915b967b37819e88ea
- https://git.kernel.org/stable/c/8e1b72fd74bf9da3b099d09857f4e7f114f38e12
- https://git.kernel.org/stable/c/b7d22a79ff4e962b8af5ffe623abd1d6c179eb9f
- https://git.kernel.org/stable/c/daf462ff3cde6ecf22b98d9ae770232c10d28de2
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50187
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Stop the active perfmon before being destroyed Upon closing the file descriptor, the active performance monitor is not stopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`, the active performance monitor's pointer (`vc4->active_perfmon`) is still retained. If we open a new file descriptor and submit a few jobs with performance monitors, the driver will attempt to stop the active performance monitor using the stale pointer in `vc4->active_perfmon`. However, this pointer is no longer valid because the previous process has already terminated, and all performance monitors associated with it have been destroyed and freed. To fix this, when the active performance monitor belongs to a given process, explicitly stop it before destroying and freeing it.
- https://git.kernel.org/stable/c/0b2ad4f6f2bec74a5287d96cb2325a5e11706f22
- https://git.kernel.org/stable/c/75452da51e2403e14be007df80d133e1443fc967
- https://git.kernel.org/stable/c/937943c042503dc6087438bf3557f9057a588ba0
- https://git.kernel.org/stable/c/c9adba739d5f7cdc47a7754df4a17b47b1ecf513
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50188
In the Linux kernel, the following vulnerability has been resolved: net: phy: dp83869: fix memory corruption when enabling fiber When configuring the fiber port, the DP83869 PHY driver incorrectly calls linkmode_set_bit() with a bit mask (1 << 10) rather than a bit number (10). This corrupts some other memory location -- in case of arm64 the priv pointer in the same structure. Since the advertising flags are updated from supported at the end of the function the incorrect line isn't needed at all and can be removed.
- https://git.kernel.org/stable/c/21b5af7f0c99b3bf1fd02016e6708b613acbcaf4
- https://git.kernel.org/stable/c/9ca634676ff66e1d616259e136f96f96b2a1759a
- https://git.kernel.org/stable/c/a842e443ca8184f2dc82ab307b43a8b38defd6a5
- https://git.kernel.org/stable/c/ad0d76b8ee5db063791cc2e7a30ffc9852ac37c4
- https://git.kernel.org/stable/c/c1944b4253649fc6f2fb53e7d6302eb414d2182c
- https://git.kernel.org/stable/c/e3f2de32dae35bc7d173377dc97b5bc9fcd9fc84
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50189
In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: Switch to device-managed dmam_alloc_coherent() Using the device-managed version allows to simplify clean-up in probe() error path. Additionally, this device-managed ensures proper cleanup, which helps to resolve memory errors, page faults, btrfs going read-only, and btrfs disk corruption.
- https://git.kernel.org/stable/c/1c3b4c90479aa0375ec98fe1a802993ff96a5f47
- https://git.kernel.org/stable/c/4cd9c5a0fcadc39a05c978a01e15e0d1edc4be93
- https://git.kernel.org/stable/c/8c6ad37e5882073cab84901a31da9cb22f316276
- https://git.kernel.org/stable/c/9dfee956f53eea96d93ef1e13ab4ce020f4c58b3
- https://git.kernel.org/stable/c/c56f9ecb7fb6a3a90079c19eb4c8daf3bbf514b3
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2026-01-05
CVE-2024-50191
In the Linux kernel, the following vulnerability has been resolved: ext4: don't set SB_RDONLY after filesystem errors When the filesystem is mounted with errors=remount-ro, we were setting SB_RDONLY flag to stop all filesystem modifications. We knew this misses proper locking (sb->s_umount) and does not go through proper filesystem remount procedure but it has been the way this worked since early ext2 days and it was good enough for catastrophic situation damage mitigation. Recently, syzbot has found a way (see link) to trigger warnings in filesystem freezing because the code got confused by SB_RDONLY changing under its hands. Since these days we set EXT4_FLAGS_SHUTDOWN on the superblock which is enough to stop all filesystem modifications, modifying SB_RDONLY shouldn't be needed. So stop doing that.
Modified: 2025-11-03
CVE-2024-53144
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE This aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4 ("Bluetooth: Always request for user confirmation for Just Works") always request user confirmation with confirm_hint set since the likes of bluetoothd have dedicated policy around JUST_WORKS method (e.g. main.conf:JustWorksRepairing). CVE: CVE-2024-8805
- https://git.kernel.org/stable/c/22b49d6e4f399a390c70f3034f5fbacbb9413858
- https://git.kernel.org/stable/c/5291ff856d2c5177b4fe9c18828312be30213193
- https://git.kernel.org/stable/c/830c03e58beb70b99349760f822e505ecb4eeb7e
- https://git.kernel.org/stable/c/ad7adfb95f64a761e4784381e47bee1a362eb30d
- https://git.kernel.org/stable/c/b25e11f978b63cb7857890edb3a698599cddb10e
- https://git.kernel.org/stable/c/baaa50c6f91ea5a9c7503af51f2bc50e6568b66b
- https://git.kernel.org/stable/c/d17c631ba04e960eb6f8728b10d585de20ac4f71
- https://www.zerodayinitiative.com/advisories/ZDI-24-1229/
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
Closed bugs
Добавьте пожалуйста сборку sign-file
Package kernel-image-std-def updated to version 5.10.227-alt1 for branch p10 in task 360075.
Closed vulnerabilities
Modified: 2025-08-19
BDU:2024-03703
Уязвимость функции inet_frag_reasm_prepare() в модуле net/ipv4/inet_fragment.c реализации протокола IPv4 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-05-06
BDU:2024-08236
Уязвимость функции gue_gro_receive() реализации протокола IPv4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2024-08308
Уязвимость функции ftrace_location() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-03-04
BDU:2024-08323
Уязвимость функции ocfs2_xattr_find_entry() файловой системы ocfs2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2024-08977
Уязвимость функции switchtec_ntb_remove() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2024-08978
Уязвимость функции venus_remove() драйвера Qualcomm Venus V4L2 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2024-08982
Уязвимость функции nilfs_btree_check_delete() файловой системы nilfs2 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2024-08983
Уязвимость функции nf_reject_ip6_tcphdr_put() компонента netfilter ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2024-08989
Уязвимость функции rtl2830_pid_filter() драйвера Realtek RTL2830 DVB-T ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2024-08990
Уязвимость функции rtl2832_pid_filter() драйвера Realtek RTL2830 DVB-T ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2024-08997
Уязвимость функции ether3_remove() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-05-06
BDU:2024-08999
Уязвимость функции tx() драйвера ATA over Ethernet (AoE) ядра операционной системы Linux, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2024-09003
Уязвимость функции pxafb_remove() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-03-12
BDU:2024-09004
Уязвимость функции xenvif_flush_hash() ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-05-06
BDU:2024-09006
Уязвимость функции ext4_ext_replay_update_ex() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2024-09788
Уязвимость функции ext4_ext_try_to_merge_up() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2024-09789
Уязвимость функции ext4_ext_insert_extent() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-03-12
BDU:2024-09790
Уязвимость функции ext4_split_extent_at() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-01-20
BDU:2024-09791
Уязвимость функции ext4_ext_handle_unwritten_extents() файловой системы ext4 ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2024-09795
Уязвимость функции jfs_ioc_trim() файловой системы jfs ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2025-00170
Уязвимость функции sisfb_search_mode() в модуле drivers/video/fbdev/sis/sis_main.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-00948
Уязвимость компонента drivers/infiniband/core/iwcm.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-01-20
BDU:2025-03038
Уязвимость функции struct buffer_head *ext4_find_inline_entry() модуля fs/ext4/inline.c ядра операционной системы Linux позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-06-09
BDU:2025-03039
Уязвимость функции rtw_wait_firmware_completion() модуля drivers/net/wireless/realtek/rtw88/main.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-04-29
BDU:2025-03087
Уязвимость функции usbtv_video_free() модуля drivers/media/usb/usbtv/usbtv-video.c драйвера USB ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03107
Уязвимость функции dbMount() модуля fs/jfs/jfs_dmap.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании.
Modified: 2026-01-20
BDU:2025-03109
Уязвимость функции _request_firmware() модуля drivers/base/firmware_loader/main.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2026-01-20
BDU:2025-03110
Уязвимость функции vhost_vdpa_vring_ioctl() модуля drivers/vhost/vdpa.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-03111
Уязвимость функций calculate_ttu_cursor(), calculate_ttu_cursor() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03112
Уязвимость функции init_overdrive_limits() в модуле drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03113
Уязвимость функций get_ext_path(), ext4_find_extent() и ext4_split_extent_at() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03114
Уязвимость функции acpi_device_setup_files() модуля drivers/acpi/device_sysfs.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2025-03115
Уязвимость функции cm_helper_translate_curve_to_degamma_hw_format() модуля drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-03116
Уязвимость функции btrfs_update_reloc_root() (fs/btrfs/relocation.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03117
Уязвимость функции efi_retrieve_tpm2_eventlog() (drivers/firmware/efi/libstub/tpm.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03118
Уязвимость функции cm3_helper_translate_curve_to_degamma_hw_format() модуля drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2025-03120
Уязвимость функции ea_get() модуля fs/jfs/xattr.c ядра операционной системы Linux, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации.
Modified: 2025-10-24
BDU:2025-03121
Уязвимость функции dc_allow_idle_optimizations() модуля drivers/gpu/drm/amd/display/dc/core/dc.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03125
Уязвимость функции EXPORT_SYMBOL_GPL() (kernel/resource.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03126
Уязвимость функции close_ctree() (fs/btrfs/disk-io.c) ядра операционной системы Linux, позволяющая нарушителю повысить свои привилегии
Modified: 2025-06-09
BDU:2025-03128
Уязвимость функции vhost_scsi_get_req() (drivers/vhost/scsi.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03132
Уязвимость функций tpm2_flush_space(), tpm_dev_transmit() драйвера Trusted Platform Module (TPM) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03133
Уязвимость функции commit_planes_for_stream() модуля drivers/gpu/drm/amd/display/dc/core/dc.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03144
Уязвимость функций dbAdjTree() и dbFindLeaf() модуля fs/jfs/jfs_dmap.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03145
Уязвимость функции are_stream_backends_same() модуля drivers/gpu/drm/amd/display/dc/core/dc_resource.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03148
Уязвимость функции ocfs2_set_buffer_uptodate() кластерной файловой системы OCFS2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03149
Уязвимость демона nfsd модуля fs/nfsd/vfs.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03151
Уязвимость функций omapdrm_init() и omap_gem_deinit() драйвера DRM (drivers/gpu/drm/omapdrm/omap_drv.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03277
Уязвимость компонентов RDMA/cxgb4 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03282
Уязвимость функции rxe_comp_queue_pkt() модуля drivers/infiniband/sw/rxe/rxe_comp.c - драйвера поддержки InfiniBand ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на целостность защищаемой информации или вызвать отказ в обслуживании.
Modified: 2025-10-29
BDU:2025-03285
Уязвимость функции __cld_pipe_inprogress_downcall() модуля fs/nfsd/nfs4recover.c поддержки сетевой файловой системы NFS ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании.
Modified: 2025-10-29
BDU:2025-03289
Уязвимость компонентов block, bfq ядра операционной системы Linux, позволяющая нарушителю повысить привилегии в системе
Modified: 2025-06-09
BDU:2025-03290
Уязвимость компонента block ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03293
Уязвимость компонента WiFi ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03295
Уязвимость компонента sock_map ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03297
Уязвимость компонента tcp ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03356
Уязвимость компонентов nouveau/dmem ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-03359
Уязвимость компонентов RDMA/mad ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03385
Уязвимость компонента PCI ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03386
Уязвимость компонента f2fs ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03395
Уязвимость компонента nfsd ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03396
Уязвимость компонента padata ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03416
Уязвимость компонента nilfs2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03418
Уязвимость компонента can ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03419
Уязвимость компонента WiFi ядра операционной системы Linux, позволяющая нарушителю повысить привилегии в системе
Modified: 2025-06-09
BDU:2025-03426
Уязвимость компонентов RDMA/hns ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03488
Уязвимость компонента ceph ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-03490
Уязвимость компонента virtio_pmem ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-03492
Уязвимость компонента net ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04480
Уязвимость компонента netfilter ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-04482
Уязвимость компонентов drm/amd/display ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04484
Уязвимость компонента Bluetooth ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-06-09
BDU:2025-04510
Уязвимость компонента NFSv4 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04511
Уязвимость компонента uprobes ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04513
Уязвимость компонента r8169 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-04550
Уязвимость функции ath11k_dp_process_rx() модуля drivers/net/wireless/ath/ath11k/dp_rx.c - драйвера поддержки адаптеров беспроводной связи Atheros/Qualcomm ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-24
BDU:2025-04552
Уязвимость функции cm3_helper_translate_curve_to_hw_format() компонента AMD Display драйвера /drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2025-04687
Уязвимость функции slhc_remember() драйвера /drivers/net/slip/slhc.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2026-01-20
BDU:2025-04688
Уязвимость функции ppp_async_encode() модуля drivers/net/ppp/ppp_async.c ядра операционной системы Linux, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации или вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04700
Уязвимость функции battery_hook_unregister() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04701
Уязвимость функции ocfs2_reflink_xattr_inline() кластерной файловой системы ocfs2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04703
Уязвимость функции qdisc_pkt_len_init() модуля net/core/dev.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04705
Уязвимость функции __skb_set_length() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-04990
Уязвимость функции ocfs2_global_read_info() модуля /fs/ocfs2/quota_local.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации.
Modified: 2025-10-29
BDU:2025-05118
Уязвимость компонента ACPICA ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05126
Уязвимость компонента mailbox ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05127
Уязвимость компонента ocfs2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05135
Уязвимость функции spin_lock() компонента vfs ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-02-09
BDU:2025-05136
Уязвимость функции __jbd2_log_wait_for_space() модуля fs/jbd2/checkpoint.c поддержки файловой системы ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05137
Уязвимость функции ocfs2_journal_shutdown() компонента ocfs2 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05138
Уязвимость функции qdisc_pkt_len_init() компонента net ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-05139
Уязвимость функции ioc_forgive_debts() компонента blk_iocost ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05184
Уязвимость функции sctp_listen_start() компонента sctp ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-05185
Уязвимость функций nf_dup_ipv4() и nf_dup_ipv6() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-06998
Уязвимость функции HPIMSGX__init() в модуле sound/pci/asihpi/hpimsgx.c компонента asihpi модуля /sound/pci/asihpi/hpimsgx.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-06999
Уязвимость функции skb_put_padto() компонента Ethernet Frame Handler драйвера /drivers/net/ethernet/lantiq_etop.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Modified: 2025-10-29
BDU:2025-07938
Уязвимость компонента net/sched ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07976
Уязвимость ядра операционной системы Linux, связанная с чрезмерным итерированием, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07978
Уязвимость функции exfat_load_bitmap() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-07982
Уязвимость функции mwifiex_cmd_802_11_scan_ext() компонента drivers/net/wireless/marvell/mwifiex/scan.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-07983
Уязвимость функции ext4_ind_migrate() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-24
BDU:2025-07985
Уязвимость компонента net/mlx5 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-07987
Уязвимость ядра операционной системы Linux, связанная с недостаточной блокировкой, позволяющая нарушителю вызвать отказ в обслуживании(DoS)
Modified: 2026-03-19
BDU:2025-07990
Уязвимость ядра операционной системы Linux, связанная с отсутствием проверки деления на ноль, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-02-17
BDU:2025-08082
Уязвимость компонента l2cap_sock.c ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-08523
Уязвимость ядра операционной системы Linux, связанная с ошибками при освобождении ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-29
BDU:2025-08536
Уязвимость ядра операционной системы Linux, связанная с ошибками при освобождении ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-11-03
CVE-2024-26921
In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.
- https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272
- https://git.kernel.org/stable/c/1b6de5e6575b56502665c65cf93b0ae6aa0f51ab
- https://git.kernel.org/stable/c/4318608dc28ef184158b4045896740716bea23f0
- https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325
- https://git.kernel.org/stable/c/9705f447bf9a6cd088300ad2c407b5e1c6591091
- https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981
- https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727
- https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272
- https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325
- https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981
- https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-27072
In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Remove useless locks in usbtv_video_free() Remove locks calls in usbtv_video_free() because are useless and may led to a deadlock as reported here: https://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000 Also remove usbtv_stop() call since it will be called when unregistering the device. Before 'c838530d230b' this issue would only be noticed if you disconnect while streaming and now it is noticeable even when disconnecting while not streaming. [hverkuil: fix minor spelling mistake in log message]
- https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2
- https://git.kernel.org/stable/c/4ec4641df57cbdfdc51bb4959afcdbcf5003ddb9
- https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895
- https://git.kernel.org/stable/c/bdd82c47b22a8befd617b723098b2a41b77373c7
- https://git.kernel.org/stable/c/d5ed208d04acf06781d63d30f9fa991e8d609ebd
- https://git.kernel.org/stable/c/dea46e246ef0f98d89d59a4229157cd9ffb636bf
- https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2
- https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-35965
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix not validating setsockopt user input Check user input length before copying data.
- https://git.kernel.org/stable/c/28234f8ab69c522ba447f3e041bbfbb284c5959a
- https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846
- https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9
- https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607
- https://git.kernel.org/stable/c/f13b04cf65a86507ff15a9bbf37969d25be3e2a0
- https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846
- https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9
- https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-38544
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the resp_pkts queue and then a decision is made whether to run the completer task inline or schedule it. Finally the skb is dereferenced to bump a 'hw' performance counter. This is wrong because if the completer task is already running in a separate thread it may have already processed the skb and freed it which can cause a seg fault. This has been observed infrequently in testing at high scale. This patch fixes this by changing the order of enqueuing the packet until after the counter is accessed.
- https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794
- https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6
- https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb
- https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc
- https://git.kernel.org/stable/c/c91fb72a2ca6480d8d77262eef52dc5b178463a3
- https://git.kernel.org/stable/c/de5a059e36657442b5637cc16df5163e435b9cb4
- https://git.kernel.org/stable/c/e0e14dd35d4242340c7346aac60c7ff8fbf87ffc
- https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19
- https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794
- https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6
- https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb
- https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc
- https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-12-23
CVE-2024-38588
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix possible use-after-free issue in ftrace_location()
KASAN reports a bug:
BUG: KASAN: use-after-free in ftrace_location+0x90/0x120
Read of size 8 at addr ffff888141d40010 by task insmod/424
CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+
[...]
Call Trace:
- https://git.kernel.org/stable/c/1880a324af1c95940a7c954b6b937e86844a33bd
- https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b
- https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6
- https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461
- https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831
- https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada
- https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d
- https://git.kernel.org/stable/c/eea46baf145150910ba134f75a67106ba2222c1b
- https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b
- https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6
- https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461
- https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831
- https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada
- https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-41016
In the Linux kernel, the following vulnerability has been resolved: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() xattr in ocfs2 maybe 'non-indexed', which saved with additional space requested. It's better to check if the memory is out of bound before memcmp, although this possibility mainly comes from crafted poisonous images.
- https://git.kernel.org/stable/c/57a3d89831fcaa2cdbe024b47c7c36d5a56c3637
- https://git.kernel.org/stable/c/af77c4fc1871847b528d58b7fdafb4aa1f6a9262
- https://git.kernel.org/stable/c/c031d286eceb82f72f8623b7f4abd2aa491bfb5e
- https://git.kernel.org/stable/c/c726dea9d0c806d64c26fcef483b1fb9474d8c5e
- https://git.kernel.org/stable/c/cfb926051fab19b10d1e65976211f364aa820180
- https://git.kernel.org/stable/c/e2b3d7a9d019d4d1a0da6c3ea64a1ff79c99c090
- https://git.kernel.org/stable/c/e4ffea01adf3323c821b6f37e9577d2d400adbaa
- https://git.kernel.org/stable/c/e8f9c4af7af7e9e4cd09c0251c7936593147419f
- https://git.kernel.org/stable/c/af77c4fc1871847b528d58b7fdafb4aa1f6a9262
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-46865
In the Linux kernel, the following vulnerability has been resolved: fou: fix initialization of grc The grc must be initialize first. There can be a condition where if fou is NULL, goto out will be executed and grc would be used uninitialized.
