csaf2cusa/cusas/k/kernel/kernel-5.10.0-60.137.0.164_openEuler-SA-2024-1619.json

{
  "id": "openEuler-SA-2024-1619",
  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1619",
  "title": "An update for kernel is now available for openEuler-22.03-LTS",
  "severity": "Important",
  "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Harden accesses to the reset domains\r\n\r\nAccessing reset domains descriptors by the index upon the SCMI drivers\nrequests through the SCMI reset operations interface can potentially\nlead to out-of-bound violations if the SCMI driver misbehave.\r\n\r\nAdd an internal consistency check before any such domains descriptors\naccesses.(CVE-2022-48655)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nftables: exthdr: fix 4-byte stack OOB write\r\n\r\nIf priv->len is a multiple of 4, then dst[len / 4] can write past\nthe destination array which leads to stack corruption.\r\n\r\nThis construct is necessary to clean the remainder of the register\nin case ->len is NOT a multiple of the register size, so make it\nconditional just like nft_payload.c does.\r\n\r\nThe bug was added in 4.1 cycle and then copied/inherited when\ntcp/sctp and ip option support was added.\r\n\r\nBug reported by Zero Day Initiative project (ZDI-CAN-21950,\nZDI-CAN-21951, ZDI-CAN-21961).(CVE-2023-52628)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: rc: bpf attach/detach requires write permission\r\n\r\nNote that bpf attach/detach also requires CAP_NET_ADMIN.(CVE-2023-52642)\r\n\r\nA flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.(CVE-2023-6270)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-mq: fix IO hang from sbitmap wakeup race\r\n\r\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\r\n\r\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\r\n\r\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\r\n\r\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n       \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n        \t--ioengine=libaio\r\n\r\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.(CVE-2024-26671)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\r\n\r\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\r\n\r\nE.g: Taking the following steps:\r\n\r\n     fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n     fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n     fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\r\n\r\nGiven that the requested \"pagesize\" is invalid, ctxt->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\r\n\r\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n         pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n         return -EINVAL;\n }\n return 0;\n ...\n ...\r\n\r\nThis is a problem because later on, we will dereference ctxt->hstate in\nhugetlbfs_fill_super()\r\n\r\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\r\n\r\nCausing below Oops.\r\n\r\nFix this by replacing cxt->hstate value only when then pagesize is known\nto be valid.\r\n\r\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G            E      6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel:  <TASK>\n kernel:  ? __die_body+0x1a/0x60\n kernel:  ? page_fault_oops+0x16f/0x4a0\n kernel:  ? search_bpf_extables+0x65/0x70\n kernel:  ? fixup_exception+0x22/0x310\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  ? asm_exc_page_fault+0x22/0x30\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel:  ? hugetlbfs_fill_super+0x28/0x1a0\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  vfs_get_super+0x40/0xa0\n kernel:  ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel:  vfs_get_tree+0x25/0xd0\n kernel:  vfs_cmd_create+0x64/0xe0\n kernel:  __x64_sys_fsconfig+0x395/0x410\n kernel:  do_syscall_64+0x80/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---(CVE-2024-26688)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix double free of anonymous device after snapshot creation failure\r\n\r\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\r\n\r\nThe steps that lead to this:\r\n\r\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n   and assign it to pending_snapshot->anon_dev;\r\n\r\n2) Then we call btrfs_commit_transaction() and end up at\n   transaction.c:create_pending_snapshot();\r\n\r\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n   number stored in pending_snapshot->anon_dev;\r\n\r\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n   btrfs_lookup_fs_root() returned a root - someone else did a lookup\n   of the new root already, which could some task doing backref walking;\r\n\r\n5) After that some error happens in the transaction commit path, and at\n   ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n   that we free again the same anonymous device number, which in the\n   meanwhile may have been reallocated somewhere else, because\n   pending_snapshot->anon_dev still has the same value as in step 1.\r\n\r\nRecently syzbot ran into this and reported the following trace:\r\n\r\n  ------------[ cut here ]------------\n  ida_free called for id=51 which is not allocated.\n  WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n  Modules linked in:\n  CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n  RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n  Code: 10 42 80 3c 28 (...)\n  RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n  RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n  RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n  RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n  R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n  R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n  FS:  00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n   create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n   create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n   btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n   create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n   btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n   btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n   __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n   btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n   btrfs_ioctl+0xa74/0xd40\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:871 [inline]\n   __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n   do_syscall_64+0xfb/0x240\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n  RIP: 0033:0x7fca3e67dda9\n  Code: 28 00 00 00 (...)