SUSE-IU-2024:1465-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:1465-1 Interim 1 1 2025-05-10T14:59:31Z current 2024-10-04T01:00:00Z 2024-10-04T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:1465-1 / google/sles-15-sp6-chost-byos-v20241004-arm64 This image update for google/sles-15-sp6-chost-byos-v20241004-arm64 contains the following changes: Package containerd was updated: - Update to containerd v1.7.21. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.21&gt; Fixes CVE-2023-47108. bsc#1217070 Fixes CVE-2023-45142. bsc#1228553 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch Package dracut was updated: - Update to version 059+suse.541.g3c2df232: * fix(dasd-rules): handle all possible options in `rd.dasd` (bsc#1230110) - Update to version 059+suse.539.gdd3495f7: * fix(dracut.spec): add Builddeps for initrd posttrans macros (bsc#1230639) * fix(zfcp_rules): check for presence of legacy rules (bsc#1230330) Fixes for NVMeoF boot (bsc#1230468): * fix(nvmf): install (only) required nvmf modules * fix(nvmf): require NVMeoF modules * fix(nvmf): move /etc/nvme/host{nqn,id} requirement to hostonly Package e2fsprogs was updated: - resize2fs-Check-number-of-group-descriptors-only-if-.patch: resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145) Package fipscheck was updated: - Backport upstream patches fipscheck-fix_check_openssl_version.patch and fipscheck-fix_incorrect_length_type.patch to fix C99 violations which are errors by default with GCC 14 [boo#1221714] - although the first one looks like it possibly fixes some more substantial error. Package glibc was updated: - Use nss-systemd by default also in SLE (bsc#1230638) - s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228042, BZ [#31934]) Package grub2 was updated: - Fix crash in bli module (bsc#1226497) * 0001-bli-Fix-crash-in-get_part_uuid.patch Package kernel-default was updated: - Revert &quot;mm/sparsemem: fix race in accessing memory_section-&gt;usage&quot; This reverts commit 6aa8957889611fbe7f06353f917cfb3d9620a680 to fix a regression (bsc#1230413) - commit 720e36b - Revert &quot;mm, kmsan: fix infinite recursion due to RCU critical section&quot; This reverts commit 16ad73a9f4c2888f3bc28513f5e9a88d753f8741 to fix a regression (bsc#1230413) - commit 2fd5290 - Revert &quot;mm: prevent derefencing NULL ptr in pfn_section_valid()&quot; This reverts commit 35f619d3c421219e07bc89d2d6a37fbff25519fe to fix a refression (bsc#1230413) - commit 7e5afd7 - Drop soundwire patch that caused a regression (bsc#1230350) Deleted: patches.suse/soundwire-stream-fix-programming-slave-ports-for-non.patch - commit 5c05eeb - ceph: periodically flush the cap releases (bsc#1230056). - commit e22b6e0 - Bluetooth: Fix usage of __hci_cmd_sync_status (git-fixes). - commit 1bec58d - Bluetooth: L2CAP: Fix deadlock (git-fixes). - commit 13aba13 - bluetooth/l2cap: sync sock recv cb and release (bsc#1228576 CVE-2024-41062). - commit 6553526 - mm: prevent derefencing NULL ptr in pfn_section_valid() (git-fixes). - commit 35f619d - mm, kmsan: fix infinite recursion due to RCU critical section (git-fixes). - commit 16ad73a - mm/sparsemem: fix race in accessing memory_section-&gt;usage (bsc#1221326 CVE-2023-52489). - commit 6aa8957 - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response (git-fixes). - commit 4dc1da1 - xfs: Fix missing interval for missing_owner in xfs fsmap (git-fixes). - commit 5448ab5 - xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code (git-fixes). - commit 288ad9b - xfs: Fix the owner setting issue for rmap query in xfs fsmap (git-fixes). - commit 49b5eec - usb: cdnsp: fix for Link TRB with TC (git-fixes). - usb: dwc3: st: add missing depopulate in probe error path (git-fixes). - usb: dwc3: st: fix probed platform device ref count on probe error path (git-fixes). - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() (git-fixes). - usb: typec: fsa4480: Relax CHIP_ID check (git-fixes). - usb: dwc3: omap: add missing depopulate in probe error path (git-fixes). - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function (git-fixes). - soc: qcom: pmic_glink: Actually communicate when remote goes down (git-fixes). - soc: qcom: cmd-db: Map shared memory as WC, not WB (git-fixes). - commit 7121142 - dmaengine: dw: Add memory bus width verification (git-fixes). - dmaengine: dw: Add peripheral bus width verification (git-fixes). - soundwire: stream: fix programming slave ports for non-continous port maps (git-fixes). - commit b7e9784 - Update patches.suse/0001-net-rds-fix-possible-cp-null-dereference.patch (git-fixes CVE-2024-35902 bsc#1224496). - Update patches.suse/ASoC-TAS2781-Fix-tasdev_load_calibrated_data.patch (git-fixes CVE-2024-42278 bsc#1229403). - Update patches.suse/ASoC-amd-Adjust-error-handling-in-case-of-absent-cod.patch (git-fixes CVE-2024-43818 bsc#1229296). - Update patches.suse/ASoC-fsl-fsl_qmc_audio-Check-devm_kasprintf-returned.patch (git-fixes CVE-2024-42298 bsc#1229369). - Update patches.suse/Bluetooth-MGMT-Add-error-handling-to-pair_device.patch (git-fixes CVE-2024-43884 bsc#1229739). - Update patches.suse/KVM-Always-flush-async-PF-workqueue-when-vCPU-is-bei.patch (git-fixes CVE-2024-26976 bsc#1223635). - Update patches.suse/PCI-DPC-Fix-use-after-free-on-concurrent-DPC-and-hot.patch (git-fixes CVE-2024-42302 bsc#1229366). - Update patches.suse/PCI-endpoint-Clean-up-error-handling-in-vpci_scan_bu.patch (git-fixes CVE-2024-43875 bsc#1229486). - Update patches.suse/PCI-endpoint-pci-epf-test-Make-use-of-cached-epc_fea.patch (git-fixes CVE-2024-43824 bsc#1229320). - Update patches.suse/PCI-keystone-Fix-NULL-pointer-dereference-in-case-of.patch (git-fixes CVE-2024-43823 bsc#1229303). - Update patches.suse/PCI-rcar-Demote-WARN-to-dev_warn_ratelimited-in-rcar.patch (git-fixes CVE-2024-43876 bsc#1229485). - Update patches.suse/RDMA-hns-Fix-soft-lockup-under-heavy-CEQE-load.patch (git-fixes CVE-2024-43872 bsc#1229489). - Update patches.suse/RDMA-iwcm-Fix-a-use-after-free-related-to-destroying.patch (git-fixes CVE-2024-42285 bsc#1229381). - Update patches.suse/Revert-ALSA-firewire-lib-operate-for-period-elapse-e.patch (bsc#1208783 CVE-2024-42274 bsc#1229417). - Update patches.suse/SUNRPC-add-a-missing-rpc_stat-for-TCP-TLS.patch (git-fixes CVE-2024-36907 bsc#1225751). - Update patches.suse/bpf-arm64-Fix-trampoline-for-BPF_TRAMP_F_CALL_ORIG.patch (git-fixes CVE-2024-43840 bsc#1229344). - Update patches.suse/btrfs-fix-double-inode-unlock-for-direct-IO-sync-wri.patch (git-fixes CVE-2024-43885 bsc#1229747). - Update patches.suse/btrfs-fix-extent-map-use-after-free-when-adding-page.patch (git-fixes CVE-2024-42314 bsc#1229355). - Update patches.suse/cgroup-cpuset-Prevent-UAF-in-proc_cpuset_show.patch (bsc#1228801 CVE-2024-43853 bsc#1229292). - Update patches.suse/crypto-ccp-Fix-null-pointer-dereference-in-__sev_snp.patch (git-fixes CVE-2024-43874 bsc#1229487). - Update patches.suse/devres-Fix-memory-leakage-caused-by-driver-API-devm_.patch (git-fixes CVE-2024-43871 bsc#1229490). - Update patches.suse/dma-fix-call-order-in-dmam_free_coherent.patch (git-fixes CVE-2024-43856 bsc#1229346). - Update patches.suse/drm-admgpu-fix-dereferencing-null-pointer-context.patch (stable-fixes CVE-2024-43906 bsc#1229785). - Update patches.suse/drm-amd-display-Add-NULL-check-for-afb-before-derefe.patch (stable-fixes CVE-2024-43903 bsc#1229781). - Update patches.suse/drm-amd-display-Add-null-checker-before-passing-vari.patch (stable-fixes CVE-2024-43902 bsc#1229767). - Update patches.suse/drm-amd-display-Skip-Recompute-DSC-Params-if-no-Stre.patch (stable-fixes CVE-2024-43895 bsc#1229755). - Update patches.suse/drm-amd-pm-Fix-the-null-pointer-dereference-for-vega.patch (stable-fixes CVE-2024-43905 bsc#1229784). - Update patches.suse/drm-amdgpu-Fix-the-null-pointer-dereference-to-ras_m.patch (stable-fixes CVE-2024-43908 bsc#1229788). - Update patches.suse/drm-amdgpu-pm-Fix-the-null-pointer-dereference-for-s.patch (stable-fixes CVE-2024-43909 bsc#1229789). - Update patches.suse/drm-amdgpu-pm-Fix-the-null-pointer-dereference-in-ap.patch (stable-fixes CVE-2024-43907 bsc#1229787). - Update patches.suse/drm-client-fix-null-pointer-dereference-in-drm_clien.patch (git-fixes CVE-2024-43894 bsc#1229746). - Update patches.suse/drm-gma500-fix-null-pointer-dereference-in-cdv_intel.patch (git-fixes CVE-2024-42310 bsc#1229358). - Update patches.suse/drm-gma500-fix-null-pointer-dereference-in-psb_intel.patch (git-fixes CVE-2024-42309 bsc#1229359). - Update patches.suse/drm-nouveau-prime-fix-refcount-underflow.patch (git-fixes CVE-2024-43867 bsc#1229493). - Update patches.suse/drm-qxl-Add-check-for-drm_cvt_mode.patch (git-fixes CVE-2024-43829 bsc#1229341). - Update patches.suse/drm-vmwgfx-Fix-a-deadlock-in-dma-buf-fence-polling.patch (git-fixes CVE-2024-43863 bsc#1229497). - Update patches.suse/exfat-fix-potential-deadlock-on-__exfat_get_dentry_set.patch (git-fixes CVE-2024-42315 bsc#1229354). - Update patches.suse/gpio-prevent-potential-speculation-leaks-in-gpio_dev.patch (stable-fixes CVE-2024-44931 bsc#1229837). - Update patches.suse/hfs-fix-to-initialize-fields-of-hfs_inode_info-after-hfs_alloc_inode.patch (git-fixes CVE-2024-42311 bsc#1229413). - Update patches.suse/iio-Fix-the-sorting-functionality-in-iio_gts_build_a.patch (git-fixes CVE-2024-43825 bsc#1229298). - Update patches.suse/jfs-Fix-array-index-out-of-bounds-in-diFree.patch (git-fixes CVE-2024-43858 bsc#1229414). - Update patches.suse/jfs-Fix-shift-out-of-bounds-in-dbDiscardAG.patch (git-fixes CVE-2024-44938 bsc#1229792). - Update patches.suse/jfs-fix-null-ptr-deref-in-dtInsertEntry.patch (git-fixes CVE-2024-44939 bsc#1229820). - Update patches.suse/kobject_uevent-Fix-OOB-access-within-zap_modalias_en.patch (git-fixes CVE-2024-42292 bsc#1229373). - Update patches.suse/kvm-s390-Reject-memory-region-operations-for-ucontrol-VMs.patch (git-fixes bsc#1229168 CVE-2024-43819 bsc#1229290). - Update patches.suse/leds-trigger-Unregister-sysfs-attributes-before-call.patch (git-fixes CVE-2024-43830 bsc#1229305). - Update patches.suse/lib-objagg-Fix-general-protection-fault.patch (git-fixes CVE-2024-43846 bsc#1229360). - Update patches.suse/libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch (git-fixes CVE-2024-27050 bsc#1223767). - Update patches.suse/mISDN-Fix-a-use-after-free-in-hfcmulti_tx.patch (git-fixes CVE-2024-42280 bsc#1229388). - Update patches.suse/mailbox-mtk-cmdq-Move-devm_mbox_controller_register-.patch (git-fixes CVE-2024-42319 bsc#1229350). - Update patches.suse/md-raid5-fix-deadlock-that-raid5d-wait-for-itself-to-clear-MD_SB_CHANGE_PENDING-151f.patch (git-fixes CVE-2024-39476 bsc#1227437). - Update patches.suse/media-imx-pxp-Fix-ERR_PTR-dereference-in-pxp_probe.patch (git-fixes CVE-2024-42303 bsc#1229365). - Update patches.suse/media-pci-ivtv-Add-check-for-DMA-map-result.patch (git-fixes CVE-2024-43877 bsc#1229484). - Update patches.suse/media-v4l-async-Fix-NULL-pointer-dereference-in-addi.patch (git-fixes CVE-2024-43833 bsc#1229299). - Update patches.suse/media-venus-fix-use-after-free-in-vdec_close.patch (git-fixes CVE-2024-42313 bsc#1229356). - Update patches.suse/media-xc2028-avoid-use-after-free-in-load_firmware_c.patch (stable-fixes CVE-2024-43900 bsc#1229756). - Update patches.suse/memcg-protect-concurrent-access-to-mem_cgroup_idr.patch (git-fixes CVE-2024-43892 bsc#1229761). - Update patches.suse/net-drop-bad-gso-csum_start-and-offset-in-virtio_net.patch (git-fixes CVE-2024-43897 bsc#1229752). - Update patches.suse/net-iucv-fix-use-after-free-in-iucv_sock_close.patch (bsc#1228973 CVE-2024-42271 bsc#1229400). - Update patches.suse/net-missing-check-virtio.patch (git-fixes CVE-2024-43817 bsc#1229312). - Update patches.suse/net-usb-qmi_wwan-fix-memory-leak-for-not-ip-packets.patch (git-fixes CVE-2024-43861 bsc#1229500). - Update patches.suse/nfs-pass-explicit-offset-count-to-trace-events.patch (git-fixes CVE-2024-43826 bsc#1229294). - Update patches.suse/nvme-pci-add-missing-condition-check-for-existence-o.patch (git-fixes CVE-2024-42276 bsc#1229410). - Update patches.suse/padata-Fix-possible-divide-by-0-panic-in-padata_mt_h.patch (git-fixes CVE-2024-43889 bsc#1229743). - Update patches.suse/remoteproc-imx_rproc-Skip-over-memory-region-when-no.patch (git-fixes CVE-2024-43860 bsc#1229319). - Update patches.suse/s390-dasd-fix-error-checks-in-dasd_copy_pair_store.patch (git-fixes bsc#1229173 CVE-2024-42320 bsc#1229349). - Update patches.suse/scsi-lpfc-Revise-lpfc_prep_embed_io-routine-with-pro.patch (bsc#1228857 CVE-2024-43816 bsc#1229318). - Update patches.suse/scsi-qla2xxx-Complete-command-early-within-lock.patch (bsc#1228850 CVE-2024-42287 bsc#1229392). - Update patches.suse/scsi-qla2xxx-During-vport-delete-send-async-logout-e.patch (bsc#1228850 CVE-2024-42289 bsc#1229399). - Update patches.suse/scsi-qla2xxx-Fix-for-possible-memory-corruption.patch (bsc#1228850 CVE-2024-42288 bsc#1229398). - Update patches.suse/scsi-qla2xxx-validate-nvme_local_port-correctly.patch (bsc#1228850 CVE-2024-42286 bsc#1229395). - Update patches.suse/serial-core-check-uartclk-for-zero-to-avoid-divide-b.patch (stable-fixes CVE-2024-43893 bsc#1229759). - Update patches.suse/soc-qcom-pdr-protect-locator_addr-with-the-main-mute.patch (git-fixes CVE-2024-43849 bsc#1229307). - Update patches.suse/soc-xilinx-rename-cpu_number1-to-dummy_cpu_number.patch (git-fixes CVE-2024-43851 bsc#1229313). - Update patches.suse/spi-microchip-core-ensure-TX-and-RX-FIFOs-are-empty-.patch (git-fixes CVE-2024-42279 bsc#1229390). - Update patches.suse/usb-vhci-hcd-Do-not-drop-references-before-new-refer.patch (stable-fixes CVE-2024-43883 bsc#1229707). - Update patches.suse/vhost-vsock-always-initialize-seqpacket_allow.patch (git-fixes CVE-2024-43873 bsc#1229488). - Update patches.suse/wifi-ath12k-change-DMA-direction-while-mapping-reinj.patch (git-fixes CVE-2024-43881 bsc#1229480). - Update patches.suse/wifi-ath12k-fix-invalid-memory-access-while-processi.patch (git-fixes CVE-2024-43847 bsc#1229291). - Update patches.suse/wifi-cfg80211-handle-2x996-RU-allocation-in-cfg80211.patch (git-fixes CVE-2024-43879 bsc#1229482). - Update patches.suse/wifi-nl80211-disallow-setting-special-AP-channel-wid.patch (stable-fixes CVE-2024-43912 bsc#1229830). - Update patches.suse/wifi-rtw89-Fix-array-index-mistake-in-rtw89_sta_info.patch (git-fixes CVE-2024-43842 bsc#1229317). - Update patches.suse/wifi-virt_wifi-avoid-reporting-connection-success-wi.patch (git-fixes CVE-2024-43841 bsc#1229304). - commit 140ec33 - iommu/amd: Convert comma to semicolon (git-fixes). - commit 2714d8b - scsi: lpfc: Fix a possible null pointer dereference (bsc#1229315 CVE-2024-43821). - commit eb73e94 - iommu/vt-d: Fix identity map bounds in si_domain_init() (git-fixes). - commit b4d27e5 - iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace() (git-fixes). - commit bbc9a65 - blacklist.conf: add 053fc4f755ad fuse: fix UAF in rcu pathwalks This commit breaks kABI and the data structure has no free room for the extra field, i.e. memcpy would fail to copy the additional member added by this patch. - commit 941b81c - virtiofs: forbid newlines in tags (bsc#1229940). - commit 61514ce - trace/pid_list: Change gfp flags in pid_list_fill_irq() (git-fixes). - commit 88d1dac - blacklist.conf: add a not-relevant tracing commit - commit 9e3013e - evm: don't copy up 'security.evm' xattr (git-fixes). - commit d3bb5af - afs: fix __afs_break_callback() / afs_drop_open_mmap() race (git-fixes). - commit 150e615 - jfs: define xtree root and page independently (git-fixes). - commit fc62e49 - kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files (git-fixes). - commit 7fa46d1 - gfs2: setattr_chown: Add missing initialization (git-fixes). - commit 9b6ef3b - nfc: pn533: Add poll mod list filling check (git-fixes). - wifi: wfx: repair open network AP mode (git-fixes). - wifi: iwlwifi: fw: fix wgds rev 3 exact size (git-fixes). - wifi: mwifiex: duplicate static structs used in driver instances (git-fixes). - Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination (stable-fixes). - Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 (stable-fixes). - platform/surface: aggregator: Fix warning when controller is destroyed in probe (git-fixes). - thunderbolt: Mark XDomain as unplugged when router is removed (stable-fixes). - Input: MT - limit max slots (stable-fixes). - usb: dwc3: core: Skip setting event buffers for host only controllers (stable-fixes). - platform/x86: lg-laptop: fix %s null argument warning (stable-fixes). - rtc: nct3018y: fix possible NULL dereference (stable-fixes). - usb: gadget: fsl: Increase size of name buffer for endpoints (stable-fixes). - media: drivers/media/dvb-core: copy user arrays safely (stable-fixes). - media: pci: cx23885: check cx23885_vdev_init() return (stable-fixes). - memory: stm32-fmc2-ebi: check regmap_read return value (stable-fixes). - memory: tegra: Skip SID programming if SID registers aren't set (stable-fixes). - Revert &quot;usb: gadget: uvc: cleanup request when not in correct state&quot; (stable-fixes). - usb: gadget: uvc: cleanup request when not in correct state (stable-fixes). - staging: ks7010: disable bh on tx_dev_lock (stable-fixes). - staging: iio: resolver: ad2s1210: fix use before initialization (stable-fixes). - ssb: Fix division by zero issue in ssb_calc_clock_rate (stable-fixes). - commit b84d799 - drm/vmwgfx: Fix prime with external buffers (git-fixes). - drm/i915/dsi: Make Lenovo Yoga Tab 3 X90F DMI match less strict (git-fixes). - drm/amd/display: avoid using null object of framebuffer (git-fixes). - Bluetooth: hci_core: Fix not handling hibernation actions (git-fixes). - drm/amdgpu: Validate TA binary size (stable-fixes). - drm/msm/dpu: take plane rotation into account for wide planes (git-fixes). - drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() (git-fixes). - char: xillybus: Refine workqueue handling (git-fixes). - char: xillybus: Don't destroy workqueue from work item running on it (stable-fixes). - drm/amdgpu: Actually check flags for all context ops (stable-fixes). - drm/amdgpu/jpeg4: properly set atomics vmid field (stable-fixes). - drm/amdgpu/jpeg2: properly set atomics vmid field (stable-fixes). - drm/amd/display: fix s2idle entry for DCN3.5+ (stable-fixes). - drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent (stable-fixes). - hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() (git-fixes). - firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid (stable-fixes). - drm/msm/dpu: capture snapshot on the first commit_done timeout (stable-fixes). - drm/msm/dpu: split dpu_encoder_wait_for_event into two functions (stable-fixes). - drm/lima: set gp bus_stop bit before hard reset (stable-fixes). - drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels (stable-fixes). - gpio: sysfs: extend the critical section for unregistering sysfs devices (stable-fixes). - Bluetooth: bnep: Fix out-of-bound access (stable-fixes). - hwmon: (pc87360) Bounds check data-&gt;innr usage (stable-fixes). - ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data (stable-fixes). - drm/msm/dpu: drop MSM_ENC_VBLANK support (stable-fixes). - drm/msm/dpu: use drmm-managed allocation for dpu_encoder_phys (stable-fixes). - drm/msm/mdss: Rename path references to mdp_path (stable-fixes). - drm/msm/mdss: switch mdss to use devm_of_icc_get() (stable-fixes). - drm/msm/dpu: try multirect based on mdp clock limits (stable-fixes). - drm/msm: Reduce fallout of fence signaling vs reclaim hangs (stable-fixes). - drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode (stable-fixes). - Bluetooth: hci_conn: Check non NULL function before calling for HFP offload (stable-fixes). - i2c: stm32f7: Add atomic_xfer method to driver (stable-fixes). - i2c: riic: avoid potential division by zero (stable-fixes). - i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer (stable-fixes). - i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out (stable-fixes). - ASoC: SOF: Intel: hda-dsp: Make sure that no irq handler is pending before suspend (stable-fixes). - ASoC: cs35l45: Checks index of cs35l45_irqs[] (stable-fixes). - clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider (stable-fixes). - hwmon: (ltc2992) Avoid division by zero (stable-fixes). - commit 1b92ddd - jump_label: Fix the fix, brown paper bags galore (git-fixes). - commit 89b2827 - jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() (git-fixes). - commit 954eaa3 - jump_label: Clarify condition in static_key_fast_inc_not_disabled() (git-fixes). - commit eb457dc - jump_label: Fix concurrency issues in static_key_slow_dec() (git-fixes). - commit 6e92a06 - tracing: Return from tracing_buffers_read() if the file has been closed (bsc#1229136 git-fixes). - commit 8dc8510 - kprobes: Fix to check symbol prefixes correctly (git-fixes). - commit e8b168b - kprobes: Prohibit probing on CFI preamble symbol (git-fixes). - commit 2f9e2b1 - bpf: kprobe: remove unused declaring of bpf_kprobe_override (git-fixes). - commit 4045c94 - wifi: mac80211: fix NULL dereference at band check in starting tx ba session (CVE-2024-43911 bsc#1229827). - commit 0892b94 - syscalls: fix compat_sys_io_pgetevents_time64 usage (git-fixes). - commit b90dd07 - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en (CVE-2024-42277 bsc#1229409). - commit ede2511 - kabi: lib: objagg: Put back removed metod in struct objagg_ops (CVE-2024-43880 bsc#1229481). - commit 9566f2d - net/sched: initialize noop_qdisc owner (git-fixes). - commit 66e8d18 - drm/amd/display: Fix null pointer deref in dcn20_resource.c (CVE-2024-43899 bsc#1229754). - commit 1811990 - blacklist.conf: add 56769ba4b297a629148eb24d554aef72d1ddfd9e - commit e1cb2aa - exec: Fix ToCToU between perm check and set-uid/gid usage (CVE-2024-43882 bsc#1229503). - commit 7a21b9d - ALSA: hda/realtek: support HP Pavilion Aero 13-bg0xxx Mute LED (stable-fixes). - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book3 Ultra (stable-fixes). - ASoC: allow module autoloading for table board_ids (stable-fixes). - ASoC: allow module autoloading for table db1200_pids (stable-fixes). - ASoC: mediatek: mt8188: Mark AFE_DAC_CON0 register as volatile (stable-fixes). - ASoC: SOF: mediatek: Add missing board compatible (stable-fixes). - ALSA: hda/realtek - FIxed ALC285 headphone no sound (stable-fixes). - ALSA: hda/realtek - Fixed ALC256 headphone no sound (stable-fixes). - ALSA: hda/realtek: Enable mute/micmute LEDs on HP Laptop 14-ey0xxx (stable-fixes). - ALSA: hda/realtek: Implement sound init sequence for Samsung Galaxy Book3 Pro 360 (stable-fixes). - commit 