- https://git.kernel.org/stable/c/16ff0895283058b0f96d4fe277aa25ee096f0ea8
- https://git.kernel.org/stable/c/392f6a97fcbecc64f0c00058b2db5bb0e4b8cc3e
- https://git.kernel.org/stable/c/4c8002277167125078e6b9b90137bdf443ebaa08
- https://git.kernel.org/stable/c/5d537b8d900514509622ce92330b70d2e581d409
- https://git.kernel.org/stable/c/7ae890ee19479eeeb87724cca8430b5cb3660c74
- https://git.kernel.org/stable/c/aca06c617c83295f0caa486ad608fbef7bdc11e8
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47679
In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between evice_inodes() and find_inode()&iput() Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict() Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput(). To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced. If there is any misunderstanding, please let me know, thanks. [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.
- https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb
- https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1
- https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b
- https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195
- https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5
- https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1
- https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11
- https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef
- https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47684
In the Linux kernel, the following vulnerability has been resolved: tcp: check skb is non-NULL in tcp_rto_delta_us() We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic kernel that are running ceph and recently hit a null ptr dereference in tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also saw it getting hit from the RACK case as well. Here are examples of the oops messages we saw in each of those cases: Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020 Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0 Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246 Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8 Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900 Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000 Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0 Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554 Jul 26 15:05:02 rx [11061395.916786] Call Trace: Jul 26 15:05:02 rx [11061395.919488] Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9 Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380 Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50 Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0 Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20 Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450 Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140 Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90 Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0 Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40 Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220 Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240 Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0 Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240 Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130 Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280 Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10 Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30 Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_even ---truncated---
- https://git.kernel.org/stable/c/09aea49fbc7e755a915c405644f347137cdb62b0
- https://git.kernel.org/stable/c/16e0387d87fc858e34449fdf2b14ed5837f761db
- https://git.kernel.org/stable/c/570f7d8c9bf14f041152ba8353d4330ef7575915
- https://git.kernel.org/stable/c/5c4c03288a4aea705e36aa44119c13d7ee4dce99
- https://git.kernel.org/stable/c/81d18c152e3f82bacadf83bc0a471b2363b9cc18
- https://git.kernel.org/stable/c/96c4983eab2a5da235f7fff90beaf17b008ba029
- https://git.kernel.org/stable/c/ad4f0a14d6856e68f023fc4e5017cfd881a3dfbc
- https://git.kernel.org/stable/c/c8770db2d54437a5f49417ae7b46f7de23d14db6
- https://git.kernel.org/stable/c/ec31cf42fc4e35bb1248ce6eb1de6de9f851ac86
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-18
CVE-2024-47685
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1) Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put() BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 process_backlog+0x4ad/0xa50 net/core/dev.c:6108 __napi_poll+0xe7/0x980 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 __do_softirq+0x14/0x1a kernel/softirq.c:588 do_softirq+0x9a/0x100 kernel/softirq.c:455 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline] __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450 dev_queue_xmit include/linux/netdevice.h:3105 [inline] neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366 inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143 tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333 __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679 inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750 __sys_connect_file net/socket.c:2061 [inline] __sys_connect+0x606/0x690 net/socket.c:2078 __do_sys_connect net/socket.c:2088 [inline] __se_sys_connect net/socket.c:2085 [inline] __x64_sys_connect+0x91/0xe0 net/socket.c:2085 x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core ---truncated---
- https://git.kernel.org/stable/c/10210658f827ad45061581cbfc05924b723e8922
- https://git.kernel.org/stable/c/7a7b5a27c53b55e91eecf646d1b204e73fa4af93
- https://git.kernel.org/stable/c/7bcbc4cda777d26c88500d973fad0d497fc8a82e
- https://git.kernel.org/stable/c/7ea2bcfd9bf4c3dbbf22546162226fd1c14d8ad2
- https://git.kernel.org/stable/c/872eca64c3267dbc5836b715716fc6c03a18eda7
- https://git.kernel.org/stable/c/9c778fe48d20ef362047e3376dee56d77f8500d4
- https://git.kernel.org/stable/c/af4b8a704f26f38310655bad67fd8096293275a2
- https://git.kernel.org/stable/c/dcf48ab3ca2c55b09c8f9c8de0df01c1943bc4e5
- https://git.kernel.org/stable/c/fbff87d682e57ddbbe82abf6d0a1a4a36a98afcd
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47692
In the Linux kernel, the following vulnerability has been resolved: nfsd: return -EINVAL when namelen is 0 When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may result in namelen being 0, which will cause memdup_user() to return ZERO_SIZE_PTR. When we access the name.data that has been assigned the value of ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is triggered. [ T1205] ================================================================== [ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260 [ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205 [ T1205] [ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406 [ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ T1205] Call Trace: [ T1205] dump_stack+0x9a/0xd0 [ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 [ T1205] __kasan_report.cold+0x34/0x84 [ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 [ T1205] kasan_report+0x3a/0x50 [ T1205] nfs4_client_to_reclaim+0xe9/0x260 [ T1205] ? nfsd4_release_lockowner+0x410/0x410 [ T1205] cld_pipe_downcall+0x5ca/0x760 [ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0 [ T1205] ? down_write_killable_nested+0x170/0x170 [ T1205] ? avc_policy_seqno+0x28/0x40 [ T1205] ? selinux_file_permission+0x1b4/0x1e0 [ T1205] rpc_pipe_write+0x84/0xb0 [ T1205] vfs_write+0x143/0x520 [ T1205] ksys_write+0xc9/0x170 [ T1205] ? __ia32_sys_read+0x50/0x50 [ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110 [ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110 [ T1205] do_syscall_64+0x33/0x40 [ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ T1205] RIP: 0033:0x7fdbdb761bc7 [ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514 [ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7 [ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008 [ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001 [ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b [ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000 [ T1205] ================================================================== Fix it by checking namelen.
- https://git.kernel.org/stable/c/0f1d007bbea38a61cf9c5392708dc70ae9d84a3d
- https://git.kernel.org/stable/c/1ff8be8d008b9ddc8e7043fbddd37d5d451b271b
- https://git.kernel.org/stable/c/22451a16b7ab7debefce660672566be887db1637
- https://git.kernel.org/stable/c/318f70857caab3da9a6ada9bc8c1f4f7591b695e
- https://git.kernel.org/stable/c/6d07040ae5c2214e39c7444d898039c9e655a79a
- https://git.kernel.org/stable/c/766d5fbd78f7a52b3888449a0358760477b74602
- https://git.kernel.org/stable/c/84a563d136faf514fdad1ade28d7a142fd313cb8
- https://git.kernel.org/stable/c/b7b7a8df41ef18862dd6b22289fb46c2c12398af
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47696
In the Linux kernel, the following vulnerability has been resolved:
RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency
In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to
destroying CM IDs"), the function flush_workqueue is invoked to flush the
work queue iwcm_wq.
But at that time, the work queue iwcm_wq was created via the function
alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.
Because the current process is trying to flush the whole iwcm_wq, if
iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current
process is not reclaiming memory or running on a workqueue which doesn't
have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee
leading to a deadlock.
The call trace is as below:
[ 125.350876][ T1430] Call Trace:
[ 125.356281][ T1430]
- https://git.kernel.org/stable/c/29b3bbd912b8db86df7a3c180b910ccb621f5635
- https://git.kernel.org/stable/c/2efe8da2ddbf873385b4bc55366d09350b408df6
- https://git.kernel.org/stable/c/86dfdd8288907f03c18b7fb462e0e232c4f98d89
- https://git.kernel.org/stable/c/8b7df76356d098f85f3bd2c7cf6fb43f531893d7
- https://git.kernel.org/stable/c/a09dc967b3c58899e259c0aea092f421d22a0b04
- https://git.kernel.org/stable/c/a64f30db12bdc937c5108158d98c8eab1925c548
- https://git.kernel.org/stable/c/c8b18a75282cfd27822a8cc3c1f005c1ac8d1a58
- https://git.kernel.org/stable/c/da0392698c62397c19deb1b9e9bdf2fbb5a9420e
- https://git.kernel.org/stable/c/da2708a19f45b4a7278adf523837c8db21d1e2b5
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47697
In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Ensure index in rtl2830_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue.
- https://git.kernel.org/stable/c/042b101d7bf70616c4967c286ffa6fcca65babfb
- https://git.kernel.org/stable/c/3dba83d3c81de1368d15a39f22df7b53e306052f
- https://git.kernel.org/stable/c/46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14
- https://git.kernel.org/stable/c/58f31be7dfbc0c84a6497ad51924949cf64b86a2
- https://git.kernel.org/stable/c/7fd6aae7e53b94f4035b1bfce28b8dfa0d0ae470
- https://git.kernel.org/stable/c/86d920d2600c3a48efc2775c1666c1017eec6956
- https://git.kernel.org/stable/c/883f794c6e498ae24680aead55c16f66b06cfc30
- https://git.kernel.org/stable/c/8ffbe7d07b8e76193b151107878ddc1ccc94deb5
- https://git.kernel.org/stable/c/badbd736e6649c4e6d7b4ff7e2b9857acfa9ea94
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47698
In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Ensure index in rtl2832_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue. [hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
- https://git.kernel.org/stable/c/15bea004e939d938a6771dfcf2a26cc899ffd20a
- https://git.kernel.org/stable/c/49b33c38d202d3327dcfd058e27f541dcc308b92
- https://git.kernel.org/stable/c/527ab3eb3b0b4a6ee00e183c1de6a730239e2835
- https://git.kernel.org/stable/c/66dbe0df6eccc7ee53a2c35016ce81e13b3ff447
- https://git.kernel.org/stable/c/6ae3b9aee42616ee93c4585174f40c767828006d
- https://git.kernel.org/stable/c/7065c05c6d58b9b9a98127aa14e9a5ec68173918
- https://git.kernel.org/stable/c/8ae06f360cfaca2b88b98ca89144548b3186aab1
- https://git.kernel.org/stable/c/a879b6cdd48134a3d58949ea4f075c75fa2d7d71
- https://git.kernel.org/stable/c/bedd42e07988dbdd124b23e758ffef7a681b9c60
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47699
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() Patch series "nilfs2: fix potential issues with empty b-tree nodes". This series addresses three potential issues with empty b-tree nodes that can occur with corrupted filesystem images, including one recently discovered by syzbot. This patch (of 3): If a b-tree is broken on the device, and the b-tree height is greater than 2 (the level of the root node is greater than 1) even if the number of child nodes of the b-tree root is 0, a NULL pointer dereference occurs in nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert(). This is because, when the number of child nodes of the b-tree root is 0, nilfs_btree_do_lookup() does not set the block buffer head in any of path[x].bp_bh, leaving it as the initial value of NULL, but if the level of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(), which accesses the buffer memory of path[x].bp_bh, is called. Fix this issue by adding a check to nilfs_btree_root_broken(), which performs sanity checks when reading the root node from the device, to detect this inconsistency. Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause early on.
- https://git.kernel.org/stable/c/1d94dbdfbb64cc48d10dec65cc3c4fbf2497b343
- https://git.kernel.org/stable/c/21839b6fbc3c41b3e374ecbdb0cabbbb2c53cf34
- https://git.kernel.org/stable/c/24bf40740a3da6b4056721da34997ae6938f3da1
- https://git.kernel.org/stable/c/2b78e9df10fb7f4e9d3d7a18417dd72fbbc1dfd0
- https://git.kernel.org/stable/c/3644554d308ddf2669e459a1551a7edf60b2d62b
- https://git.kernel.org/stable/c/73d23ecf234b7a6d47fb883f2dabe10e3230b31d
- https://git.kernel.org/stable/c/9403001ad65ae4f4c5de368bdda3a0636b51d51a
- https://git.kernel.org/stable/c/db73500d3f0e558eb642aae1d4782e7726b4a03f
- https://git.kernel.org/stable/c/f68523e0f26faade18833fbef577a4295d8e2c94
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47701
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid OOB when system.data xattr changes underneath the filesystem
When looking up for an entry in an inlined directory, if e_value_offs is
changed underneath the filesystem by some change in the block device, it
will lead to an out-of-bounds access that KASAN detects as an UAF.
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
loop0: detected capacity change from 2048 to 2047
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103
CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
- https://git.kernel.org/stable/c/2a6579ef5f2576a940125729f7409cc182f1c8df
- https://git.kernel.org/stable/c/371d0bacecd529f887ea2547333d9173e7bcdc0a
- https://git.kernel.org/stable/c/5b076d37e8d99918e9294bd6b35a8bbb436819b0
- https://git.kernel.org/stable/c/7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba
- https://git.kernel.org/stable/c/8adf0eb4e361a9e060d54f4bd0ac9c5d85277d20
- https://git.kernel.org/stable/c/be2e9b111e2790962cc66a177869b4e9717b4e29
- https://git.kernel.org/stable/c/c6b72f5d82b1017bad80f9ebf502832fc321d796
- https://git.kernel.org/stable/c/ccb8c18076e2e630fea23fbec583cdad61787fc5
- https://git.kernel.org/stable/c/ea32883e4a03ed575a2eb7a66542022312bde477
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47705
In the Linux kernel, the following vulnerability has been resolved: block: fix potential invalid pointer dereference in blk_add_partition The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed without logging the error in this case. However, this change unintentionally left a path where md_autodetect_dev() could be called without confirming that part is a valid pointer. This commit separates the error handling logic by splitting the initial if-condition, improving code readability and handling specific error scenarios explicitly. The function now distinguishes the general error case from -ENXIO without altering the existing behavior of md_autodetect_dev() calls.
- https://git.kernel.org/stable/c/26e197b7f9240a4ac301dd0ad520c0c697c2ea7d
- https://git.kernel.org/stable/c/4bc4272e2506941c3f3d4fb8b0c659ee814dcf6f
- https://git.kernel.org/stable/c/64cf2a39202ca2d9df5ee70eb310b6141ce2b8ed
- https://git.kernel.org/stable/c/652039ba477c9a4ab43740cf2cb0d068d53508c2
- https://git.kernel.org/stable/c/80f5bfbb80ea1615290dbc24f49d3d8c86db58fe
- https://git.kernel.org/stable/c/afe53ea9b378c376101d99d216f13b6256f75189
- https://git.kernel.org/stable/c/cc4d21d9492db4e534d3e01253cf885c90dd2a8b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47706
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix possible UAF for bfqq->bic with merge chain
1) initial state, three tasks:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| Λ | Λ | Λ
| | | | | |
V | V | V |
bfqq1 bfqq2 bfqq3
process ref: 1 1 1
2) bfqq1 merged to bfqq2:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| | | Λ
\--------------\| | |
V V |
bfqq1--------->bfqq2 bfqq3
process ref: 0 2 1
3) bfqq2 merged to bfqq3:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
here -> Λ | |
\--------------\ \-------------\|
V V
bfqq1--------->bfqq2---------->bfqq3
process ref: 0 1 3
In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
get bfqq3 through merge chain, and finially handle IO by bfqq3.
Howerver, current code will think bfqq2 is owned by BIC1, like initial
state, and set bfqq2->bic to BIC1.
bfq_insert_request
-> by Process 1
bfqq = bfq_init_rq(rq)
bfqq = bfq_get_bfqq_handle_split
bfqq = bic_to_bfqq
-> get bfqq2 from BIC1
bfqq->ref++
rq->elv.priv[0] = bic
rq->elv.priv[1] = bfqq
if (bfqq_process_refs(bfqq) == 1)
bfqq->bic = bic
-> record BIC1 to bfqq2
__bfq_insert_request
new_bfqq = bfq_setup_cooperator
-> get bfqq3 from bfqq2->new_bfqq
bfqq_request_freed(bfqq)
new_bfqq->ref++
rq->elv.priv[1] = new_bfqq
-> handle IO by bfqq3
Fix the problem by checking bfqq is from merge chain fist. And this
might fix a following problem reported by our syzkaller(unreproducible):
==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:
- https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7
- https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048
- https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa
- https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5
- https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3
- https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587
- https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777
- https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0
- https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47709
In the Linux kernel, the following vulnerability has been resolved:
can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
syzbot reported a warning in bcm_release(). [0]
The blamed change fixed another warning that is triggered when
connect() is issued again for a socket whose connect()ed device has
been unregistered.
However, if the socket is just close()d without the 2nd connect(), the
remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
in bcm_release().
Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().
[0]
name '4986'
WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Modules linked in:
CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
- https://git.kernel.org/stable/c/5cc00913c1fdcab861c4e65fa20d1f1e1bbbf977
- https://git.kernel.org/stable/c/770b463264426cc3c167b1d44efa85f6a526ce5b
- https://git.kernel.org/stable/c/7a145d6ec2124bdb94bd6fc436b342ff6ddf2b70
- https://git.kernel.org/stable/c/94b0818fa63555a65f6ba107080659ea6bcca63e
- https://git.kernel.org/stable/c/9550baada4c8ef8cebefccc746384842820b4dff
- https://git.kernel.org/stable/c/a833da8eec20b51af39643faa7067b25c8b20f3e
- https://git.kernel.org/stable/c/b02ed2f01240b226570b4a19b5041d61f5125784
- https://git.kernel.org/stable/c/c3d941cc734e0c8dc486c062926d5249070af5e4
- https://git.kernel.org/stable/c/f5059fae5ed518fc56494ce5bdd4f5360de4b3bc
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47710
In the Linux kernel, the following vulnerability has been resolved: sock_map: Add a cond_resched() in sock_hash_free() Several syzbot soft lockup reports all have in common sock_hash_free() If a map with a large number of buckets is destroyed, we need to yield the cpu when needed.
- https://git.kernel.org/stable/c/04f62c012e0e4683e572b30baf6004ca0a3f6772
- https://git.kernel.org/stable/c/1a11a1a53255ddab8a903cdae01b9d3eb2c1a47b
- https://git.kernel.org/stable/c/80bd490ac0a3b662a489e17d8eedeb1e905a3d40
- https://git.kernel.org/stable/c/984648aac87a6a1c8fd61663bec3f7b61eafad5e
- https://git.kernel.org/stable/c/ae8c1b3e7353ad240b829eabac7ba2584b2c6bdc
- https://git.kernel.org/stable/c/b1339be951ad31947ae19bc25cb08769bf255100
- https://git.kernel.org/stable/c/bc05f6855642cff3c0eeb63060b35d8c4f8a851d
- https://git.kernel.org/stable/c/cd10abf41bae55c9d2b93f34a516dbf52626bcb7
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47712
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param In the `wilc_parse_join_bss_param` function, the TSF field of the `ies` structure is accessed after the RCU read-side critical section is unlocked. According to RCU usage rules, this is illegal. Reusing this pointer can lead to unpredictable behavior, including accessing memory that has been updated or causing use-after-free issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. To address this, the TSF value is now stored in a local variable `ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is then assigned using this local variable, ensuring that the TSF value is safely accessed.
- https://git.kernel.org/stable/c/2f944e6255c2fc1c9bd9ee32f6b14ee0b2a51eb5
- https://git.kernel.org/stable/c/557418e1704605a81c9e26732449f71b1d40ba1e
- https://git.kernel.org/stable/c/5a24cedc243ace5ed7c1016f52a7bfc8f5b07815
- https://git.kernel.org/stable/c/6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8
- https://git.kernel.org/stable/c/79510414a7626317f13cc9073244ab7a8deb3192
- https://git.kernel.org/stable/c/84398204c5df5aaf89453056cf0647cda9664d2b
- https://git.kernel.org/stable/c/b040b71d99ee5e17bb7a743dc01cbfcae8908ce1
- https://git.kernel.org/stable/c/bf090f4fe935294361eabd9dc5a949fdd77d3d1b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47713
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() Since '__dev_queue_xmit()' should be called with interrupts enabled, the following backtrace: ieee80211_do_stop() ... spin_lock_irqsave(&local->queue_stop_reason_lock, flags) ... ieee80211_free_txskb() ieee80211_report_used_skb() ieee80211_report_ack_skb() cfg80211_mgmt_tx_status_ext() nl80211_frame_tx_status() genlmsg_multicast_netns() genlmsg_multicast_netns_filtered() nlmsg_multicast_filtered() netlink_broadcast_filtered() do_one_broadcast() netlink_broadcast_deliver() __netlink_sendskb() netlink_deliver_tap() __netlink_deliver_tap_skb() dev_queue_xmit() __dev_queue_xmit() ; with IRQS disabled ... spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags) issues the warning (as reported by syzbot reproducer): WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120 Fix this by implementing a two-phase skb reclamation in 'ieee80211_do_stop()', where actual work is performed outside of a section with interrupts disabled.
