Debian Linux-6.1 vulnerabilities

CVE-2024-57978 [MEDIUM] CVE-2024-57978: linux - In the Linux kernel, the following vulnerability has been resolved: media: imx-... In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Fix potential error pointer dereference in detach_pm() The proble is on the first line: if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i])) If jpeg->pd_dev[i] is an error pointer, then passing it to pm_runtime_suspended() will lead to an Oops. The other conditions check f

CVE-2024-45001 [MEDIUM] CVE-2024-45001: linux - In the Linux kernel, the following vulnerability has been resolved: net: mana: ... In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix RX buf alloc_size alignment and atomic op panic The MANA driver's RX buffer alloc_size is passed into napi_build_skb() to create SKB. skb_shinfo(skb) is located at the end of skb, and its alignment is affected by the alloc_size passed into napi_build_skb(). The size needs to be aligne

CVE-2024-49978 [MEDIUM] CVE-2024-49978: linux - In the Linux kernel, the following vulnerability has been resolved: gso: fix ud... In the Linux kernel, the following vulnerability has been resolved: gso: fix udp gso fraglist segmentation after pull from frag_list Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_s

CVE-2024-56747 [MEDIUM] CVE-2024-56747: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: qedi:... In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() Hook "qedi_ops->common->sb_init = qed_sb_init" does not release the DMA memory sb_virt when it fails. Add dma_free_coherent() to free it. This is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb(). Scope: local bookworm: res

CVE-2024-40970 [MEDIUM] CVE-2024-40970: linux - In the Linux kernel, the following vulnerability has been resolved: Avoid hw_de... In the Linux kernel, the following vulnerability has been resolved: Avoid hw_desc array overrun in dw-axi-dmac I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3 segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put() handles the hw_desc considering the descs_allocated, this scenario would result in a ke

CVE-2024-56660 [MEDIUM] CVE-2024-56660: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: D... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DR, prevent potential error pointer dereference The dr_domain_add_vport_cap() function generally returns NULL on error but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM and if it's and -ENOMEM then the

CVE-2024-49905 [MEDIUM] CVE-2024-49905: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) This commit adds a null check for the 'afb' variable in the amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was assumed to be null, but was used later in the code without a null check. This could

CVE-2024-46791 [MEDIUM] CVE-2024-46791: linux - In the Linux kernel, the following vulnerability has been resolved: can: mcp251... In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. If an interrupt has already occurred then waiting for the int

CVE-2024-56568 [MEDIUM] CVE-2024-56568: linux - In the Linux kernel, the following vulnerability has been resolved: iommu/arm-s... In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Defer probe of clients after smmu device bound Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_boun

CVE-2024-36894 [MEDIUM] CVE-2024-36894: linux - In the Linux kernel, the following vulnerability has been resolved: usb: gadget... In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disco

CVE-2024-50188 [MEDIUM] CVE-2024-50188: linux - In the Linux kernel, the following vulnerability has been resolved: net: phy: d... In the Linux kernel, the following vulnerability has been resolved: net: phy: dp83869: fix memory corruption when enabling fiber When configuring the fiber port, the DP83869 PHY driver incorrectly calls linkmode_set_bit() with a bit mask (1 << 10) rather than a bit number (10). This corrupts some other memory location -- in case of arm64 the priv pointer in the same

CVE-2024-43851 [MEDIUM] CVE-2024-43851: linux - In the Linux kernel, the following vulnerability has been resolved: soc: xilinx... In the Linux kernel, the following vulnerability has been resolved: soc: xilinx: rename cpu_number1 to dummy_cpu_number The per cpu variable cpu_number1 is passed to xlnx_event_handler as argument "dev_id", but it is not used in this function. So drop the initialization of this variable and rename it to dummy_cpu_number. This patch is to fix the following call trace

CVE-2024-44988 [MEDIUM] CVE-2024-44988: linux - In the Linux kernel, the following vulnerability has been resolved: net: dsa: m... In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Fix out-of-bound access If an ATU violation was caused by a CPU Load operation, the SPID could be larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array). Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (

CVE-2024-40945 [MEDIUM] CVE-2024-40945: linux - In the Linux kernel, the following vulnerability has been resolved: iommu: Retu... In the Linux kernel, the following vulnerability has been resolved: iommu: Return right value in iommu_sva_bind_device() iommu_sva_bind_device() should return either a sva bond handle or an ERR_PTR value in error cases. Existing drivers (idxd and uacce) only check the return value with IS_ERR(). This could potentially lead to a kernel NULL pointer dereference issue

CVE-2024-58090 [MEDIUM] CVE-2024-58090: linux - In the Linux kernel, the following vulnerability has been resolved: sched/core:... In the Linux kernel, the following vulnerability has been resolved: sched/core: Prevent rescheduling when interrupts are disabled David reported a warning observed while loop testing kexec jump: Interrupts enabled after irqrouter_resume+0x0/0x50 WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220 kernel_kexec+0xf6/0x180 __do_sys_reboot+

CVE-2024-46784 [MEDIUM] CVE-2024-46784: linux - In the Linux kernel, the following vulnerability has been resolved: net: mana: ... In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f

CVE-2024-41012 [MEDIUM] CVE-2024-41012: linux - In the Linux kernel, the following vulnerability has been resolved: filelock: R... In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove

CVE-2024-42273 [MEDIUM] CVE-2024-42273: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: assig... In the Linux kernel, the following vulnerability has been resolved: f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid mkdir /mnt/test/comp f2fs_io setflags compression /mnt/test/comp dd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1 truncate --size 13 /mnt/test/comp/testfile In the above scenario, we can get a BUG_ON. kernel BUG at fs/f2fs/segment.c:3589

CVE-2024-46816 [MEDIUM] CVE-2024-46816: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links [Why] Coverity report OVERRUN warning. There are only max_links elements within dc->links. link count could up to AMDGPU_DM_MAX_DISPLAY_INDEX 31. [How] Make sure link count less than max_links. Scope: local bookworm: re

CVE-2024-53234 [MEDIUM] CVE-2024-53234: linux - In the Linux kernel, the following vulnerability has been resolved: erofs: hand... In the Linux kernel, the following vulnerability has been resolved: erofs: handle NONHEAD !delta[1] lclusters gracefully syzbot reported a WARNING in iomap_iter_done: iomap_fiemap+0x73b/0x9b0 fs/iomap/fiemap.c:80 ioctl_fiemap fs/ioctl.c:220 [inline] Generally, NONHEAD lclusters won't have delta[1]==0, except for crafted images and filesystems created by pre-1.0 mkfs