Debian Linux-6.1 vulnerabilities

CVE-2024-43867 [MEDIUM] CVE-2024-43867: linux - In the Linux kernel, the following vulnerability has been resolved: drm/nouveau... In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix refcount underflow Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and hence the backing ttm_bo) leads to a refcount underflow. Instead of calling nouveau_bo_ref() in the unwind path of drm_gem_object_init(), clean things up manually. (cherry picked from com

CVE-2024-50249 [MEDIUM] CVE-2024-50249: linux - In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC:... In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Make rmw_lock a raw_spin_lock The following BUG was triggered: ============================= [ BUG: Invalid wait context ] 6.12.0-rc2-XXX #406 Not tainted ----------------------------- kworker/1:1/62 is trying to lock: ffffff8801593030 (&cpc_ptr->rmw_lock){+.+.}-{3:3}, at: cpc_write+0xcc

CVE-2024-46686 [MEDIUM] CVE-2024-46686: linux - In the Linux kernel, the following vulnerability has been resolved: smb/client:... In the Linux kernel, the following vulnerability has been resolved: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() This happens when called from SMB2_read() while using rdma and reaching the rdma_readwrite_threshold. Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: resolved forky: resolved (fixed in 6.10.9-1) sid: resolved (fixed in

CVE-2024-42247 [MEDIUM] CVE-2024-42247: linux - In the Linux kernel, the following vulnerability has been resolved: wireguard: ... In the Linux kernel, the following vulnerability has been resolved: wireguard: allowedips: avoid unaligned 64-bit memory accesses On the parisc platform, the kernel issues kernel warnings because swap_endian() tries to load a 128-bit IPv6 address from an unaligned memory location: Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard

CVE-2024-47710 [MEDIUM] CVE-2024-47710: linux - In the Linux kernel, the following vulnerability has been resolved: sock_map: A... In the Linux kernel, the following vulnerability has been resolved: sock_map: Add a cond_resched() in sock_hash_free() Several syzbot soft lockup reports all have in common sock_hash_free() If a map with a large number of buckets is destroyed, we need to yield the cpu when needed. Scope: local bookworm: resolved (fixed in 6.1.115-1) bullseye: resolved (fixed in 5.10

CVE-2024-42077 [MEDIUM] CVE-2024-42077: linux - In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix ... In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix DIO failure due to insufficient transaction credits The code in ocfs2_dio_end_io_write() estimates number of necessary transaction credits using ocfs2_calc_extend_credits(). This however does not take into account that the IO could be arbitrarily large and can contain arbitrary number of

CVE-2024-46679 [MEDIUM] CVE-2024-46679: linux - In the Linux kernel, the following vulnerability has been resolved: ethtool: ch... In the Linux kernel, the following vulnerability has been resolved: ethtool: check device is present when getting link settings A sysfs reader can race with a device reset or removal, attempting to read device state when the device is not actually present. eg: [exception RIP: qed_get_current_link+17] #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a

CVE-2024-53151 [MEDIUM] CVE-2024-53151: linux - In the Linux kernel, the following vulnerability has been resolved: svcrdma: Ad... In the Linux kernel, the following vulnerability has been resolved: svcrdma: Address an integer overflow Dan Carpenter reports: > Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data > structure") from Jun 22, 2020 (linux-next), leads to the following > Smatch static checker warning: > > net/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk() >

CVE-2024-50205 [MEDIUM] CVE-2024-50205: linux - In the Linux kernel, the following vulnerability has been resolved: ALSA: firew... In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() The step variable is initialized to zero. It is changed in the loop, but if it's not changed it will remain zero. Add a variable check before the division. The observed behavior was introduced by commit 826b5de90c0b ("ALSA: fir

CVE-2024-39474 [MEDIUM] CVE-2024-39474: linux - In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc:... In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL commit a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc") includes support for __GFP_NOFAIL, but it presents a conflict with commit dd544141b9eb ("vmalloc: back off when the current task is OOM-killed"). A possibl

CVE-2024-38540 [MEDIUM] CVE-2024-38540: linux - In the Linux kernel, the following vulnerability has been resolved: bnxt_re: av... In the Linux kernel, the following vulnerability has been resolved: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is docum

CVE-2024-47739 [MEDIUM] CVE-2024-47739: linux - In the Linux kernel, the following vulnerability has been resolved: padata: use... In the Linux kernel, the following vulnerability has been resolved: padata: use integer wrap around to prevent deadlock on seq_nr overflow When submitting more than 2^32 padata objects to padata_do_serial, the current sorting implementation incorrectly sorts padata objects with overflowed seq_nr, causing them to be placed before existing objects in the reorder list.

CVE-2024-42309 [MEDIUM] CVE-2024-42309: linux - In the Linux kernel, the following vulnerability has been resolved: drm/gma500:... In the Linux kernel, the following vulnerability has been resolved: drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Scope: local bookworm

CVE-2024-50031 [MEDIUM] CVE-2024-50031: linux - In the Linux kernel, the following vulnerability has been resolved: drm/v3d: St... In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Stop the active perfmon before being destroyed When running `kmscube` with one or more performance monitors enabled via `GALLIUM_HUD`, the following kernel panic can occur: [ 55.008324] Unable to handle kernel paging request at virtual address 00000000052004a4 [ 55.008368] Mem abort info: [

CVE-2024-56644 [MEDIUM] CVE-2024-56644: linux - In the Linux kernel, the following vulnerability has been resolved: net/ipv6: r... In the Linux kernel, the following vulnerability has been resolved: net/ipv6: release expired exception dst cached in socket Dst objects get leaked in ip6_negative_advice() when this function is executed for an expired IPv6 route located in the exception table. There are several conditions that must be fulfilled for the leak to occur: * an ICMPv6 packet indicating a

CVE-2024-49866 [MEDIUM] CVE-2024-49866: linux - In the Linux kernel, the following vulnerability has been resolved: tracing/tim... In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Fix a race during cpuhp processing There is another found exception that the "timerlat/1" thread was scheduled on CPU0, and lead to timer corruption finally: ``` ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220 WARNING:

CVE-2024-43914 [MEDIUM] CVE-2024-43914: linux - In the Linux kernel, the following vulnerability has been resolved: md/raid5: a... In the Linux kernel, the following vulnerability has been resolved: md/raid5: avoid BUG_ON() while continue reshape after reassembling Currently, mdadm support --revert-reshape to abort the reshape while reassembling, as the test 07revert-grow. However, following BUG_ON() can be triggerred by the test: kernel BUG at drivers/md/raid5.c:6278! invalid opcode: 0000 [#1]

CVE-2024-53042 [MEDIUM] CVE-2024-53042: linux - In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_tu... In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() There are code paths from which the function is called without holding the RCU read lock, resulting in a suspicious RCU usage warning [1]. Fix by using l3mdev_master_upper_ifindex_by_index() which will acquire the RCU read lo

CVE-2024-40910 [MEDIUM] CVE-2024-40910: linux - In the Linux kernel, the following vulnerability has been resolved: ax25: Fix r... In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount er

CVE-2024-50198 [MEDIUM] CVE-2024-50198: linux - In the Linux kernel, the following vulnerability has been resolved: iio: light:... In the Linux kernel, the following vulnerability has been resolved: iio: light: veml6030: fix IIO device retrieval from embedded device The dev pointer that is received as an argument in the in_illuminance_period_available_show function references the device embedded in the IIO device, not in the i2c client. dev_to_iio_dev() must be used to accessthe right data. The