- https://git.kernel.org/stable/c/04f75f5bae33349283d6886901d9acd2f110c024
- https://git.kernel.org/stable/c/058c9026ad79dc98572442fd4c7e9a36aba6f596
- https://git.kernel.org/stable/c/07eb0bd7b0a8abed9d45e0f567c9af1dc83e5268
- https://git.kernel.org/stable/c/9d301de12da6e1bb069a9835c38359b8e8135121
- https://git.kernel.org/stable/c/acb53a716e492a02479345157c43f21edc8bc64b
- https://git.kernel.org/stable/c/ad4b7068b101fbbb4a9ca4b99b25eb051a9482ec
- https://git.kernel.org/stable/c/db5ca4b42ccfa42d2af7b335ff12578e57775c02
- https://git.kernel.org/stable/c/eab272972cffff9cd973b8e4055a8e81c64f7e6a
- https://git.kernel.org/stable/c/f232916fab67ca1c3425926df4a866e59ff26908
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47718
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: always wait for both firmware loading attempts In 'rtw_wait_firmware_completion()', always wait for both (regular and wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually the wowlan one) is still in progress, causing UAF detected by KASAN.
- https://git.kernel.org/stable/c/0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d
- https://git.kernel.org/stable/c/1b8178a2ae272256ea0dc4f940320a81003535e2
- https://git.kernel.org/stable/c/7887ad11995a4142671cc49146db536f923c8568
- https://git.kernel.org/stable/c/9432185540bafd42b7bfac6e6ef2f0a0fb4be447
- https://git.kernel.org/stable/c/a0c1e2da652cf70825739bc12d49ea15805690bf
- https://git.kernel.org/stable/c/ceaab3fb64d6a5426a3db8f87f3e5757964f2532
- https://git.kernel.org/stable/c/e9a78d9417e167410d6fb83c4e908b077ad8ba6d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47723
In the Linux kernel, the following vulnerability has been resolved: jfs: fix out-of-bounds in dbNextAG() and diAlloc() In dbNextAG() , there is no check for the case where bmp->db_numag is greater or same than MAXAG due to a polluted image, which causes an out-of-bounds. Therefore, a bounds check should be added in dbMount(). And in dbNextAG(), a check for the case where agpref is greater than bmp->db_numag should be added, so an out-of-bounds exception should be prevented. Additionally, a check for the case where agno is greater or same than MAXAG should be added in diAlloc() to prevent out-of-bounds.
- https://git.kernel.org/stable/c/0338e66cba272351ca9d7d03f3628e390e70963b
- https://git.kernel.org/stable/c/128d5cfdcf844cb690c9295a3a1c1114c21fc15a
- https://git.kernel.org/stable/c/5ad6284c8d433f8a213111c5c44ead4d9705b622
- https://git.kernel.org/stable/c/6ce8b6ab44a8b5918c0ee373d4ad19d19017931b
- https://git.kernel.org/stable/c/96855f40e152989c9e7c20c4691ace5581098acc
- https://git.kernel.org/stable/c/c1ba4b8ca799ff1d99d01f37d7ccb7d5ba5533d2
- https://git.kernel.org/stable/c/d1017d2a0f3f16dc1db5120e7ddbe7c6680425b0
- https://git.kernel.org/stable/c/e63866a475562810500ea7f784099bfe341e761a
- https://git.kernel.org/stable/c/ead82533278502428883085a787d5a00f15e5eb9
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47735
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled Fix missuse of spin_lock_irq()/spin_unlock_irq() when spin_lock_irqsave()/spin_lock_irqrestore() was hold. This was discovered through the lock debugging, and the corresponding log is as follows: raw_local_irq_restore() called with IRQs enabled WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40 ... Call trace: warn_bogus_irq_restore+0x30/0x40 _raw_spin_unlock_irqrestore+0x84/0xc8 add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2] hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2] hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2] create_qp+0x138/0x258 ib_create_qp_kernel+0x50/0xe8 create_mad_qp+0xa8/0x128 ib_mad_port_open+0x218/0x448 ib_mad_init_device+0x70/0x1f8 add_client_context+0xfc/0x220 enable_device_and_get+0xd0/0x140 ib_register_device.part.0+0xf4/0x1c8 ib_register_device+0x34/0x50 hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2] hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2] __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2] hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]
- https://git.kernel.org/stable/c/07f0f643d7e570dbe8ef6f5c3367a43e3086a335
- https://git.kernel.org/stable/c/094a1821903f33fb91de4b71087773ee16aeb3a0
- https://git.kernel.org/stable/c/2656336a84fcb6802f6e6c233f4661891deea24f
- https://git.kernel.org/stable/c/29c0f546d3fd66238b42cf25bcd5f193bb1cf794
- https://git.kernel.org/stable/c/425589d4af09c49574bd71ac31f811362a5126c3
- https://git.kernel.org/stable/c/74d315b5af180220d561684d15897730135733a6
- https://git.kernel.org/stable/c/a1a3403bb1826c8ec787f0d60c3e7b54f419129e
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47737
In the Linux kernel, the following vulnerability has been resolved:
nfsd: call cache_put if xdr_reserve_space returns NULL
If not enough buffer space available, but idmap_lookup has triggered
lookup_fn which calls cache_get and returns successfully. Then we
missed to call cache_put here which pairs with cache_get.
Reviwed-by: Jeff Layton
- https://git.kernel.org/stable/c/3e8081ebff12bec1347deaceb6bce0765cce54df
- https://git.kernel.org/stable/c/81821617312988096f5deccf0f7da6f888e98056
- https://git.kernel.org/stable/c/8d0765f86135e27f0bb5c950c136495719b4c834
- https://git.kernel.org/stable/c/9803ab882d565a8fb2dde5999d98866d1c499dfd
- https://git.kernel.org/stable/c/9f03f0016ff797932551881c7e06ae50e9c39134
- https://git.kernel.org/stable/c/a1afbbb5276f943ad7173d0b4c626b8c75a260da
- https://git.kernel.org/stable/c/c6b16e700cf4d959af524bd9d3978407ff7ce462
- https://git.kernel.org/stable/c/d078cbf5c38de83bc31f83c47dcd2184c04a50c7
- https://git.kernel.org/stable/c/e32ee6a61041925d1a05c14d10352dcfce9ef029
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47739
In the Linux kernel, the following vulnerability has been resolved: padata: use integer wrap around to prevent deadlock on seq_nr overflow When submitting more than 2^32 padata objects to padata_do_serial, the current sorting implementation incorrectly sorts padata objects with overflowed seq_nr, causing them to be placed before existing objects in the reorder list. This leads to a deadlock in the serialization process as padata_find_next cannot match padata->seq_nr and pd->processed because the padata instance with overflowed seq_nr will be selected next. To fix this, we use an unsigned integer wrap around to correctly sort padata objects in scenarios with integer overflow.
- https://git.kernel.org/stable/c/1b8cf11b3ca593a8802a51802cd0c28c38501428
- https://git.kernel.org/stable/c/1bd712de96ad7167fe0d608e706cd60587579f16
- https://git.kernel.org/stable/c/46c4079460f4dcaf445860679558eedef4e1bc91
- https://git.kernel.org/stable/c/72164d5b648951684b1a593996b37a6083c61d7d
- https://git.kernel.org/stable/c/9a22b2812393d93d84358a760c347c21939029a6
- https://git.kernel.org/stable/c/9e279e6c1f012b82628b89e1b9c65dbefa8ca25a
- https://git.kernel.org/stable/c/ab205e1c3846326f162180e56825b4ba38ce9c30
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47740
In the Linux kernel, the following vulnerability has been resolved: f2fs: Require FMODE_WRITE for atomic write ioctls The F2FS ioctls for starting and committing atomic writes check for inode_owner_or_capable(), but this does not give LSMs like SELinux or Landlock an opportunity to deny the write access - if the caller's FSUID matches the inode's UID, inode_owner_or_capable() immediately returns true. There are scenarios where LSMs want to deny a process the ability to write particular files, even files that the FSUID of the process owns; but this can currently partially be bypassed using atomic write ioctls in two ways: - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can truncate an inode to size 0 - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert changes another process concurrently made to a file Fix it by requiring FMODE_WRITE for these operations, just like for F2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these ioctls when intending to write into the file, that seems unlikely to break anything.
- https://git.kernel.org/stable/c/000bab8753ae29a259feb339b99ee759795a48ac
- https://git.kernel.org/stable/c/32f348ecc149e9ca70a1c424ae8fa9b6919d2713
- https://git.kernel.org/stable/c/4583290898c13c2c2e5eb8773886d153c2c5121d
- https://git.kernel.org/stable/c/4ce87674c3a6b4d3b3d45f85b584ab8618a3cece
- https://git.kernel.org/stable/c/4f5a100f87f32cb65d4bb1ad282a08c92f6f591e
- https://git.kernel.org/stable/c/5e0de753bfe87768ebe6744d869caa92f35e5731
- https://git.kernel.org/stable/c/700f3a7c7fa5764c9f24bbf7c78e0b6e479fa653
- https://git.kernel.org/stable/c/88ff021e1fea2d9b40b2d5efd9013c89f7be04ac
- https://git.kernel.org/stable/c/f3bfac2cabf5333506b263bc0c8497c95302f32d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47742
In the Linux kernel, the following vulnerability has been resolved: firmware_loader: Block path traversal Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are: - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd() - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.) - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.) Fix it by rejecting any firmware names containing ".." path components. For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously.
- https://git.kernel.org/stable/c/28f1cd94d3f1092728fb775a0fe26c5f1ac2ebeb
- https://git.kernel.org/stable/c/3d2411f4edcb649eaf232160db459bb4770b5251
- https://git.kernel.org/stable/c/6c4e13fdfcab34811c3143a0a03c05fec4e870ec
- https://git.kernel.org/stable/c/7420c1bf7fc784e587b87329cc6dfa3dca537aa4
- https://git.kernel.org/stable/c/9b1ca33ebd05b3acef5b976c04e5e791af93ce1b
- https://git.kernel.org/stable/c/a77fc4acfd49fc6076e565445b2bc5fdc3244da4
- https://git.kernel.org/stable/c/c30558e6c5c9ad6c86459d9acce1520ceeab9ea6
- https://git.kernel.org/stable/c/d1768e5535d3ded59f888637016e6f821f4e069f
- https://git.kernel.org/stable/c/f0e5311aa8022107d63c54e2f03684ec097d1394
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47747
In the Linux kernel, the following vulnerability has been resolved: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ether3_ledoff ether3_remove | free_netdev(dev); | put_devic | kfree(dev); | | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); | // use dev Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove.
- https://git.kernel.org/stable/c/1c57d61a43293252ad732007c7070fdb112545fd
- https://git.kernel.org/stable/c/25d559ed2beec9b34045886100dac46d1ad92eba
- https://git.kernel.org/stable/c/338a0582b28e69460df03af50e938b86b4206353
- https://git.kernel.org/stable/c/516dbc6d16637430808c39568cbb6b841d32b55b
- https://git.kernel.org/stable/c/77a77331cef0a219b8dd91361435eeef04cb741c
- https://git.kernel.org/stable/c/822c7bb1f6f8b0331e8d1927151faf8db3b33afd
- https://git.kernel.org/stable/c/b5109b60ee4fcb2f2bb24f589575e10cc5283ad4
- https://git.kernel.org/stable/c/b5a84b6c772564c8359a9a0fbaeb2a2944aa1ee9
- https://git.kernel.org/stable/c/d2abc379071881798d20e2ac1d332ad855ae22f3
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-47748
In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: assign irq bypass producer token correctly We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status(). Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set.
- https://git.kernel.org/stable/c/02e9e9366fefe461719da5d173385b6685f70319
- https://git.kernel.org/stable/c/0c170b1e918b9afac25e2bbd01eaa2bfc0ece8c0
- https://git.kernel.org/stable/c/7cf2fb51175cafe01df8c43fa15a06194a59c6e2
- https://git.kernel.org/stable/c/927a2580208e0f9b0b47b08f1c802b7233a7ba3c
- https://git.kernel.org/stable/c/ca64edd7ae93402af2596a952e0d94d545e2b9c0
- https://git.kernel.org/stable/c/ec5f1b54ceb23475049ada6e7a43452cf4df88d1
- https://git.kernel.org/stable/c/fae9b1776f53aab93ab345bdbf653b991aed717d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47749
In the Linux kernel, the following vulnerability has been resolved: RDMA/cxgb4: Added NULL check for lookup_atid The lookup_atid() function can return NULL if the ATID is invalid or does not exist in the identifier table, which could lead to dereferencing a null pointer without a check in the `act_establish()` and `act_open_rpl()` functions. Add a NULL check to prevent null pointer dereferencing. Found by Linux Verification Center (linuxtesting.org) with SVACE.
- https://git.kernel.org/stable/c/0d50ae281a1712b9b2ca72830a96b8f11882358d
- https://git.kernel.org/stable/c/39cb9f39913566ec5865581135f3e8123ad1aee1
- https://git.kernel.org/stable/c/4e1fe68d695af367506ea3c794c5969630f21697
- https://git.kernel.org/stable/c/54aaa3ed40972511e423b604324b881425b9ff1e
- https://git.kernel.org/stable/c/b11318dc8a1ec565300bb1a9073095af817cc508
- https://git.kernel.org/stable/c/b12e25d91c7f97958341538c7dc63ee49d01548f
- https://git.kernel.org/stable/c/b9c94c8ba5a713817cffd74c4bacc05187469624
- https://git.kernel.org/stable/c/dd598ac57dcae796cb58551074660c39b43fb155
- https://git.kernel.org/stable/c/e766e6a92410ca269161de059fff0843b8ddd65f
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47756
In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Fix if-statement expression in ks_pcie_quirk() This code accidentally uses && where || was intended. It potentially results in a NULL dereference. Thus, fix the if-statement expression to use the correct condition. [kwilczynski: commit log]
- https://git.kernel.org/stable/c/2171c5cb2fbc3e03af7e8116cd58736c09328655
- https://git.kernel.org/stable/c/23838bef2adb714ec37b2d6141dccf4a3a70bdef
- https://git.kernel.org/stable/c/6188a1c762eb9bbd444f47696eda77a5eae6207a
- https://git.kernel.org/stable/c/72210e52e19a27f615e0b5273d2bf012d0dc318d
- https://git.kernel.org/stable/c/9c9afc3e75069fcfb067727973242cfbf00dd7eb
- https://git.kernel.org/stable/c/c289903b7a216df5ea6e1850ddf1b958eea9921d
- https://git.kernel.org/stable/c/dc5aeba07395c8dfa29bb878c8ce4d5180427221
- https://git.kernel.org/stable/c/e85ab507882db165c10a858d7f685a0a38f0312e
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-47757
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential oob read in nilfs_btree_check_delete() The function nilfs_btree_check_delete(), which checks whether degeneration to direct mapping occurs before deleting a b-tree entry, causes memory access outside the block buffer when retrieving the maximum key if the root node has no entries. This does not usually happen because b-tree mappings with 0 child nodes are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen if the b-tree root node read from a device is configured that way, so fix this potential issue by adding a check for that case.
- https://git.kernel.org/stable/c/257f9e5185eb6de83377caea686c306e22e871f2
- https://git.kernel.org/stable/c/a33e967b681e088a125b979975c93e3453e686cd
- https://git.kernel.org/stable/c/a8abfda768b9f33630cfbc4af6c4214f1e5681b0
- https://git.kernel.org/stable/c/c4cbcc64bb31e67e02940ce060cc77f7180564cf
- https://git.kernel.org/stable/c/c4f8554996e8ada3be872dfb8f60e93bcf15fb27
- https://git.kernel.org/stable/c/d20674f31626e0596ae4c1d9401dfb6739b81b58
- https://git.kernel.org/stable/c/ed76d381dae125b81d09934e365391a656249da8
- https://git.kernel.org/stable/c/f3a9859767c7aea758976f5523903d247e585129
- https://git.kernel.org/stable/c/f9c96351aa6718b42a9f42eaf7adce0356bdb5e8
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49851
In the Linux kernel, the following vulnerability has been resolved: tpm: Clean up TPM space after command failure tpm_dev_transmit prepares the TPM space before attempting command transmission. However if the command fails no rollback of this preparation is done. This can result in transient handles being leaked if the device is subsequently closed with no further commands performed. Fix this by flushing the space in the event of command transmission failure.
- https://git.kernel.org/stable/c/2c9b228938e9266a1065a3f4fe5c99b7235dc439
- https://git.kernel.org/stable/c/3f9f72d843c92fb6f4ff7460d774413cde7f254c
- https://git.kernel.org/stable/c/82478cb8a23bd4f97935bbe60d64528c6d9918b4
- https://git.kernel.org/stable/c/87e8134c18977b566f4ec248c8a147244da69402
- https://git.kernel.org/stable/c/adf4ce162561222338cf2c9a2caa294527f7f721
- https://git.kernel.org/stable/c/c84ceb546f30432fccea4891163f7050f5bee5dd
- https://git.kernel.org/stable/c/e3aaebcbb7c6b403416f442d1de70d437ce313a7
- https://git.kernel.org/stable/c/ebc4e1f4492d114f9693950621b3ea42b2f82bec
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49858
In the Linux kernel, the following vulnerability has been resolved: efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption The TPM event log table is a Linux specific construct, where the data produced by the GetEventLog() boot service is cached in memory, and passed on to the OS using an EFI configuration table. The use of EFI_LOADER_DATA here results in the region being left unreserved in the E820 memory map constructed by the EFI stub, and this is the memory description that is passed on to the incoming kernel by kexec, which is therefore unaware that the region should be reserved. Even though the utility of the TPM2 event log after a kexec is questionable, any corruption might send the parsing code off into the weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY instead, which is always treated as reserved by the E820 conversion logic.
- https://git.kernel.org/stable/c/11690d7e76842f29b60fbb5b35bc97d206ea0e83
- https://git.kernel.org/stable/c/19fd2f2c5fb36b61506d3208474bfd8fdf1cada3
- https://git.kernel.org/stable/c/2e6871a632a99d9b9e2ce3a7847acabe99e5a26e
- https://git.kernel.org/stable/c/38d9b07d99b789efb6d8dda21f1aaad636c38993
- https://git.kernel.org/stable/c/5b22c038fb2757c652642933de5664da471f8cb7
- https://git.kernel.org/stable/c/77d48d39e99170b528e4f2e9fc5d1d64cdedd386
- https://git.kernel.org/stable/c/f76b69ab9cf04358266e3cea5748c0c2791fbb08
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49860
In the Linux kernel, the following vulnerability has been resolved: ACPI: sysfs: validate return type of _STR method Only buffer objects are valid return values of _STR. If something else is returned description_show() will access invalid memory.
- https://git.kernel.org/stable/c/0cdfb9178a3bba843c95c2117c82c15f1a64b9ce
- https://git.kernel.org/stable/c/2364b6af90c6b6d8a4783e0d3481ca80af699554
- https://git.kernel.org/stable/c/4b081991c4363e072e1748efed0bbec8a77daba5
- https://git.kernel.org/stable/c/4bb1e7d027413835b086aed35bc3f0713bc0f72b
- https://git.kernel.org/stable/c/5c8d007c14aefc3f2ddf71e4c40713733dc827be
- https://git.kernel.org/stable/c/92fd5209fc014405f63a7db79802ca4b01dc0c05
- https://git.kernel.org/stable/c/f0921ecd4ddc14646bb5511f49db4d7d3b0829f0
- https://git.kernel.org/stable/c/f51e5a88f2e7224858b261546cf6b3037dfb1323
- https://git.kernel.org/stable/c/f51f711d36e61fbb87c67b524fd200e05172668d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49863
In the Linux kernel, the following vulnerability has been resolved:
vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()
Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code
from control queue handler") a null pointer dereference bug can be
triggered when guest sends an SCSI AN request.
In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with
`&v_req.tmf.lun[1]` within a switch-case block and is then passed to
vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for
a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is
set to NULL in this branch. Later, in vhost_scsi_get_req(),
`vc->target` is dereferenced without being checked, leading to a null
pointer dereference bug. This bug can be triggered from guest.
When this bug occurs, the vhost_worker process is killed while holding
`vq->mutex` and the corresponding tpg will remain occupied
indefinitely.