97adcb2 - ip6_tunnel: Fix broken GRO (bsc#1229444). - net/mlx5: Always drain health in shutdown callback (CVE-2024-43866 bsc#1229495). - mlxsw: spectrum_acl_erp: Fix object nesting warning (CVE-2024-43880 bsc#1229481). - commit d9a404d - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins (git-fixes). - pinctrl: starfive: jh7110: Correct the level trigger configuration of iev register (git-fixes). - pinctrl: mediatek: common-v2: Fix broken bias-disable for PULL_PU_PD_RSEL_TYPE (git-fixes). - pinctrl: single: fix potential NULL dereference in pcs_get_function() (git-fixes). - ASoC: SOF: amd: Fix for acp init sequence (git-fixes). - ASoC: amd: acp: fix module autoloading (git-fixes). - ALSA: seq: Skip event type filtering for UMP events (git-fixes). - commit 3fa4a0b - ice: Fix NULL pointer access, if PF doesn't support SRIOV_LAG (bsc#1228737). - commit f1a9730 - kABI: vfio: struct virqfd kABI workaround (CVE-2024-26812 bsc#1222808). - commit ae735c0 - net/sched: Fix mirred deadlock on device recursion (CVE-2024-27010 bsc#1223720). - commit 8c34ee8 - Fix reference in patches.suse/netfilter-tproxy-bail-out-if-IP-has-been-disabled-on.patch (CVE-2024-36270 bsc#1226798) - commit 052d917 - net: qdisc: preserve kabi for struct QDisc (CVE-2024-27010 bsc#1223720). - commit e31d466 - mm/userfaultfd: reset ptes when close() for wr-protected ones (CVE-2024-36881 bsc#1225718). - commit 2267d46 - mm/mglru: fix div-by-zero in vmpressure_calc_level() (CVE-2024-42316 bsc#1229353). - commit ba00671 - md/raid1: set max_sectors during early return from choose_slow_rdev() (git-fixes). - md/raid5: recheck if reshape has finished with device_lock held (git-fixes). - md: Don't wait for MD_RECOVERY_NEEDED for HOT_REMOVE_DISK ioctl (git-fixes). - md/raid5: fix spares errors about rcu usage (git-fixes). - md/md-bitmap: fix writing non bitmap pages (git-fixes). - md: fix deadlock between mddev_suspend and flush bio (bsc#1229342, CVE-2024-43855). - md: change the return value type of md_write_start to void (git-fixes). - md: do not delete safemode_timer in mddev_suspend (git-fixes). - md: don't account sync_io if iostats of the disk is disabled (git-fixes). - md: add check for sleepers in md_wakeup_thread() (git-fixes). - md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING (git-fixes). - md: add a mddev_add_trace_msg helper (git-fixes). - Revert &quot;Revert &quot;md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d&quot;&quot; (git-fixes). - md: fix a suspicious RCU usage warning (git-fixes). - md/raid1: support read error check (git-fixes). - commit f1ec0d4 - md: factor out a helper exceed_read_errors() to check read_errors (git-fixes). - Refresh for the above change, patches.suse/md-display-timeout-error.patch. patches.suse/md-raid1-10-add-a-helper-raid1_check_read_range-f298.patch. - commit 035e3f0 - Revert &quot;md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d&quot; (git-fixes). - commit 5cc0fdd - net/mlx5e: Fix CT entry update leaks of modify header context (CVE-2024-43864 bsc#1229496) - commit 316a4fe - ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work (CVE-2024-26631 bsc#1221630). - commit 317a097 - netfilter: nf_tables: unconditionally flush pending work before notifier (CVE-2024-42109 bsc#1228505) - commit 7a6a06c - cxl/region: Avoid null pointer dereference in region lookup (CVE-2024-41084 bsc#1228472) - commit fc1408b - cxl/region: Move cxl_dpa_to_region() work to the region driver (bsc#1228472) - commit ac0e984 - ipv6: fix possible race in __fib6_drop_pcpu_from() (CVE-2024-40905 bsc#1227761) - commit 6fcd399 - ipv6: sr: fix memleak in seg6_hmac_init_algo (CVE-2024-39489 bsc#1227623) - commit c55beb2 - swiotlb: do not set total_used to 0 in swiotlb_create_debugfs_files() (git-fixes). - swiotlb: fix swiotlb_bounce() to do partial sync's correctly (git-fixes). - commit 99fe6bb - tls: fix missing memory barrier in tls_init (CVE-2024-36489 bsc#1226874) - commit 67db543 - iommu: Add kABI workaround patch (bsc#1223742 CVE-2024-27079). - commit c4ebc76 - btrfs: copy dir permission and time when creating a stub subvolume (bsc#1228321). - commit 46e95d1 - nouveau/firmware: use dma non-coherent allocator (git-fixes). - drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1 (git-fixes). - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails (git-fixes). - drm/msm/dp: reset the link phy params before link training (git-fixes). - drm/msm/dp: fix the max supported bpp logic (git-fixes). - drm/msm/dpu: don't play tricks with debug macros (git-fixes). - mmc: mmc_test: Fix NULL dereference on allocation failure (git-fixes). - mmc: dw_mmc: allow biu and ciu clocks to defer (git-fixes). - mmc: mtk-sd: receive cmd8 data when hs400 tuning fail (git-fixes). - commit ec72baf - filelock: Fix fcntl/close race recovery compat path (bsc#1228427 CVE-2024-41020). - commit 2c615e8 - vfio/pci: fix potential memory leak in vfio_intx_enable() (git-fixes). - commit 45c2786 - vfio: Introduce interface to flush virqfd inject workqueue (CVE-2024-26812 bsc#1222808). - commit 0704da7 - vfio/pci: Create persistent INTx handler (CVE-2024-26812 bsc#1222808). - commit c0eeff7 - netfilter: nf_tables: discard table flag update with pending basechain deletion (CVE-2024-35897 bsc#1224510). - netfilter: nf_tables: reject table flag and netdev basechain updates (CVE-2024-35897 bsc#1224510). - commit bc3bca5 - kabi: restore const specifier in flow_offload_route_init() (CVE-2024-27403 bsc#1224415). - netfilter: nft_flow_offload: reset dst in route object after setting up flow (CVE-2024-27403 bsc#1224415). - commit f1d28bc - Bluetooth: MGMT: Add error handling to pair_device() (git-fixes). - Bluetooth: SMP: Fix assumption of Central always being Initiator (git-fixes). - Bluetooth: hci_core: Fix LE quote calculation (git-fixes). - commit 82ede4a - netfilter: nf_tables: fix memleak in map from abort path (CVE-2024-27011 bsc#1223803). - commit df3e052 - KVM: Reject overly excessive IDs in KVM_CREATE_VCPU (git-fixes). - commit acfc6dd - KVM: arm64: Fix __pkvm_init_switch_pgd call ABI (git-fixes). - commit ca5dde8 - KVM: Stop processing *all* memslots when &quot;null&quot; mmu_notifier handler is found (git-fixes). - commit edcaf30 - virt: guest_memfd: fix reference leak on hwpoisoned page (git-fixes). - commit 7ac89c3 - KVM: arm64: AArch32: Fix spurious trapping of conditional instructions (git-fixes). - commit 6b4a32b - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode (git-fixes). - commit d2c979d - KVM: arm64: Fix AArch32 register narrowing on userspace write (git-fixes). - commit c002253 - KVM: fix kvm_mmu_memory_cache allocation warning (git-fixes). - commit 9570c83 - KVM: Always flush async #PF workqueue when vCPU is being destroyed (git-fixes). - commit bbeeae4 - iommu: Add static iommu_ops-&gt;release_domain (bsc#1223742 CVE-2024-27079). - iommu/vt-d: Fix NULL domain on device release (bsc#1223742 CVE-2024-27079). - Refresh patches.suse/iommu-vt-d-Fix-WARN_ON-in-iommu-probe-path.patch. - commit 5ddde3c - KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY (git-fixes). - commit 7a71a2a - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler (git-fixes). - commit ebc54df - KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table() (git-fixes). - commit 989930f - KVM: arm64: Add missing memory barriers when switching to pKVM's hyp pgd (git-fixes). - commit 5599b84 - KVM: arm64: vgic-v4: Restore pending state on host userspace write (git-fixes). - commit ba9826d - KVM: arm64: vgic: Force vcpu vgic teardown on vcpu destroy (git-fixes). - commit 26e04aa - KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy() (git-fixes). - commit 686bc1c - netfilter: nft_limit: reject configurations that cause integer overflow (CVE-2024-26668 bsc#1222335). - commit 8ea214b - netfilter: nf_tables: set dormant flag on hook register failure (CVE-2024-26835 bsc#1222967). - commit 8f4d028 - KVM: arm64: vgic: Simplify kvm_vgic_destroy() (git-fixes). - commit 3a96863 - Revert &quot;KVM: Prevent module exit until all VMs are freed&quot; (git-fixes). - commit c075225 - netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (CVE-2024-26808 bsc#1222634). - commit 7f0379b - KVM: arm64: GICv4: Do not perform a map to a mapped vLPI (git-fixes). - commit 919175d - netfilter: nft_set_pipapo: release elements in clone only from destroy path (CVE-2024-26809 bsc#1222633). - commit d3a3287 - KVM: arm64: vgic-v2: Use cpuid from userspace as vcpu_id (git-fixes). - commit 7b3deae - KVM: arm64: timers: Correctly handle TGE flip with CNTPOFF_EL2 (git-fixes). - commit 48c0cad - netfilter: nf_tables: fix memleak when more than 255 elements expired (CVE-2023-52581 bsc#1220877). - commit 26441fd - KVM: Protect vcpu-&gt;pid dereference via debugfs with RCU (git-fixes). - commit 55ae2a6 - KVM: arm64: timers: Fix resource leaks in kvm_timer_hyp_init() (git-fixes). - commit f80cefe - bpf: Fix updating attached freplace prog in prog_array map (bsc#1229297 CVE-2024-43837). - commit a9d7d77 - dma-direct: Leak pages on dma_set_decrypted() failure (bsc#1224535 CVE-2024-35939). - commit 7de8166 - ice: Add a per-VF limit on number of FDIR filters (CVE-2024-42291 bsc#1229374). - commit ee2b93b - net/mlx5: Fix missing lock on sync reset reload (CVE-2024-42268 bsc#1229391). - commit 268cdf6 - selftests/bpf: Add a test to verify previous stacksafe() fix (bsc#1225903). - bpf: Fix a kernel verifier crash in stacksafe() (bsc#1225903). - commit dab2844 - xdp: fix invalid wait context of page_pool_destroy() (CVE-2024-43834 bsc#1229314) - commit 6348ec4 - clk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe() (bsc#1224711 CVE-2024-27433). - commit 30e1ef1 - netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() (CVE-2024-36286 bsc#1226801) - commit 3278d5d - netfilter: tproxy: bail out if IP has been disabled on the device (CVE-2024-36270 1226798) - commit 26814d6 - netfilter: nf_conntrack_h323: Add protection for bmp length out of range (CVE-2024-26851 bsc#1223074) - commit 6ad2cbe - net: bridge: mst: fix suspicious rcu usage in br_mst_set_state (CVE-2024-40920 bsc#1227781). - net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state (CVE-2024-40921 bsc#1227784). - net: bridge: mst: fix vlan use-after-free (CVE-2024-36979 bsc#1226604). - commit 7beae73 - blacklist.conf: git-fixes f2eaed1565acc2bdeb5c433f5f6c7bd7a0d62db1 blacklisted since it involves backporting many other commits not that are relevnat only to gdb debug scripts and whose dependent commits may break kABI. - commit 323e420 - erofs: fix inconsistent per-file compression format (bsc#1220252, CVE-2024-26590). - commit 4f99bd1 - perf: hisi: Fix use-after-free when register pmu fails (bsc#1225582 CVE-2023-52859). - commit a50ce06 - printk/panic: Allow cpu backtraces to be written into ringbuffer during panic (bsc#1225607). - commit 1ebfff4 - net: drop bad gso csum_start and offset in virtio_net_hdr (git-fixes). - commit 6d27b13 - selftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type() (bsc#1229297 CVE-2024-43837). - bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT (bsc#1229297 CVE-2024-43837). - commit 37e60d8 - bpf: simplify btf_get_prog_ctx_type() into btf_is_prog_ctx_type() (git-fixes). - Refresh patches.suse/bpf-don-t-infer-PTR_TO_CTX-for-programs-with-unnamed.patch - Refresh patches.suse/bpf-handle-bpf_user_pt_regs_t-typedef-explicitly-for.patch - bpf: extract bpf_ctx_convert_map logic and make it more reusable (git-fixes). - Refresh patches.suse/bpf-handle-bpf_user_pt_regs_t-typedef-explicitly-for.patch - commit a1a0c24 - vhost: Release worker mutex during flushes (git-fixes). - commit be0d4d9 - virtio: reenable config if freezing device failed (git-fixes). - commit d96d64e - kabi fix for SUNRPC: add a missing rpc_stat for TCP TLS (git-fixes). - SUNRPC: add a missing rpc_stat for TCP TLS (git-fixes). - commit 4fa6f6d - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init() (CVE-2024-42270 bsc#1229404) - commit eb407e1 - netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init() (CVE-2024-42269 bsc#1229402) - commit 6f31e8c - tipc: Return non-zero value from tipc_udp_addr2str() on error (CVE-2024-42284 bsc#1229382) - commit 003e7ab - net: nexthop: Initialize all fields in dumped nexthops (CVE-2024-42283 bsc#1229383) - commit dd830eb - sysctl: always initialize i_uid/i_gid (CVE-2024-42312 bsc#1229357) - commit 683a109 - block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854 bsc#1229345) - commit bc065ac - ipvs: properly dereference pe in ip_vs_add_service (CVE-2024-42322 bsc#1229347) - commit 5abcd51 - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler (git-fixes). - commit efaee02 - net: missing check virtio (git-fixes). - commit 547a4d8 - vhost/vsock: always initialize seqpacket_allow (git-fixes). - commit 1501797 - vhost: Use virtqueue mutex for swapping worker (git-fixes). - commit ee31e9d - nvme-sysfs: add 'tls_keyring' attribute (bsc#1221857). - nvme-sysfs: add 'tls_configured_key' sysfs attribute (bsc#1221857). - nvme: split off TLS sysfs attributes into a separate group (bsc#1221857). - nvme: add a newline to the 'tls_key' sysfs attribute (bsc#1221857). - nvme-tcp: check for invalidated or revoked key (bsc#1221857). - nvme-tcp: sanitize TLS key handling (bsc#1221857). - nvme: tcp: remove unnecessary goto statement (bsc#1221857). - commit 95902b1 - Refresh patches.suse/nvme-fabrics-typo-in-nvmf_parse_key.patch. Move into sorted section. - commit 24e43c3 - vhost-scsi: Handle vhost_vq_work_queue failures for events (git-fixes). - commit bb54ef9 - Update DRM patch reference (CVE-2024-42308 bsc#1229411) - commit ddc1933 - Update patches.suse/nvme-tcp-fix-compile-time-checks-for-TLS-mode.patch (jsc#PED-6252 jsc#PED-5728 jsc#PED-5062 jsc#PED-3535 bsc#1221857). Fix backporting error. - commit 35c7df3 - Update parport patch reference (CVE-2024-42301 bsc#1229407) - commit 6707829 - Refresh patches.suse/nvme-tcp-strict-pdu-pacing-to-avoid-send-stalls-on-T.patch. Use the version which got upload upstream. - commit 4896f98 - blacklist.conf: add ffe6176b7f53 (&quot;virtio: store owner from modules with register_virtio_driver()&quot;) - commit 08df841 - virtio_net: use u64_stats_t infra to avoid data-races (git-fixes). - commit 1825530 - usb: typec: fsa4480: Check if the chip is really there (git-fixes). - commit 771af75 - usb: typec: fsa4480: Add support to swap SBU orientation (git-fixes). - commit b744e01 - usb: typec: fsa4480: add support for Audio Accessory Mode (git-fixes). - commit 471d14e - usb: typec: fsa4480: rework mux &amp; switch setup to handle more states (git-fixes). - commit dc03605 - irqchip/imx-irqsteer: Handle runtime power management correctly (CVE-2024-42290 bsc#1229379). - commit a3bbc63 - landlock: Don't lose track of restrictions on cred_transfer (bsc#1229351 CVE-2024-42318). - commit e161e74 - apparmor: Fix null pointer deref when receiving skb during sock creation (bsc#1229287, CVE-2023-52889). - commit 7a47d08 - kABI fix of: virtio-crypto: handle config changed by work queue (git-fixes). - commit 2e4646f - nvme-multipath: implement &quot;queue-depth&quot; iopolicy (bsc#1227706). - nvme-multipath: prepare for &quot;queue-depth&quot; iopolicy (bsc#1227706). - commit 796fd31 - nilfs2: handle inconsistent state in nilfs_btnode_create_block() (bsc#1229370 CVE-2024-42295). - commit 34231c4 - arm64: dts: imx8mp: Fix pgc vpu locations (git-fixes) - commit 6f29859 - arm64: dts: imx8mp: Fix pgc_mlmix location (git-fixes) - commit 6b6ab8a - soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove (CVE-2024-43850 bsc#1229316). - soc: qcom: icc-bwmon: Set default thresholds dynamically (CVE-2024-43850 bsc#1229316). - commit e842a77 - arm64: dts: imx8mp: add HDMI power-domains (git-fixes) - commit 88b7cca - arm64: dts: imx8mp: Add NPU Node (git-fixes) - commit 55a2e84 - media: mediatek: vcodec: Handle invalid decoder vsi (CVE-2024-43831 bsc#1229309). - commit a7b1ec0 - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures (CVE-2024-43839 bsc#1229301). - net: mana: Add support for page sizes other than 4KB on ARM64 (jsc#PED-8491 bsc#1226530). - commit 24750b5 - Squashfs: fix variable overflow triggered by sysbot (git-fixes). - commit 90b77e5 - squashfs: squashfs_read_data need to check if the length is 0 (git-fixes). - commit 1ab3d64 - jfs: Fix shift-out-of-bounds in dbDiscardAG (git-fixes). - commit f862c1b - jfs: fix null ptr deref in dtInsertEntry (git-fixes). - commit 72d65ab - reiserfs: fix uninit-value in comp_keys (git-fixes). - commit aeea4b8 - Update patches.suse/0001-netlink-add-nla-be16-32-types-to-minlen-array.patch (CVE-2024-26849 bsc#1223053). Fixes: 2747893c94d9b55340403026d9430f2f93947449 - commit 4cf09d7 - virtio-crypto: handle config changed by work queue (git-fixes). - Refresh patches.suse/crypto-virtio-Wait-for-tasklet-to-complete-on-device.patch. - commit 3719b45 - fuse: Initialize beyond-EOF page contents before setting uptodate (bsc#1229456). - fs/netfs/fscache_cookie: add missing &quot;n_accesses&quot; check (bsc#1229455). - commit 1ffdccd - s390/dasd: fix error recovery leading to data corruption on ESE devices (git-fixes bsc#1229452). - commit 421d882 - blacklist.conf: Change entry to alt-commit - Refresh patches.suse/tools-Disable-__packed-attribute-compiler-warning-due-to-Werror-attributes.patch. - commit a7c7d40 - net/iucv: fix the allocation size of iucv_path_table array (git-fixes bsc#1229451). - commit 4e0b259 - blacklist.conf: we don't enable CONFIG_CPUMASK_OFFSTACK on s390 - commit 8a36035 - Refresh patches.suse/0001-drm-mst-Fix-NULL-pointer-dereference-at-drm_dp_add_p.patch (git-fixes) Alt-commit - commit 98e41cf - Refresh patches.suse/drm-i915-vma-Fix-UAF-on-destroy-against-retire-race.patch (git-fixes) Alt-commit - commit 11ef901 - Refresh patches.suse/drm-amd-display-Send-DTBCLK-disable-message-on-first.patch (git-fixes) Alt-commit - commit 6d9aa0a - Refresh patches.suse/drm-amd-display-Fix-DPSTREAM-CLK-on-and-off-sequence.patch (git-fixes) Alt-commit - commit 24768b9 - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() (CVE-2024-41007 bsc#1227863). - commit 35aaaf5 - HID: wacom: Defer calculation of resolution until resolution_code is known (git-fixes). - ALSA: usb: Fix UBSAN warning in parse_audio_unit() (stable-fixes). - commit a485c9b - blacklist.conf: Add libata upstream revert entry (bsc#1229054) - commit 5ded40a - bpf: Fix a segment issue when downgrading gso_size (bsc#1229386 CVE-2024-42281). - commit f593f1f - kABI fix for net/sched: flower: Fix chain template offload (CVE-2024-26669 bsc#1222350). - net/sched: flower: Fix chain template offload (CVE-2024-26669 bsc#1222350). - commit 43f1cd6 - kABI fix for rxrpc: Fix delayed ACKs to not set the reference serial number (CVE-2024-26677 bsc#1222387). - rxrpc: Fix delayed ACKs to not set the reference serial number (CVE-2024-26677 bsc#1222387). - commit c3c3a27 - Update patches.suse/cpu-SMT-Enable-SMT-only-if-a-core-is-online.patch (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes bsc#1229327 ltc#206365). - Update patches.suse/powerpc-topology-Check-if-a-core-is-online.patch (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes bsc#1229327 ltc#206365). - commit fd7ec4b - xprtrdma: Fix rpcrdma_reqs_reset() (git-fixes). - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey (git-fixes). - commit c717fae - SUNRPC: Fix a race to wake a sync task (git-fixes). - nfs: pass explicit offset/count to trace events (git-fixes). - commit 6f41a0a - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server (git-fixes). - NFSD: Support write delegations in LAYOUTGET (git-fixes). - nfs: don't invalidate dentries on transient errors (git-fixes). - nfs: propagate readlink errors in nfs_symlink_filler (git-fixes). - nfs: make the rpc_stat per net namespace (git-fixes). - nfs: expose /proc/net/sunrpc/nfs in net namespaces (git-fixes). - sunrpc: add a struct rpc_stats arg to rpc_create_args (git-fixes). - commit 6ab4001 - Update patches.suse/ata-libata-core-Fix-double-free-on-error.patch (git-fixes CVE-2024-41087 bsc#1228740 bsc#1228466). - Update patches.suse/cachefiles-add-missing-lock-protection-when-polling.patch (bsc#1229256 CVE-2024-42250 bsc#1228977). - Update patches.suse/cachefiles-defer-exposing-anon_fd-until-after-copy_to.patch (bsc#1229251 CVE-2024-40913 bsc#1227839). - Update patches.suse/cachefiles-fix-slab-use-after-free-in-cachefiles_onde.patch (bsc#1229247 CVE-2024-39510 bsc#1227734). - Update patches.suse/cachefiles-fix-slab-use-after-free-in-cachefiles_ondemand_daemon_read.patch (bsc#1229246 CVE-2024-40899 bsc#1227758). - Update patches.suse/drm-i915-gem-Fix-Virtual-Memory-mapping-boundaries-c.patch (git-fixes CVE-2024-42259 bsc#1229156). - Update patches.suse/powerpc-pseries-Whitelist-dtl-slub-object-for-copyin.patch (bsc#1194869 CVE-2024-41065 bsc#1228636). - commit 3fec826 - char: xillybus: Check USB endpoints when probing device (git-fixes). - Revert &quot;misc: fastrpc: Restrict untrusted app to attach to privileged PD&quot; (git-fixes). - tty: atmel_serial: use the correct RTS flag (git-fixes). - tty: serial: fsl_lpuart: mark last busy before uart_add_one_port (git-fixes). - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration (git-fixes). - Revert &quot;usb: typec: tcpm: clear pd_event queue in PORT_RESET&quot; (git-fixes). - commit e3fe681 - blacklist.conf: add unwanted nfs/sunrpc patch - commit 405ec89 - Refresh patches.suse/SUNRPC-avoid-soft-lockup-when-transmitting-UDP-to-re.patch. Add git-commit - commit 7a1e763 - xfs: attr forks require attr, not attr2 (git-fixes). - commit d1644af - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume (git-fixes). - i2c: Use IS_REACHABLE() for substituting empty ACPI functions (git-fixes). - commit 37fcb0e - Move upstreamed powerpc patches into sorted section - commit 7bdd775 - xfs: journal geometry is not properly bounds checked (git-fixes). - commit 7680aeb - arm64: Fix KASAN random tag seed initialization (git-fixes) - commit a300263 - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to (git-fixes) - commit a089c62 - spi: Add empty versions of ACPI functions (stable-fixes). - i2c: Fix conditional for substituting empty ACPI functions (stable-fixes). - commit 3dc083c - gpio: mlxbf3: Support shutdown() function (git-fixes). - ALSA: hda/tas2781: Use correct endian conversion (git-fixes). - ALSA: usb-audio: Support Yamaha P-125 quirk entry (stable-fixes). - ALSA: hda/tas2781: fix wrong calibrated data order (git-fixes). - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET (stable-fixes). - ALSA: hda/realtek: Add support for new HP G12 laptops (stable-fixes). - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 (git-fixes). - ALSA: timer: Relax start tick time check for slave timer elements (git-fixes). - drm/amd/display: Adjust cursor position (git-fixes). - drm/amd/display: fix cursor offset on rotation 180 (git-fixes). - device property: Add cleanup.h based fwnode_handle_put() scope based cleanup (stable-fixes). - commit 51be9a0 - xfs: allow cross-linking special files without project quota (git-fixes). - commit 8d26aca - KVM: nVMX: Check for pending posted interrupts when looking for nested events (git-fixes). - commit 0b1027c - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked() (git-fixes). - commit 47fc351 - xfs: use consistent uid/gid when grabbing dquots for inodes (git-fixes). - commit c1c88ce - xfs: honor init_xattrs in xfs_init_new_inode for !ATTR fs (git-fixes). - commit fae2711 - xfs: allow unlinked symlinks and dirs with zero size (git-fixes). - commit 184b713 - blacklist.conf: add f99b052256f1 (&quot;KVM: SNP: Fix LBR Virtualization for SNP guest&quot;) - commit c9ad47e - KVM: x86/mmu: Bug the VM if KVM tries to split a !hugepage SPTE (git-fixes). - commit 96acab8 - xfs: fix unlink vs cluster buffer instantiation race (git-fixes). - commit 0ae592b - xfs: upgrade the extent counters in xfs_reflink_end_cow_extent later (git-fixes). - commit 730a4f0 - xfs: match lock mode in xfs_buffered_write_iomap_begin() (git-fixes). - commit e70a195 - xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery (git-fixes). - commit 85919a1 - xfs: don't use current-&gt;journal_info (git-fixes). - commit d96f684 - KVM: nVMX: Request immediate exit iff pending nested event needs injection (git-fixes). - commit 9d306b8 - cachefiles: add missing lock protection when polling (bsc#1229256). - cachefiles: cyclic allocation of msg_id to avoid reuse (bsc#1228499 CVE-2024-41050). - cachefiles: wait for ondemand_object_worker to finish when dropping object (bsc#1228468 CVE-2024-41051). - cachefiles: cancel all requests for the object that is being dropped (bsc#1229255). - cachefiles: stop sending new request when dropping object (bsc#1229254). - cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop (bsc#1229253). - cachefiles: make on-demand read killable (bsc#1229252). - cachefiles: Set object to close if ondemand_id &lt; 0 in copen (bsc#1228643 CVE-2024-41074). - cachefiles: defer exposing anon_fd until after copy_to_user() succeeds (bsc#1229251). - cachefiles: never get a new anonymous fd if ondemand_id is valid (bsc#1229250). - cachefiles: add spin_lock for cachefiles_ondemand_info (bsc#1229249). - cachefiles: add consistency check for copen/cread (bsc#1228646 CVE-2024-41075). - cachefiles: remove err_put_fd label in cachefiles_ondemand_daemon_read() (bsc#1229248). - cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() (bsc#1229247). - cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() (bsc#1229246). - cachefiles, erofs: Fix NULL deref in when cachefiles is not doing ondemand-mode (bsc#1229245). - cachefiles: add restore command to recover inflight ondemand read requests (bsc#1229244). - cachefiles: narrow the scope of triggering EPOLLIN events in ondemand mode (bsc#1229243). - cachefiles: resend an open request if the read request's object is closed (bsc#1229241). - cachefiles: extract ondemand info field from cachefiles_object (bsc#1229240). - cachefiles: introduce object ondemand state (bsc#1229239). - commit 3d893c5 - KVM: nVMX: Add a helper to get highest pending from Posted Interrupt vector (git-fixes). - commit ebf04ff - KVM: VMX: Switch __vmx_exit() and kvm_x86_vendor_exit() in vmx_exit() (git-fixes). - commit 8ef91ee - KVM: x86: Limit check IDs for KVM_SET_BOOT_CPU_ID (git-fixes). - commit 395837f - KVM: VMX: Move posted interrupt descriptor out of VMX code (git-fixes). - commit feb966b - xfs: allow symlinks with short remote targets (bsc#1229160). - commit e82d4ad - blacklist.conf: add 1c682593096a (&quot;xen: privcmd: Switch from mutex to spinlock for irqfds&quot;) - commit 46d4480 - x86/xen: Convert comma to semicolon (git-fixes). - commit c8d2d16 - net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings (bsc#1229154). - net: mana: Fix RX buf alloc_size alignment and atomic op panic (bsc#1229086). - commit 59cb1c7 - wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion (git-fixes). - net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() (git-fixes). - media: Revert &quot;media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()&quot; (git-fixes). - commit daf04e2 - filelock: Remove locks reliably when fcntl/close race is detected (CVE-2024-41012 bsc#1228247). - commit a736b9b - io_uring: fix possible deadlock in io_register_iowq_max_workers() (bsc#1228616 CVE-2024-41080). - commit eae6448 - io_uring: fix io_match_task must_hold (git-fixes). - io_uring: tighten task exit cancellations (git-fixes). - commit f9ce2d8 - io_uring: Fix probe of disabled operations (git-fixes). - io_uring/advise: support 64-bit lengths (git-fixes). - commit 7566a8d - io_uring: Drop per-ctx dummy_ubuf (git-fixes). - commit 2717cc1 - powerpc/kexec_file: fix cpus node update to FDT (bsc#1194869). - powerpc/pseries: Whitelist dtl slub object for copying to userspace (bsc#1194869). - powerpc/kexec: make the update_cpus_node() function public (bsc#1194869). - powerpc/xmon: Check cpu id in commands &quot;c#&quot;, &quot;dp#&quot; and &quot;dx#&quot; (bsc#1194869). - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n (bsc#1194869). - powerpc/io: Avoid clang null pointer arithmetic warnings (bsc#1194869). - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp (bsc#1194869). - powerpc/kexec: split CONFIG_KEXEC_FILE and CONFIG_CRASH_DUMP (bsc#1194869). - powerpc: xor_vmx: Add '-mhard-float' to CFLAGS (bsc#1194869). - powerpc/radix: Move some functions into #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE (bsc#1194869). - commit 4e7f0fe - blacklist.conf: Add a bunch of superfluous ppc changes reported by git-fixes. - commit 7c2a851 - blacklist.conf: Add ppc more ppc unsupported arch paths and commits. - commit 66e06b4 - blacklist.conf: Add more ppc 32bit paths. - commit 013a9db - arm64: errata: Expand speculative SSBS workaround (again) (git-fixes) - commit e589bbc - arm64: cputype: Add Cortex-A725 definitions (git-fixes) - commit 0d04176 - arm64: cputype: Add Cortex-X1C definitions (git-fixes) - commit 6a5ea61 - arm64: errata: Expand speculative SSBS workaround (git-fixes) - commit f75d6ba - arm64: errata: Unify speculative SSBS errata logic (git-fixes). Update config files. - commit ffaab08 - arm64: cputype: Add Cortex-X925 definitions (git-fixes) - commit 3c8ddb7 - arm64: cputype: Add Cortex-A720 definitions (git-fixes) - commit f5fd7c6 - arm64: cputype: Add Cortex-X3 definitions (git-fixes) - commit d87d988 - arm64: errata: Add workaround for Arm errata 3194386 and 3312417 (git-fixes) Refresh patches.suse/kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch and enable around. - commit b3747ef - arm64: cputype: Add Neoverse-V3 definitions (git-fixes) - commit 78aeee9 - arm64: cputype: Add Cortex-X4 definitions (git-fixes) - commit 2841965 - arm64: barrier: Restore spec_bar() macro (git-fixes) - commit 5c935b6 - arm64: Add Neoverse-V2 part (git-fixes) - commit 0f9f30b - net/rds: fix possible cp null dereference (git-fixes). - commit cac3126 - s390/pci: Add missing virt_to_phys() for directed DIBV (git-fixes bsc#1229174). - commit ea8e3e7 - s390/dasd: fix error checks in dasd_copy_pair_store() (git-fixes bsc#1229173). - commit f5c4fe8 - s390/pci: Allow allocation of more than 1 MSI interrupt (git-fixes bsc#1229172). - s390/pci: Refactor arch_setup_msi_irqs() (git-fixes bsc#1229172). - commit ad8c54b - s390/cpum_cf: Fix endless loop in CF_DIAG event stop (git-fixes bsc#1229171). - commit 94c7469 - s390/uv: Panic for set and remove shared access UVC errors (git-fixes bsc#1229170). - commit 447c271 - s390/sclp: Prevent release of buffer in I/O (git-fixes bsc#1229169). - commit 9daf007 - kvm: s390: Reject memory region operations for ucontrol VMs (git-fixes bsc#1229168). - commit 14a9742 - KVM: s390: fix validity interception issue when gisa is switched off (git-fixes bsc#1229167). - commit 5c4e348 - Update patch reference of USB patch (jsc#PED-10108) - commit edfa08b - USB: serial: debug: do not echo input by default (stable-fixes). - usb: vhci-hcd: Do not drop references before new references are gained (stable-fixes). - serial: core: check uartclk for zero to avoid divide by zero (stable-fixes). - media: xc2028: avoid use-after-free in load_firmware_cb() (stable-fixes). - media: uvcvideo: Fix the bandwdith quirk on USB 3.x (stable-fixes). - media: uvcvideo: Ignore empty TS packets (stable-fixes). - media: amphion: Remove lock in s_ctrl callback (stable-fixes). - wifi: nl80211: don't give key data to userspace (stable-fixes). - PCI: Add Edimax Vendor ID to pci_ids.h (stable-fixes). - wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup() (stable-fixes). - wifi: nl80211: disallow setting special AP channel widths (stable-fixes). - gpio: prevent potential speculation leaks in gpio_device_get_desc() (stable-fixes). - commit 2335bf9 - docs: KVM: Fix register ID of SPSR_FIQ (git-fixes). - drm/i915/gem: Adjust vma offset for framebuffer mmap offset (stable-fixes). - drm/amd/display: Skip Recompute DSC Params if no Stream on Link (stable-fixes). - drm/amdgpu: Forward soft recovery errors to userspace (stable-fixes). - drm/dp_mst: Skip CSN if topology probing is not done yet (stable-fixes). - drm/mediatek/dp: Fix spurious kfree() (git-fixes). - drm/amd/display: Add null checker before passing variables (stable-fixes). - Revert &quot;drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update&quot; (stable-fixes). - drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update (stable-fixes). - drm/bridge: analogix_dp: properly handle zero sized AUX transactions (stable-fixes). - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr (stable-fixes). - drm/radeon: Remove __counted_by from StateArray.states[] (git-fixes). - drm/amdgpu: Add lock around VF RLCG interface (stable-fixes). - drm/admgpu: fix dereferencing null pointer context (stable-fixes). - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules (stable-fixes). - drm/amdgpu: Fix the null pointer dereference to ras_manager (stable-fixes). - drm/amdgpu/pm: Fix the null pointer dereference for smu7 (stable-fixes). - drm/amdgpu/pm: Fix the param type of set_power_profile_mode (stable-fixes). - drm/amdgpu: fix potential resource leak warning (stable-fixes). - drm/amd/display: Add delay to improve LTTPR UHBR interop (stable-fixes). - Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading (stable-fixes). - can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd (stable-fixes). - can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum (stable-fixes). - ACPI: SBS: manage alarm sysfs attribute through psy core (stable-fixes). - ACPI: battery: create alarm sysfs attribute atomically (stable-fixes). - clocksource/drivers/sh_cmt: Address race condition for clock events (stable-fixes). - commit 2a8ca72 - Update patch reference for SPI patch (jsc#PED-10105) - commit a896d55 - kabi fix for KVM: s390: fix LPSWEY handling (bsc#1227634 git-fixes). - KVM: s390: fix LPSWEY handling (bsc#1227634 git-fixes). - commit 576de67 - kernfs: Convert kernfs_path_from_node_locked() from strlcpy() to strscpy() (bsc#1229134). - Refresh patches.suse/cgroup-cpuset-Prevent-UAF-in-proc_cpuset_show.patch. - commit bc8376b - Update patch reference for iwlwifi fix (jsc#PED-10055) - commit 73fda85 - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table (bsc#1229056). - commit 0ae7f4e - bpf: hardcode BPF_PROG_PACK_SIZE to 2MB * num_possible_nodes() (git-fixes). - bpf: don't infer PTR_TO_CTX for programs with unnamed context type (git-fixes). - bpf: handle bpf_user_pt_regs_t typedef explicitly for PTR_TO_CTX global arg (git-fixes). - bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly (git-fixes). - commit dd0591b - net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket (CVE-2024-42246 bsc#1228989). - commit 12865c8 - tools/resolve_btfids: Fix comparison of distinct pointer types warning in resolve_btfids (git-fixes). - tools/resolve_btfids: fix build with musl libc (git-fixes). - commit f42b517 - btrfs: fix leak of qgroup extent records after transaction abort (git-fixes). - btrfs: fix ordered extent split error handling in btrfs_dio_submit_io (git-fixes). - btrfs: use irq safe locking when running and adding delayed iputs (git-fixes). - commit 59b18df - btrfs: fix extent map use-after-free when adding pages to compressed bio (git-fixes). - commit b3e7c96 - Drop libata patch that caused a regression (bsc#1229054) - commit 3d5faca - btrfs: fix double inode unlock for direct IO sync writes (git-fixes). - btrfs: fix corruption after buffer fault in during direct IO append write (git-fixes). - btrfs: use a btrfs_inode local variable at btrfs_sync_file() (git-fixes). - btrfs: pass a btrfs_inode to btrfs_wait_ordered_range() (git-fixes). - btrfs: pass a btrfs_inode to btrfs_fdatawrite_range() (git-fixes). - btrfs: use a btrfs_inode in the log context (struct btrfs_log_ctx) (git-fixes). - btrfs: make btrfs_finish_ordered_extent() return void (git-fixes). - btrfs: ensure fast fsync waits for ordered extents after a write failure (git-fixes). - btrfs: rename err to ret in btrfs_direct_write() (git-fixes). - btrfs: uninline some static inline helpers from tree-log.h (git-fixes). - btrfs: use btrfs_finish_ordered_extent to complete buffered writes (git-fixes). - btrfs: use btrfs_finish_ordered_extent to complete direct writes (git-fixes). - btrfs: use btrfs_finish_ordered_extent to complete compressed writes (git-fixes). - btrfs: open code end_extent_writepage in end_bio_extent_writepage (git-fixes). - btrfs: add a btrfs_finish_ordered_extent helper (git-fixes). - btrfs: factor out a btrfs_queue_ordered_fn helper (git-fixes). - btrfs: factor out a can_finish_ordered_extent helper (git-fixes). - btrfs: use bbio-&gt;ordered in btrfs_csum_one_bio (git-fixes). - btrfs: add an ordered_extent pointer to struct btrfs_bio (git-fixes). - btrfs: open code btrfs_bio_end_io in btrfs_dio_submit_io (git-fixes). - btrfs: add a is_data_bbio helper (git-fixes). - btrfs: remove btrfs_add_ordered_extent (git-fixes). - btrfs: pass an ordered_extent to btrfs_submit_compressed_write (git-fixes). - btrfs: pass an ordered_extent to btrfs_reloc_clone_csums (git-fixes). - btrfs: merge the two calls to btrfs_add_ordered_extent in run_delalloc_nocow (git-fixes). - btrfs: limit write bios to a single ordered extent (git-fixes). - commit 90ea198 - powerpc/topology: Check if a core is online (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes). - cpu/SMT: Enable SMT only if a core is online (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes). - commit 3d340df - Update patch reference for MD patch (jsc#PED-10029 jsc#PED-10045) - commit 1bf8fd1 - Update patch refefernce for MFD patch (jsc#PED-10029) - commit f36d989 - platform/x86/amd/hsmp: Check HSMP support on AMD family of processors (jsc#PED-8779). - commit c606582 - platform/x86/amd/hsmp: switch to use device_add_groups() (jsc#PED-8779). - commit 4007799 - platform/x86/amd/hsmp: Change devm_kzalloc() to devm_kcalloc() (jsc#PED-8779). - commit 9854658 - platform/x86/amd/hsmp: Remove extra parenthesis and add a space (jsc#PED-8779). - commit 0a84b39 - platform/x86/amd/hsmp: Check num_sockets against MAX_AMD_SOCKETS (jsc#PED-8779). - commit 85ba4b7 - platform/x86/amd/hsmp: Non-ACPI support for AMD F1A_M00~0Fh (jsc#PED-8779). - commit 1b89039 - platform/x86/amd/hsmp: Add support for ACPI based probing (jsc#PED-8779). - commit 73c2646 - platform/x86/amd/hsmp: Restructure sysfs group creation (jsc#PED-8779). - commit 9e31807 - platform/x86/amd/hsmp: Move dev from platdev to hsmp_socket (jsc#PED-8779). - commit f6baa58 - platform/x86/amd/hsmp: Define a struct to hold mailbox regs (jsc#PED-8779). - commit 07f864e - platform/x86/amd/hsmp: Create static func to handle platdev (jsc#PED-8779). - commit d5ea9be - platform/x86/amd/hsmp: Cache pci_dev in struct hsmp_socket (jsc#PED-8779). - commit d314cb6 - platform/x86/amd/hsmp: Move hsmp_test to probe (jsc#PED-8779). - commit b00829d - tools/resolve_btfids: Fix cross-compilation to non-host endianness (git-fixes). - tools/resolve_btfids: Refactor set sorting with types from btf_ids.h (git-fixes). - libbpf: Use OPTS_SET() macro in bpf_xdp_query() (git-fixes). - commit 6fc7b9e - libbpf: Add missing LIBBPF_API annotation to libbpf_set_memlock_rlim API (git-fixes). - selftests/bpf: Disable IPv6 for lwt_redirect test (git-fixes). - libbpf: Fix faccessat() usage on Android (git-fixes). - selftests/bpf: Wait for the netstamp_needed_key static key to be turned on (git-fixes). - commit 89d6f3b - selftests/bpf: Fix the flaky tc_redirect_dtime test (git-fixes). - selftest/bpf: Add map_in_maps with BPF_MAP_TYPE_PERF_EVENT_ARRAY values (git-fixes). - libbpf: Apply map_set_def_max_entries() for inner_maps on creation (git-fixes). - selftests/bpf: Fix potential premature unload in bpf_testmod (git-fixes). - bpftool: Silence build warning about calloc() (git-fixes). - commit 7aaf2fc - x86/asm: Use %c/%n instead of %P operand modifier in asm templates (git-fixes). - Refresh patches.suse/x86-uaccess-Fix-missed-zeroing-of-ia32-u64-get_user-range-.patch. - commit 97ffc68 - selftests/bpf: Fix up xdp bonding test wrt feature flags (git-fixes). - selftests/bpf: fix compiler warnings in RELEASE=1 mode (git-fixes). - selftests/bpf: Relax time_tai test for equal timestamps in tai_forward (git-fixes). - bpf: Set uattr-&gt;batch.count as zero before batched update or deletion (git-fixes). - bpf: Remove unnecessary wait from bpf_map_copy_value() (git-fixes). - commit 19ebfe6 - bpf: enforce precision of R0 on callback return (git-fixes). - selftests/bpf: Fix erroneous bitmask operation (git-fixes). - bpf/tests: Remove duplicate JSGT tests (git-fixes). - bpftool: mark orphaned programs during prog show (git-fixes). - commit 2b6a18e - bpf: Fix a few selftest failures due to llvm18 change (git-fixes). - selftests/bpf: Fix issues in setup_classid_environment() (git-fixes). - selftests/bpf: Add assert for user stacks in test_task_stack (git-fixes). - selftests/bpf: Fix pyperf180 compilation failure with clang18 (git-fixes). - bpf: Add crosstask check to __bpf_get_stack (git-fixes). - commit fce00e9 - bpf, lpm: Fix check prefixlen before walking trie (git-fixes). - selftests/bpf: satisfy compiler by having explicit return in btf test (git-fixes). - selftests/bpf: fix RELEASE=1 build for tc_opts (git-fixes). - bpf: Fix prog_array_map_poke_run map poke update (git-fixes). - commit ca200c8 - scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add() (bsc#1228754 CVE-2024-42159 git-fixes). - scsi: mpi3mr: Sanitise num_phys (bsc#1228754 CVE-2024-42159). - commit e024eb0 - selftests/bpf: check if max number of bpf_loop iterations is tracked (git-fixes). Refresh patches.suse/selftests-bpf-test-case-for-callback_depth-states-pr.patch. - selftests/bpf: fix bpf_loop_bench for new callback verification scheme (git-fixes). - selftests/bpf: Add netkit to tc_redirect selftest (git-fixes). - selftests/bpf: De-veth-ize the tc_redirect test case (git-fixes). - bpf: fix control-flow graph checking in privileged mode (git-fixes). - commit 27db2c6 - bpf: Fix check_stack_write_fixed_off() to correctly spill imm (git-fixes). - bpf: Fix unnecessary -EBUSY from htab_lock_bucket (git-fixes). - commit b5c430e - mm/shmem: disable PMD-sized page cache if needed (CVE-2024-42241 bsc#1228986). - commit 8ecdd91 - x86/mm: Fix pti_clone_pgtable() alignment assumption (git-fixes). - commit 1d041a1 - x86/mm: Fix pti_clone_entry_text() for i386 (git-fixes). - commit 5407674 - x86/pci: Skip early E820 check for ECAM region (git-fixes). - commit 7ac1bfc - x86/mtrr: Check if fixed MTRRs exist before saving them (git-fixes). - commit 03de6ee - x86/entry/64: Remove obsolete comment on tracing vs. SYSRET (git-fixes). - commit 41708c1 - memcg: protect concurrent access to mem_cgroup_idr (git-fixes). - commit e9979b2 - Revert &quot;sched/fair: Make sure to try to detach at least one movable task&quot; (CVE-2024-42245 bsc#1228978). - commit bff0dc0 - selftests/bpf: Make linked_list failure test more robust (git-fixes). - bpf: Ensure proper register state printing for cond jumps (git-fixes). - commit 2ec4f49 - ipv6: sr: fix incorrect unregister order (git-fixes). - commit f975fdd - ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735 bsc#1222372). - commit 75aaed9 - bpftool: Align output skeleton ELF code (git-fixes). - samples/bpf: syscall_tp_user: Fix array out-of-bound access (git-fixes). - samples/bpf: syscall_tp_user: Rename num_progs into nr_tests (git-fixes). - bpf: Fix kfunc callback register type handling (git-fixes). - commit ee3cca0 - bpf: Detect IP == ksym.end as part of BPF program (git-fixes). - commit b5b57d0 - selftests/bpf: Skip module_fentry_shadow test when bpf_testmod is not available (git-fixes). - commit 85b5d5e - bpftool: Fix -Wcast-qual warning (git-fixes). - commit 0417873 - net: bridge: switchdev: Skip MDB replays of deferred events on offload (CVE-2024-26837 bsc#1222973). - commit 2f55c98 - s390/pkey: Wipe copies of protected- and secure-keys (CVE-2024-42155 bsc#1228733). - s390/pkey: Wipe copies of clear-key structures on failure (CVE-2024-42156 bsc#1228722). - s390/pkey: Wipe sensitive data on failure (CVE-2024-42157 bsc#1228727). - s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings (CVE-2024-42158 bsc#1228720). - s390/pkey: introduce dynamic debugging for pkey (bsc#1228720). - s390/pkey: harmonize pkey s390 debug feature calls (bsc#1228720). - commit 72f0617 - usb: gadget: u_serial: Set start_delayed during suspend (git-fixes). - usb: gadget: core: Check for unset descriptor (git-fixes). - usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed (git-fixes). - driver core: Fix uevent_show() vs driver detach race (git-fixes). - thermal/drivers/broadcom: Fix race between removal and clock disable (git-fixes). - thermal: bcm2835: Convert to platform remove callback returning void (stable-fixes). - commit 9bfd8af - selftests/bpf: Cover verifier checks for mutating sockmap/sockhash (bsc#1226885 CVE-2024-38662). - Revert &quot;bpf, sockmap: Prevent lock inversion deadlock in map delete elem&quot; (bsc#1226885 