\n  RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n  RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n   </TASK>\r\n\r\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---(CVE-2024-26792)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namdkfd: use calloc instead of kzalloc to avoid integer overflow\r\n\r\nThis uses calloc instead of doing the multiplication which might\noverflow.(CVE-2024-26817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Fix a memleak in init_credit_return\r\n\r\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered.(CVE-2024-26839)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncachefiles: fix memory leak in cachefiles_add_cache()\r\n\r\nThe following memory leak was reported after unbinding /dev/cachefiles:\r\n\r\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n  comm \"cachefilesd2\", pid 680, jiffies 4294881224\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc ea38a44b):\n    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370\n    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0\n    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120\n    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0\n    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0\n    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520\n    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0\n    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140\n    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\r\n\r\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.(CVE-2024-26840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nefi: runtime: Fix potential overflow of soft-reserved region size\r\n\r\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved region.(CVE-2024-26843)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()\r\n\r\nThe function ice_bridge_setlink() may encounter a NULL pointer dereference\nif nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently\nin nla_for_each_nested(). To address this issue, add a check to ensure that\nbr_spec is not NULL before proceeding with the nested attribute iteration.(CVE-2024-26855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\r\n\r\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\r\n\r\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\r\n\r\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\r\n\r\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\r\n\r\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.(CVE-2024-26875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nquota: Fix potential NULL pointer dereference\r\n\r\nBelow race may cause NULL pointer dereference\r\n\r\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t  drop_dquot_ref\n\t\t\t\t\t   remove_dquot_ref\n\t\t\t\t\t   dquots = i_dquot(inode)\n  dquots = i_dquot(inode)\n  srcu_read_lock\n  dquots[cnt]) != NULL (1)\n\t\t\t\t\t     dquots[type] = NULL (2)\n  spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n   ....\r\n\r\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\r\n\r\nSo let's fix it by using a temporary pointer to avoid this issue.(CVE-2024-26878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\r\n\r\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\r\n\r\n    | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n    | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n    | arm-scmi firmware:scmi: unable to communicate with SCMI\n    | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n    | Mem abort info:\n    |   ESR = 0x0000000096000004\n    |   EC = 0x25: DABT (current EL), IL = 32 bits\n    |   SET = 0, FnV = 0\n    |   EA = 0, S1PTW = 0\n    |   FSC = 0x04: level 0 translation fault\n    | Data abort info:\n    |   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    |   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    |   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n    | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n    | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n    | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n    | Modules linked in:\n    | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n    | Hardware name: FVP Base RevC (DT)\n    | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n    | pc : smc_chan_free+0x3c/0x6c\n    | lr : smc_chan_free+0x3c/0x6c\n    | Call trace:\n    |  smc_chan_free+0x3c/0x6c\n    |  idr_for_each+0x68/0xf8\n    |  scmi_cleanup_channels.isra.0+0x2c/0x58\n    |  scmi_probe+0x434/0x734\n    |  platform_probe+0x68/0xd8\n    |  really_probe+0x110/0x27c\n    |  __driver_probe_device+0x78/0x12c\n    |  driver_probe_device+0x3c/0x118\n    |  __driver_attach+0x74/0x128\n    |  bus_for_each_dev+0x78/0xe0\n    |  driver_attach+0x24/0x30\n    |  bus_add_driver+0xe4/0x1e8\n    |  driver_register+0x60/0x128\n    |  __platform_driver_register+0x28/0x34\n    |  scmi_driver_init+0x84/0xc0\n    |  do_one_initcall+0x78/0x33c\n    |  kernel_init_freeable+0x2b8/0x51c\n    |  kernel_init+0x24/0x130\n    |  ret_from_fork+0x10/0x20\n    | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n    | ---[ end trace 0000000000000000 ]---\r\n\r\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\r\n\r\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.(CVE-2024-26893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\r\n\r\nThis patch is against CVE-2023-6270. The description of cve is:\r\n\r\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\r\n\r\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\r\n\r\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().(CVE-2024-26898)",
  "cves": [
    {
      "id": "CVE-2024-26898",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898",
      "severity": "Important"
    }
  ]
}