Below is the KASAN report:
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vhost_scsi_get_req+0x165/0x3a0
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00
48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6
04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00
RSP: 0018:ffff888017affb50 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8
RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000
FS: 000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0
Call Trace:
- https://git.kernel.org/stable/c/00fb5b23e1c9cdbe496f5cd6b40367cb895f6c93
- https://git.kernel.org/stable/c/221af82f606d928ccef19a16d35633c63026f1be
- https://git.kernel.org/stable/c/25613e6d9841a1f9fb985be90df921fa99f800de
- https://git.kernel.org/stable/c/46128370a72c431df733af5ebb065c4d48c9ad39
- https://git.kernel.org/stable/c/61517f33e76d2c5247c1e61e668693afe5b67e6f
- https://git.kernel.org/stable/c/6592347f06e2b19a624270a85ad4b3ae48c3b241
- https://git.kernel.org/stable/c/ace9c778a214da9c98d7b69d904d1b0816f4f681
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2026-01-05
CVE-2024-49867
In the Linux kernel, the following vulnerability has been resolved:
btrfs: wait for fixup workers before stopping cleaner kthread during umount
During unmount, at close_ctree(), we have the following steps in this order:
1) Park the cleaner kthread - this doesn't destroy the kthread, it basically
halts its execution (wake ups against it work but do nothing);
2) We stop the cleaner kthread - this results in freeing the respective
struct task_struct;
3) We call btrfs_stop_all_workers() which waits for any jobs running in all
the work queues and then free the work queues.
Syzbot reported a case where a fixup worker resulted in a crash when doing
a delayed iput on its inode while attempting to wake up the cleaner at
btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread
was already freed. This can happen during unmount because we don't wait
for any fixup workers still running before we call kthread_stop() against
the cleaner kthread, which stops and free all its resources.
Fix this by waiting for any fixup workers at close_ctree() before we call
kthread_stop() against the cleaner and run pending delayed iputs.
The stack traces reported by syzbot were the following:
BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-fixup btrfs_work_helper
Call Trace:
- https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576
- https://git.kernel.org/stable/c/4c98fe0dfa2ae83c4631699695506d8941db4bfe
- https://git.kernel.org/stable/c/65d11eb276836d49003a8060cf31fa2284ad1047
- https://git.kernel.org/stable/c/70b60c8d9b42763d6629e44f448aa5d8ae477d61
- https://git.kernel.org/stable/c/9da40aea63f8769f28afb91aea0fac4cf6fbbb65
- https://git.kernel.org/stable/c/a71349b692ab34ea197949e13e3cc42570fe73d9
- https://git.kernel.org/stable/c/bf0de0f9a0544c11f96f93206da04ab87dcea1f4
- https://git.kernel.org/stable/c/ed87190e9d9c80aad220fb6b0b03a84d22e2c95b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49868
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
[BUG]
Syzbot reported a NULL pointer dereference with the following crash:
FAULT_INJECTION: forcing a failure.
start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676
prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642
relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678
...
BTRFS info (device loop0): balance: ended with status: -12
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]
RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926
Call Trace:
- https://git.kernel.org/stable/c/1282f001cbf56e5dd6e90a18e205a566793f4be0
- https://git.kernel.org/stable/c/37fee9c220b92c3b7bf22b51c51dde5364e7590b
- https://git.kernel.org/stable/c/39356ec0e319ed07627b3a0f402d0608546509e6
- https://git.kernel.org/stable/c/7ad0c5868f2f0418619089513d95230c66cb7eb4
- https://git.kernel.org/stable/c/c3b47f49e83197e8dffd023ec568403bcdbb774b
- https://git.kernel.org/stable/c/d13249c0df7aab885acb149695f82c54c0822a70
- https://git.kernel.org/stable/c/d73d48acf36f57362df7e4f9d76568168bf5e944
- https://git.kernel.org/stable/c/dc02c1440705e3451abd1c2c8114a5c1bb188e9f
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49875
In the Linux kernel, the following vulnerability has been resolved: nfsd: map the EBADMSG to nfserr_io to avoid warning Ext4 will throw -EBADMSG through ext4_readdir when a checksum error occurs, resulting in the following WARNING. Fix it by mapping EBADMSG to nfserr_io. nfsd_buffered_readdir iterate_dir // -EBADMSG -74 ext4_readdir // .iterate_shared ext4_dx_readdir ext4_htree_fill_tree htree_dirblock_to_tree ext4_read_dirblock __ext4_read_dirblock ext4_dirblock_csum_verify warn_no_space_for_csum __warn_no_space_for_csum return ERR_PTR(-EFSBADCRC) // -EBADMSG -74 nfserrno // WARNING [ 161.115610] ------------[ cut here ]------------ [ 161.116465] nfsd: non-standard errno: -74 [ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0 [ 161.118596] Modules linked in: [ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138 [ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe mu.org 04/01/2014 [ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0 [ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33 [ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286 [ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a [ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827 [ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021 [ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8 [ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000 [ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0 [ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 161.141519] PKRU: 55555554 [ 161.142076] Call Trace: [ 161.142575] ? __warn+0x9b/0x140 [ 161.143229] ? nfserrno+0x9d/0xd0 [ 161.143872] ? report_bug+0x125/0x150 [ 161.144595] ? handle_bug+0x41/0x90 [ 161.145284] ? exc_invalid_op+0x14/0x70 [ 161.146009] ? asm_exc_invalid_op+0x12/0x20 [ 161.146816] ? nfserrno+0x9d/0xd0 [ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0 [ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380 [ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0 [ 161.150093] ? wait_for_concurrent_writes+0x170/0x170 [ 161.151004] ? generic_file_llseek_size+0x48/0x160 [ 161.151895] nfsd_readdir+0x132/0x190 [ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380 [ 161.153516] ? nfsd_unlink+0x380/0x380 [ 161.154256] ? override_creds+0x45/0x60 [ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0 [ 161.155850] ? nfsd4_encode_readlink+0x210/0x210 [ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0 [ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0 [ 161.158494] ? lock_downgrade+0x90/0x90 [ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10 [ 161.160092] nfsd4_encode_operation+0x15a/0x440 [ 161.160959] nfsd4_proc_compound+0x718/0xe90 [ 161.161818] nfsd_dispatch+0x18e/0x2c0 [ 161.162586] svc_process_common+0x786/0xc50 [ 161.163403] ? nfsd_svc+0x380/0x380 [ 161.164137] ? svc_printk+0x160/0x160 [ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380 [ 161.165808] ? nfsd_svc+0x380/0x380 [ 161.166523] ? rcu_is_watching+0x23/0x40 [ 161.167309] svc_process+0x1a5/0x200 [ 161.168019] nfsd+0x1f5/0x380 [ 161.168663] ? nfsd_shutdown_threads+0x260/0x260 [ 161.169554] kthread+0x1c4/0x210 [ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80 [ 161.171246] ret_from_fork+0x1f/0x30
- https://git.kernel.org/stable/c/0ea4333c679f333e23956de743ad17387819d3f2
- https://git.kernel.org/stable/c/340e61e44c1d2a15c42ec72ade9195ad525fd048
- https://git.kernel.org/stable/c/6fe058502f8864649c3d614b06b2235223798f48
- https://git.kernel.org/stable/c/825789ca94602543101045ad3aad19b2b60c6b2a
- https://git.kernel.org/stable/c/c76005adfa93d1a027433331252422078750321f
- https://git.kernel.org/stable/c/e9cfecca22a36b927a440abc6307efb9e138fed5
- https://git.kernel.org/stable/c/f7d8ee9db94372b8235f5f22bb24381891594c42
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49877
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if bh is NULL.
- https://git.kernel.org/stable/c/01cb2e751cc61ade454c9bc1aaa2eac1f8197112
- https://git.kernel.org/stable/c/190d98bcd61117a78fe185222d162180f061a6ca
- https://git.kernel.org/stable/c/33b525cef4cff49e216e4133cc48452e11c0391e
- https://git.kernel.org/stable/c/46b1edf0536a5291a8ad2337f88c926214b209d9
- https://git.kernel.org/stable/c/4846e72ab5a0726e49ad4188b9d9df091ae78c64
- https://git.kernel.org/stable/c/61b84013e560382cbe7dd56758be3154d43a3988
- https://git.kernel.org/stable/c/d52c5652e7dcb7a0648bbb8642cc3e617070ab49
- https://git.kernel.org/stable/c/df944dc46d06af65a75191183d52be017e6b9dbe
- https://git.kernel.org/stable/c/e68c8323355e8cedfbe0bec7d5a39009f61640b6
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49878
In the Linux kernel, the following vulnerability has been resolved: resource: fix region_intersects() vs add_memory_driver_managed() On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows. 490000000-50fffffff : CXL Window 0 490000000-50fffffff : region0 490000000-50fffffff : dax0.0 490000000-50fffffff : System RAM (kmem) Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL Window X". This confuses region_intersects(), which expects all "System RAM" resources to be at the top level of iomem_resource. This can lead to bugs. For example, when the following command line is executed to write some memory in CXL memory range via /dev/mem, $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1 dd: error writing '/dev/mem': Bad address 1+0 records in 0+0 records out 0 bytes copied, 0.0283507 s, 0.0 kB/s the command fails as expected. However, the error code is wrong. It should be "Operation not permitted" instead of "Bad address". More seriously, the /dev/mem permission checking in devmem_is_allowed() passes incorrectly. Although the accessing is prevented later because ioremap() isn't allowed to map system RAM, it is a potential security issue. During command executing, the following warning is reported in the kernel log for calling ioremap() on system RAM. ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d Call Trace: memremap+0xcb/0x184 xlate_dev_mem_ptr+0x25/0x2f write_mem+0x94/0xfb vfs_write+0x128/0x26d ksys_write+0xac/0xfe do_syscall_64+0x9a/0xfd entry_SYSCALL_64_after_hwframe+0x4b/0x53 The details of command execution process are as follows. In the above resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a top level resource. So, region_intersects() will report no System RAM resources in the CXL memory region incorrectly, because it only checks the top level resources. Consequently, devmem_is_allowed() will return 1 (allow access via /dev/mem) for CXL memory region incorrectly. Fortunately, ioremap() doesn't allow to map System RAM and reject the access. So, region_intersects() needs to be fixed to work correctly with the resource tree with "System RAM" not at top level as above. To fix it, if we found a unmatched resource in the top level, we will continue to search matched resources in its descendant resources. So, we will not miss any matched resources in resource tree anymore. In the new implementation, an example resource tree |------------- "CXL Window 0" ------------| |-- "System RAM" --| will behave similar as the following fake resource tree for region_intersects(, IORESOURCE_SYSTEM_RAM, ), |-- "System RAM" --||-- "CXL Window 0a" --| Where "CXL Window 0a" is part of the original "CXL Window 0" that isn't covered by "System RAM".
- https://git.kernel.org/stable/c/06ff97a20b8c9e9d256b0d2c3e87f78f8ccea3de
- https://git.kernel.org/stable/c/1d5f85f1b7db79c75c9e07d6571ce2a7bdf725c4
- https://git.kernel.org/stable/c/333fbaf6864a4ca031367eb947961a1f3484d337
- https://git.kernel.org/stable/c/393331e16ce205e036e58b3d8ca4ee2e635f21d9
- https://git.kernel.org/stable/c/4b90d2eb451b357681063ba4552b10b39d7ad885
- https://git.kernel.org/stable/c/8a6fef7d22a1d952aed68584d3fcc0d018d2bdc3
- https://git.kernel.org/stable/c/927abc5b7d6d2c2e936bec5a2f71d9512c5e72f7
- https://git.kernel.org/stable/c/b4afe4183ec77f230851ea139d91e5cf2644c68b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49879
In the Linux kernel, the following vulnerability has been resolved: drm: omapdrm: Add missing check for alloc_ordered_workqueue As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue.
- https://git.kernel.org/stable/c/0d71916694aceb207fefecf62dfa811ec1108bbd
- https://git.kernel.org/stable/c/2bda89735199683b03f55b807bd1e31a3857520b
- https://git.kernel.org/stable/c/334de68eda2b99892ba869c15cb59bc956fd9f42
- https://git.kernel.org/stable/c/b57b53e8ffcdfda87d954fc4187426a54fe75a3d
- https://git.kernel.org/stable/c/c17a4f52fa3c3dac2dd6a3c38f2de7342d97d74c
- https://git.kernel.org/stable/c/e60b0d3b5aa2e8d934deca9e11215af84e632bc9
- https://git.kernel.org/stable/c/e794b7b9b92977365c693760a259f8eef940c536
- https://git.kernel.org/stable/c/f37a1d9e5e22d5489309c3cd2db476dcdcc6530c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49881
In the Linux kernel, the following vulnerability has been resolved:
ext4: update orig_path in ext4_find_extent()
In ext4_find_extent(), if the path is not big enough, we free it and set
*orig_path to NULL. But after reallocating and successfully initializing
the path, we don't update *orig_path, in which case the caller gets a
valid path but a NULL ppath, and this may cause a NULL pointer dereference
or a path memory leak. For example:
ext4_split_extent
path = *ppath = 2000
ext4_find_extent
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*orig_path = path = NULL;
path = kcalloc() = 3000
ext4_split_extent_at(*ppath = NULL)
path = *ppath;
ex = path[depth].p_ext;
// NULL pointer dereference!
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
RIP: 0010:ext4_split_extent_at+0x6d/0x560
Call Trace:
- https://git.kernel.org/stable/c/11b230100d6801c014fab2afabc8bdea304c1b96
- https://git.kernel.org/stable/c/5b4b2dcace35f618fe361a87bae6f0d13af31bc1
- https://git.kernel.org/stable/c/6766937d0327000ac1b87c97bbecdd28b0dd6599
- https://git.kernel.org/stable/c/6801ed1298204d16a38571091e31178bfdc3c679
- https://git.kernel.org/stable/c/a9fcb1717d75061d3653ed69365c8d45331815cd
- https://git.kernel.org/stable/c/b63481b3a388ee2df9e295f97273226140422a42
- https://git.kernel.org/stable/c/ec0c0beb9b777cdd1edd7df9b36e0f3e67e2bdff
- https://git.kernel.org/stable/c/f55ecc58d07a6c1f6d6d5b5af125c25f8da0bda2
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49882
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix double brelse() the buffer of the extents path
In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been
released, otherwise it may be released twice. An example of what triggers
this is as follows:
split2 map split1
|--------|-------|--------|
ext4_ext_map_blocks
ext4_ext_handle_unwritten_extents
ext4_split_convert_extents
// path->p_depth == 0
ext4_split_extent
// 1. do split1
ext4_split_extent_at
|ext4_ext_insert_extent
| ext4_ext_create_new_leaf
| ext4_ext_grow_indepth
| le16_add_cpu(&neh->eh_depth, 1)
| ext4_find_extent
| // return -ENOMEM
|// get error and try zeroout
|path = ext4_find_extent
| path->p_depth = 1
|ext4_ext_try_to_merge
| ext4_ext_try_to_merge_up
| path->p_depth = 0
| brelse(path[1].p_bh) ---> not set to NULL here
|// zeroout success
// 2. update path
ext4_find_extent
// 3. do split2
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
ext4_ext_grow_indepth
le16_add_cpu(&neh->eh_depth, 1)
ext4_find_extent
path[0].p_bh = NULL;
path->p_depth = 1
read_extent_tree_block ---> return err
// path[1].p_bh is still the old value
ext4_free_ext_path
ext4_ext_drop_refs
// path->p_depth == 1
brelse(path[1].p_bh) ---> brelse a buffer twice
Finally got the following WARRNING when removing the buffer from lru:
============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:__brelse+0x58/0x90
Call Trace:
- https://git.kernel.org/stable/c/230ee0535d01478bad9a3037292043f39b9be10b
- https://git.kernel.org/stable/c/32bbb59e3f18facd7201bef110010bf35819b8c3
- https://git.kernel.org/stable/c/68a69cf60660c73990c1875f94a5551600b04775
- https://git.kernel.org/stable/c/7633407ca4ab8be2916ab214eb44ccebc6a50e1a
- https://git.kernel.org/stable/c/78bbc3d15b6f443acb26e94418c445bac940d414
- https://git.kernel.org/stable/c/b6c29c8f3d7cb67b505f3b2f6c242d52298d1f2e
- https://git.kernel.org/stable/c/d4574bda63906bf69660e001470bfe1a0ac524ae
- https://git.kernel.org/stable/c/dcaa6c31134c0f515600111c38ed7750003e1b9c
- https://git.kernel.org/stable/c/f9fd47c9d9548f9e47fa60098eab99dde175401d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49883
In the Linux kernel, the following vulnerability has been resolved:
ext4: aovid use-after-free in ext4_ext_insert_extent()
As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is
reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and
cause UAF. Below is a sample trace with dummy values:
ext4_ext_insert_extent
path = *ppath = 2000
ext4_ext_create_new_leaf(ppath)
ext4_find_extent(ppath)
path = *ppath = 2000
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*ppath = path = NULL;
path = kcalloc() = 3000
*ppath = 3000;
return path;
/* here path is still 2000, UAF! */
eh = path[depth].p_hdr
==================================================================
BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330
Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179
CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866
Call Trace:
- https://git.kernel.org/stable/c/51db04892a993cace63415be99848970a0f15ef2
- https://git.kernel.org/stable/c/5e811066c5ab709b070659197dccfb80ab650ddd
- https://git.kernel.org/stable/c/8162ee5d94b8c0351be0a9321be134872a7654a1
- https://git.kernel.org/stable/c/975ca06f3fd154c5f7742083e7b2574c57d1c0c3
- https://git.kernel.org/stable/c/9df59009dfc6d9fc1bd9ddf6c5ab6e56d6ed887a
- https://git.kernel.org/stable/c/a164f3a432aae62ca23d03e6d926b122ee5b860d
- https://git.kernel.org/stable/c/beb7b66fb489041c50c6473100b383f7a51648fc
- https://git.kernel.org/stable/c/bfed082ce4b1ce6349b05c09a0fa4f3da35ecb1b
- https://git.kernel.org/stable/c/e17ebe4fdd7665c93ae9459ba40fcdfb76769ac1
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49884
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix slab-use-after-free in ext4_split_extent_at()
We hit the following use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
Call Trace:
- https://git.kernel.org/stable/c/393a46f60ea4f249dc9d496d4eb2d542f5e11ade
- https://git.kernel.org/stable/c/448100a29395b0c8b4c42967155849fe0fbe808f
- https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238
- https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3
- https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18
- https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9
- https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f
- https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe
- https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49889
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid use-after-free in ext4_ext_show_leaf() In ext4_find_extent(), path may be freed by error or be reallocated, so using a previously saved *ppath may have been freed and thus may trigger use-after-free, as follows: ext4_split_extent path = *ppath; ext4_split_extent_at(ppath) path = ext4_find_extent(ppath) ext4_split_extent_at(ppath) // ext4_find_extent fails to free path // but zeroout succeeds ext4_ext_show_leaf(inode, path) eh = path[depth].p_hdr // path use-after-free !!! Similar to ext4_split_extent_at(), we use *ppath directly as an input to ext4_ext_show_leaf(). Fix a spelling error by the way. Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly. This issue is triggered only when EXT_DEBUG is defined and therefore does not affect functionality.
- https://git.kernel.org/stable/c/2eba3b0cc5b8de624918d21f32b5b8db59a90b39
- https://git.kernel.org/stable/c/34b2096380ba475771971a778a478661a791aa15
- https://git.kernel.org/stable/c/4999fed877bb64e3e7f9ab9996de2ca983c41928
- https://git.kernel.org/stable/c/4e2524ba2ca5f54bdbb9e5153bea00421ef653f5
- https://git.kernel.org/stable/c/8b114f2cc7dd5d36729d040b68432fbd0f0a8868
- https://git.kernel.org/stable/c/b0cb4561fc4284d04e69c8a66c8504928ab2484e
- https://git.kernel.org/stable/c/d483c7cc1796bd6a80e7b3a8fd494996260f6b67
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49890
In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: ensure the fw_info is not null before using it This resolves the dereference null return value warning reported by Coverity.
- https://git.kernel.org/stable/c/016bf0294b401246471c6710c6bf9251616228b6
- https://git.kernel.org/stable/c/186fb12e7a7b038c2710ceb2fb74068f1b5d55a4
- https://git.kernel.org/stable/c/29f388945770bd0a6c82711436b2bc98b0dfac92
- https://git.kernel.org/stable/c/8adf4408d482faa51b2c14e60bfd9946ec1911a4
- https://git.kernel.org/stable/c/9550d8d6f19fac7623f044ae8d9503825b325497
- https://git.kernel.org/stable/c/b511474f49588cdca355ebfce54e7eddbf7b75a5
- https://git.kernel.org/stable/c/fd5f4ac1a986f0e7e9fa019201b5890554f87bcf
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49892
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize get_bytes_per_element's default to 1 Variables, used as denominators and maybe not assigned to other values, should not be 0. bytes_per_element_y & bytes_per_element_c are initialized by get_bytes_per_element() which should never return 0. This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.
- https://git.kernel.org/stable/c/1f9f8186e239222f1c8d3dd73bf3bc6ae86c5e76
- https://git.kernel.org/stable/c/3334ab72cbba55a632f24579cd47c4a4e5e69cda
- https://git.kernel.org/stable/c/4067f4fa0423a89fb19a30b57231b384d77d2610
- https://git.kernel.org/stable/c/8f0abb39c16e719129de10596b3ae3363fa178b4
- https://git.kernel.org/stable/c/a23d6029e730f8a151b1a34afb169baac1274583
- https://git.kernel.org/stable/c/bc00d211da4ffad5314a2043b50bdc8ff8a33724
- https://git.kernel.org/stable/c/c7630935d9a4986e8c0ed91658a781b7a77d73f7
- https://git.kernel.org/stable/c/f921335123f6620c3dce5c96fbb95f18524a021c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49894
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in degamma hardware format translation Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
- https://git.kernel.org/stable/c/07078fa5d589a7fbce8f81ea8acf7aa0021ab38e
- https://git.kernel.org/stable/c/122e3a7a8c7bcbe3aacddd6103f67f9f36bed473
- https://git.kernel.org/stable/c/2495c8e272d84685403506833a664fad932e453a
- https://git.kernel.org/stable/c/2f5da549535be8ccd2ab7c9abac8562ad370b181
- https://git.kernel.org/stable/c/b3dfa878257a7e98830b3009ca5831a01d8f85fc
- https://git.kernel.org/stable/c/b7e99058eb2e86aabd7a10761e76cae33d22b49f
- https://git.kernel.org/stable/c/c130a3c09e3746c1a09ce26c20d21d449d039b1d
- https://git.kernel.org/stable/c/c6979719012a90e5b8e3bc31725fbfdd0b9b2b79
- https://git.kernel.org/stable/c/f5f6d90087131812c1e4b9d3103f400f1624396d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49895
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
- https://git.kernel.org/stable/c/0d38a0751143afc03faef02d55d31f70374ff843
- https://git.kernel.org/stable/c/ad89f83343a501890cf082c8a584e96b59fe4015
- https://git.kernel.org/stable/c/bc50b614d59990747dd5aeced9ec22f9258991ff
- https://git.kernel.org/stable/c/c4fdc2d6fea129684b82bab90bb52fbace494a58
- https://git.kernel.org/stable/c/de6ee4f9e6b1c36b4fdc7c345c1a6de9e246093e
- https://git.kernel.org/stable/c/f3ccd855b4395ce65f10dd37847167f52e122b70
- https://git.kernel.org/stable/c/f5c3d306de91a4b69cfe3eedb72b42d452593e42
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49896
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check stream before comparing them [WHAT & HOW] amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is necessary to check for null before dereferencing them. This fixes 1 FORWARD_NULL issue reported by Coverity.
- https://git.kernel.org/stable/c/0167d570f6a0b38689c4a0e50bf79c518d827500
- https://git.kernel.org/stable/c/14db8692afe1aa2143b673856bb603713d8ea93f
- https://git.kernel.org/stable/c/35ff747c86767937ee1e0ca987545b7eed7a0810
- https://git.kernel.org/stable/c/3944d226f55235a960d8f1135927f95e9801be12
- https://git.kernel.org/stable/c/42d31a33643813cce55ee1ebbad3a2d0d24a08e0
- https://git.kernel.org/stable/c/471c53350ab83e47a2a117c2738ce0363785976e
- https://git.kernel.org/stable/c/5b4b13e678b15975055f4ff1ce4cf0ce4c19b6c4
- https://git.kernel.org/stable/c/e41a291e1bef1153bba091b6580ecc7affc53c82
- https://git.kernel.org/stable/c/e8da54b7f8a17e44e67ea6d1037f35450af28115
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49900
In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uninit-value access of new_ea in ea_buffer syzbot reports that lzo1x_1_do_compress is using uninit-value: ===================================================== BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178 ... Uninit was stored to memory at: ea_put fs/jfs/xattr.c:639 [inline] ... Local variable ea_buf created at: __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662 __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934 ===================================================== The reason is ea_buf->new_ea is not initialized properly. Fix this by using memset to empty its content at the beginning in ea_get().
- https://git.kernel.org/stable/c/2b59ffad47db1c46af25ccad157bb3b25147c35c
- https://git.kernel.org/stable/c/6041536d18c5f51a84bc37cd568cbab61870031e
- https://git.kernel.org/stable/c/7b24d41d47a6805c45378debf8bd115675d41da8
- https://git.kernel.org/stable/c/7c244d5b48284a770d96ff703df2dfeadf804a73
- https://git.kernel.org/stable/c/8ad8b531de79c348bcb8133e7f5e827b884226af
- https://git.kernel.org/stable/c/8b1dcf25c26d42e4a68c4725ce52a0543c7878cc
- https://git.kernel.org/stable/c/c076b3746224982eebdba5c9e4b1467e146c0d64
- https://git.kernel.org/stable/c/d7444f91a9f93eaa48827087ed0f3381c194181d
- https://git.kernel.org/stable/c/dac398ed272a378d2f42ac68ae408333a51baf52
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49902
In the Linux kernel, the following vulnerability has been resolved: jfs: check if leafidx greater than num leaves per dmap tree syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf. Shaggy: Modified sanity check to apply to control pages as well as leaf pages.
- https://git.kernel.org/stable/c/058aa89b3318be3d66a103ba7c68d717561e1dc6
- https://git.kernel.org/stable/c/2451e5917c56be45d4add786e2a059dd9c2c37c4
- https://git.kernel.org/stable/c/25d2a3ff02f22e215ce53355619df10cc5faa7ab
- https://git.kernel.org/stable/c/35b91f15f44ce3c01eba058ccb864bb04743e792
- https://git.kernel.org/stable/c/4a7bf6a01fb441009a6698179a739957efd88e38
- https://git.kernel.org/stable/c/7fff9a9f866e99931cf6fa260288e55d01626582
- https://git.kernel.org/stable/c/cb0eb10558802764f07de1dc439c4609e27cb4f0
- https://git.kernel.org/stable/c/d64ff0d2306713ff084d4b09f84ed1a8c75ecc32
- https://git.kernel.org/stable/c/d76b9a4c283c7535ae7c7c9b14984e75402951e1
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49903
In the Linux kernel, the following vulnerability has been resolved:
jfs: Fix uaf in dbFreeBits
[syzbot reported]
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216
CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
- https://git.kernel.org/stable/c/0c238da83f56bb895cab1e5851d034ac45b158d1
- https://git.kernel.org/stable/c/3126ccde51f51b0648c8cdccaf916e8bd062e972
- https://git.kernel.org/stable/c/4218b31ecc7af7e191768d32e32ed4386d8f9b76
- https://git.kernel.org/stable/c/4ac58f7734937f3249da734ede946dfb3b1af5e4
- https://git.kernel.org/stable/c/95accb7183badca387f7a8d19a2475cf3089f148
- https://git.kernel.org/stable/c/a9603a6f75df2fd8125cd208c98cfaa0fe3f7505
- https://git.kernel.org/stable/c/d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234
- https://git.kernel.org/stable/c/e7ae14f7ee76c6ef5a48aebab1a278ad78f42619
- https://git.kernel.org/stable/c/fd026b6b6758d5569705c02540b40f3bbf822b9a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49907
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before using dc->clk_mgr [WHY & HOW] dc->clk_mgr is null checked previously in the same function, indicating it might be null. Passing "dc" to "dc->hwss.apply_idle_power_optimizations", which dereferences null "dc->clk_mgr". (The function pointer resolves to "dcn35_apply_idle_power_optimizations".) This fixes 1 FORWARD_NULL issue reported by Coverity.
- https://git.kernel.org/stable/c/3f7e533c10db3d0158709a99e2129ff63add6bcd
- https://git.kernel.org/stable/c/5ba3fbf75b243b2863a8be9e7c393e003d3b88f3
- https://git.kernel.org/stable/c/8d54001f8dccd56146973f23f3ab2ba037a21251
- https://git.kernel.org/stable/c/95d9e0803e51d5a24276b7643b244c7477daf463
- https://git.kernel.org/stable/c/9641bc4adf8446034e490ed543ae7e9833cfbdf5
- https://git.kernel.org/stable/c/a2773e0a4b79e7a6463abdffaf8cc4f24428ba18
- https://git.kernel.org/stable/c/a545a9403e04c6e17fdc04a26a61d9feebbba106
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49913
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream This commit addresses a null pointer dereference issue in the `commit_planes_for_stream` function at line 4140. The issue could occur when `top_pipe_to_program` is null. The fix adds a check to ensure `top_pipe_to_program` is not null before accessing its stream_res. This prevents a null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:4140 commit_planes_for_stream() error: we previously assumed 'top_pipe_to_program' could be null (see line 3906)
- https://git.kernel.org/stable/c/1ebfa6663807c144be8c8b6727375012409d2356
- https://git.kernel.org/stable/c/3929e382e4758aff42da0102a60d13337c99d3b8
- https://git.kernel.org/stable/c/40193ff73630adf76bc0d82398f7d90fb576dba4
- https://git.kernel.org/stable/c/66d71a72539e173a9b00ca0b1852cbaa5f5bf1ad
- https://git.kernel.org/stable/c/73efd2a611b62fee71a7b7f27d9d08bb60da8a72
- https://git.kernel.org/stable/c/8ab59527852a6f7780aad6185729550ca0569122
- https://git.kernel.org/stable/c/e47e563c6f0db7d792a559301862c19ead0dfc2f
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49924
In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of scheduling work. If we remove the module which will call pxafb_remove to make cleanup, it will call unregister_framebuffer function which can call do_unregister_framebuffer to free fbi->fb through put_fb_info(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | pxafb_task pxafb_remove | unregister_framebuffer(info) | do_unregister_framebuffer(fb_info) | put_fb_info(fb_info) | // free fbi->fb | set_ctrlr_state(fbi, state) | __pxafb_lcd_power(fbi, 0) | fbi->lcd_power(on, &fbi->fb.var) | //use fbi->fb Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove. Note that only root user can remove the driver at runtime.
- https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd
- https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e
- https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a
- https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473
- https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e
- https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08
- https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd
- https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae
- https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-49930
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix array out-of-bound access in SoC stats Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() function access ath11k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath11k_dp_process_rx() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
- https://git.kernel.org/stable/c/01b77f5ee11c89754fb836af8f76799d3b72ae2f
- https://git.kernel.org/stable/c/0f26f26944035ec67546a944f182cbad6577a9c0
- https://git.kernel.org/stable/c/4dd732893bd38cec51f887244314e2b47f0d658f
- https://git.kernel.org/stable/c/6045ef5b4b00fee3629689f791992900a1c94009
- https://git.kernel.org/stable/c/69f253e46af98af17e3efa3e5dfa72fcb7d1983d
- https://git.kernel.org/stable/c/73e235728e515faccc104b0153b47d0f263b3344
- https://git.kernel.org/stable/c/7a552bc2f3efe2aaf77a85cb34cdf4a63d81a1a7
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49933
In the Linux kernel, the following vulnerability has been resolved:
blk_iocost: fix more out of bound shifts
Recently running UBSAN caught few out of bound shifts in the
ioc_forgive_debts() function:
UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
Call Trace:
- https://git.kernel.org/stable/c/1ab2cfe19700fb3dde4c7dfec392acff34db3120
- https://git.kernel.org/stable/c/1b120f151871eb47ce9f283c007af3f8ae1d990e
- https://git.kernel.org/stable/c/1f61d509257d6a05763d05bf37943b35306522b1
- https://git.kernel.org/stable/c/364022095bdd4108efdaaa68576afa4712a5d085
- https://git.kernel.org/stable/c/59121bb38fdc01434ea3fe361ee02b59f036227f
- https://git.kernel.org/stable/c/9bce8005ec0dcb23a58300e8522fe4a31da606fa
- https://git.kernel.org/stable/c/f4ef9bef023d5c543cb0f3194ecacfd47ef590ec
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49936
In the Linux kernel, the following vulnerability has been resolved: net/xen-netback: prevent UAF in xenvif_flush_hash() During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe.
- https://git.kernel.org/stable/c/0fa5e94a1811d68fbffa0725efe6d4ca62c03d12
- https://git.kernel.org/stable/c/143edf098b80669d05245b2f2367dd156a83a2c5
- https://git.kernel.org/stable/c/3c4423b0c4b98213b3438e15061e1d08220e6982
- https://git.kernel.org/stable/c/54d8639af5568fc41c0e274fc3ec9cf86c59fcbb
- https://git.kernel.org/stable/c/a0465723b8581cad27164c9073fd780904cd22d4
- https://git.kernel.org/stable/c/a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c
- https://git.kernel.org/stable/c/d408889d4b54f5501e4becc4dbbb9065143fbf4e
- https://git.kernel.org/stable/c/efcff6ce7467f01f0753609f420333f3f2ceceda
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49938
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Syzbot points out that skb_trim() has a sanity check on the existing length of the skb, which can be uninitialised in some error paths. The intent here is clearly just to reset the length to zero before resubmitting, so switch to calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length() already contains a call to skb_reset_tail_pointer(), so remove the redundant call. The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
- https://git.kernel.org/stable/c/012ae530afa0785102360de452745d33c99a321b
- https://git.kernel.org/stable/c/2c230210ec0ae6ed08306ac70dc21c24b817bb95
- https://git.kernel.org/stable/c/6a875220670475d9247e576c15dc29823100a4e4
- https://git.kernel.org/stable/c/94745807f3ebd379f23865e6dab196f220664179
- https://git.kernel.org/stable/c/a9f4e28e8adaf0715bd4e01462af0a52ee46b01f
- https://git.kernel.org/stable/c/b02eb7c86ff2ef1411c3095ec8a52b13f68db04f
- https://git.kernel.org/stable/c/d1f2fbc6a769081503f6ffedbb5cd1ac497f0e77
- https://git.kernel.org/stable/c/e37e348835032d6940ec89308cc8996ded691d2d
- https://git.kernel.org/stable/c/e6b9bf32e0695e4f374674002de0527d2a6768eb
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49944
In the Linux kernel, the following vulnerability has been resolved:
sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
is NULL.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
Call Trace:
- https://git.kernel.org/stable/c/0e4e2e60556c6ed00e8450b720f106a268d23062
- https://git.kernel.org/stable/c/7f64cb5b4d8c872296eda0fdce3bcf099eec7aa7
- https://git.kernel.org/stable/c/89bbead9d897c77d0b566349c8643030ff2abeba
- https://git.kernel.org/stable/c/8beee4d8dee76b67c75dc91fd8185d91e845c160
- https://git.kernel.org/stable/c/9230a59eda0878d7ecaa901d876aec76f57bd455
- https://git.kernel.org/stable/c/dd70c8a89ef99c3d53127fe19e51ef47c3f860fa
- https://git.kernel.org/stable/c/e7a8442195e8ebd97df467ce4742980ab57edcce
- https://git.kernel.org/stable/c/e914bf68dab88815a7ae7b7a3a5e8913c8ff14a5
- https://git.kernel.org/stable/c/f032e1dac30b3376c7d6026fb01a8c403c47a80d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49948
In the Linux kernel, the following vulnerability has been resolved: net: add more sanity checks to qdisc_pkt_len_init() One path takes care of SKB_GSO_DODGY, assuming skb->len is bigger than hdr_len. virtio_net_hdr_to_skb() does not fully dissect TCP headers, it only make sure it is at least 20 bytes. It is possible for an user to provide a malicious 'GSO' packet, total length of 80 bytes. - 20 bytes of IPv4 header - 60 bytes TCP header - a small gso_size like 8 virtio_net_hdr_to_skb() would declare this packet as a normal GSO packet, because it would see 40 bytes of payload, bigger than gso_size. We need to make detect this case to not underflow qdisc_skb_cb(skb)->pkt_len.
- https://git.kernel.org/stable/c/1eebe602a8d8264a12e35e39d0645fa88dbbacdd
- https://git.kernel.org/stable/c/2415f465730e48b6e38da1c7c097317bf5dd2d20
- https://git.kernel.org/stable/c/27a8fabc54d2f960d47bdfbebf2bdc6e8a92a4c4
- https://git.kernel.org/stable/c/473426a1d53a68dd1e718e6cd00d57936993fa6c
- https://git.kernel.org/stable/c/566a931a1436d0e0ad13708ea55479b95426213c
- https://git.kernel.org/stable/c/9b0ee571d20a238a22722126abdfde61f1b2bdd0
- https://git.kernel.org/stable/c/ab9a9a9e9647392a19e7a885b08000e89c86b535
- https://git.kernel.org/stable/c/d7d1a28f5dd57b4d83def876f8d7b4403bd37df9
- https://git.kernel.org/stable/c/ff1c3cadcf405ab37dd91418a62a7acecf3bc5e2
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49949
In the Linux kernel, the following vulnerability has been resolved: net: avoid potential underflow in qdisc_pkt_len_init() with UFO After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user") virtio_net_hdr_to_skb() had sanity check to detect malicious attempts from user space to cook a bad GSO packet. Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") while fixing one issue, allowed user space to cook a GSO packet with the following characteristic : IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28. When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len Then the following sets gso_segs to 0 : gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size); Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/ qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; This leads to the following crash in fq_codel [1] qdisc_pkt_len_init() is best effort, we only want an estimation of the bytes sent on the wire, not crashing the kernel. This patch is fixing this particular issue, a following one adds more sanity checks for another potential bug. [1] [ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 70.724561] #PF: supervisor read access in kernel mode [ 70.724561] #PF: error_code(0x0000) - not-present page [ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0 [ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI [ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991 [ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel [ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49 All code ======== 0: 24 08 and $0x8,%al 2: 49 c1 e1 06 shl $0x6,%r9 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) b: 45 31 ed xor %r13d,%r13d e: 45 31 c0 xor %r8d,%r8d 11: 31 ff xor %edi,%edi 13: 89 44 24 14 mov %eax,0x14(%rsp) 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 1e: eb 04 jmp 0x24 20: 39 ca cmp %ecx,%edx 22: 73 37 jae 0x5b 24: 4d 8b 39 mov (%r9),%r15 27: 83 c7 01 add $0x1,%edi 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction 2d: 49 89 11 mov %rdx,(%r9) 30: 41 8b 57 28 mov 0x28(%r15),%edx 34: 45 8b 5f 34 mov 0x34(%r15),%r11d 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 3f: 49 rex.WB Code starting with the faulting instruction =========================================== 0: 49 8b 17 mov (%r15),%rdx 3: 49 89 11 mov %rdx,(%r9) 6: 41 8b 57 28 mov 0x28(%r15),%edx a: 45 8b 5f 34 mov 0x34(%r15),%r11d e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 15: 49 rex.WB [ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202 [ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000 [ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 [ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000 [ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58 [ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000 [ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000 [ 70.724561] CS: 0010 DS: 0000 ES: 0000 C ---truncated---
- https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d
- https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1
- https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b
- https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c
- https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c
- https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1
- https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174
- https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72
- https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49952
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: prevent nf_skb_duplicated corruption
syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write
per-cpu variable nf_skb_duplicated in an unsafe way [1].
Disabling preemption as hinted by the splat is not enough,
we have to disable soft interrupts as well.
[1]
BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
- https://git.kernel.org/stable/c/38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663
- https://git.kernel.org/stable/c/4e3542f40f3a94efa59ea328e307c50601ed7065
- https://git.kernel.org/stable/c/50067d8b3f48e4cd4c9e817d3e9a5b5ff3507ca7
- https://git.kernel.org/stable/c/531754952f5dfc4b141523088147071d6e6112c4
- https://git.kernel.org/stable/c/752e1924604254f1708f3e3700283a86ebdd325d
- https://git.kernel.org/stable/c/92ceba94de6fb4cee2bf40b485979c342f44a492
- https://git.kernel.org/stable/c/b40b027a0c0cc1cb9471a13f9730bb2fff12a15b
- https://git.kernel.org/stable/c/c0add6ed2cf1c4733cd489efc61faeccd3433b41
- https://git.kernel.org/stable/c/f839c5cd348201fec440d987cbca9b979bdb4fa7
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49955
In the Linux kernel, the following vulnerability has been resolved: ACPI: battery: Fix possible crash when unregistering a battery hook When a battery hook returns an error when adding a new battery, then the battery hook is automatically unregistered. However the battery hook provider cannot know that, so it will later call battery_hook_unregister() on the already unregistered battery hook, resulting in a crash. Fix this by using the list head to mark already unregistered battery hooks as already being unregistered so that they can be ignored by battery_hook_unregister().
- https://git.kernel.org/stable/c/07b98400cb0285a6348188aa8c5ec6a2ae0551f7
- https://git.kernel.org/stable/c/76959aff14a0012ad6b984ec7686d163deccdc16
- https://git.kernel.org/stable/c/76fb2cbf01571926da8ecf6876cc8cb07d3f5183
- https://git.kernel.org/stable/c/9f469ef1c79dac7f9ac1518643a33703918f7e13
- https://git.kernel.org/stable/c/c47843a831e0eae007ad7e848d208e675ba4c132
- https://git.kernel.org/stable/c/ca1fb7942a287b40659cc79551a1de54a2c2e7d5
- https://git.kernel.org/stable/c/ca26e8eed9c1c6651f51f7fa38fe444f8573cd1b
- https://git.kernel.org/stable/c/ce31847f109c3a5b2abdd19d7bcaafaacfde53de
- https://git.kernel.org/stable/c/da964de4c18199e14b961b5b2e5e6570552a313c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49957
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix null-ptr-deref when journal load failed. During the mounting process, if journal_reset() fails because of too short journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. Subsequently, ocfs2_journal_shutdown() calls jbd2_journal_flush()->jbd2_cleanup_journal_tail()-> __jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail() ->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer dereference error. To resolve this issue, we should check the JBD2_LOADED flag to ensure the journal was properly loaded. Additionally, use journal instead of osb->journal directly to simplify the code.
- https://git.kernel.org/stable/c/387bf565cc03e2e8c720b8b4798efea4aacb6962
- https://git.kernel.org/stable/c/5784d9fcfd43bd853654bb80c87ef293b9e8e80a
- https://git.kernel.org/stable/c/703b2c7e0798d263154dc8593dc2345f75dc077f
- https://git.kernel.org/stable/c/82dfdd1e31e774578f76ce6dc90c834f96403a0f
- https://git.kernel.org/stable/c/86a89e75e9e4dfa768b97db466ad6bedf2e7ea5b
- https://git.kernel.org/stable/c/bf605ae98dab5c15c5b631d4d7f88898cb41b649
- https://git.kernel.org/stable/c/f60e94a83db799bde625ac8671a5b4a6354e7120
- https://git.kernel.org/stable/c/fd89d92c1140cee8f59de336cb37fa65e359c123
- https://git.kernel.org/stable/c/ff55291fb36779819211b596da703389135f5b05
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49958
In the Linux kernel, the following vulnerability has been resolved: ocfs2: reserve space for inline xattr before attaching reflink tree One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix.
- https://git.kernel.org/stable/c/020f5c53c17f66c0a8f2d37dad27ace301b8d8a1
- https://git.kernel.org/stable/c/5c2072f02c0d75802ec28ec703b7d43a0dd008b5
- https://git.kernel.org/stable/c/5c9807c523b4fca81d3e8e864dabc8c806402121
- https://git.kernel.org/stable/c/5ca60b86f57a4d9648f68418a725b3a7de2816b0
- https://git.kernel.org/stable/c/637c00e06564a945e9d0edb3d78d362d64935f9f
- https://git.kernel.org/stable/c/74364cb578dcc0b6c9109519d19cbe5a56afac9a
- https://git.kernel.org/stable/c/96ce4c3537114d1698be635f5e36c62dc49df7a4
- https://git.kernel.org/stable/c/9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9
- https://git.kernel.org/stable/c/aac31d654a0a31cb0d2fa36ae694f4e164a52707
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49959
In the Linux kernel, the following vulnerability has been resolved:
jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error
In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()
to recover some journal space. But if an error occurs while executing
jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free
space right away, we try other branches, and if j_committing_transaction
is NULL (i.e., the tid is 0), we will get the following complain:
============================================
JBD2: I/O error when updating journal superblock for sdd-8.
__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
__jbd2_log_wait_for_space: no way to get more journal space in sdd-8
------------[ cut here ]------------
WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
Modules linked in:
CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
Call Trace:
- https://git.kernel.org/stable/c/1c62dc0d82c62f0dc8fcdc4843208e522acccaf5
- https://git.kernel.org/stable/c/3ced0fe6c0eff032733ea8b38778b34707270138
- https://git.kernel.org/stable/c/481e8f18a290e39e04ddb7feb2bb2a2cc3b213ed
- https://git.kernel.org/stable/c/70bae48377a2c4296fd3caf4caf8f11079111019
- https://git.kernel.org/stable/c/801a35dfef6996f3d5eaa96a59caf00440d9165e
- https://git.kernel.org/stable/c/c6bf043b210eac67d35a114e345c4e5585672913
- https://git.kernel.org/stable/c/d5dc65370a746750dbb2f03eabcf86b18db65f32
- https://git.kernel.org/stable/c/ec7f8337c98ad281020ad1f11ba492462d80737a
- https://git.kernel.org/stable/c/f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49962
In the Linux kernel, the following vulnerability has been resolved: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause NULL pointer dereference later. [ rjw: Subject and changelog edits ]
- https://git.kernel.org/stable/c/1c9b8775062f8d854a80caf186af57fc617d454c
- https://git.kernel.org/stable/c/402b4c6b7500c7cca6972d2456a4a422801035b5
- https://git.kernel.org/stable/c/4588ea78d3904bebb613b0bb025669e75800f546
- https://git.kernel.org/stable/c/4669da66ebc5b09881487f30669b0fcdb462188e
- https://git.kernel.org/stable/c/a5242874488eba2b9062985bf13743c029821330
- https://git.kernel.org/stable/c/a907c113a8b66972f15f084d7dff960207b1f71d
- https://git.kernel.org/stable/c/ae5d4c7e76ba393d20366dfea1f39f24560ffb1d
- https://git.kernel.org/stable/c/cbb67e245dacd02b5e1d82733892647df1523982
- https://git.kernel.org/stable/c/f282db38953ad71dd4f3f8877a4e1d37e580e30a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49963
In the Linux kernel, the following vulnerability has been resolved: mailbox: bcm2835: Fix timeout during suspend mode During noirq suspend phase the Raspberry Pi power driver suffer of firmware property timeouts. The reason is that the IRQ of the underlying BCM2835 mailbox is disabled and rpi_firmware_property_list() will always run into a timeout [1]. Since the VideoCore side isn't consider as a wakeup source, set the IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled during suspend-resume cycle. [1] PM: late suspend of devices complete after 1.754 msecs WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128 rpi_firmware_property_list+0x204/0x22c Firmware transaction 0x00028001 timeout Modules linked in: CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17 Hardware name: BCM2835 Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x44 dump_stack_lvl from __warn+0x88/0xec __warn from warn_slowpath_fmt+0x7c/0xb0 warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0 rpi_firmware_set_power from _genpd_power_off+0xe4/0x148 _genpd_power_off from genpd_sync_power_off+0x7c/0x11c genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0 genpd_finish_suspend from dpm_run_callback+0x78/0xd0 dpm_run_callback from device_suspend_noirq+0xc0/0x238 device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168 dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac suspend_devices_and_enter from pm_suspend+0x254/0x2e4 pm_suspend from state_store+0xa8/0xd4 state_store from kernfs_fop_write_iter+0x154/0x1a0 kernfs_fop_write_iter from vfs_write+0x12c/0x184 vfs_write from ksys_write+0x78/0xc0 ksys_write from ret_fast_syscall+0x0/0x54 Exception stack(0xcc93dfa8 to 0xcc93dff0) [...] PM: noirq suspend of devices complete after 3095.584 msecs
- https://git.kernel.org/stable/c/10a58555e0bb5cc4673c8bb73b8afc5fa651f0ac
- https://git.kernel.org/stable/c/32ee78823dea2d54adaf6e05f86622eba359e091
- https://git.kernel.org/stable/c/4e1e03760ee7cc4779b6306867fe0fc02921b963
- https://git.kernel.org/stable/c/90320cfc07b7d6e7a58fd8168f6380ec52ff0251
- https://git.kernel.org/stable/c/b0de20de29b13950493a36bd4cf531200eb0e807
- https://git.kernel.org/stable/c/dc09f007caed3b2f6a3b6bd7e13777557ae22bfd
- https://git.kernel.org/stable/c/df293ea78740a41384d648041f38f645700288e1
- https://git.kernel.org/stable/c/dfeb67b2194ecc55ef8065468c5adda3cdf59114
- https://git.kernel.org/stable/c/e65a9af05a0b59ebeba28e5e82265a233db7bc27
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49965
In the Linux kernel, the following vulnerability has been resolved: ocfs2: remove unreasonable unlock in ocfs2_read_blocks Patch series "Misc fixes for ocfs2_read_blocks", v5. This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix the issue reported by syzbot, which detects bad unlock balance in ocfs2_read_blocks(). The second patch fixes an issue reported by Heming Zhao when reviewing above fix. This patch (of 2): There was a lock release before exiting, so remove the unreasonable unlock.
- https://git.kernel.org/stable/c/39a88623af3f1c686bf6db1e677ed865ffe6fccc
- https://git.kernel.org/stable/c/3f1ca6ba5452d53c598a45d21267a2c0c221eef3
- https://git.kernel.org/stable/c/5245f109b4afb6595360d4c180d483a6d2009a59
- https://git.kernel.org/stable/c/81aba693b129e82e11bb54f569504d943d018de9
- https://git.kernel.org/stable/c/84543da867c967edffd5065fa910ebf56aaae49d
- https://git.kernel.org/stable/c/9753bcb17b36c9add9b32c61766ddf8d2d161911
- https://git.kernel.org/stable/c/c03a82b4a0c935774afa01fd6d128b444fd930a1
- https://git.kernel.org/stable/c/df4f20fc3673cee11abf2c571987a95733cb638d
- https://git.kernel.org/stable/c/f55a33fe0fb5274ef185fd61947cf142138958af
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49966
In the Linux kernel, the following vulnerability has been resolved: ocfs2: cancel dqi_sync_work before freeing oinfo ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the end, if error occurs after successfully reading global quota, it will trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled: ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c This reports that there is an active delayed work when freeing oinfo in error handling, so cancel dqi_sync_work first. BTW, return status instead of -1 when .read_file_info fails.
- https://git.kernel.org/stable/c/0d707a33c84b371cb66120e198eed3374726ddd8
- https://git.kernel.org/stable/c/14114d8148db07e7946fb06b56a50cfa425e26c7
- https://git.kernel.org/stable/c/35fccce29feb3706f649726d410122dd81b92c18
- https://git.kernel.org/stable/c/4173d1277c00baeedaaca76783e98b8fd0e3c08d
- https://git.kernel.org/stable/c/89043e7ed63c7fc141e68ea5a79758ed24b6c699
- https://git.kernel.org/stable/c/a4346c04d055bf7e184c18a73dbd23b6a9811118
- https://git.kernel.org/stable/c/bbf41277df8b33fbedf4750a9300c147e8f104eb
- https://git.kernel.org/stable/c/ef768020366f47d23f39c4f57bcb03af6d1e24b3
- https://git.kernel.org/stable/c/fc5cc716dfbdc5fd5f373ff3b51358174cf88bfc
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49969
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in DCN30 color transformation This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error. drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
- https://git.kernel.org/stable/c/0f1e222a4b41d77c442901d166fbdca967af0d86
- https://git.kernel.org/stable/c/578422ddae3d13362b64e77ef9bab98780641631
- https://git.kernel.org/stable/c/7ab69af56a23859b647dee69fa1052c689343621
- https://git.kernel.org/stable/c/929506d5671419cffd8d01e9a7f5eae53682a838
- https://git.kernel.org/stable/c/b9d8b94ec7e67f0cae228c054f77b73967c389a3
- https://git.kernel.org/stable/c/c13f9c62015c56a938304cef6d507227ea3e0039
- https://git.kernel.org/stable/c/d81873f9e715b72d4f8d391c8eb243946f784dfc
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49973
In the Linux kernel, the following vulnerability has been resolved: r8169: add tally counter fields added with RTL8125 RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it.
- https://git.kernel.org/stable/c/1c723d785adb711496bc64c24240f952f4faaabf
- https://git.kernel.org/stable/c/21950321ad33d7613b1453f4c503d7b1871deb61
- https://git.kernel.org/stable/c/585c048d15ed559f20cb94c8fa2f30077efa4fbc
- https://git.kernel.org/stable/c/64648ae8c97ec5a3165021627f5a1658ebe081ca
- https://git.kernel.org/stable/c/92bc8647b4d65f4d4bf8afdb206321c1bc55a486
- https://git.kernel.org/stable/c/991e8b0bab669b7d06927c3e442b3352532e8581
- https://git.kernel.org/stable/c/ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a
- https://git.kernel.org/stable/c/fe44b3bfbf0c74df5712f44458689d0eccccf47d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49975
In the Linux kernel, the following vulnerability has been resolved: uprobes: fix kernel info leak via "[uprobes]" vma xol_add_vma() maps the uninitialized page allocated by __create_xol_area() into userspace. On some architectures (x86) this memory is readable even without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ, although this doesn't really matter, debugger can read this memory anyway.
- https://git.kernel.org/stable/c/21cb47db1ec9765f91304763a24565ddc22d2492
- https://git.kernel.org/stable/c/24141df5a8615790950deedd926a44ddf1dfd6d8
- https://git.kernel.org/stable/c/2aa45f43709ba2082917bd2973d02687075b6eee
- https://git.kernel.org/stable/c/34820304cc2cd1804ee1f8f3504ec77813d29c8e
- https://git.kernel.org/stable/c/5b981d8335e18aef7908a068529a3287258ff6d8
- https://git.kernel.org/stable/c/9634e8dc964a4adafa7e1535147abd7ec29441a6
- https://git.kernel.org/stable/c/f31f92107e5a8ecc8902705122c594e979a351fe
- https://git.kernel.org/stable/c/f561b48d633ac2e7d0d667020fc634a96ade33a0
- https://git.kernel.org/stable/c/fe5e9182d3e227476642ae2b312e2356c4d326a3
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49977
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Fix zero-division error when disabling tc cbs The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider when offload is disabled") allows the "port_transmit_rate_kbps" to be set to a value of 0, which is then passed to the "div_s64" function when tc-cbs is disabled. This leads to a zero-division error. When tc-cbs is disabled, the idleslope, sendslope, and credit values the credit values are not required to be configured. Therefore, adding a return statement after setting the txQ mode to DCB when tc-cbs is disabled would prevent a zero-division error.
- https://git.kernel.org/stable/c/03582f4752427f60817d896f1a827aff772bd31e
- https://git.kernel.org/stable/c/5d43e1ad4567d67af2b42d3ab7c14152ffed25c6
- https://git.kernel.org/stable/c/675faf5a14c14a2be0b870db30a70764df81e2df
- https://git.kernel.org/stable/c/837d9df9c0792902710149d1a5e0991520af0f93
- https://git.kernel.org/stable/c/b0da9504a528f05f97d926b4db74ff21917a33e9
- https://git.kernel.org/stable/c/e297a2bf56d12fd7f91a0c209eb6ea84361f3368
- https://git.kernel.org/stable/c/e33fe25b1efe4f2e6a5858786dbc82ae4c44ed4c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49981
In the Linux kernel, the following vulnerability has been resolved: media: venus: fix use after free bug in venus_remove due to race condition in venus_probe, core->work is bound with venus_sys_error_handler, which is used to handle error. The code use core->sys_err_done to make sync work. The core->work is started in venus_event_notify. If we call venus_remove, there might be an unfished work. The possible sequence is as follows: CPU0 CPU1 |venus_sys_error_handler venus_remove | hfi_destroy | venus_hfi_destroy | kfree(hdev); | |hfi_reinit |venus_hfi_queues_reinit |//use hdev Fix it by canceling the work in venus_remove.
- https://git.kernel.org/stable/c/10941d4f99a5a34999121b314afcd9c0a1c14f15
- https://git.kernel.org/stable/c/2a541fcc0bd2b05a458e9613376df1289ec11621
- https://git.kernel.org/stable/c/5098b9e6377577fe13d03e1d8914930f014a3314
- https://git.kernel.org/stable/c/60b6968341a6dd5353554f3e72db554693a128a5
- https://git.kernel.org/stable/c/63bbe26471ebdcc3c20bb4cc3950d666279ad658
- https://git.kernel.org/stable/c/b0686aedc5f1343442d044bd64eeac7e7a391f4e
- https://git.kernel.org/stable/c/bf6be32e2d39f6301ff1831e249d32a8744ab28a
- https://git.kernel.org/stable/c/c5a85ed88e043474161bbfe54002c89c1cb50ee2
- https://git.kernel.org/stable/c/d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49982
In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in more places For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free. Then Nicolai Stange found more places in aoe have potential use-after-free problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packet to tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev. On the other hand, moving dev_put() to tx() causes that the refcnt of skb->dev be reduced to a negative value, because corresponding dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
- https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79
- https://git.kernel.org/stable/c/12f7b89dd72b25da4eeaa22097877963cad6418e
- https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3
- https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58
- https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f
- https://git.kernel.org/stable/c/a786265aecf39015418e4f930cc1c14603a01490
- https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3
- https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254
- https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49983
In the Linux kernel, the following vulnerability has been resolved: ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(), the 'ppath' is updated but it is the 'path' that is freed, thus potentially triggering a double-free in the following process: ext4_ext_replay_update_ex ppath = path ext4_force_split_extent_at(&ppath) ext4_split_extent_at ext4_ext_insert_extent ext4_ext_create_new_leaf ext4_ext_grow_indepth ext4_find_extent if (depth > path[0].p_maxdepth) kfree(path) ---> path First freed *orig_path = path = NULL ---> null ppath kfree(path) ---> path double-free !!! So drop the unnecessary ppath and use path directly to avoid this problem. And use ext4_find_extent() directly to update path, avoiding unnecessary memory allocation and freeing. Also, propagate the error returned by ext4_find_extent() instead of using strange error codes.
- https://git.kernel.org/stable/c/1b558006d98b7b0b730027be0ee98973dd10ee0d
- https://git.kernel.org/stable/c/3ff710662e8d86a63a39b334e9ca0cb10e5c14b0
- https://git.kernel.org/stable/c/5c0f4cc84d3a601c99bc5e6e6eb1cbda542cce95
- https://git.kernel.org/stable/c/6367d3f04c69e2b8770b8137bd800e0784b0abbc
- https://git.kernel.org/stable/c/63adc9016917e6970fb0104ee5fd6770f02b2d80
- https://git.kernel.org/stable/c/8c26d9e53e5fbacda0732a577e97c5a5b7882aaf
- https://git.kernel.org/stable/c/a34bed978364114390162c27e50fca50791c568d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49985
In the Linux kernel, the following vulnerability has been resolved: i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume In case there is any sort of clock controller attached to this I2C bus controller, for example Versaclock or even an AIC32x4 I2C codec, then an I2C transfer triggered from the clock controller clk_ops .prepare callback may trigger a deadlock on drivers/clk/clk.c prepare_lock mutex. This is because the clock controller first grabs the prepare_lock mutex and then performs the prepare operation, including its I2C access. The I2C access resumes this I2C bus controller via .runtime_resume callback, which calls clk_prepare_enable(), which attempts to grab the prepare_lock mutex again and deadlocks. Since the clock are already prepared since probe() and unprepared in remove(), use simple clk_enable()/clk_disable() calls to enable and disable the clock on runtime suspend and resume, to avoid hitting the prepare_lock mutex.
- https://git.kernel.org/stable/c/048bbbdbf85e5e00258dfb12f5e368f908801d7b
- https://git.kernel.org/stable/c/1883cad2cc629ded4a3556c0bbb8b42533ad8764
- https://git.kernel.org/stable/c/22a1f8a5b56ba93d3e8b7a1dafa24e01c8bb48ba
- https://git.kernel.org/stable/c/894cd5f5fd9061983445bbd1fa3d81be43095344
- https://git.kernel.org/stable/c/9b8bc33ad64192f54142396470cc34ce539a8940
- https://git.kernel.org/stable/c/c2024b1a583ab9176c797ea1e5f57baf8d5e2682
- https://git.kernel.org/stable/c/d6f1250a4d5773f447740b9fe37b8692105796d4
- https://git.kernel.org/stable/c/fac3c9f7784e8184c0338e9f0877b81e55d3ef1c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-49997
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix memory disclosure When applying padding, the buffer is not zeroed, which results in memory disclosure. The mentioned data is observed on the wire. This patch uses skb_put_padto() to pad Ethernet frames properly. The mentioned function zeroes the expanded buffer. In case the packet cannot be padded it is silently dropped. Statistics are also not incremented. This driver does not support statistics in the old 32-bit format or the new 64-bit format. These will be added in the future. In its current form, the patch should be easily backported to stable versions. Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets in hardware, so software padding must be applied.
- https://git.kernel.org/stable/c/1097bf16501ed5e35358d848b0a94ad2830b0f65
- https://git.kernel.org/stable/c/185df159843d30fb71f821e7ea4368c2a3bfcd36
- https://git.kernel.org/stable/c/2bf4c101d7c99483b8b15a0c8f881e3f399f7e18
- https://git.kernel.org/stable/c/431b122933b197820d319eb3987a67d04346ce9e
- https://git.kernel.org/stable/c/45c0de18ff2dc9af01236380404bbd6a46502c69
- https://git.kernel.org/stable/c/469856f76f4802c5d7e3d20e343185188de1e2db
- https://git.kernel.org/stable/c/60c068444c20bf9a3e22b65b5f6f3d9edc852931
- https://git.kernel.org/stable/c/905f06a34f960676e7dc77bea00f2f8fe18177ad
- https://git.kernel.org/stable/c/e66e38d07b31e177ca430758ed97fbc79f27d966
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Modified: 2025-11-03
CVE-2024-50001
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix error path in multi-packet WQE transmit Remove the erroneous unmap in case no DMA mapping was established The multi-packet WQE transmit code attempts to obtain a DMA mapping for the skb. This could fail, e.g. under memory pressure, when the IOMMU driver just can't allocate more memory for page tables. While the code tries to handle this in the path below the err_unmap label it erroneously unmaps one entry from the sq's FIFO list of active mappings. Since the current map attempt failed this unmap is removing some random DMA mapping that might still be required. If the PCI function now presents that IOVA, the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI function in error state. The erroneous behavior was seen in a stress-test environment that created memory pressure.
- https://git.kernel.org/stable/c/26fad69b34fcba80d5c7d9e651f628e6ac927754
- https://git.kernel.org/stable/c/2bcae12c795f32ddfbf8c80d1b5f1d3286341c32
- https://git.kernel.org/stable/c/8bb8c12fb5e2b1f03d603d493c92941676f109b5
- https://git.kernel.org/stable/c/ca36d6c1a49b6965c86dd528a73f38bc62d9c625
- https://git.kernel.org/stable/c/ce828b347cf1b3c1b12b091d02463c35ce5097f5
- https://git.kernel.org/stable/c/ecf310aaf256acbc8182189fe0aa1021c3ddef72
- https://git.kernel.org/stable/c/fc357e78176945ca7bcacf92ab794b9ccd41b4f4
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50006
In the Linux kernel, the following vulnerability has been resolved: ext4: fix i_data_sem unlock order in ext4_ind_migrate() Fuzzing reports a possible deadlock in jbd2_log_wait_commit. This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require synchronous updates because the file descriptor is opened with O_SYNC. This can lead to the jbd2_journal_stop() function calling jbd2_might_wait_for_commit(), potentially causing a deadlock if the EXT4_IOC_MIGRATE call races with a write(2) system call. This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the jbd2_journal_stop function while i_data_sem is locked. This triggers lockdep because the jbd2_journal_start function might also lock the same jbd2_handle simultaneously. Found by Linux Verification Center (linuxtesting.org) with syzkaller. Rule: add
- https://git.kernel.org/stable/c/3c46d6060d3e38de22196c1fe7706c5a3c696285
- https://git.kernel.org/stable/c/4192adefc9c570698821c5eb9873320eac2fcbf1
- https://git.kernel.org/stable/c/53b1999cfd2c7addf2e581a32865fe8835467b44
- https://git.kernel.org/stable/c/6252cb6bde7fc76cb8dcb49d1def7c326b190820
- https://git.kernel.org/stable/c/9fedf51ab8cf7b69bff08f37fe0989fec7f5d870
- https://git.kernel.org/stable/c/cc749e61c011c255d81b192a822db650c68b313f
- https://git.kernel.org/stable/c/d43776b907659affef1de888525847d64b244194
- https://git.kernel.org/stable/c/d58a00e981d3118b91d503da263e640b7cde6729
- https://git.kernel.org/stable/c/ef05572da0c0eb89614ed01cc17d3c882bdbd1ff
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50007
In the Linux kernel, the following vulnerability has been resolved: ALSA: asihpi: Fix potential OOB array access ASIHPI driver stores some values in the static array upon a response from the driver, and its index depends on the firmware. We shouldn't trust it blindly. This patch adds a sanity check of the array index to fit in the array size.
- https://git.kernel.org/stable/c/219587bca2678e31700ef09ecec178ba1f735674
- https://git.kernel.org/stable/c/36ee4021bcc37b834996e79740d095d6f8dd948f
- https://git.kernel.org/stable/c/7a55740996701f7b2bc46dc988b60ef2e416a747
- https://git.kernel.org/stable/c/7b986c7430a6bb68d523dac7bfc74cbd5b44ef96
- https://git.kernel.org/stable/c/876d04bf5a8ac1d6af5afd258cd37ab83ab2cf3d
- https://git.kernel.org/stable/c/a6bdb691cf7b66dcd929de1a253c5c42edd2e522
- https://git.kernel.org/stable/c/ad7248a5e92587b9266c62db8bcc4e58de53e372
- https://git.kernel.org/stable/c/ce2953e44829ec54bcbb57e9d890fc8af0900c80
- https://git.kernel.org/stable/c/e658227d9d4f4e122d81690fdbc0d438b10288f5
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50008
In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Replace one-element array with a flexible-array member in `struct host_cmd_ds_802_11_scan_ext`. With this, fix the following warning: elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------ elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1) elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]
- https://git.kernel.org/stable/c/17199b69a84798efffc475040fbef44374ef1de1
- https://git.kernel.org/stable/c/1756918f51e9ab247a0f4782cc28853c2bb457c1
- https://git.kernel.org/stable/c/498365e52bebcbc36a93279fe7e9d6aec8479cee
- https://git.kernel.org/stable/c/71267bd4e8c752d7af6c6b96bb83984a6a95273d
- https://git.kernel.org/stable/c/a3a12c30f9510f3753286fadbc6cdb7dad78c1d5
- https://git.kernel.org/stable/c/b55c8848fdc81514ec047b2a0ec782ffe9ab5323
- https://git.kernel.org/stable/c/e59bdb1ba594104cd0ee0af3ee9e4435d842a8fe
- https://git.kernel.org/stable/c/f9310a6704bf52e2493480edea896e1f9b795d40
- https://git.kernel.org/stable/c/fef7b51f22cf2049b0ca6740adeb0ba6f2e671dc
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50013
In the Linux kernel, the following vulnerability has been resolved: exfat: fix memory leak in exfat_load_bitmap() If the first directory entry in the root directory is not a bitmap directory entry, 'bh' will not be released and reassigned, which will cause a memory leak.
- https://git.kernel.org/stable/c/4e1813e52f86eb8db0c6c9570251f2fcbc571f5d
- https://git.kernel.org/stable/c/89081e8407e637463db5880d168e3652fb9f4330
- https://git.kernel.org/stable/c/bf0b3b35259475d1fe377bcaa565488e26684f7a
- https://git.kernel.org/stable/c/d2b537b3e533f28e0d97293fe9293161fe8cd137
- https://git.kernel.org/stable/c/dca359db1eb37f334267ebd7e3cab9a66d191d5b
- https://git.kernel.org/stable/c/ddf704c2ce3b73f38d2dd8cf1bb0f7ec038bdf63
- https://git.kernel.org/stable/c/f692160d3e1e5450605071b8df8f7d08d9b09a83
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50015
In the Linux kernel, the following vulnerability has been resolved: ext4: dax: fix overflowing extents beyond inode size when partially writing The dax_iomap_rw() does two things in each iteration: map written blocks and copy user data to blocks. If the process is killed by user(See signal handling in dax_iomap_iter()), the copied data will be returned and added on inode size, which means that the length of written extents may exceed the inode size, then fsck will fail. An example is given as: dd if=/dev/urandom of=file bs=4M count=1 dax_iomap_rw iomap_iter // round 1 ext4_iomap_begin ext4_iomap_alloc // allocate 0~2M extents(written flag) dax_iomap_iter // copy 2M data iomap_iter // round 2 iomap_iter_advance iter->pos += iter->processed // iter->pos = 2M ext4_iomap_begin ext4_iomap_alloc // allocate 2~4M extents(written flag) dax_iomap_iter fatal_signal_pending done = iter->pos - iocb->ki_pos // done = 2M ext4_handle_inode_extension ext4_update_inode_size // inode size = 2M fsck reports: Inode 13, i_size is 2097152, should be 4194304. Fix? Fix the problem by truncating extents if the written length is smaller than expected.
- https://git.kernel.org/stable/c/5efccdee4a7d507a483f20f880b809cc4eaef14d
- https://git.kernel.org/stable/c/8c30a9a8610c314554997f86370140746aa35661
- https://git.kernel.org/stable/c/a9f331f51515bdb3ebc8d0963131af367ef468f6
- https://git.kernel.org/stable/c/abfaa876b948baaea4d14f21a1963789845c8b4c
- https://git.kernel.org/stable/c/dda898d7ffe85931f9cca6d702a51f33717c501e
- https://git.kernel.org/stable/c/ec0dd451e236c46e4858d53e9e82bae7797a7af5
- https://git.kernel.org/stable/c/f8a7c342326f6ad1dfdb30a18dd013c70f5e9669
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50024
In the Linux kernel, the following vulnerability has been resolved: net: Fix an unsafe loop on the list The kernel may crash when deleting a genetlink family if there are still listeners for that family: Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0 LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0 Call Trace: __netlink_clear_multicast_users+0x74/0xc0 genl_unregister_family+0xd4/0x2d0 Change the unsafe loop on the list to a safe one, because inside the loop there is an element removal from this list.
- https://git.kernel.org/stable/c/1cdec792b2450105b1314c5123a9a0452cb2c2f0
- https://git.kernel.org/stable/c/1dae9f1187189bc09ff6d25ca97ead711f7e26f9
- https://git.kernel.org/stable/c/3be342e0332a7c83eb26fbb22bf156fdca467a5d
- https://git.kernel.org/stable/c/464801a0f6ccb52b21faa33bac6014fd74cc5e10
- https://git.kernel.org/stable/c/49f9b726bf2bf3dd2caf0d27cadf4bc1ccf7a7dd
- https://git.kernel.org/stable/c/5f03a7f601f33cda1f710611625235dc86fd8a9e
- https://git.kernel.org/stable/c/68ad5da6ca630a276f0a5c924179e57724d00013
- https://git.kernel.org/stable/c/8e0766fcf37ad8eed289dd3853628dd9b01b58b0
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50033
In the Linux kernel, the following vulnerability has been resolved: slip: make slhc_remember() more robust against malicious packets syzbot found that slhc_remember() was missing checks against malicious packets [1]. slhc_remember() only checked the size of the packet was at least 20, which is not good enough. We need to make sure the packet includes the IPv4 and TCP header that are supposed to be carried. Add iph and th pointers to make the code more readable. [1] BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666 ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455 ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline] ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212 ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 __release_sock+0x1da/0x330 net/core/sock.c:3072 release_sock+0x6b/0x250 net/core/sock.c:3626 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4091 [inline] slab_alloc_node mm/slub.c:4134 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1322 [inline] sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
- https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95c
- https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52af
- https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51a
- https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c
- https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246
- https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7
- https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50035
In the Linux kernel, the following vulnerability has been resolved: ppp: fix ppp_async_encode() illegal access syzbot reported an issue in ppp_async_encode() [1] In this case, pppoe_sendmsg() is called with a zero size. Then ppp_async_encode() is called with an empty skb. BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675 ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675 ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline] ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 __release_sock+0x1da/0x330 net/core/sock.c:3072 release_sock+0x6b/0x250 net/core/sock.c:3626 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4092 [inline] slab_alloc_node mm/slub.c:4135 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1322 [inline] sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
- https://git.kernel.org/stable/c/30d91a478d58cbae3dbaa8224d17d0d839f0d71b
- https://git.kernel.org/stable/c/40dddd4b8bd08a69471efd96107a4e1c73fabefc
- https://git.kernel.org/stable/c/4151ec65abd755133ebec687218fadd2d2631167
- https://git.kernel.org/stable/c/8dfe93901b410ae41264087427f3b9f389388f83
- https://git.kernel.org/stable/c/8fe992ff3df493d1949922ca234419f3ede08dff
- https://git.kernel.org/stable/c/c007a14797240607038bd3464501109f408940e2
- https://git.kernel.org/stable/c/ce249a4c68d0ce27a8c5d853338d502e2711a314
- https://git.kernel.org/stable/c/fadf8fdb3110d3138e05c3765f645535434f8d76
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50039
In the Linux kernel, the following vulnerability has been resolved:
net/sched: accept TCA_STAB only for root qdisc
Most qdiscs maintain their backlog using qdisc_pkt_len(skb)
on the assumption it is invariant between the enqueue()
and dequeue() handlers.
Unfortunately syzbot can crash a host rather easily using
a TBF + SFQ combination, with an STAB on SFQ [1]
We can't support TCA_STAB on arbitrary level, this would
require to maintain per-qdisc storage.
[1]
[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 88.798611] #PF: supervisor read access in kernel mode
[ 88.799014] #PF: error_code(0x0000) - not-present page
[ 88.799506] PGD 0 P4D 0
[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00
All code
========
0: 0f b7 50 12 movzwl 0x12(%rax),%edx
4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax
b: 00
c: 48 89 d6 mov %rdx,%rsi
f: 48 29 d0 sub %rdx,%rax
12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx
19: 48 c1 e0 03 shl $0x3,%rax
1d: 48 01 c2 add %rax,%rdx
20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx)
25: 7e c0 jle 0xffffffffffffffe7
27: 48 8b 3a mov (%rdx),%rdi
2a:* 4c 8b 07 mov (%rdi),%r8 <-- trapping instruction
2d: 4c 89 02 mov %r8,(%rdx)
30: 49 89 50 08 mov %rdx,0x8(%r8)
34: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi)
3b: 00
3c: 48 rex.W
3d: c7 .byte 0xc7
3e: 07 (bad)
...
Code starting with the faulting instruction
===========================================
0: 4c 8b 07 mov (%rdi),%r8
3: 4c 89 02 mov %r8,(%rdx)
6: 49 89 50 08 mov %rdx,0x8(%r8)
a: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi)
11: 00
12: 48 rex.W
13: c7 .byte 0xc7
14: 07 (bad)
...
[ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206
[ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800
[ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000
[ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f
[ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140
[ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac
[ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000
[ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0
[ 88.808165] Call Trace:
[ 88.808459]
- https://git.kernel.org/stable/c/1edf039ee01788ffc25625fe58a903ae2efa213e
- https://git.kernel.org/stable/c/2acbb9539bc2284e30d2aeb789c3d96287014264
- https://git.kernel.org/stable/c/3cb7cf1540ddff5473d6baeb530228d19bc97b8a
- https://git.kernel.org/stable/c/3dc6ee96473cc2962c6db4297d4631f261be150f
- https://git.kernel.org/stable/c/76feedc74b90270390fbfdf74a2e944e96872363
- https://git.kernel.org/stable/c/8fb6503592d39065316f45d267c5527b4e7cd995
- https://git.kernel.org/stable/c/adbc3eef43fc94c7c8436da832691ae02333a972
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50040
In the Linux kernel, the following vulnerability has been resolved:
igb: Do not bring the device up after non-fatal error
Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
changed igb_io_error_detected() to ignore non-fatal pcie errors in order
to avoid hung task that can happen when igb_down() is called multiple
times. This caused an issue when processing transient non-fatal errors.
igb_io_resume(), which is called after igb_io_error_detected(), assumes
that device is brought down by igb_io_error_detected() if the interface
is up. This resulted in panic with stacktrace below.
[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down
[ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0
[ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)
[ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000
[ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000
[ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message
[ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.
[ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message
[ T292] pcieport 0000:00:1c.5: AER: broadcast resume message
[ T292] ------------[ cut here ]------------
[ T292] kernel BUG at net/core/dev.c:6539!
[ T292] invalid opcode: 0000 [#1] PREEMPT SMP
[ T292] RIP: 0010:napi_enable+0x37/0x40
[ T292] Call Trace:
[ T292]
- https://git.kernel.org/stable/c/0a94079e3841d00ea5abb05e3233d019a86745f6
- https://git.kernel.org/stable/c/330a699ecbfc9c26ec92c6310686da1230b4e7eb
- https://git.kernel.org/stable/c/500be93c5d53b7e2c5314292012185f0207bad0c
- https://git.kernel.org/stable/c/57c5053eaa5f9a8a99e34732e37a86615318e464
- https://git.kernel.org/stable/c/6a39c8f5c8aae74c5ab2ba466791f59ffaab0178
- https://git.kernel.org/stable/c/c92cbd283ddcf55fd85a9a9b0ba13298213f3dd7
- https://git.kernel.org/stable/c/d79af3af2f49c6aae9add3d492c04d60c1b85ce4
- https://git.kernel.org/stable/c/dca2ca65a8695d9593e2cf1b40848e073ad75413
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50044
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change rfcomm_sk_state_change attempts to use sock_lock so it must never be called with it locked but rfcomm_sock_ioctl always attempt to lock it causing the following trace: ====================================================== WARNING: possible circular locking dependency detected 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted ------------------------------------------------------ syz-executor386/5093 is trying to acquire lock: ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline] ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73 but task is already holding lock: ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491
- https://git.kernel.org/stable/c/08d1914293dae38350b8088980e59fbc699a72fe
- https://git.kernel.org/stable/c/38b2d5a57d125e1c17661b8308c0240c4a43b534
- https://git.kernel.org/stable/c/496b2ab0fd10f205e08909a125485fdc98843dbe
- https://git.kernel.org/stable/c/4cb9807c9b53bf1e5560420d26f319f528b50268
- https://git.kernel.org/stable/c/869c6ee62ab8f01bf2419e45326642be5c9b670a
- https://git.kernel.org/stable/c/b77b3fb12fd483cae7c28648903b1d8a6b275f01
- https://git.kernel.org/stable/c/ced98072d3511b232ae1d3347945f35f30c0e303
- https://git.kernel.org/stable/c/ef44274dae9b0a90d1a97ce8b242a3b8243a7745
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50045
In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: fix panic with metadata_dst skb Fix a kernel panic in the br_netfilter module when sending untagged traffic via a VxLAN device. This happens during the check for fragmentation in br_nf_dev_queue_xmit. It is dependent on: 1) the br_netfilter module being loaded; 2) net.bridge.bridge-nf-call-iptables set to 1; 3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port; 4) untagged frames with size higher than the VxLAN MTU forwarded/flooded When forwarding the untagged packet to the VxLAN bridge port, before the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL. Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check for frames that needs to be fragmented: frames with higher MTU than the VxLAN device end up calling br_nf_ip_fragment, which in turns call ip_skb_dst_mtu. The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst with valid dst->dev, thus the crash. This case was never supported in the first place, so drop the packet instead. PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data. [ 176.291791] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000110 [ 176.292101] Mem abort info: [ 176.292184] ESR = 0x0000000096000004 [ 176.292322] EC = 0x25: DABT (current EL), IL = 32 bits [ 176.292530] SET = 0, FnV = 0 [ 176.292709] EA = 0, S1PTW = 0 [ 176.292862] FSC = 0x04: level 0 translation fault [ 176.293013] Data abort info: [ 176.293104] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 176.293488] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 176.293787] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000 [ 176.294166] [0000000000000110] pgd=0000000000000000, p4d=0000000000000000 [ 176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth br_netfilter bridge stp llc ipv6 crct10dif_ce [ 176.295923] CPU: 0 PID: 188 Comm: ping Not tainted 6.8.0-rc3-g5b3fbd61b9d1 #2 [ 176.296314] Hardware name: linux,dummy-virt (DT) [ 176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter] [ 176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter] [ 176.297636] sp : ffff800080003630 [ 176.297743] x29: ffff800080003630 x28: 0000000000000008 x27: ffff6828c49ad9f8 [ 176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24: 00000000000003e8 [ 176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21: ffff6828c3b16d28 [ 176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18: 0000000000000014 [ 176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15: 0000000095744632 [ 176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12: ffffb7e137926a70 [ 176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 : 0000000000000000 [ 176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 : f20e0100bebafeca [ 176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 : 0000000000000000 [ 176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 : ffff6828c7f918f0 [ 176.300889] Call trace: [ 176.301123] br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter] [ 176.301411] br_nf_post_routing+0x2a8/0x3e4 [br_netfilter] [ 176.301703] nf_hook_slow+0x48/0x124 [ 176.302060] br_forward_finish+0xc8/0xe8 [bridge] [ 176.302371] br_nf_hook_thresh+0x124/0x134 [br_netfilter] [ 176.302605] br_nf_forward_finish+0x118/0x22c [br_netfilter] [ 176.302824] br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter] [ 176.303136] br_nf_forward+0x2b8/0x4e0 [br_netfilter] [ 176.303359] nf_hook_slow+0x48/0x124 [ 176.303 ---truncated---
- https://git.kernel.org/stable/c/3453f5839420bfbb85c86c61e49f49ffd0f041c4
- https://git.kernel.org/stable/c/75dfcb758015c97e1accd6340691fca67d363bed
- https://git.kernel.org/stable/c/78ed917133b118661e1fe62d4a85d5d428ee9568
- https://git.kernel.org/stable/c/915717e0bb9837cc5c101bc545af487bd787239e
- https://git.kernel.org/stable/c/95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803
- https://git.kernel.org/stable/c/cce8419b8168f6e7eb637103a47f916f3de8bc81
- https://git.kernel.org/stable/c/f07131239a76cc10d5e82c19d91f53cb55727297
- https://git.kernel.org/stable/c/f9ff7665cd128012868098bbd07e28993e314fdb
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50046
In the Linux kernel, the following vulnerability has been resolved: NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies() On the node of an NFS client, some files saved in the mountpoint of the NFS server were copied to another location of the same NFS server. Accidentally, the nfs42_complete_copies() got a NULL-pointer dereference crash with the following syslog: [232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116 [232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116 [232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 [232066.588586] Mem abort info: [232066.588701] ESR = 0x0000000096000007 [232066.588862] EC = 0x25: DABT (current EL), IL = 32 bits [232066.589084] SET = 0, FnV = 0 [232066.589216] EA = 0, S1PTW = 0 [232066.589340] FSC = 0x07: level 3 translation fault [232066.589559] Data abort info: [232066.589683] ISV = 0, ISS = 0x00000007 [232066.589842] CM = 0, WnR = 0 [232066.589967] user pgtable: 64k pages, 48-bit VAs, pgdp=00002000956ff400 [232066.590231] [0000000000000058] pgd=08001100ae100003, p4d=08001100ae100003, pud=08001100ae100003, pmd=08001100b3c00003, pte=0000000000000000 [232066.590757] Internal error: Oops: 96000007 [#1] SMP [232066.590958] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm vhost_net vhost vhost_iotlb tap tun ipt_rpfilter xt_multiport ip_set_hash_ip ip_set_hash_net xfrm_interface xfrm6_tunnel tunnel4 tunnel6 esp4 ah4 wireguard libcurve25519_generic veth xt_addrtype xt_set nf_conntrack_netlink ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_bitmap_port ip_set_hash_ipport dummy ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_filter sch_ingress nfnetlink_cttimeout vport_gre ip_gre ip_tunnel gre vport_geneve geneve vport_vxlan vxlan ip6_udp_tunnel udp_tunnel openvswitch nf_conncount dm_round_robin dm_service_time dm_multipath xt_nat xt_MASQUERADE nft_chain_nat nf_nat xt_mark xt_conntrack xt_comment nft_compat nft_counter nf_tables nfnetlink ocfs2 ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_ssif nbd overlay 8021q garp mrp bonding tls rfkill sunrpc ext4 mbcache jbd2 [232066.591052] vfat fat cas_cache cas_disk ses enclosure scsi_transport_sas sg acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler ip_tables vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio dm_mirror dm_region_hash dm_log dm_mod nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc fuse xfs libcrc32c ast drm_vram_helper qla2xxx drm_kms_helper syscopyarea crct10dif_ce sysfillrect ghash_ce sysimgblt sha2_ce fb_sys_fops cec sha256_arm64 sha1_ce drm_ttm_helper ttm nvme_fc igb sbsa_gwdt nvme_fabrics drm nvme_core i2c_algo_bit i40e scsi_transport_fc megaraid_sas aes_neon_bs [232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1 [232066.597356] Hardware name: Great Wall .\x93\x8e...RF6260 V5/GWMSSE2GL1T, BIOS T656FBE_V3.0.18 2024-01-06 [232066.597721] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4] [232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4] [232066.598595] sp : ffff8000f568fc70 [232066.598731] x29: ffff8000f568fc70 x28: 0000000000001000 x27: ffff21003db33000 [232066.599030] x26: ffff800005521ae0 x25: ffff0100f98fa3f0 x24: 0000000000000001 [232066.599319] x23: ffff800009920008 x22: ffff21003db33040 x21: ffff21003db33050 [232066.599628] x20: ffff410172fe9e40 x19: ffff410172fe9e00 x18: 0000000000000000 [232066.599914] x17: 0000000000000000 x16: 0000000000000004 x15: 0000000000000000 [232066.600195] x14: 0000000000000000 x13: ffff800008e685a8 x12: 00000000eac0c6e6 [232066.600498] x11: 00000000000000 ---truncated---
- https://git.kernel.org/stable/c/584c019baedddec3fd634053e8fb2d8836108d38
- https://git.kernel.org/stable/c/632344b9efa064ca737bfcdaaaced59fd5f18ae9
- https://git.kernel.org/stable/c/a848c29e3486189aaabd5663bc11aea50c5bd144
- https://git.kernel.org/stable/c/ef9189bb15dcbe7ed3f3515aaa6fc8bf7483960d
- https://git.kernel.org/stable/c/f892165c564e3aab272948dbb556cc20e290c55a
- https://git.kernel.org/stable/c/fca41e5fa4914d12b2136c25f9dad69520b52683
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50049
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointer before dereferencing se [WHAT & HOW] se is null checked previously in the same function, indicating it might be null; therefore, it must be checked when used again. This fixes 1 FORWARD_NULL issue reported by Coverity.
- https://git.kernel.org/stable/c/65b2d49e55fe13ae56da3a7685bdccadca31134a
- https://git.kernel.org/stable/c/97a79933fb08a002ba9400d1a7a5df707ecdb896
- https://git.kernel.org/stable/c/a9b4fd1946678fa0e069e442f3c5a7d3fa446fac
- https://git.kernel.org/stable/c/c643ef59390e49f1dfab35e8ea65f5db5e527d64
- https://git.kernel.org/stable/c/f4149eec960110ffd5bcb161075dd9f1d7773075
- https://git.kernel.org/stable/c/ff599ef6970ee000fa5bc38d02fa5ff5f3fc7575
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50059
In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be called to start the work. If we remove the module which will call switchtec_ntb_remove to make cleanup, it will free sndev through kfree(sndev), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | check_link_status_work switchtec_ntb_remove | kfree(sndev); | | if (sndev->link_force_down) | // use sndev Fix it by ensuring that the work is canceled before proceeding with the cleanup in switchtec_ntb_remove.
- https://git.kernel.org/stable/c/177925d9c8715a897bb79eca62628862213ba956
- https://git.kernel.org/stable/c/3ae45be8492460a35b5aebf6acac1f1d32708946
- https://git.kernel.org/stable/c/5126d8f5567f49b52e21fca320eaa97977055099
- https://git.kernel.org/stable/c/92728fceefdaa2a0a3aae675f86193b006eeaa43
- https://git.kernel.org/stable/c/b650189687822b705711f0567a65a164a314d8df
- https://git.kernel.org/stable/c/e51aded92d42784313ba16c12f4f88cc4f973bbb
- https://git.kernel.org/stable/c/fa840ba4bd9f3bad7f104e5b32028ee73af8b3dd
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50095
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mad: Improve handling of timed out WRs of mad agent
Current timeout handler of mad agent acquires/releases mad_agent_priv
lock for every timed out WRs. This causes heavy locking contention
when higher no. of WRs are to be handled inside timeout handler.
This leads to softlockup with below trace in some use cases where
rdma-cm path is used to establish connection between peer nodes
Trace:
-----
BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767]
CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE
------- --- 5.14.0-427.13.1.el9_4.x86_64 #1
Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019
Workqueue: ib_mad1 timeout_sends [ib_core]
RIP: 0010:__do_softirq+0x78/0x2ac
RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246
RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f
RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b
RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000
R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040
FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
- https://git.kernel.org/stable/c/2a777679b8ccd09a9a65ea0716ef10365179caac
- https://git.kernel.org/stable/c/3e799fa463508abe7a738ce5d0f62a8dfd05262a
- https://git.kernel.org/stable/c/7022a517bf1ca37ef5a474365bcc5eafd345a13a
- https://git.kernel.org/stable/c/713adaf0ecfc49405f6e5d9e409d984f628de818
- https://git.kernel.org/stable/c/a195a42dd25ca4f12489687065d00be64939409f
- https://git.kernel.org/stable/c/e80eadb3604a92d2d086e956b8b2692b699d4d0a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50096
In the Linux kernel, the following vulnerability has been resolved: nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error The `nouveau_dmem_copy_one` function ensures that the copy push command is sent to the device firmware but does not track whether it was executed successfully. In the case of a copy error (e.g., firmware or hardware failure), the copy push command will be sent via the firmware channel, and `nouveau_dmem_copy_one` will likely report success, leading to the `migrate_to_ram` function returning a dirty HIGH_USER page to the user. This can result in a security vulnerability, as a HIGH_USER page that may contain sensitive or corrupted data could be returned to the user. To prevent this vulnerability, we allocate a zero page. Thus, in case of an error, a non-dirty (zero) page will be returned to the user.
- https://git.kernel.org/stable/c/614bfb2050982d23d53d0d51c4079dba0437c883
- https://git.kernel.org/stable/c/697e3ddcf1f8b68bd531fc34eead27c000bdf3e1
- https://git.kernel.org/stable/c/73f75d2b5aee5a735cf64b8ab4543d5c20dbbdd9
- https://git.kernel.org/stable/c/835745a377a4519decd1a36d6b926e369b3033e2
- https://git.kernel.org/stable/c/8c3de9282dde21ce3c1bf1bde3166a4510547aa9
- https://git.kernel.org/stable/c/ab4d113b6718b076046018292f821d5aa4b844f8
- https://git.kernel.org/stable/c/fd9bb7e996bab9b9049fffe3f3d3b50dee191d27
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50179
In the Linux kernel, the following vulnerability has been resolved: ceph: remove the incorrect Fw reference check when dirtying pages When doing the direct-io reads it will also try to mark pages dirty, but for the read path it won't hold the Fw caps and there is case will it get the Fw reference.
- https://git.kernel.org/stable/c/11ab19d48ab877430eed0c7d83810970bbcbc4f6
- https://git.kernel.org/stable/c/126b567a2ef65fc38a71d832bf1216c56816f231
- https://git.kernel.org/stable/c/74b302ebad5b43ac17460fa58092d892a3cba6eb
- https://git.kernel.org/stable/c/9d4f619153bab7fa59736462967821d6521a38cb
- https://git.kernel.org/stable/c/c08dfb1b49492c09cf13838c71897493ea3b424e
- https://git.kernel.org/stable/c/c26c5ec832dd9e9dcd0a0a892a485c99889b68f0
- https://git.kernel.org/stable/c/ea98284fc4fb05f276737d2043b02b62be5a8dfb
- https://git.kernel.org/stable/c/f55e003d261baa7c57d51ae5c8ec1f5c26a35c89
- https://git.kernel.org/stable/c/f863bfd0a2c6c99011c62ea71ac04f8e78707da9
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50180
In the Linux kernel, the following vulnerability has been resolved: fbdev: sisfb: Fix strbuf array overflow The values of the variables xres and yres are placed in strbuf. These variables are obtained from strbuf1. The strbuf1 array contains digit characters and a space if the array contains non-digit characters. Then, when executing sprintf(strbuf, "%ux%ux8", xres, yres); more than 16 bytes will be written to strbuf. It is suggested to increase the size of the strbuf array to 24. Found by Linux Verification Center (linuxtesting.org) with SVACE.
- https://git.kernel.org/stable/c/11c0d49093b82f6c547fd419c41a982d26bdf5ef
- https://git.kernel.org/stable/c/252f147b1826cbb30ae0304cf86b66d3bb12b743
- https://git.kernel.org/stable/c/41cf6f26abe4f491b694c54bd1aa2530369b7510
- https://git.kernel.org/stable/c/433c84c8495008922534c5cafdae6ff970fb3241
- https://git.kernel.org/stable/c/57c4f4db0a194416da237fd09dad9527e00cb587
- https://git.kernel.org/stable/c/688872c4ea4a528cd6a057d545c83506b533ee1f
- https://git.kernel.org/stable/c/889304120ecb2ca30674d89cd4ef15990b6a571c
- https://git.kernel.org/stable/c/9cf14f5a2746c19455ce9cb44341b5527b5e19c3
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50184
In the Linux kernel, the following vulnerability has been resolved: virtio_pmem: Check device status before requesting flush If a pmem device is in a bad status, the driver side could wait for host ack forever in virtio_pmem_flush(), causing the system to hang. So add a status check in the beginning of virtio_pmem_flush() to return early if the device is not activated.
- https://git.kernel.org/stable/c/4ce662fe4be6fbc2595d9ef4888b2b6e778c99ed
- https://git.kernel.org/stable/c/59ac565c6277d4be6661e81ea6a7f3ca2c5e4e36
- https://git.kernel.org/stable/c/6a5ca0ab94e13a1474bf7ad8437a975c2193618f
- https://git.kernel.org/stable/c/9a2bc9b6f929a2ce1ebe4d1a796ddab37568c5b4
- https://git.kernel.org/stable/c/b01793cc63dd39c8f12b9a3d8dc115fbebb19e2a
- https://git.kernel.org/stable/c/ce7a3a62cc533c922072f328fd2ea2fd7cb893d4
- https://git.kernel.org/stable/c/e25fbcd97cf52c3c9824d44b5c56c19673c3dd50
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Modified: 2025-11-03
CVE-2024-50188
In the Linux kernel, the following vulnerability has been resolved: net: phy: dp83869: fix memory corruption when enabling fiber When configuring the fiber port, the DP83869 PHY driver incorrectly calls linkmode_set_bit() with a bit mask (1 << 10) rather than a bit number (10). This corrupts some other memory location -- in case of arm64 the priv pointer in the same structure. Since the advertising flags are updated from supported at the end of the function the incorrect line isn't needed at all and can be removed.
- https://git.kernel.org/stable/c/21b5af7f0c99b3bf1fd02016e6708b613acbcaf4
- https://git.kernel.org/stable/c/9ca634676ff66e1d616259e136f96f96b2a1759a
- https://git.kernel.org/stable/c/a842e443ca8184f2dc82ab307b43a8b38defd6a5
- https://git.kernel.org/stable/c/ad0d76b8ee5db063791cc2e7a30ffc9852ac37c4
- https://git.kernel.org/stable/c/c1944b4253649fc6f2fb53e7d6302eb414d2182c
- https://git.kernel.org/stable/c/e3f2de32dae35bc7d173377dc97b5bc9fcd9fc84
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
Closed bugs
Не определяет версию trivy --version
Package k8s-trivy-node-collector updated to version 0.3.1-alt1 for branch p10 in task 360126.
Closed vulnerabilities
Modified: 2024-12-05
BDU:2024-04486
Уязвимость компонента net-netip языка программирования Golang, связанная с неправильным контролем доступа, позволяющая нарушителю обойти существующую политику ограничения доступа
Modified: 2024-11-21
CVE-2024-24790
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
- http://www.openwall.com/lists/oss-security/2024/06/04/1
- https://go.dev/cl/590316
- https://go.dev/issue/67680
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
- https://pkg.go.dev/vuln/GO-2024-2887
- http://www.openwall.com/lists/oss-security/2024/06/04/1
- https://go.dev/cl/590316
- https://go.dev/issue/67680
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
- https://pkg.go.dev/vuln/GO-2024-2887
- https://security.netapp.com/advisory/ntap-20240905-0002/
Closed vulnerabilities
BDU:2024-04119
Уязвимость функции api_plugin_hook() программного средства мониторинга сети Cacti, позволяющая нарушителю выполнить произвольный код
BDU:2024-04179
Уязвимость функции form_save() программного средства мониторинга сети Cacti, позволяющая нарушителю выполнять произвольные SQL-запросы
BDU:2024-04180
Уязвимость функции automation_get_new_graphs_sql программного средства мониторинга сети Cacti, позволяющая нарушителю выполнять произвольные SQL-запросы
Modified: 2024-09-06
BDU:2024-04181
Уязвимость функции create_all_header_nodes() программного средства мониторинга сети Cacti, позволяющая нарушителю выполнять произвольные SQL-запросы
BDU:2024-05742
Уязвимость функции import_package() (lib/import.php) программного средства мониторинга сети Cacti, позволяющая нарушителю выполнить произвольный PHP-код
BDU:2024-05743
Уязвимость программного средства мониторинга сети Cacti, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю выполнить межсайтовый скриптинг
Modified: 2024-12-27
BDU:2024-05744
Уязвимость функции automation_tree_rules_form_save() (automation_tree_rules.php) программного средства мониторинга сети Cacti, позволяющая нарушителю провести атаку межстайтового скриптинга (XSS)
Modified: 2024-12-27
BDU:2024-05745
Уязвимость функции form_save() (data_queries.php) программного средства мониторинга сети Cacti, позволяющая нарушителю выполнить межсайтовый скриптинг
BDU:2024-07867
Уязвимость программного средства мониторинга сети Cacti, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код
Modified: 2025-11-05
BDU:2024-08721
Уязвимость сценария links.php программного средства мониторинга сети Cacti, позволяющая нарушителю проводить межсайтовые сценарные атаки
BDU:2024-08740
Уязвимость сценария links.php программного средства мониторинга сети Cacti, позволяющая нарушителю проводить межсайтовые сценарные атаки
Modified: 2025-11-04
CVE-2024-25641
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
- http://seclists.org/fulldisclosure/2024/May/6
- https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
- https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- http://seclists.org/fulldisclosure/2024/May/6
- https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
- https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Modified: 2024-12-18
CVE-2024-27082
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue.
Modified: 2024-12-18
CVE-2024-29894
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue.
- https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh
- https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh
- https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Modified: 2025-11-04
CVE-2024-31443
Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
- https://github.com/Cacti/cacti/commit/f946fa537d19678f938ddbd784a10e3290d275cf
- https://github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://github.com/Cacti/cacti/commit/f946fa537d19678f938ddbd784a10e3290d275cf
- https://github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Modified: 2025-11-04
CVE-2024-31444
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
- https://github.com/Cacti/cacti/security/advisories/GHSA-p4ch-7hjw-6m87
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://github.com/Cacti/cacti/security/advisories/GHSA-p4ch-7hjw-6m87
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Modified: 2025-11-04
CVE-2024-31445
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue.
- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L717
- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L856
- https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886
- https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L717
- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L856
- https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886
- https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Modified: 2025-11-04
CVE-2024-31458
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php` , finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue.
- https://github.com/Cacti/cacti/security/advisories/GHSA-jrxg-8wh8-943x
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://github.com/Cacti/cacti/security/advisories/GHSA-jrxg-8wh8-943x
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Modified: 2025-11-04
CVE-2024-31459
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue.
- https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
- https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
- https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
- https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
- https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Modified: 2025-11-04
CVE-2024-31460
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue.
- https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
- https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
- https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Modified: 2025-11-04
CVE-2024-34340
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is in `compat_password_verify`. Md5-hashed user input is compared with correct password in database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability. Version 1.2.27 contains a patch for the issue.
- https://github.com/Cacti/cacti/security/advisories/GHSA-37x7-mfjv-mm7m
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://github.com/Cacti/cacti/security/advisories/GHSA-37x7-mfjv-mm7m
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Modified: 2025-11-03
CVE-2024-43362
Cacti is an open source performance and fault management framework. The `fileurl` parameter is not properly sanitized when saving external links in `links.php` . Morever, the said fileurl is placed in some html code which is passed to the `print` function in `link.php` and `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `fileurl` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this issue.
Modified: 2025-11-03
CVE-2024-43363
Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Modified: 2025-11-03
CVE-2024-43364
Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php . Morever, the said title parameter is stored in the database and reflected back to user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.