CVE-2024-38662). - bpf: Allow delete from sockmap/sockhash only if update is allowed (bsc#1226885 CVE-2024-38662). - commit 7f528cf - rpm/kernel-binary.spec.in: fix klp_symbols macro The commit below removed openSUSE filter from %ifs of the klp_symbols definition. But it removed -c of grep too and that causes: error: syntax error in expression: 01 &amp;&amp; ( || 1 ) error: ^ error: unmatched (: 01 &amp;&amp; ( || 1 ) error: ^ error: kernel-default.spec:137: bad %if condition: 01 &amp;&amp; ( || 1 ) So reintroduce -c to the PTF's grep. Fixes: fd0b293bebaf (kernel-binary.spec.in: Enable klp_symbols on openSUSE Tumbleweed (boo#1229042).) - commit 4a36fe3 - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume (git-fixes). - i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume (git-fixes). - i2c: smbus: Send alert notifications to all devices if source not found (git-fixes). - i2c: smbus: Improve handling of stuck alerts (git-fixes). - spi: spi-fsl-lpspi: Fix scldiv calculation (git-fixes). - spi: spidev: Add missing spi_device_id for bh2228fv (git-fixes). - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation (git-fixes). - drm/client: fix null pointer dereference in drm_client_modeset_probe (git-fixes). - commit e093c66 - Update patch references for ASoC regression fixes (bsc#1229045 bsc#1229046) - commit 4e3f007 - rpm/kernel-binary.spec.in: Fix build regression The previous fix forgot to take over grep -c option that broke the conditional expression - commit d29edf2 - Moved upstreamed ASoC patch into sorted section - commit 3058bc3 - ASoC: cs35l56: Patch CS35L56_IRQ1_MASK_18 to the default value (stable-fixes). - ASoC: amd: yc: Support mic on Lenovo Thinkpad E14 Gen 6 (stable-fixes). - ASoC: cs35l56: Handle OTP read latency over SoundWire (stable-fixes). - ASoC: nau8822: Lower debug print priority (stable-fixes). - ASoC: fsl_micfil: Expand the range of FIFO watermark mask (stable-fixes). - ASoC: amd: yc: Support mic on HP 14-em0002la (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks (stable-fixes). - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 (stable-fixes). - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list (stable-fixes). - ALSA: line6: Fix racy access to midibuf (stable-fixes). - ASoC: cs35l56: Patch CS35L56_IRQ1_MASK_18 to the default value (stable-fixes). - ASoC: amd: yc: Support mic on Lenovo Thinkpad E14 Gen 6 (stable-fixes). - ASoC: cs35l56: Handle OTP read latency over SoundWire (stable-fixes). - ASoC: nau8822: Lower debug print priority (stable-fixes). - ASoC: fsl_micfil: Expand the range of FIFO watermark mask (stable-fixes). - ASoC: amd: yc: Support mic on HP 14-em0002la (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks (stable-fixes). - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 (stable-fixes). - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list (stable-fixes). - ALSA: line6: Fix racy access to midibuf (stable-fixes). - commit a8c8868 - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT (git-fixes). - ASoC: SOF: Remove libraries from topology lookups (git-fixes). - ASoC: codecs: wsa884x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wsa883x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wsa881x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask (git-fixes). - ALSA: usb-audio: Re-add ScratchAmp quirk entries (git-fixes). - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT (git-fixes). - ASoC: SOF: Remove libraries from topology lookups (git-fixes). - ASoC: codecs: wsa884x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wsa883x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wsa881x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask (git-fixes). - ALSA: usb-audio: Re-add ScratchAmp quirk entries (git-fixes). - commit cdc2939 - kernel-binary.spec.in: Enable klp_symbols on openSUSE Tumbleweed (boo#1229042). After the Jump project the kernel used by SLE and openSUSE Leap are the same. As consequence the klp_symbols variable is set, enabling kernel-default-livepatch-devel on both SLE and openSUSE. The current rules to avoid enabling the package exclude openSUSE Tumbleweed alone, which doesn't makes sense for now. Enabling kernel-default-livepatch-devel on TW makes it easier to test the creation of kernel livepatches of the next SLE versions. - commit fd0b293 - Split kABI workaround of recent hyperv fixes (bsc#1229040, bsc#1225745, CVE-2024-36911, bsc#1225717, CVE-2024-36910, bsc#1225744, CVE-2024-36909) - commit 3639306 - Yet more build fix without patches.kabi (bsc#1226502) - commit 6bc3429 - Fix build errors without patches.kabi (bsc#1226502) Now patches.suse/x86-Stop-using-weak-symbols-for-__iowrite32_copy.patch has a full backport and later partially reverted via patches.kabi/kabi-partial-revert-commit-20516d6e51dd.patch - commit 44c5e90 - landlock: Fix d_parent walk (CVE-2024-40938 bsc#1227840). - commit 36de641 - net: fix sk_memory_allocated_{add|sub} vs softirqs (bsc#1228757). - commit a963c0f - minmax: fix up min3() and max3() too (bsc#1229024). - minmax: improve macro expansion and type checking (bsc#1229024). - minmax: simplify min()/max()/clamp() implementation (bsc#1229024). - minmax: don't use max() in situations that want a C constant expression (bsc#1229024). - minmax: make generic MIN() and MAX() macros available everywhere (bsc#1229024). - minmax: simplify and clarify min_t()/max_t() implementation (bsc#1229024). - minmax: add a few more MIN_T/MAX_T users (bsc#1229024). - minmax: avoid overly complicated constant expressions in VM code (bsc#1229024). - drm/radeon/evergreen_cs: Clean up errors in evergreen_cs.c (bsc#1229024). - commit c64c296 - Update patches.suse/ALSA-emux-improve-patch-ioctl-data-validation.patch (stable-fixes CVE-2024-42097 bsc#1228766). - Update patches.suse/ASoC-SOF-Intel-hda-fix-null-deref-on-system-suspend-.patch (git-fixes CVE-2024-41037 bsc#1228508). - Update patches.suse/ASoC-amd-acp-add-a-null-check-for-chip_pdev-structur.patch (git-fixes CVE-2024-42074 bsc#1228481). - Update patches.suse/ASoC-fsl-asoc-card-set-priv-pdev-before-using-it.patch (git-fixes CVE-2024-42089 bsc#1228450). - Update patches.suse/Bluetooth-ISO-Check-socket-flag-instead-of-hcon.patch (git-fixes CVE-2024-42141 bsc#1228502). - Update patches.suse/Bluetooth-Ignore-too-large-handle-values-in-BIG.patch (git-fixes CVE-2024-42133 bsc#1228511). - Update patches.suse/Bluetooth-hci_core-cancel-all-works-upon-hci_unregis.patch (stable-fixes CVE-2024-41063 bsc#1228580). - Update patches.suse/Bluetooth-qca-Fix-BT-enable-failure-again-for-QCA639.patch (git-fixes CVE-2024-42137 bsc#1228563). - Update patches.suse/PCI-MSI-Fix-UAF-in-msi_capability_init.patch (git-fixes CVE-2024-41096 bsc#1228479). - Update patches.suse/RDMA-restrack-Fix-potential-invalid-address-access.patch (git-fixes CVE-2024-42080 bsc#1228673). - Update patches.suse/USB-core-Fix-duplicate-endpoint-bug-by-clearing-rese.patch (git-fixes CVE-2024-41035 bsc#1228485). - Update patches.suse/USB-serial-mos7840-fix-crash-on-resume.patch (git-fixes CVE-2024-42244 bsc#1228967). - Update patches.suse/ata-libata-core-Fix-null-pointer-dereference-on-erro.patch (git-fixes CVE-2024-41098 bsc#1228467). - Update patches.suse/bluetooth-hci-disallow-setting-handle-bigger-than-HC.patch (git-fixes CVE-2024-42132 bsc#1228492). - Update patches.suse/bpf-Fail-bpf_timer_cancel-when-callback-is-being-can.patch (bsc#1228531 CVE-2024-41045 CVE-2024-42239 bsc#1228979). - Update patches.suse/can-mcp251xfd-fix-infinite-loop-when-xmit-fails.patch (git-fixes CVE-2024-41088 bsc#1228469). - Update patches.suse/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch (stable-fixes CVE-2024-42136 bsc#1228758). - Update patches.suse/crypto-aead-cipher-zeroize-key-buffer-after-use.patch (stable-fixes CVE-2024-42229 bsc#1228708). - Update patches.suse/crypto-ecdh-explicitly-zeroize-private_key.patch (stable-fixes CVE-2024-42098 bsc#1228779). - Update patches.suse/drm-amd-display-ASSERT-when-failing-to-find-index-by.patch (stable-fixes CVE-2024-42117 bsc#1228582). - Update patches.suse/drm-amd-display-Check-index-msg_id-before-read-or-wr.patch (stable-fixes CVE-2024-42121 bsc#1228590). - Update patches.suse/drm-amd-display-Check-pipe-offset-before-setting-vbl.patch (stable-fixes CVE-2024-42120 bsc#1228588). - Update patches.suse/drm-amd-display-Fix-array-index-out-of-bounds-in-dml.patch (stable-fixes CVE-2024-41061 bsc#1228572). - Update patches.suse/drm-amd-display-Fix-overlapping-copy-within-dml_core.patch (stable-fixes CVE-2024-42227 bsc#1228707). - Update patches.suse/drm-amd-display-Skip-finding-free-audio-for-unknown-.patch (stable-fixes CVE-2024-42119 bsc#1228584). - Update patches.suse/drm-amd-display-Skip-pipe-if-the-pipe-idx-not-set-pr.patch (stable-fixes CVE-2024-42064 bsc#1228586). - Update patches.suse/drm-amdgpu-Fix-signedness-bug-in-sdma_v4_0_process_t.patch (git-fixes CVE-2024-41022 bsc#1228429). - Update patches.suse/drm-amdgpu-Using-uninitialized-value-size-when-calli.patch (stable-fixes CVE-2024-42228 bsc#1228667). - Update patches.suse/drm-amdgpu-avoid-using-null-object-of-framebuffer.patch (stable-fixes CVE-2024-41093 bsc#1228660). - Update patches.suse/drm-fbdev-dma-Only-set-smem_start-is-enable-per-modu.patch (git-fixes CVE-2024-41094 bsc#1228458). - Update patches.suse/drm-i915-gt-Fix-potential-UAF-by-revoke-of-fence-reg.patch (git-fixes CVE-2024-41092 bsc#1228483). - Update patches.suse/drm-lima-fix-shared-irq-handling-on-driver-remove.patch (stable-fixes CVE-2024-42127 bsc#1228721). - Update patches.suse/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-66edf3f.patch (stable-fixes CVE-2024-41095 bsc#1228662). - Update patches.suse/drm-nouveau-dispnv04-fix-null-pointer-dereference-in.patch (stable-fixes CVE-2024-41089 bsc#1228658). - Update patches.suse/drm-nouveau-fix-null-pointer-dereference-in-nouveau_.patch (git-fixes CVE-2024-42101 bsc#1228495). - Update patches.suse/drm-panel-ilitek-ili9881c-Fix-warning-with-GPIO-cont.patch (stable-fixes CVE-2024-42087 bsc#1228677). - Update patches.suse/drm-radeon-check-bo_va-bo-is-non-NULL-before-using-i.patch (stable-fixes CVE-2024-41060 bsc#1228567). - Update patches.suse/filelock-fix-potential-use-after-free-in-posix_lock_inode.patch (git-fixes CVE-2024-41049 bsc#1228486). - Update patches.suse/firmware-cs_dsp-Fix-overflow-checking-of-wmfw-header.patch (git-fixes CVE-2024-41039 bsc#1228515). - Update patches.suse/firmware-cs_dsp-Prevent-buffer-overrun-when-processi.patch (git-fixes CVE-2024-41038 bsc#1228509). - Update patches.suse/firmware-cs_dsp-Return-error-if-block-header-overflo.patch (git-fixes CVE-2024-42238 bsc#1228991). - Update patches.suse/firmware-cs_dsp-Use-strnlen-on-name-fields-in-V1-wmf.patch (git-fixes CVE-2024-41056 bsc#1228480). - Update patches.suse/firmware-cs_dsp-Validate-payload-length-before-proce.patch (git-fixes CVE-2024-42237 bsc#1228992). - Update patches.suse/genirq-cpuhotplug-x86-vector-Prevent-vector-leak-dur.patch (git-fixes CVE-2024-31076 bsc#1226765). - Update patches.suse/gpio-davinci-Validate-the-obtained-number-of-IRQs.patch (git-fixes CVE-2024-42092 bsc#1228447). - Update patches.suse/gpio-pca953x-fix-pca953x_irq_bus_sync_unlock-race.patch (stable-fixes CVE-2024-42253 bsc#1229005). - Update patches.suse/i2c-pnx-Fix-potential-deadlock-warning-from-del_time.patch (git-fixes CVE-2024-42153 bsc#1228510). - Update patches.suse/iio-chemical-bme680-Fix-overflows-in-compensate-func.patch (git-fixes CVE-2024-42086 bsc#1228452). - Update patches.suse/jffs2-Fix-potential-illegal-address-access-in-jffs2_free_inode.patch (git-fixes CVE-2024-42115 bsc#1228656). - Update patches.suse/libceph-fix-race-between-delayed_work-and-ceph_monc_s.patch (bsc#1228192 CVE-2024-42232 bsc#1228959). - Update patches.suse/media-dvb-frontends-tda10048-Fix-integer-overflow.patch (stable-fixes CVE-2024-42223 bsc#1228726). - Update patches.suse/misc-fastrpc-Fix-memory-leak-in-audio-daemon-attach-.patch (git-fixes CVE-2024-41025 bsc#1228527). - Update patches.suse/misc-fastrpc-Restrict-untrusted-app-to-attach-to-pri.patch (git-fixes CVE-2024-41024 bsc#1228525). - Update patches.suse/mm-Avoid-overflows-in-dirty-throttling-logic.patch (bsc#1222364 CVE-2024-26720 CVE-2024-42131 bsc#1228650). - Update patches.suse/msft-hv-3022-net-mana-Fix-possible-double-free-in-error-handling-.patch (git-fixes CVE-2024-42069 bsc#1228463). - Update patches.suse/net-can-j1939-Initialize-unused-data-in-j1939_send_o.patch (git-fixes CVE-2024-42076 bsc#1228484). - Update patches.suse/net-can-j1939-enhanced-error-handling-for-tightly-re.patch (git-fixes CVE-2023-52887 bsc#1228426). - Update patches.suse/nfc-nci-Add-the-inconsistency-check-between-the-inpu.patch (stable-fixes CVE-2024-42130 bsc#1228687). - Update patches.suse/nilfs2-add-missing-check-for-inode-numbers-on-direct.patch (stable-fixes CVE-2024-42104 bsc#1228654). - Update patches.suse/nvme-avoid-double-free-special-payload.patch (git-fixes CVE-2024-41073 bsc#1228635). - Update patches.suse/nvmet-always-initialize-cqe.result.patch (git-fixes CVE-2024-41079 bsc#1228615). - Update patches.suse/nvmet-fix-a-possible-leak-when-destroy-a-ctrl-during.patch (git-fixes CVE-2024-42152 bsc#1228724). - Update patches.suse/ocfs2-fix-DIO-failure-due-to-insufficient-transaction-credits.patch (git-fixes CVE-2024-42077 bsc#1228516). - Update patches.suse/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xatt.patch (bsc#1228410 CVE-2024-41016). - Update patches.suse/orangefs-fix-out-of-bounds-fsid-access.patch (git-fixes CVE-2024-42143 bsc#1228748). - Update patches.suse/pinctrl-fix-deadlock-in-create_pinctrl-when-handling.patch (git-fixes CVE-2024-42090 bsc#1228449). - Update patches.suse/platform-x86-toshiba_acpi-Fix-array-out-of-bounds-ac.patch (git-fixes CVE-2024-41028 bsc#1228539). - Update patches.suse/powerpc-Avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch (bsc#1221645 ltc#205739 bsc#1223191 CVE-2024-42126 bsc#1228718). - Update patches.suse/powerpc-pseries-Fix-scv-instruction-crash-with-kexec.patch (bsc#1194869 CVE-2024-42230 bsc#1228489). - Update patches.suse/thermal-drivers-mediatek-lvts_thermal-Check-NULL-ptr.patch (stable-fixes CVE-2024-42144 bsc#1228666). - Update patches.suse/usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch (git-fixes CVE-2024-41097 bsc#1228513). - Update patches.suse/usb-dwc3-core-remove-lock-of-otg-mode-during-gadget-.patch (git-fixes CVE-2024-42085 bsc#1228456). - Update patches.suse/usb-gadget-configfs-Prevent-OOB-read-write-in-usb_st.patch (stable-fixes CVE-2024-42236 bsc#1228964). - Update patches.suse/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch (stable-fixes CVE-2024-42226 bsc#1228709). - Update patches.suse/wifi-cfg80211-restrict-NL80211_ATTR_TXQ_QUANTUM-valu.patch (git-fixes CVE-2024-42114 bsc#1228564). - Update patches.suse/wifi-cfg80211-wext-add-extra-SIOCSIWSCAN-data-check.patch (stable-fixes CVE-2024-41072 bsc#1228626). - Update patches.suse/wifi-mac80211-Avoid-address-calculations-via-out-of-.patch (stable-fixes CVE-2024-41071 bsc#1228625). - Update patches.suse/wifi-mt76-replace-skb_put-with-skb_put_zero.patch (stable-fixes CVE-2024-42225 bsc#1228710). - Update patches.suse/wifi-rtw89-fw-scan-offload-prohibit-all-6-GHz-channe.patch (bsc#1227149 CVE-2024-42125 bsc#1228674). - Update patches.suse/x86-bhi-Avoid-warning-in-DB-handler-due-to-BHI-mitigation (git-fixes CVE-2024-42240 bsc#1228966). Add CVE references. - commit dfa8582 - Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor (git-fixes). - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() (git-fixes). - net: usb: qmi_wwan: fix memory leak for not ip packets (git-fixes). - padata: Fix possible divide-by-0 panic in padata_mt_helper() (git-fixes). - kcov: properly check for softirq context (git-fixes). - commit fc99a65 - wireguard: allowedips: avoid unaligned 64-bit memory accesses (CVE-2024-42247 bsc#1228988). - commit 12abe6d - selftests/bpf: Add netlink helper library (bsc#1228021 CVE-2024-41010). - Fix BPF selftest build failure - commit c3e9de4 - x86/numa: Fix the sort compare func used in numa_fill_memblks() (git-fixes). - x86/numa: Fix the address overlap check in numa_fill_memblks() (git-fixes). - commit b42baa2 - inet_diag: Initialize pad field in struct inet_diag_req_v2 (CVE-2024-42106 bsc#1228493). - commit 87d015b - x86/numa: Fix SRAT lookup of CFMWS ranges with numa_fill_memblks() (git-fixes). - ACPI/NUMA: Apply SRAT proximity domain to entire CFMWS window (git-fixes). - x86/numa: Introduce numa_fill_memblks() (git-fixes). - commit 7f40727 - ACPI: processor_idle: use raw_safe_halt() in acpi_idle_play_dead() (git-fixes). - perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09 (git-fixes). - commit 23f94eb - Update patches.suse/crypto-hisilicon-debugfs-Fix-debugfs-uninit-process-.patch (bsc#1228764 CVE-2024-42147). - commit 9b42aa7 - serial: 8250_omap: Fix Errata i2310 with RX FIFO level check (bsc#1228446 CVE-2024-42095). - commit 6d3406b - serial: 8250_omap: Implementation of Errata i2310 (bsc#1228446 CVE-2024-42095). - commit a3bd324 - net/iucv: fix use after free in iucv_sock_close() (bsc#1228973). - commit c3ed1a0 - s390/sclp: Fix sclp_init() cleanup on failure (bsc#1228579 CVE-2024-41068). - commit a8db9f2 - config.sh: generate and install compile_commands.json (bsc#1228971) This file contains the command line options used to compile every C file. It's useful for the livepatching team. - kernel-binary: generate and install compile_commands.json (bsc#1228971) This file contains the command line options used to compile every C file. It's useful for the livepatching team. - commit 15eff3e - irqdomain: Fixed unbalanced fwnode get and put (git-fixes). - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline (git-fixes). - genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware (git-fixes). - genirq/matrix: Exclude managed interrupts in irq_matrix_allocated() (git-fixes). - commit 592adb3 - selftests/bpf: Test pinning bpf timer to a core (bsc#1228531 CVE-2024-41045). - Refresh patches.suse/selftests-bpf-Test-racing-between-bpf_timer_cancel_a.patch - commit 1026c30 - bpf: Add ability to pin bpf timer to calling CPU (bsc#1228531 CVE-2024-41045). - commit 060adb3 - power: supply: qcom_battmgr: return EAGAIN when firmware service is not up (git-fixes). - power: supply: axp288_charger: Round constant_charge_voltage writes down (git-fixes). - power: supply: axp288_charger: Fix constant_charge_voltage writes (git-fixes). - commit 5ff04d3 - selftests/bpf: Add timer lockup selftest (bsc#1228531 CVE-2024-41045). - bpf: Defer work in bpf_timer_cancel_and_free (bsc#1228531 CVE-2024-41045). - bpf: Fail bpf_timer_cancel when callback is being cancelled (bsc#1228531 CVE-2024-41045). - bpf: replace bpf_timer_cancel_and_free with a generic helper (bsc#1228531 CVE-2024-41045). - bpf: replace bpf_timer_set_callback with a generic helper (bsc#1228531 CVE-2024-41045). - bpf: replace bpf_timer_init with a generic helper (bsc#1228531 CVE-2024-41045). - bpf: make timer data struct more generic (bsc#1228531 CVE-2024-41045). - bpf: Check map-&gt;usercnt after timer-&gt;timer is assigned (bsc#1228531 CVE-2024-41045). - commit a65dc5b - Move upstreamed sound patches into sorted section - commit df9598d - ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx (bsc#1227182). - commit 645364b - tcp: avoid too many retransmit packets (CVE-2024-41007 bsc#1227863). - commit 8f47fe6 - mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file (CVE-2024-42138 bsc#1228500). - ice: Don't process extts if PTP is disabled (CVE-2024-42107 bsc#1228494). - ice: Fix improper extts handling (CVE-2024-42139 bsc#1228503). - net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() (CVE-2024-42110 bsc#1228501). - net: txgbe: initialize num_q_vectors for MSI/INTx interrupts (CVE-2024-42113 bsc#1228568). - bnx2x: Fix multiple UBSAN array-index-out-of-bounds (CVE-2024-42148 bsc#1228487). - net/mlx5: E-switch, Create ingress ACL when needed (CVE-2024-42142 bsc#1228491). - mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems (CVE-2024-42073 bsc#1228457). - gve: Account for stopped queues when reading NIC stats (CVE-2024-42162 bsc#1228706). - commit e94d07a - blacklist.conf: add some IRQ HANDLING ones - commit 404c094 - packaging: Add case-sensitive perl option parsing A recent change in Getopt::Long [1]: Changes in version 2.55 - ---------------------- * Fix long standing bug that duplicate options were not detected when the options differ in case while ignore_case is in effect. This will now yield a warning and become a fatal error in a future release. perl defaults to ignore_case by default, switch it off to avoid accidental misparsing of options. This was suggested after similar change in scripts/. - commit e978477 - xdp: Remove WARN() from __xdp_reg_mem_model() (bsc#1228482 CVE-2024-42082). - commit 73e7677 - arm64: jump_label: Ensure patched jump_labels are visible to all CPUs (git-fixes) - commit 2480247 - KVM: arm64: Fix clobbered ELR in sync abort/SError (git-fixes) - commit 90dba9e - bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG (git-fixes) - commit e10a18b - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process (git-fixes) - commit bae6c4b - nvme-pci: do not directly handle subsys reset fallout (bsc#1220066). - commit 2082e5f - platform/x86/intel/ifs: Initialize union ifs_status to zero (git-fixes). - commit b291cc1 - scsi: qedi: Fix crash while reading debugfs attribute (bsc#1227929 CVE-2024-40978). - block/ioctl: prefer different overflow check (bsc#1227867 CVE-2024-41000). - commit 4cc5e60 - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() (CVE-2024-40995 bsc#1227830). - commit 0580a17 - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN (git-fixes). - RDMA/mana_ib: Use virtual address in dma regions for MRs (git-fixes). - commit 9336dc6 - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD (bsc#1228756 CVE-2024-42161). - commit 64d3ad2 - ASoC: topology: Fix route memory corruption (CVE-2024-41069 bsc#1228644). - ASoC: topology: Clean up route loading (CVE-2024-41069 bsc#1228644). - commit 30d44d4 - md-cluster: keeping kabi compatibility for upstream commit 35a0a409fa26 (bsc#1223395). - md-cluster: fix no recovery job when adding/re-adding a disk (bsc#1223395). - md-cluster: fix hanging issue while a new disk adding (bsc#1223395). - commit dac906f - tools/perf: Fix timing issue with parallel threads in perf bench wake-up-parallel (bsc#1227747). - tools/perf: Fix perf bench epoll to enable the run when some CPU's are offline (bsc#1227747). - tools/perf: Fix perf bench futex to enable the run when some CPU's are offline (bsc#1227747). - commit 7bc1e4f - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap() (bsc#1194869). - KVM: PPC: Book3S HV: Fix the set_one_reg for MMCR3 (bsc#1194869). - commit f36d7ca - KVM: PPC: Book3S HV: Handle pending exceptions on guest entry with MSR_EE (bsc#1215199). - commit 6051d0b - blacklist.conf: KVM PPC APIv2 enablement not included. - commit b36c39a - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet (CVE-2024-39506 bsc#1227729). - commit 6f4e943 - kabi/severity: add nvme common code The nvme common code is also allowed to change the data structures, there are only internal users. - commit 3abdbd5 - apparmor: unpack transition table if dfa is not present (bsc#1226031). - commit 10a598f - scsi: lpfc: Update lpfc version to 14.4.0.3 (bsc#1228857). - scsi: lpfc: Revise lpfc_prep_embed_io routine with proper endian macro usages (bsc#1228857). - scsi: lpfc: Fix incorrect request len mbox field when setting trunking via sysfs (bsc#1228857). - scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info (bsc#1228857). - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (bsc#1228857). - scsi: lpfc: Relax PRLI issue conditions after GID_FT response (bsc#1228857). - scsi: lpfc: Allow DEVICE_RECOVERY mode after RSCN receipt if in PRLI_ISSUE state (bsc#1228857). - scsi: lpfc: Cancel ELS WQE instead of issuing abort when SLI port is inactive (bsc#1228857). - commit c4b9763 - scsi: qla2xxx: Convert comma to semicolon (bsc#1228850). - scsi: qla2xxx: Update version to 10.02.09.300-k (bsc#1228850). - scsi: qla2xxx: Use QP lock to search for bsg (bsc#1228850). - scsi: qla2xxx: Reduce fabric scan duplicate code (bsc#1228850). - scsi: qla2xxx: Fix optrom version displayed in FDMI (bsc#1228850). - scsi: qla2xxx: During vport delete send async logout explicitly (bsc#1228850). - scsi: qla2xxx: Complete command early within lock (bsc#1228850). - scsi: qla2xxx: Fix flash read failure (bsc#1228850). - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds (bsc#1228850). - scsi: qla2xxx: Fix for possible memory corruption (bsc#1228850). - scsi: qla2xxx: validate nvme_local_port correctly (bsc#1228850). - scsi: qla2xxx: Unable to act on RSCN for port online (bsc#1228850). - scsi: qla2xxx: Remove unused struct 'scsi_dif_tuple' (bsc#1228850). - scsi: qla2xxx: Fix debugfs output for fw_resource_count (bsc#1228850). - scsi: qla2xxx: Indent help text (bsc#1228850). - scsi: qla2xxx: Drop driver owner assignment (bsc#1228850). - scsi: qla2xxx: Avoid possible run-time warning with long model_num (bsc#1228850). - string.h: Introduce memtostr() and memtostr_pad() (bsc#1228849). - commit 072d194 - nvme-pci: add missing condition check for existence of mapped data (git-fixes). - nvme-pci: Fix the instructions for disabling power management (git-fixes). - nvmet-auth: fix nvmet_auth hash error handling (git-fixes). - nvmet: make 'tsas' attribute idempotent for RDMA (git-fixes). - nvme: fixup comment for nvme RDMA Provider Type (git-fixes). - nvmet: do not return 'reserved' for empty TSAS values (git-fixes). - nvme: fix NVME_NS_DEAC may incorrectly identifying the disk as EXT_LBA (git-fixes). - nvmet: always initialize cqe.result (git-fixes). - nvme: avoid double free special payload (git-fixes). - nvmet: fix a possible leak when destroy a ctrl during qp establishment (git-fixes). - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset (git-fixes). - nvme-multipath: find NUMA path only for online numa-node (git-fixes). - commit 7935501 - check-for-config-changes: ignore also GCC_ASM_GOTO_OUTPUT_BROKEN Mainline commit f2f6a8e88717 (&quot;init/Kconfig: remove CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND&quot;) replaced GCC_ASM_GOTO_OUTPUT_WORKAROUND with GCC_ASM_GOTO_OUTPUT_BROKEN. Ignore both when checking config changes. - commit b60be3e - RDMA: Fix netdev tracker in ib_device_set_netdev (git-fixes) - commit 3130571 - bnxt_re: Fix imm_data endianness (git-fixes) - commit 49ce7dd - RDMA/hns: Fix mbx timing out before CMD execution is completed (git-fixes) - commit 09de886 - RDMA/hns: Fix insufficient extend DB for VFs. (git-fixes) - commit 9e511e1 - RDMA/hns: Fix undifined behavior caused by invalid max_sge (git-fixes) - commit 75c8a8f - RDMA/hns: Fix shift-out-bounds when max_inline_data is 0 (git-fixes) - commit f76d2ac - RDMA/hns: Fix missing pagesize and alignment check in FRMR (git-fixes) - commit 3200c5d - RDMA/hns: Fix unmatch exception handling when init eq table fails (git-fixes) - commit 1c3f5bc - RDMA/hns: Fix soft lockup under heavy CEQE load (git-fixes) - commit bae3b01 - RDMA/hns: Check atomic wr length (git-fixes) - commit 53b999f - RDMA/device: Return error earlier if port in not valid (git-fixes) - commit 1a6c9cf - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs (git-fixes) - commit ecbc61e - RDMA/mlx4: Fix truncated output warning in alias_GUID.c (git-fixes) - commit 9a0a984 - RDMA/mlx4: Fix truncated output warning in mad.c (git-fixes) - commit e923a91 - RDMA/cache: Release GID table even if leak is detected (git-fixes) - commit e73316e - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE (git-fixes) - commit ee50dd0 - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs (git-fixes) - commit 6b71029 - IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145) - commit 673df57 - xfs: convert comma to semicolon (git-fixes). - commit 8f18daf - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() (git-fixes). - commit 1aa4511 - kABI workaround for sound core UMP conversion (stable-fixes). - commit b9e008a - ALSA: seq: ump: Explicitly reset RPN with Null RPN (stable-fixes). - ALSA: seq: ump: Transmit RPN/NRPN message at each MSB/LSB data reception (stable-fixes). - ALSA: seq: ump: Use the common RPN/bank conversion context (stable-fixes). - ALSA: ump: Explicitly reset RPN with Null RPN (stable-fixes). - ALSA: ump: Transmit RPN/NRPN message at each MSB/LSB data reception (stable-fixes). - commit 508da4c - kabi/severities: ignore kABI for FireWire sound local symbols (bsc#1208783) - commit 041506f - Drop doubly put References tags in sound patches - commit 92b6eba - Revert &quot;ALSA: firewire-lib: operate for period elapse event in process context&quot; (bsc#1208783). - commit 2045d7f - Revert &quot;ALSA: firewire-lib: obsolete workqueue for period update&quot; (bsc#1208783). - commit 09a87ea - spi: microchip-core: switch to use modern name (stable-fixes). - Refresh patches.suse/spi-microchip-core-defer-asserting-chip-select-until.patch. - commit 31d15b3 - spi: microchip-core: fix init function not setting the master and motorola modes (git-fixes). - drm/amdgpu: reset vm state machine after gpu reset(vram lost) (stable-fixes). - drm/amd/display: Check for NULL pointer (stable-fixes). - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell (stable-fixes). - efi/libstub: Zero initialize heap allocated struct screen_info (git-fixes). - PCI: loongson: Enable MSI in LS7A Root Complex (stable-fixes). - dev/parport: fix the array out-of-bounds risk (stable-fixes). - clk: qcom: kpss-xcc: Return of_clk_add_hw_provider to transfer the error (git-fixes). - clk: qcom: Park shared RCGs upon registration (git-fixes). - clk: qcom: gpucc-sa8775p: Update wait_val fields for GPU GDSC's (git-fixes). - clk: qcom: gpucc-sa8775p: Park RCG's clk source at XO during disable (git-fixes). - clk: qcom: gpucc-sa8775p: Remove the CLK_IS_CRITICAL and ALWAYS_ON flags (git-fixes). - clk: qcom: gcc-sa8775p: Update the GDSC wait_val fields and flags (git-fixes). - clk: qcom: gpucc-sm8350: Park RCG's clk source at XO during disable (git-fixes). - clk: qcom: camcc-sc7280: Add parent dependency to all camera GDSCs (git-fixes). - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock (git-fixes). - clk: en7523: fix rate divider for slic and spi clocks (git-fixes). - drm/etnaviv: don't block scheduler when GPU is still active (stable-fixes). - media: uvcvideo: Add quirk for invalid dev_sof in Logitech C920 (git-fixes). - media: uvcvideo: Quirk for invalid dev_sof in Logitech C922 (stable-fixes). - ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error (stable-fixes). - ata: libata-scsi: Do not overwrite valid sense data when CK_COND=1 (stable-fixes). - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591 (stable-fixes). - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables (stable-fixes). - wifi: rtw88: usb: Fix disconnection after beacon loss (stable-fixes). - media: uvcvideo: Disable autosuspend for Insta360 Link (stable-fixes). - sbitmap: use READ_ONCE to access map-&gt;word (stable-fixes). - Bluetooth: Add device 13d3:3572 IMC Networks Bluetooth Radio (stable-fixes). - commit 5fabaee - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G (stable-fixes). - commit ae4c81e - ALSA: hda: Conditionally use snooping for AMD HDMI (git-fixes). - ALSA: usb-audio: Correct surround channels in UAC1 channel map (git-fixes). - ALSA: seq: ump: Optimize conversions from SysEx to UMP (git-fixes). - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode (git-fixes). - drm/vmwgfx: Fix overlay when using Screen Targets (git-fixes). - drm/vmwgfx: Fix a deadlock in dma buf fence polling (git-fixes). - drm/virtio: Fix type of dma-fence context variable (git-fixes). - drm/nouveau: prime: fix refcount underflow (git-fixes). - drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll() (git-fixes). - drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro (git-fixes). - i915/perf: Remove code to update PWR_CLK_STATE for gen12 (git-fixes). - commit 581e0b5 - ptp: fix integer overflow in max_vclocks_store (bsc#1227829 CVE-2024-40994). - commit f2dc01f - Update patches.suse/79b5b4b18bc8-mlxsw-spectrum_acl_tcam-Fix-possible-use-after-free-.patch (CVE-2024-35854 bsc#1224636 CVE-2024-35855 bsc#1224694). - Update patches.suse/ACPICA-Revert-ACPICA-avoid-Info-mapping-multiple-BAR.patch (git-fixes CVE-2024-40984 bsc#1227820). - Update patches.suse/ALSA-hda-cs35l41-Possible-null-pointer-dereference-i.patch (git-fixes CVE-2024-40964 bsc#1227818). - Update patches.suse/ALSA-hda-cs35l56-Fix-lifetime-of-cs_dsp-instance.patch (git-fixes CVE-2024-39491 bsc#1227627). - Update patches.suse/Bluetooth-hci_core-Fix-possible-buffer-overflow.patch (git-fixes CVE-2024-26889 bsc#1228195). - Update patches.suse/HID-core-remove-unnecessary-WARN_ON-in-implement.patch (git-fixes CVE-2024-39509 bsc#1227733). - Update patches.suse/HID-logitech-dj-Fix-memory-leak-in-logi_dj_recv_swit.patch (git-fixes CVE-2024-40934 bsc#1227796). - Update patches.suse/KVM-SVM-WARN-on-vNMI-NMI-window-iff-NMIs-are-outrigh.patch (git-fixes CVE-2024-39483 bsc#1227494). - Update patches.suse/KVM-arm64-Fix-circular-locking-dependency.patch (bsc#1222463 (CVE-2024-26691) CVE-2024-26691). - Update patches.suse/RDMA-mlx5-Add-check-for-srq-max_sge-attribute.patch (git-fixes CVE-2024-40990 bsc#1227824). - Update patches.suse/RDMA-rxe-Fix-responder-length-checking-for-UD-reques.patch (git-fixes CVE-2024-40992 bsc#1227826). - Update patches.suse/SUNRPC-Fix-loop-termination-condition-in-gss_free_in.patch (git-fixes CVE-2024-36288 bsc#1226834). - Update patches.suse/USB-class-cdc-wdm-Fix-CPU-lockup-caused-by-excessive.patch (git-fixes CVE-2024-40904 bsc#1227772). - Update patches.suse/arm64-asm-bug-Add-.align-2-to-the-end-of-__BUG_ENTRY.patch (git-fixes CVE-2024-39488 bsc#1227618). - Update patches.suse/ata-libata-core-Fix-double-free-on-error.patch (git-fixes CVE-2024-41087 bsc#1228740). - Update patches.suse/ax25-Fix-refcount-imbalance-on-inbound-connections.patch (git-fixes CVE-2024-40910 bsc#1227832). - Update patches.suse/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch (stable-fixes CVE-2024-40981 bsc#1227864). - Update patches.suse/btrfs-zoned-allocate-dummy-checksums-for-zoned-NODAT.patch (bsc#1223731 CVE-2024-26944 CVE-2024-40962 bsc#1227815). - Update patches.suse/cachefiles-remove-requests-from-xarray-during-flushin.patch (bsc#1226588 CVE-2024-40900 bsc#1227760). - Update patches.suse/cpufreq-amd-pstate-fix-memory-leak-on-CPU-EPP-exit.patch (stable-fixes CVE-2024-40997 bsc#1227853). - Update patches.suse/crypto-hisilicon-sec-Fix-memory-leak-for-sec-resourc.patch (stable-fixes CVE-2024-41002 bsc#1227870). - Update patches.suse/crypto-qat-Fix-ADF_DEV_RESET_SYNC-memory-leak.patch (git-fixes CVE-2024-39493 bsc#1227620). - Update patches.suse/cxl-region-Fix-memregion-leaks-in-devm_cxl_add_regio.patch (git-fixes CVE-2024-40936 bsc#1227833). - Update patches.suse/drivers-core-synchronize-really_probe-and-dev_uevent.patch (git-fixes CVE-2024-39501 bsc#1227754). - Update patches.suse/drm-amdgpu-fix-UBSAN-warning-in-kv_dpm.c.patch (stable-fixes CVE-2024-40987 bsc#1228235). - Update patches.suse/drm-amdkfd-don-t-allow-mapping-the-MMIO-HDP-page-wit.patch (CVE-2024-41011 bsc#1228115 git-fixes bsc#1228114). - Update patches.suse/drm-bridge-cdns-mhdp8546-Fix-possible-null-pointer-d.patch (git-fixes CVE-2024-38548 bsc#1228202). - Update patches.suse/drm-drm_file-Fix-pid-refcounting-race.patch (git-fixes CVE-2024-39486 bsc#1227492). - Update patches.suse/drm-exynos-hdmi-report-safe-640x480-mode-as-a-fallba.patch (git-fixes CVE-2024-40916 bsc#1227846). - Update patches.suse/drm-exynos-vidi-fix-memory-leak-in-.get_modes.patch (stable-fixes CVE-2024-40932 bsc#1227828). - Update patches.suse/drm-i915-dpt-Make-DPT-object-unshrinkable.patch (git-fixes CVE-2024-40924 bsc#1227787). - Update patches.suse/drm-komeda-check-for-error-valued-pointer.patch (git-fixes CVE-2024-39505 bsc#1227728). - Update patches.suse/drm-lima-mask-irqs-in-timeout-path-before-hard-reset.patch (stable-fixes CVE-2024-40976 bsc#1227893). - Update patches.suse/drm-nouveau-don-t-attempt-to-schedule-hpd_work-on-he.patch (git-fixes CVE-2024-40926 bsc#1227791). - Update patches.suse/drm-radeon-fix-UBSAN-warning-in-kv_dpm.c.patch (stable-fixes CVE-2024-40988 bsc#1227957). - Update patches.suse/drm-shmem-helper-Fix-BUG_ON-on-mmap-PROT_WRITE-MAP_P.patch (git-fixes CVE-2024-39497 bsc#1227722). - Update patches.suse/io_uring-io-wq-Use-set_bit-and-test_bit-at-worker-fl.patch (git-fixes CVE-2024-39508 bsc#1227732). - Update patches.suse/io_uring-rsrc-don-t-lock-while-TASK_RUNNING.patch (git-fixes CVE-2024-40922 bsc#1227785). - Update patches.suse/io_uring-sqpoll-work-around-a-potential-audit-memory.patch (git-fixes CVE-2024-41001 bsc#1227869). - Update patches.suse/iommu-Return-right-value-in-iommu_sva_bind_device.patch (git-fixes CVE-2024-40945 bsc#1227802). - Update patches.suse/jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch (bsc#1227383 CVE-2024-40902 bsc#1227764). - Update patches.suse/mmc-davinci-Don-t-strip-remove-function-when-driver-.patch (git-fixes CVE-2024-39484 bsc#1227493). - Update patches.suse/nfs-Handle-error-of-rpc_proc_register-in-nfs_net_ini.patch (git-fixes CVE-2024-36939 bsc#1225838). - Update patches.suse/ocfs2-fix-races-between-hole-punching-and-AIO-DIO.patch (git-fixes CVE-2024-40943 bsc#1227849). - Update patches.suse/serial-imx-Introduce-timeout-when-waiting-on-transmi.patch (stable-fixes CVE-2024-40967 bsc#1227891). - Update patches.suse/sock_map-avoid-race-between-sock_map_close-and-sk_ps.patch (bsc#1225475 CVE-2023-52735 CVE-2024-39500 bsc#1227724). - Update patches.suse/ssb-Fix-potential-NULL-pointer-dereference-in-ssb_de.patch (stable-fixes CVE-2024-40982 bsc#1227865). - Update patches.suse/tracing-Build-event-generation-tests-only-as-modules.patch (git-fixes CVE-2024-41004 bsc#1227851). - Update patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch (git-fixes CVE-2024-26920 bsc#1228237). - Update patches.suse/usb-typec-tcpm-fix-use-after-free-case-in-tcpm_regis.patch (git-fixes CVE-2024-40903 bsc#1227766). - Update patches.suse/vmci-prevent-speculation-leaks-by-sanitizing-event-i.patch (git-fixes CVE-2024-39499 bsc#1227725). - Update patches.suse/wifi-ath11k-rely-on-mac80211-debugfs-handling-for-vi.patch (bsc#1227149 CVE-2024-26637 bsc#1221652). - Update patches.suse/wifi-cfg80211-Lock-wiphy-in-cfg80211_get_station.patch (git-fixes CVE-2024-40911 bsc#1227792). - Update patches.suse/wifi-cfg80211-detect-stuck-ECSA-element-in-probe-res.patch (bsc#1227149 CVE-2024-26683 bsc#1222434). - Update patches.suse/wifi-cfg80211-validate-HE-operation-element-parsing.patch (bsc#1227149 CVE-2024-40930 bsc#1228236). - Update patches.suse/wifi-iwlwifi-Use-request_module_nowait.patch (bsc#1227149 CVE-2024-36970 bsc#1226127). - Update patches.suse/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch (git-fixes CVE-2024-40929 bsc#1227774). - Update patches.suse/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch (git-fixes CVE-2024-40941 bsc#1227771). - Update patches.suse/wifi-iwlwifi-mvm-pick-the-version-of-SESSION_PROTECT.patch (bsc#1227149 CVE-2024-35913 bsc#1224485). - Update patches.suse/wifi-mac80211-Fix-deadlock-in-ieee80211_sta_ps_deliv.patch (git-fixes CVE-2024-40912 bsc#1227790). - Update patches.suse/wifi-mac80211-improve-CSA-ECSA-connection-refusal.patch (bsc#1227149 CVE-2024-26682 bsc#1222433). - Update patches.suse/wifi-mac80211-mesh-Fix-leak-of-mesh_preq_queue-objec.patch (git-fixes CVE-2024-40942 bsc#1227770). - Update patches.suse/wifi-mt76-connac-check-for-null-before-dereferencing.patch (bsc#1227149 CVE-2024-38609 bsc#1226751). - Update patches.suse/wifi-mt76-mt7921s-fix-potential-hung-tasks-during-ch.patch (stable-fixes CVE-2024-40977 bsc#1227950). - Update patches.suse/wifi-mt76-mt7925e-fix-use-after-free-in-free_irq.patch (bsc#1227149 CVE-2024-27049 bsc#1223763). - Update patches.suse/wifi-mt76-mt7996-fix-potential-memory-leakage-when-r.patch (bsc#1227149 CVE-2024-38563 bsc#1226743). - Update patches.suse/x86-kexec-Fix-bug-with-call-depth-tracking.patch (git-fixes CVE-2024-40944 bsc#1227883). - Update patches.suse/xhci-Handle-TD-clearing-for-multiple-streams-case.patch (git-fixes CVE-2024-40927 bsc#1227816). - commit 2cd72fd - Update patches.suse/SUNRPC-Fix-UAF-in-svc_tcp_listen_data_ready.patch (bsc#1012628 CVE-2023-52885 bsc#1227750). - Update patches.suse/USB-core-Fix-race-by-not-overwriting-udev-descriptor.patch (bsc#1213123 CVE-2023-37453 CVE-2023-52886 bsc#1227981). - Update patches.suse/btrfs-zoned-fix-lock-ordering-in-btrfs_zone_activate.patch (bsc#1223731 CVE-2024-26944 CVE-2023-52668 bsc#1224690). - Update patches.suse/wifi-ath12k-fix-the-error-handler-of-rfkill-config.patch (bsc#1227149 CVE-2023-52688 bsc#1224631). - commit 0637df8 - scsi: qedf: Make qedf_execute_tmf() non-preemptible (CVE-2024-42124 bsc#1228705) - commit a8638c5 - x86: stop playing stack games in profile_pc() (bsc#1228633 CVE-2024-42096). - commit 5c85064 - net: dsa: mv88e6xxx: Correct check for empty list (CVE-2024-42224 bsc#1228723) - commit 48e8710 - skmsg: Skip zero length skb in sk_msg_recvmsg (CVE-2024-41048 bsc#1228565) - commit 1a6942b - netns: Make get_net_ns() handle zero refcount net (CVE-2024-40958 bsc#1227812). - commit f6c7d72 - nvme_core: scan namespaces asynchronously (bsc#1224105). - commit e6f41be - net: wwan: iosm: Fix tainted pointer delete is case of region creation fail (CVE-2024-40939 bsc#1227799). - commit 0b93a9f - nsh: Restore skb-&gt;{protocol,data,mac_header} for outer header in nsh_gso_segment() (CVE-2024-36933 bsc#1225832). - commit 6740d82 - blacklist.conf: Add 943ad0b62e3c kernel: rerun task_work while freezing in get_signal() and related io_uring fix. - commit ead5c32 - net: core: reject skb_copy(_expand) for fraglist GSO skbs (CVE-2024-36929 bsc#1225814). - commit e49ed10 - blacklist.conf: Add 7a4479680d7f cgroup_misc: add kernel-doc comments for enum misc_res_type - commit fe05fa4 - cgroup/cpuset: Prevent UAF in proc_cpuset_show() (bsc#1228801). - commit 8707a09 - Drop MD patches that caused dependency cycles Also the patch was placed in a wrong directory. Deleted: patches.kabi/0002-md-cluster-fix-no-recovery-job-when-adding-re-adding.patch patches.suse/0001-md-cluster-fix-hanging-issue-while-a-new-disk-adding.patch - commit f696a5b - net: phy: micrel: Fix the KSZ9131 MDI-X status issue (git-fixes). - Bluetooth: hci_sync: Fix suspending with wrong filter policy (git-fixes). - Bluetooth: btintel: Fail setup on error (git-fixes). - wifi: ath12k: fix soft lockup on suspend (git-fixes). - wifi: cfg80211: fix reporting failed MLO links status with cfg80211_connect_done (git-fixes). - wifi: mac80211: use monitor sdata with driver only if desired (git-fixes). - net: phy: realtek: add support for RTL8366S Gigabit PHY (git-fixes). - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read (git-fixes). - commit f33a0c2 - ppp: reject claimed-as-LCP but actually malformed packets (CVE-2024-41044 bsc#1228530). - ibmvnic: Add tx check to prevent skb leak (CVE-2024-41066 bsc#1228640). - net/dpaa2: Avoid explicit cpumask var allocation on stack (CVE-2024-42093 bsc#1228680). - commit 960e23f - drm/amd/display: Add NULL pointer check for kzalloc (bsc#1228591 CVE-2024-42122) - commit 22c79c5 - workqueue: Improve scalability of workqueue watchdog touch (bsc#1193454). - commit 3c83768 - workqueue: wq_watchdog_touch is always called with valid CPU (bsc#1193454). - commit 5cd5767 - btrfs: qgroup: fix quota root leak after quota disable failure (bsc#1228655 CVE-2024-41078). - commit d598dd5 - KVM: arm64: Disassociate vcpus from redistributor region on teardown (CVE-2024-40989 bsc#1227823). - commit 8e9651c - powerpc/eeh: avoid possible crash when edev-&gt;pdev changes (CVE-2024-41064 bsc#1228599). - commit 2510511 - net: ks8851: Fix deadlock with the SPI chip variant (CVE-2024-41036 bsc#1228496) - commit 3cf617f - net/sched: Fix UAF when resolving a clash (CVE-2024-41040 bsc#1228518) - commit dea6a81 - btrfs: make sure that WRITTEN is set on all metadata blocks (CVE-2024-35949 bsc#1224700) Changes: adjust returned error codes to -EUCLEAN and drop definition of the enum error. - commit 7880179 - ila: block BH in ila_output() (CVE-2024-41081 bsc#1228617) - commit b832793 - NFSv4: Fix memory leak in nfs4_set_security_label (CVE-2024-41076 bsc#1228649) - commit c2db2a8 - gfs2: Fix NULL pointer dereference in gfs2_log_flush (bsc#1228672 CVE-2024-42079). - commit 61cd0c5 - Update patch reference for ASoC fix (CVE-2024-41069 bsc#1228644) - commit bc5c8af - Update patches.suse/nilfs2-fix-inode-number-range-checks.patch (stable-fixes bsc#1228665 CVE-2024-42105). - commit c8d5b4d - Update patches.suse/hfsplus-fix-uninit-value-in-copy_name.patch (git-fixes bsc#1228561 CVE-2024-41059). - commit f1238d0 - cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() (bsc#1228462 CVE-2024-41057). - cachefiles: fix slab-use-after-free in fscache_withdraw_volume() (bsc#1228459 CVE-2024-41058). - netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume() (bsc#1228459 bsc#1228462). - commit a80ddf3 - platform/chrome: cros_ec_proto: Lock device when updating MKBP version (git-fixes). - commit ab277a6 - ocfs2: add bounds checking to ocfs2_check_dir_entry() (bsc#1228409 CVE-2024-41015). - ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() (bsc#1228410). - ocfs2: add bounds checking to ocfs2_xattr_find_entry() (bsc#1228410 CVE-2024-41016). - commit ec6fa65 - platform/chrome: cros_ec_proto: Lock device when updating MKBP version (git-fixes). - commit d441a76 - Update patch reference of dmaengine fix (CVE-2024-40956 bsc#1227810) - commit d7e764c - vfio/pci: Disable auto-enable of exclusive INTx IRQ (bsc#1222625 CVE-2024-27437). - commit de8901b - mm: vmalloc: check if a hash-index is in cpu_possible_mask (CVE-2024-41032 bsc#1228460) - commit 9b04845 - seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors (CVE-2024-40957 bsc#1227811) - commit a8ab7dd - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port() (CVE-2024-41041 bsc#1228520) - commit 74b98cc - net: do not leave a dangling sk pointer, when socket creation fails (CVE-2024-40954 bsc#1227808) - commit 5ea4aa9 - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (CVE-2024-42070 bsc#1228470) - commit 3ac6386 - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() (bsc#1228581 CVE-2024-41070). - commit 89912c7 - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() (CVE-2024-40959 bsc#1227884). - commit 3a174d1 - Update config files. Disable vdpa drivers for Alibaba ENI and SolidNET (jsc#PED-8954, bsc#1227834) - commit 9287d7f - selftests/bpf: Extend tcx tests to cover late tcx_entry release (bsc#1228021 CVE-2024-41010). - bpf: Fix too early release of tcx_entry (bsc#1228021 CVE-2024-41010). - commit 57180df - selftests/bpf: Add more ring buffer test coverage (bsc#1228020 CVE-2024-41009). - bpf: Fix overrunning reservations in ringbuf (bsc#1228020 CVE-2024-41009). - commit cd82cf6 - md-cluster: fix no recovery job when adding/re-adding a disk (bsc#1223395). - md-cluster: fix hanging issue while a new disk adding (bsc#1223395). - commit d3c6e61 - rpm/guards: fix precedence issue with control flow operator With perl 5.40 it report the following error on rpm/guards script: Possible precedence issue with control flow operator (exit) at scripts/guards line 208. Fix the issue by adding parenthesis around ternary operator. - commit dfba20e - blacklist.conf: Add 9c573cd31343 randomize_kstack: Improve entropy diffusion - commit 095be15 - blacklist.conf: kABI - commit 1dd3f93 - blacklist.conf: spelling fix in comment - commit de0ca0a - blacklist.conf: cleanup, no code change - commit 19384b6 - blacklist.conf: pure cleanup - commit 21ff021 - blacklist.conf: pure cleanup - commit fef6015 Package util-linux was updated: - Skip aarch64 decode path for rest of the architectures (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch). Package curl was updated: - Make special characters in URL work with aws-sigv4 [bsc#1230516] * aws-sigv4: url encode the canonical path [768909d8] * Add upstream patch: - curl-aws_sigv4-url-encode-the-canonical-path.patch - Security fix: [bsc#1230093, CVE-2024-8096] * curl: OCSP stapling bypass with GnuTLS * Add curl-CVE-2024-8096.patch Package expat was updated: - Security fix (bsc#1229932, CVE-2024-45492): detect integer overflow in function nextScaffoldPart * Added expat-CVE-2024-45492.patch - Security fix (bsc#1229931, CVE-2024-45491): detect integer overflow in dtdCopy * Added expat-CVE-2024-45491.patch - Security fix (bsc#1229930, CVE-2024-45490): reject negative len for XML_ParseBuffer * Added expat-CVE-2024-45490.patch Package ncurses was updated: - Add patch ncurses-6.1-boo1229028.patch (boo#1229028) * Allow that terminal description based on static fallback entries can be freed. Package openssl-3 was updated: - Security fix: [bsc#1230698, CVE-2024-41996] * Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used * Added openssl-3-CVE-2024-41996.patch Package libpcap was updated: - enable rdma support (bsc#1230894) - Security fix: [bsc#1230034, CVE-2024-8006] * libpcap: NULL pointer derefence in pcap_findalldevs_ex() * Add libpcap-CVE-2024-8006.patch - Security fix: [bsc#1230020, CVE-2023-7256] * libpcap: double free via addrinfo in sock_initaddress() * Add libpcap-CVE-2023-7256.patch Package python3 was updated: - Add CVE-2024-6232-ReDOS-backtrack-tarfile.patch prevent ReDos via excessive backtracking while parsing header values (bsc#1230227, CVE-2024-6232). - Add CVE-2024-5642-switch-off-NPN.patch switching off the NPN support eliminating bsc#1227233 (CVE-2024-5642). - Add CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, CVE-2024-6923). - Add CVE-2024-7592-quad-complex-cookies.patch fixing quadratic complexity in parsing cookies with backslashes (bsc#1229596, CVE-2024-7592) - %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999) - Remove %suse_update_desktop_file macro as it is not useful any more. - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378). Package libsolv was updated: - removed dependency on external find program in the repo2solv tool- bindings: fix return value of repodata.add_solv() - new SOLVER_FLAG_FOCUS_NEW flag - bump version to 0.7.30 Package systemd was updated: - Import commit 44943af96be1422c2d7bdf271e4a77b42f4b41ec (merge of v254.18) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/51fd0b7b9d11bb932370f4bcc3e849f8c0b3bc06...44943af96be1422c2d7bdf271e4a77b42f4b41ec - Add 5003-99-systemd.rules-rework-SYSTEMD_READY-logic-for-devi.patch (bsc#1229518) - Import commit 51fd0b7b9d11bb932370f4bcc3e849f8c0b3bc06 0512d0d1fc cgroup: Rename effective limits internal table (jsc#PED-5659) 765846b70b cgroup: Restrict effective limits with global resource provision (jsc#PED-5659) e29909088b test: Add effective cgroup limits testing (jsc#PED-5659) beacac6df0 test: Convert rlimit test to subtest of generic limit testing (jsc#PED-5659) e3b789e512 cgroup: Add EffectiveMemoryMax=, EffectiveMemoryHigh= and EffectiveTasksMax= properties (jsc#PED-5659) 5aa063ae16 bus-print-properties: prettify more unset properties a53122c9bd bus-print-properties: ignore CGROUP_LIMIT_MAX for Memory*{Current, Peak} 8418791441 cgroup: rename TasksMax structure to CGroupTasksMax - Drop 5003-cgroup-rename-TasksMax-structure-to-CGroupTasksMax.patch 5004-bus-print-properties-ignore-CGROUP_LIMIT_MAX-for-Mem.patch 5005-bus-print-properties-prettify-more-unset-properties.patch 5006-cgroup-Add-EffectiveMemoryMax-EffectiveMemoryHigh-an.patch 5007-test-Convert-rlimit-test-to-subtest-of-generic-limit.patch 5008-test-Add-effective-cgroup-limits-testing.patch 5009-cgroup-Restrict-effective-limits-with-global-resourc.patch 5010-cgroup-Rename-effective-limits-internal-table.patch These patches have been merged in the SUSE/254 branch. - Don't try to restart the udev socket units anymore (bsc#1228809) There's currently no way to restart a socket activable service and its socket units &quot;atomically&quot; and safely. - Make the 32bit version of libudev.so available again (bsc#1228223) The symlink for building 32bit applications was mistakenly dropped when the content of libudev-devel was merged into systemd-devel. Provide the 32bit flavor of systemd-devel again, which should restore the plug and play support in Wine for 32bit windows applications. - Import commit cbad4b6dbbec36616c04f2d26e2e568936c789ab (merge of v254.17) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/2ef89364315e1ca71606768f1bb4d63aaee66209...cbad4b6dbbec36616c04f2d26e2e568936c789ab - Import commit 2ef89364315e1ca71606768f1bb4d63aaee66209 (merge of v254.16) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/957aeb6452837326866e1f89092e6d0e0665fc10...2ef89364315e1ca71606768f1bb4d63aaee66209 - Don't mention any rpm macros inside comments, even if escaped (bsc#1228091) Otherwise pesign-obs-integration ends up re-packaging systemd with all macros inside comments unescaped leading to unpredictable behavior. Now why rpm expands rpm macros inside comments is the question... Package libzypp was updated: - Deprecate librpmDb::db_const_iterator default ctor (bsc#1230267) It's preferred to explicitly tell the root directory of the system whose database you want to query. - version 17.35.11 (35) - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - Conflicts: zypper &lt;= 1.14.76 - version 17.35.10 (35) - single_rpmtrans: fix installation of .src.rpms (bsc#1228647) - version 17.35.9 (35) - Make sure not to statically linked installed tools (bsc#1228787) - version 17.35.8 (35) - MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208) - version 17.35.7 (35) - Export CredentialManager for legacy YAST versions (bsc#1228420) - version 17.35.6 (35) - Export asSolvable for YAST (bsc#1228420) - Fix 4 typos in zypp.conf. - version 17.35.5 (35) - Fix typo in the geoip update pipeline (bsc#1228206) - Export RepoVariablesStringReplacer for yast2 (bsc#1228138) - version 17.35.4 (35) - Translation: updated .pot file. - Conflict with python zypp-plugin &lt; 0.6.4 (bsc#1227793) Older zypp-plugins reject stomp headers including a '-'. Like the 'content-length' header we may send. - Fix int overflow in Provider (fixes #559) This patch fixes an issue in safe_strtonum which caused timestamps to overflow in the Provider message parser. - Fix error reporting on repoindex.xml parse error (bsc#1227625) - version 17.35.3 (35) - Keep UrlResolverPlugin API public (fixes #560) - Blacklist /snap executables for 'zypper ps' (bsc#1226014) - Fix handling of buddies when applying locks (bsc#1225267) Buddy pairs (like -release package and product) internally share the same status object. When applying locks from query results the locked bit must be set if either item is locked. - version 17.35.2 (35) - Install zypp/APIConfig.h legacy include (fixes #557) - version 17.35.1 (35) - Update soname due to RepoManager refactoring and cleanup. - version 17.35.0 (35) - Workaround broken libsolv-tools-base requirements (fixes openSUSE/zypper#551) - Strip ssl_clientkey from repo urls (bsc#1226030) - Remove protobuf build dependency. - Lazily attach medium during refresh workflows (bsc#1223094) - Refactor RepoManager and add Service workflows. - version 17.34.2 (34) Package logrotate was updated: - Backport 'ignoreduplicates' configuration flag (jsc#PED-10366) * Added patch logrotate-ignore-duplicates.patch * Allows log processing with duplicate logfile matches Package makedumpfile was updated: - don't reserve disk space for flattened format (bsc#1226183) * Add make-reserve_diskspace-do-nothing-for-flattened-form.patch Package pam-config was updated: - Change check for existence of modules. If we have a biarch architecture, we check that the 64bit PAM module is there and report an error if not. For the 32bit variant, we only issue a warning. [pam-config-change-check-for-existence-of-modules.patch, bsc#1227216] Package perl-Bootloader was updated: - merge gh#openSUSE/perl-bootloader#176- handle missing grub_installdevice on powerpc (bsc#1230070) - 1.8.2 Package rsyslog was updated: - restart daemon after update at the end of the transaction (bsc#1230984) Package runc was updated: [ This was only ever released for SLES and Leap. ]- Update to runc v1.1.14. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.14&gt;. Includes the patch for CVE-2024-45310. bsc#1230092 - Rebase patches: * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch Package suseconnect-ng was updated: - Update version to 1.12: - Set the filesystem root on zypper when given (bsc#1230229,bsc#1229014) Package zypper was updated: - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - BuildRequires: libzypp-devel &gt;= 17.35.10. - Fix wrong numbers used in CommitSummary skipped/failed messages. - version 1.14.77 - Show rpm install size before installing (bsc#1224771) If filesystem snapshots are taken before the installation (e.g. by snapper) no disk space is freed by removing old packages. In this case the install size of all packages is a hint how much additional disk space is needed by the new packages static content. - version 1.14.76 - Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly (bsc#1227205) - version 1.14.75 - Let_readline_abort_on_Ctrl-C (bsc#1226493) - packages: add '--system' to show @System packages (bsc#222971) - version 1.14.74 - Fixed check for outdated repo metadata as non-root user (bsc#1222086) - BuildRequires: libzypp-devel &gt;= 17.33.0. - Delay zypp lock until command options are parsed (bsc#1223766) - version 1.14.73 - Unify message format(fixes #485) - version 1.14.72 - switch cmake build type to RelWithDebInfo - modernize spec file (remove Authors section, use proper macros, remove redundant clean section, don't mark man pages as doc) - switch to -O2 -fvisibility=hidden -fpie: * PIC is not needed as no shared lib is built * fstack-protector-strong is default on modern dists and would be downgraded by fstack-protector * default visibility hidden allows better optimisation * O2 is reducing inlining bloat - &gt; 18% reduced binary size - remove procps requires (was only for ZMD which is dropped) (jsc#PED-8153) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-chost-byos-v20241004-arm64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 containerd-1.7.21-150000.117.1 containerd-ctr-1.7.21-150000.117.1 dracut-059+suse.541.g3c2df232-150600.3.11.2 e2fsprogs-1.47.0-150600.4.6.2 fipscheck-1.7.0-150600.3.3.2 glibc-2.38-150600.14.11.2 glibc-locale-2.38-150600.14.11.2 glibc-locale-base-2.38-150600.14.11.2 grub2-2.12-150600.8.6.1 grub2-arm64-efi-2.12-150600.8.6.1 kernel-default-6.4.0-150600.23.22.1 libblkid1-2.39.3-150600.4.12.2 libcom_err2-1.47.0-150600.4.6.2 libcurl4-8.6.0-150600.4.9.2 libexpat1-2.4.4-150400.3.22.1 libext2fs2-1.47.0-150600.4.6.2 libfdisk1-2.39.3-150600.4.12.2 libfipscheck1-1.7.0-150600.3.3.2 libmount1-2.39.3-150600.4.12.2 libncurses6-6.1-150000.5.27.1 libopenssl3-3.1.4-150600.5.18.1 libpcap1-1.10.4-150600.3.6.2 libpython3_6m1_0-3.6.15-150300.10.72.1 libsmartcols1-2.39.3-150600.4.12.2 libsolv-tools-base-0.7.30-150600.8.2.1 libsystemd0-254.18-150600.4.15.10 libudev1-254.18-150600.4.15.10 libuuid1-2.39.3-150600.4.12.2 libzypp-17.35.11-150600.3.24.1 logrotate-3.18.1-150400.3.10.1 makedumpfile-1.7.4-150600.3.3.2 ncurses-utils-6.1-150000.5.27.1 openssl-3-3.1.4-150600.5.18.1 pam-config-1.1-150600.16.3.1 perl-Bootloader-1.8.2-150600.3.3.1 python3-3.6.15-150300.10.72.1 python3-base-3.6.15-150300.10.72.1 rsyslog-8.2406.0-150600.12.6.2 rsyslog-module-relp-8.2406.0-150600.12.6.2 runc-1.1.14-150000.70.1 suseconnect-ng-1.12.0-150600.3.8.2 systemd-254.18-150600.4.15.10 terminfo-6.1-150000.5.27.1 terminfo-base-6.1-150000.5.27.1 udev-254.18-150600.4.15.10 util-linux-2.39.3-150600.4.12.2 util-linux-systemd-2.39.3-150600.4.12.2 zypper-1.14.77-150600.10.11.2 containerd-1.7.21-150000.117.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 containerd-ctr-1.7.21-150000.117.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 dracut-059+suse.541.g3c2df232-150600.3.11.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 e2fsprogs-1.47.0-150600.4.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 fipscheck-1.7.0-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 glibc-2.38-150600.14.11.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 glibc-locale-2.38-150600.14.11.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 glibc-locale-base-2.38-150600.14.11.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 grub2-2.12-150600.8.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 grub2-arm64-efi-2.12-150600.8.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 kernel-default-6.4.0-150600.23.22.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libblkid1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libcom_err2-1.47.0-150600.4.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libcurl4-8.6.0-150600.4.9.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libexpat1-2.4.4-150400.3.22.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libext2fs2-1.47.0-150600.4.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libfdisk1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libfipscheck1-1.7.0-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libmount1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libncurses6-6.1-150000.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libopenssl3-3.1.4-150600.5.18.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libpcap1-1.10.4-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libpython3_6m1_0-3.6.15-150300.10.72.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libsmartcols1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libsolv-tools-base-0.7.30-150600.8.2.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libsystemd0-254.18-150600.4.15.10 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libudev1-254.18-150600.4.15.10 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libuuid1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 libzypp-17.35.11-150600.3.24.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 logrotate-3.18.1-150400.3.10.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 makedumpfile-1.7.4-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 ncurses-utils-6.1-150000.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 openssl-3-3.1.4-150600.5.18.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 pam-config-1.1-150600.16.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 perl-Bootloader-1.8.2-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 python3-3.6.15-150300.10.72.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 python3-base-3.6.15-150300.10.72.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 rsyslog-8.2406.0-150600.12.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 rsyslog-module-relp-8.2406.0-150600.12.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 runc-1.1.14-150000.70.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 suseconnect-ng-1.12.0-150600.3.8.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 systemd-254.18-150600.4.15.10 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 terminfo-6.1-150000.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 terminfo-base-6.1-150000.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 udev-254.18-150600.4.15.10 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 util-linux-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 util-linux-systemd-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 zypper-1.14.77-150600.10.11.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64 An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c. CVE-2023-37453 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it. CVE-2023-45142 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:containerd-1.7.21-150000.117.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:containerd-ctr-1.7.21-150000.117.1 important OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. CVE-2023-47108 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:containerd-1.7.21-150000.117.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:containerd-ctr-1.7.21-150000.117.1 important In the Linux kernel, the following vulnerability has been resolved: mm/sparsemem: fix race in accessing memory_section->usage The below race is observed on a PFN which falls into the device memory region with the system memory configuration where PFN's are such that [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end pfn contains the device memory PFN's as well, the compaction triggered will try on the device memory PFN's too though they end up in NOP(because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When from other core, the section mappings are being removed for the ZONE_DEVICE region, that the PFN in question belongs to, on which compaction is currently being operated is resulting into the kernel crash with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1]. compact_zone() memunmap_pages ------------- --------------- __pageblock_pfn_to_page ...... (a)pfn_valid(): valid_section()//return true (b)__remove_pages()-> sparse_remove_section()-> section_deactivate(): [Free the array ms->usage and set ms->usage = NULL] pfn_section_valid() [Access ms->usage which is NULL] NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPASEMEM_VMEMAP enabled. The commit b943f045a9af("mm/sparse: fix kernel crash with pfn_section_valid check") tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns false thus ms->usage is not accessed. Fix this issue by the below steps: a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage. b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage. c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared thus valid_section() return false. Thanks to David/Pavan for their inputs on this patch. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/ On Snapdragon SoC, with the mentioned memory configuration of PFN's as [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of issues daily while testing on a device farm. For this particular issue below is the log. Though the below log is not directly pointing to the pfn_section_valid(){ ms->usage;}, when we loaded this dump on T32 lauterbach tool, it is pointing. [ 540.578056] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 540.578068] Mem abort info: [ 540.578070] ESR = 0x0000000096000005 [ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits [ 540.578077] SET = 0, FnV = 0 [ 540.578080] EA = 0, S1PTW = 0 [ 540.578082] FSC = 0x05: level 1 translation fault [ 540.578085] Data abort info: [ 540.578086] ISV = 0, ISS = 0x00000005 [ 540.578088] CM = 0, WnR = 0 [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--) [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c [ 540.579454] lr : compact_zone+0x994/0x1058 [ 540.579460] sp : ffffffc03579b510 [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640 [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000 [ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140 [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff [ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001 [ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440 [ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4 [ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000 ---truncated--- CVE-2023-52489 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memleak when more than 255 elements expired When more than 255 elements expired we're supposed to switch to a new gc container structure. This never happens: u8 type will wrap before reaching the boundary and nft_trans_gc_space() always returns true. This means we recycle the initial gc container structure and lose track of the elements that came before. While at it, don't deref 'gc' after we've passed it to call_rcu. CVE-2023-52581 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix the error handler of rfkill config When the core rfkill config throws error, it should free the allocated resources. Currently it is not freeing the core pdev create resources. Avoid this issue by calling the core pdev destroy in the error handler of core rfkill config. Found this issue in the code review and it is compile tested only. CVE-2023-52688 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself sock_map proto callbacks should never call themselves by design. Protect against bugs like [1] and break out of the recursive loop to avoid a stack overflow in favor of a resource leak. [1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/ CVE-2023-52735 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf: hisi: Fix use-after-free when register pmu fails When we fail to register the uncore pmu, the pmu context may not been allocated. The error handing will call cpuhp_state_remove_instance() to call uncore pmu offline callback, which migrate the pmu context. Since that's liable to lead to some kind of use-after-free. Use cpuhp_state_remove_instance_nocalls() instead of cpuhp_state_remove_instance() so that the notifiers don't execute after the PMU device has been failed to register. CVE-2023-52859 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <IRQ> dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 </IRQ> <TASK> ... </TASK> Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket. CVE-2023-52885 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 important In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new This patch enhances error handling in scenarios with RTS (Request to Send) messages arriving closely. It replaces the less informative WARN_ON_ONCE backtraces with a new error handling method. This provides clearer error messages and allows for the early termination of problematic sessions. Previously, sessions were only released at the end of j1939_xtp_rx_rts(). Potentially this could be reproduced with something like: testj1939 -r vcan0:0x80 & while true; do # send first RTS cansend vcan0 18EC8090#1014000303002301; # send second RTS cansend vcan0 18EC8090#1014000303002301; # send abort cansend vcan0 18EC8090#ff00000000002301; done CVE-2023-52887 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix null pointer deref when receiving skb during sock creation The panic below is observed when receiving ICMP packets with secmark set while an ICMP raw socket is being created. SK_CTX(sk)->label is updated in apparmor_socket_post_create(), but the packet is delivered to the socket before that, causing the null pointer dereference. Drop the packet if label context is not set. BUG: kernel NULL pointer dereference, address: 000000000000004c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020 RIP: 0010:aa_label_next_confined+0xb/0x40 Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2 RSP: 0018:ffffa92940003b08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002 R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400 R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000 FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0 PKRU: 55555554 Call Trace: <IRQ> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? exc_page_fault+0x7f/0x180 ? asm_exc_page_fault+0x26/0x30 ? aa_label_next_confined+0xb/0x40 apparmor_secmark_check+0xec/0x330 security_sock_rcv_skb+0x35/0x50 sk_filter_trim_cap+0x47/0x250 sock_queue_rcv_skb_reason+0x20/0x60 raw_rcv+0x13c/0x210 raw_local_deliver+0x1f3/0x250 ip_protocol_deliver_rcu+0x4f/0x2f0 ip_local_deliver_finish+0x76/0xa0 __netif_receive_skb_one_core+0x89/0xa0 netif_receive_skb+0x119/0x170 ? __netdev_alloc_skb+0x3d/0x140 vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] __napi_poll+0x28/0x1b0 net_rx_action+0x2a4/0x380 __do_softirq+0xd1/0x2c8 __irq_exit_rcu+0xbb/0xf0 common_interrupt+0x86/0xa0 </IRQ> <TASK> asm_common_interrupt+0x26/0x40 RIP: 0010:apparmor_socket_post_create+0xb/0x200 Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48 RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286 RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003 R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748 ? __pfx_apparmor_socket_post_create+0x10/0x10 security_socket_post_create+0x4b/0x80 __sock_create+0x176/0x1f0 __sys_socket+0x89/0x100 __x64_sys_socket+0x17/0x20 do_syscall_64+0x5d/0x90 ? do_syscall_64+0x6c/0x90 ? do_syscall_64+0x6c/0x90 ? do_syscall_64+0x6c/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc CVE-2023-52889 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In affected libpcap versions during the setup of a remote packet capture the internal function sock_initaddress() calls getaddrinfo() and possibly freeaddrinfo(), but does not clearly indicate to the caller function whether freeaddrinfo() still remains to be called after the function returns. This makes it possible in some scenarios that both the function and its caller call freeaddrinfo() for the same allocated memory block. A similar problem was reported in Apple libpcap, to which Apple assigned CVE-2023-40400. CVE-2023-7256 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:libpcap1-1.10.4-150600.3.6.2 moderate In the Linux kernel, the following vulnerability has been resolved: erofs: fix inconsistent per-file compression format EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built-in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously. CVE-2024-26590 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work idev->mc_ifc_count can be written over without proper locking. Originally found by syzbot [1], fix this issue by encapsulating calls to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with mutex_lock() and mutex_unlock() accordingly as these functions should only be called with mc_lock per their declarations. [1] BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0: mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline] ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725 addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949 addrconf_notify+0x310/0x980 notifier_call_chain kernel/notifier.c:93 [inline] raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461 __dev_notify_flags+0x205/0x3d0 dev_change_flags+0xab/0xd0 net/core/dev.c:8685 do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916 rtnl_group_changelink net/core/rtnetlink.c:3458 [inline] __rtnl_newlink net/core/rtnetlink.c:3717 [inline] rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754 rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910 ... write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1: mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700 worker_thread+0x525/0x730 kernel/workqueue.c:2781 ... CVE-2024-26631 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: rely on mac80211 debugfs handling for vif mac80211 started to delete debugfs entries in certain cases, causing a ath11k to crash when it tried to delete the entries later. Fix this by relying on mac80211 to delete the entries when appropriate and adding them from the vif_add_debugfs handler. CVE-2024-26637 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit. CVE-2024-26668 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated--- CVE-2024-26669 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference. CVE-2024-26677 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: improve CSA/ECSA connection refusal As mentioned in the previous commit, we pretty quickly found that some APs have ECSA elements stuck in their probe response, so using that to not attempt to connect while CSA is happening we never connect to such an AP. Improve this situation by checking more carefully and ignoring the ECSA if cfg80211 has previously detected the ECSA element being stuck in the probe response. Additionally, allow connecting to an AP that's switching to a channel it's already using, unless it's using quiet mode. In this case, we may just have to adjust bandwidth later. If it's actually switching channels, it's better not to try to connect in the middle of that. CVE-2024-26682 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: detect stuck ECSA element in probe resp We recently added some validation that we don't try to connect to an AP that is currently in a channel switch process, since that might want the channel to be quiet or we might not be able to connect in time to hear the switching in a beacon. This was in commit c09c4f31998b ("wifi: mac80211: don't connect to an AP while it's in a CSA process"). However, we promptly got a report that this caused new connection failures, and it turns out that the AP that we now cannot connect to is permanently advertising an extended channel switch announcement, even with quiet. The AP in question was an Asus RT-AC53, with firmware 3.0.0.4.380_10760-g21a5898. As a first step, attempt to detect that we're dealing with such a situation, so mac80211 can use this later. CVE-2024-26683 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix circular locking dependency The rule inside kvm enforces that the vcpu->mutex is taken *inside* kvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires the kvm->lock while already holding the vcpu->mutex lock from kvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by protecting the hyp vm handle with the config_lock, much like we already do for other forms of VM-scoped data. CVE-2024-26691 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-26720 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family. CVE-2024-26735 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain Remove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER event is reported, otherwise a stale reference to netdevice remains in the hook list. CVE-2024-26808 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") which came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path"). CVE-2024-26809 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Create persistent INTx handler A vulnerability exists where the eventfd for INTx signaling can be deconfigured, which unregisters the IRQ handler but still allows eventfds to be signaled with a NULL context through the SET_IRQS ioctl or through unmask irqfd if the device interrupt is pending. Ideally this could be solved with some additional locking; the igate mutex serializes the ioctl and config space accesses, and the interrupt handler is unregistered relative to the trigger, but the irqfd path runs asynchronous to those. The igate mutex cannot be acquired from the atomic context of the eventfd wake function. Disabling the irqfd relative to the eventfd registration is potentially incompatible with existing userspace. As a result, the solution implemented here moves configuration of the INTx interrupt handler to track the lifetime of the INTx context object and irq_type configuration, rather than registration of a particular trigger eventfd. Synchronization is added between the ioctl path and eventfd_signal() wrapper such that the eventfd trigger can be dynamically updated relative to in-flight interrupts or irqfd callbacks. CVE-2024-26812 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: set dormant flag on hook register failure We need to set the dormant flag again if we fail to register the hooks. During memory pressure hook registration can fail and we end up with a table marked as active but no registered hooks. On table/base chain deletion, nf_tables will attempt to unregister the hook again which yields a warn splat from the nftables core. CVE-2024-26835 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to replay would race against the creation of new group memberships, either from the IGMP/MLD snooping logic or from user configuration. While new memberships are immediately visible to walkers of br->mdb_list, the notification of their existence to switchdev event subscribers is deferred until a later point in time. So if a replay list was generated during a time that overlapped with such a window, it would also contain a replay of the not-yet-delivered event. The driver would thus receive two copies of what the bridge internally considered to be one single event. On destruction of the bridge, only a single membership deletion event was therefore sent. As a consequence of this, drivers which reference count memberships (at least DSA), would be left with orphan groups in their hardware database when the bridge was destroyed. This is only an issue when replaying additions. While deletion events may still be pending on the deferred queue, they will already have been removed from br->mdb_list, so no duplicates can be generated in that scenario. To a user this meant that old group memberships, from a bridge in which a port was previously attached, could be reanimated (in hardware) when the port joined a new bridge, without the new bridge's knowledge. For example, on an mv88e6xxx system, create a snooping bridge and immediately add a port to it: root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \ > ip link set dev x3 up master br0 And then destroy the bridge: root@infix-06-0b-00:~$ ip link del dev br0 root@infix-06-0b-00:~$ mvls atu ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a DEV:0 Marvell 88E6393X 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a root@infix-06-0b-00:~$ The two IPv6 groups remain in the hardware database because the port (x3) is notified of the host's membership twice: once via the original event and once via a replay. Since only a single delete notification is sent, the count remains at 1 when the bridge is destroyed. Then add the same port (or another port belonging to the same hardware domain) to a new bridge, this time with snooping disabled: root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \ > ip link set dev x3 up master br1 All multicast, including the two IPv6 groups from br0, should now be flooded, according to the policy of br1. But instead the old memberships are still active in the hardware database, causing the switch to only forward traffic to those groups towards the CPU (port 0). Eliminate the race in two steps: 1. Grab the write-side lock of the MDB while generating the replay list. This prevents new memberships from showing up while we are generating the replay list. But it leaves the scenario in which a deferred event was already generated, but not delivered, before we grabbed the lock. Therefore: 2. Make sure that no deferred version of a replay event is already enqueued to the switchdev deferred queue, before adding it to the replay list, when replaying additions. CVE-2024-26837 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netlink: add nla be16/32 types to minlen array BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline] BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline] BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline] BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631 nla_validate_range_unsigned lib/nlattr.c:222 [inline] nla_validate_int_range lib/nlattr.c:336 [inline] validate_nla lib/nlattr.c:575 [inline] ... The message in question matches this policy: [NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255), but because NLA_BE32 size in minlen array is 0, the validation code will read past the malformed (too small) attribute. Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing: those likely should be added too. CVE-2024-26849 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: Add protection for bmp length out of range UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts that are out of bounds for their data type. vmlinux get_bitmap(b=75) + 712 <net/netfilter/nf_conntrack_h323_asn1.c:0> vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956 <net/netfilter/nf_conntrack_h323_asn1.c:592> vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216 <net/netfilter/nf_conntrack_h323_asn1.c:814> vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812 <net/netfilter/nf_conntrack_h323_asn1.c:576> vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216 <net/netfilter/nf_conntrack_h323_asn1.c:814> vmlinux DecodeRasMessage() + 304 <net/netfilter/nf_conntrack_h323_asn1.c:833> vmlinux ras_help() + 684 <net/netfilter/nf_conntrack_h323_main.c:1728> vmlinux nf_confirm() + 188 <net/netfilter/nf_conntrack_proto.c:137> Due to abnormal data in skb->data, the extension bitmap length exceeds 32 when decoding ras message then uses the length to make a shift operation. It will change into negative after several loop. UBSAN load could detect a negative shift as an undefined behaviour and reports exception. So we add the protection to avoid the length exceeding 32. Or else it will return out of range error and stop decoding. CVE-2024-26851 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy. CVE-2024-26889 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing/trigger: Fix to return error if failed to alloc snapshot Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error. CVE-2024-26920 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free in do_zone_finish() Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070. BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0 ================================================================== BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs] Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007 CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0x200/0x3e0 kasan_report+0xd8/0x110 ? do_zone_finish+0x91a/0xb90 [btrfs] ? do_zone_finish+0x91a/0xb90 [btrfs] do_zone_finish+0x91a/0xb90 [btrfs] btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs] ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs] ? btrfs_put_root+0x2d/0x220 [btrfs] ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs] cleaner_kthread+0x21e/0x380 [btrfs] ? __pfx_cleaner_kthread+0x10/0x10 [btrfs] kthread+0x2e3/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Allocated by task 3493983: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_alloc_device+0xb3/0x4e0 [btrfs] device_list_add.constprop.0+0x993/0x1630 [btrfs] btrfs_scan_one_device+0x219/0x3d0 [btrfs] btrfs_control_ioctl+0x26e/0x310 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 3494056: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3f/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x32/0x70 kfree+0x11b/0x320 btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs] btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs] btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs] btrfs_ioctl+0xb27/0x57d0 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 The buggy address belongs to the object at ffff8881543c8000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 96 bytes inside of freed 1024-byte region [ffff8881543c8000, ffff8881543c8400) The buggy address belongs to the physical page: page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8 head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb This UAF happens because we're accessing stale zone information of a already removed btrfs_device in do_zone_finish(). The sequence of events is as follows: btrfs_dev_replace_start btrfs_scrub_dev btrfs_dev_replace_finishing btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced btrfs_rm_dev_replace_free_srcdev btrfs_free_device <-- device freed cleaner_kthread btrfs_delete_unused_bgs btrfs_zone_finish do_zone_finish <-- refers the freed device The reason for this is that we're using a ---truncated--- CVE-2024-26944 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: Always flush async #PF workqueue when vCPU is being destroyed Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its completion queue, e.g. when a VM and all its vCPUs is being destroyed. KVM must ensure that none of its workqueue callbacks is running when the last reference to the KVM _module_ is put. Gifting a reference to the associated VM prevents the workqueue callback from dereferencing freed vCPU/VM memory, but does not prevent the KVM module from being unloaded before the callback completes. Drop the misguided VM refcount gifting, as calling kvm_put_kvm() from async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will result in deadlock. async_pf_execute() can't return until kvm_put_kvm() finishes, and kvm_put_kvm() can't return until async_pf_execute() finishes: WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm] Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events async_pf_execute [kvm] RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm] Call Trace: <TASK> async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]--- INFO: task kworker/8:1:251 blocked for more than 120 seconds. Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000 Workqueue: events async_pf_execute [kvm] Call Trace: <TASK> __schedule+0x33f/0xa40 schedule+0x53/0xc0 schedule_timeout+0x12a/0x140 __wait_for_common+0x8d/0x1d0 __flush_work.isra.0+0x19f/0x2c0 kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm] kvm_arch_destroy_vm+0x78/0x1b0 [kvm] kvm_put_kvm+0x1c1/0x320 [kvm] async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> If kvm_clear_async_pf_completion_queue() actually flushes the workqueue, then there's no need to gift async_pf_execute() a reference because all invocations of async_pf_execute() will be forced to complete before the vCPU and its VM are destroyed/freed. And that in turn fixes the module unloading bug as __fput() won't do module_put() on the last vCPU reference until the vCPU has been freed, e.g. if closing the vCPU file also puts the last reference to the KVM module. Note that kvm_check_async_pf_completion() may also take the work item off the completion queue and so also needs to flush the work queue, as the work will not be seen by kvm_clear_async_pf_completion_queue(). Waiting on the workqueue could theoretically delay a vCPU due to waiting for the work to complete, but that's a very, very small chance, and likely a very small delay. kvm_arch_async_page_present_queued() unconditionally makes a new request, i.e. will effectively delay entering the guest, so the remaining work is really just: trace_kvm_async_pf_completed(addr, cr2_or_gpa); __kvm_vcpu_wake_up(vcpu); mmput(mm); and mmput() can't drop the last reference to the page tables if the vCPU is still alive, i.e. the vCPU won't get stuck tearing down page tables. Add a helper to do the flushing, specifically to deal with "wakeup all" work items, as they aren't actually work items, i.e. are never placed in a workqueue. Trying to flush a bogus workqueue entry rightly makes __flush_work() complain (kudos to whoever added that sanity check). Note, commit 5f6de5cbebee ("KVM: Prevent module exit until al ---truncated--- CVE-2024-26976 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix mirred deadlock on device recursion When the mirred action is used on a classful egress qdisc and a packet is mirrored or redirected to self we hit a qdisc lock deadlock. See trace below. [..... other info removed for brevity....] [ 82.890906] [ 82.890906] ============================================ [ 82.890906] WARNING: possible recursive locking detected [ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W [ 82.890906] -------------------------------------------- [ 82.890906] ping/418 is trying to acquire lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] but task is already holding lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] other info that might help us debug this: [ 82.890906] Possible unsafe locking scenario: [ 82.890906] [ 82.890906] CPU0 [ 82.890906] ---- [ 82.890906] lock(&sch->q.lock); [ 82.890906] lock(&sch->q.lock); [ 82.890906] [ 82.890906] *** DEADLOCK *** [ 82.890906] [..... other info removed for brevity....] Example setup (eth0->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 Another example(eth0->eth1->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth1 tc qdisc add dev eth1 root handle 1: htb default 30 tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 We fix this by adding an owner field (CPU id) to struct Qdisc set after root qdisc is entered. When the softirq enters it a second time, if the qdisc owner is the same CPU, the packet is dropped to break the loop. CVE-2024-27010 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memleak in map from abort path The delete set command does not rely on the transaction object for element removal, therefore, a combination of delete element + delete set from the abort path could result in restoring twice the refcount of the mapping. Check for inactive element in the next generation for the delete element command in the abort path, skip restoring state if next generation bit has been already cleared. This is similar to the activate logic using the set walk iterator. [ 6170.286929] ------------[ cut here ]------------ [ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.287071] Modules linked in: [...] [ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365 [ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f [ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202 [ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000 [ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750 [ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55 [ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10 [ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100 [ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000 [ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0 [ 6170.287962] Call Trace: [ 6170.287967] <TASK> [ 6170.287973] ? __warn+0x9f/0x1a0 [ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.288092] ? report_bug+0x1b1/0x1e0 [ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.288092] ? report_bug+0x1b1/0x1e0 [ 6170.288104] ? handle_bug+0x3c/0x70 [ 6170.288112] ? exc_invalid_op+0x17/0x40 [ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20 [ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables] [ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables] [ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables] CVE-2024-27011 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925e: fix use-after-free in free_irq() From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore. CVE-2024-27049 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: libbpf: Use OPTS_SET() macro in bpf_xdp_query() When the feature_flags and xdp_zc_max_segs fields were added to the libbpf bpf_xdp_query_opts, the code writing them did not use the OPTS_SET() macro. This causes libbpf to write to those fields unconditionally, which means that programs compiled against an older version of libbpf (with a smaller size of the bpf_xdp_query_opts struct) will have its stack corrupted by libbpf writing out of bounds. The patch adding the feature_flags field has an early bail out if the feature_flags field is not part of the opts struct (via the OPTS_HAS) macro, but the patch adding xdp_zc_max_segs does not. For consistency, this fix just changes the assignments to both fields to use the OPTS_SET() macro. CVE-2024-27050 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix NULL domain on device release In the kdump kernel, the IOMMU operates in deferred_attach mode. In this mode, info->domain may not yet be assigned by the time the release_device function is called. It leads to the following crash in the crash kernel: BUG: kernel NULL pointer dereference, address: 000000000000003c ... RIP: 0010:do_raw_spin_lock+0xa/0xa0 ... _raw_spin_lock_irqsave+0x1b/0x30 intel_iommu_release_device+0x96/0x170 iommu_deinit_device+0x39/0xf0 __iommu_group_remove_device+0xa0/0xd0 iommu_bus_notifier+0x55/0xb0 notifier_call_chain+0x5a/0xd0 blocking_notifier_call_chain+0x41/0x60 bus_notify+0x34/0x50 device_del+0x269/0x3d0 pci_remove_bus_device+0x77/0x100 p2sb_bar+0xae/0x1d0 ... i801_probe+0x423/0x740 Use the release_domain mechanism to fix it. The scalable mode context entry which is not part of release domain should be cleared in release_device(). CVE-2024-27079 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_flow_offload: reset dst in route object after setting up flow dst is transferred to the flow object, route object does not own it anymore. Reset dst in route object, otherwise if flow_offload_add() fails, error path releases dst twice, leading to a refcount underflow. CVE-2024-27403 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe() 'clk_data' is allocated with mtk_devm_alloc_clk_data(). So calling mtk_free_clk_data() explicitly in the remove function would lead to a double-free. Remove the redundant call. CVE-2024-27433 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Disable auto-enable of exclusive INTx IRQ Currently for devices requiring masking at the irqchip for INTx, ie. devices without DisINTx support, the IRQ is enabled in request_irq() and subsequently disabled as necessary to align with the masked status flag. This presents a window where the interrupt could fire between these events, resulting in the IRQ incrementing the disable depth twice. This would be unrecoverable for a user since the masked flag prevents nested enables through vfio. Instead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx is never auto-enabled, then unmask as required. CVE-2024-27437 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline The absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of interrupt affinity reconfiguration via procfs. Instead, the change is deferred until the next instance of the interrupt being triggered on the original CPU. When the interrupt next triggers on the original CPU, the new affinity is enforced within __irq_move_irq(). A vector is allocated from the new CPU, but the old vector on the original CPU remains and is not immediately reclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming process is delayed until the next trigger of the interrupt on the new CPU. Upon the subsequent triggering of the interrupt on the new CPU, irq_complete_move() adds a task to the old CPU's vector_cleanup list if it remains online. Subsequently, the timer on the old CPU iterates over its vector_cleanup list, reclaiming old vectors. However, a rare scenario arises if the old CPU is outgoing before the interrupt triggers again on the new CPU. In that case irq_force_complete_move() is not invoked on the outgoing CPU to reclaim the old apicd->prev_vector because the interrupt isn't currently affine to the outgoing CPU, and irq_needs_fixup() returns false. Even though __vector_schedule_cleanup() is later called on the new CPU, it doesn't reclaim apicd->prev_vector; instead, it simply resets both apicd->move_in_progress and apicd->prev_vector to 0. As a result, the vector remains unreclaimed in vector_matrix, leading to a CPU vector leak. To address this issue, move the invocation of irq_force_complete_move() before the irq_needs_fixup() call to reclaim apicd->prev_vector, if the interrupt is currently or used to be affine to the outgoing CPU. Additionally, reclaim the vector in __vector_schedule_cleanup() as well, following a warning message, although theoretically it should never see apicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU. CVE-2024-31076 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash The rehash delayed work migrates filters from one region to another according to the number of available credits. The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration. The destruction of a region that still has filters referencing it can result in a use-after-free [1]. Fix by not destroying the region if migration failed. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858 CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70 mlxsw_sp_acl_atcam_entry_del+0x81/0x210 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 174: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 7: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 CVE-2024-35854 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: discard table flag update with pending basechain deletion Hook unregistration is deferred to the commit phase, same occurs with hook updates triggered by the table dormant flag. When both commands are combined, this results in deleting a basechain while leaving its hook still registered in the core. CVE-2024-35897 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/rds: fix possible cp null dereference cp might be null, calling cp->cp_conn would produce null dereference [Simon Horman adds:] Analysis: * cp is a parameter of __rds_rdma_map and is not reassigned. * The following call-sites pass a NULL cp argument to __rds_rdma_map() - rds_get_mr() - rds_get_mr_for_dest * Prior to the code above, the following assumes that cp may be NULL (which is indicative, but could itself be unnecessary) trans_private = rs->rs_transport->get_mr( sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, args->vec.addr, args->vec.bytes, need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED); * The code modified by this patch is guarded by IS_ERR(trans_private), where trans_private is assigned as per the previous point in this analysis. The only implementation of get_mr that I could locate is rds_ib_get_mr() which can return an ERR_PTR if the conn (4th) argument is NULL. * ret is set to PTR_ERR(trans_private). rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL. Thus ret may be -ENODEV in which case the code in question will execute. Conclusion: * cp may be NULL at the point where this patch adds a check; this patch does seem to address a possible bug CVE-2024-35902 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF When we want to know whether we should look for the mac_id or the link_id in struct iwl_mvm_session_prot_notif, we should look at the version of SESSION_PROTECTION_NOTIF. This causes WARNINGs: WARNING: CPU: 0 PID: 11403 at drivers/net/wireless/intel/iwlwifi/mvm/time-event.c:959 iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm] RIP: 0010:iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm] Code: 00 49 c7 84 24 48 07 00 00 00 00 00 00 41 c6 84 24 78 07 00 00 ff 4c 89 f7 e8 e9 71 54 d9 e9 7d fd ff ff 0f 0b e9 23 fe ff ff <0f> 0b e9 1c fe ff ff 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffb4bb00003d40 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff9ae63a361000 RCX: ffff9ae4a98b60d4 RDX: ffff9ae4588499c0 RSI: 0000000000000305 RDI: ffff9ae4a98b6358 RBP: ffffb4bb00003d68 R08: 0000000000000003 R09: 0000000000000010 R10: ffffb4bb00003d00 R11: 000000000000000f R12: ffff9ae441399050 R13: ffff9ae4761329e8 R14: 0000000000000001 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff9ae7af400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055fb75680018 CR3: 00000003dae32006 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <IRQ> ? show_regs+0x69/0x80 ? __warn+0x8d/0x150 ? iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm] ? report_bug+0x196/0x1c0 ? handle_bug+0x45/0x80 ? exc_invalid_op+0x1c/0xb0 ? asm_exc_invalid_op+0x1f/0x30 ? iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm] iwl_mvm_rx_common+0x115/0x340 [iwlmvm] iwl_mvm_rx_mq+0xa6/0x100 [iwlmvm] iwl_pcie_rx_handle+0x263/0xa10 [iwlwifi] iwl_pcie_napi_poll_msix+0x32/0xd0 [iwlwifi] CVE-2024-35913 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma-direct: Leak pages on dma_set_decrypted() failure On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. DMA could free decrypted/shared pages if dma_set_decrypted() fails. This should be a rare case. Just leak the pages in this case instead of freeing them. CVE-2024-35939 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: make sure that WRITTEN is set on all metadata blocks We previously would call btrfs_check_leaf() if we had the check integrity code enabled, which meant that we could only run the extended leaf checks if we had WRITTEN set on the header flags. This leaves a gap in our checking, because we could end up with corruption on disk where WRITTEN isn't set on the leaf, and then the extended leaf checks don't get run which we rely on to validate all of the item pointers to make sure we don't access memory outside of the extent buffer. However, since 732fab95abe2 ("btrfs: check-integrity: remove CONFIG_BTRFS_FS_CHECK_INTEGRITY option") we no longer call btrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only ever call it on blocks that are being written out, and thus have WRITTEN set, or that are being read in, which should have WRITTEN set. Add checks to make sure we have WRITTEN set appropriately, and then make sure __btrfs_check_leaf() always does the item checking. This will protect us from file systems that have been corrupted and no longer have WRITTEN set on some of the blocks. This was hit on a crafted image tweaking the WRITTEN bit and reported by KASAN as out-of-bound access in the eb accessors. The example is a dir item at the end of an eb. [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2 [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f] [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1 [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0 [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206 [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0 [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748 [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9 [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8 [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000 [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0 [2.621] Call Trace: [2.621] <TASK> [2.621] ? show_regs+0x74/0x80 [2.621] ? die_addr+0x46/0xc0 [2.621] ? exc_general_protection+0x161/0x2a0 [2.621] ? asm_exc_general_protection+0x26/0x30 [2.621] ? btrfs_get_16+0x33a/0x6d0 [2.621] ? btrfs_get_16+0x34b/0x6d0 [2.621] ? btrfs_get_16+0x33a/0x6d0 [2.621] ? __pfx_btrfs_get_16+0x10/0x10 [2.621] ? __pfx_mutex_unlock+0x10/0x10 [2.621] btrfs_match_dir_item_name+0x101/0x1a0 [2.621] btrfs_lookup_dir_item+0x1f3/0x280 [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10 [2.621] btrfs_get_tree+0xd25/0x1910 [ copy more details from report ] CVE-2024-35949 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: tproxy: bail out if IP has been disabled on the device syzbot reports: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] [..] RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62 Call Trace: nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline] nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168 __in_dev_get_rcu() can return NULL, so check for this. CVE-2024-36270 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() syzbot reported that nf_reinject() could be called without rcu_read_lock() : WARNING: suspicious RCU usage 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by syz-executor.4/13427: #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471 #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172 stack backtrace: CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline] nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397 nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline] instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172 rcu_do_batch kernel/rcu/tree.c:2196 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> CVE-2024-36286 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix loop termination condition in gss_free_in_token_pages() The in_token->pages[] array is not NULL terminated. This results in the following KASAN splat: KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f] CVE-2024-36288 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix missing memory barrier in tls_init In tls_init(), a write memory barrier is missing, and store-store reordering may cause NULL dereference in tls_{setsockopt,getsockopt}. CPU0 CPU1 ----- ----- // In tls_init() // In tls_ctx_create() ctx = kzalloc() ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1) // In update_sk_prot() WRITE_ONCE(sk->sk_prot, tls_prots) -(2) // In sock_common_setsockopt() READ_ONCE(sk->sk_prot)->setsockopt() // In tls_{setsockopt,getsockopt}() ctx->sk_proto->setsockopt() -(3) In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing NULL dereference. To fix it, we rely on rcu_assign_pointer() which implies the release barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is initialized, we can ensure that ctx->sk_proto are visible when changing sk->sk_prot. CVE-2024-36489 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: reset ptes when close() for wr-protected ones Userfaultfd unregister includes a step to remove wr-protect bits from all the relevant pgtable entries, but that only covered an explicit UFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself. Cover that too. This fixes a WARN trace. The only user visible side effect is the user can observe leftover wr-protect bits even if the user close()ed on an userfaultfd when releasing the last reference of it. However hopefully that should be harmless, and nothing bad should happen even if so. This change is now more important after the recent page-table-check patch we merged in mm-unstable (446dd9ad37d0 ("mm/page_table_check: support userfault wr-protect entries")), as we'll do sanity check on uffd-wp bits without vma context. So it's better if we can 100% guarantee no uffd-wp bit leftovers, to make sure each report will be valid. CVE-2024-36881 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2024-36907 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The netvsc driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory. CVE-2024-36911 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: core: reject skb_copy(_expand) for fraglist GSO skbs SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become invalid. Return NULL if such an skb is passed to skb_copy or skb_copy_expand, in order to prevent a crash on a potential later call to skb_gso_segment. CVE-2024-36929 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). syzbot triggered various splats (see [0] and links) by a crafted GSO packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols: ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls skb_mac_gso_segment() to invoke inner protocol GSO handlers. nsh_gso_segment() does the following for the original skb before calling skb_mac_gso_segment() 1. reset skb->network_header 2. save the original skb->{mac_heaeder,mac_len} in a local variable 3. pull the NSH header 4. resets skb->mac_header 5. set up skb->mac_len and skb->protocol for the inner protocol. and does the following for the segmented skb 6. set ntohs(ETH_P_NSH) to skb->protocol 7. push the NSH header 8. restore skb->mac_header 9. set skb->mac_header + mac_len to skb->network_header 10. restore skb->mac_len There are two problems in 6-7 and 8-9. (a) After 6 & 7, skb->data points to the NSH header, so the outer header (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev. Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH), skb_pull() in the first nsh_gso_segment() will make skb->data point to the middle of the outer NSH or Ethernet header because the Ethernet header is not pulled by the second nsh_gso_segment(). (b) While restoring skb->{mac_header,network_header} in 8 & 9, nsh_gso_segment() does not assume that the data in the linear buffer is shifted. However, udp6_ufo_fragment() could shift the data and change skb->mac_header accordingly as demonstrated by syzbot. If this happens, even the restored skb->mac_header points to the middle of the outer header. It seems nsh_gso_segment() has never worked with outer headers so far. At the end of nsh_gso_segment(), the outer header must be restored for the segmented skb, instead of the NSH header. To do that, let's calculate the outer header position relatively from the inner header and set skb->{data,mac_header,protocol} properly. [0]: BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline] BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668 ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668 ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222 __netdev_start_xmit include/linux/netdevice.h:4989 [inline] netdev_start_xmit include/linux/netdevice.h:5003 [inline] xmit_one net/core/dev.c:3547 [inline] dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563 __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351 dev_queue_xmit include/linux/netdevice.h:3171 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook mm/slub.c:3819 [inline] slab_alloc_node mm/slub.c:3860 [inline] __do_kmalloc_node mm/slub.c:3980 [inline] __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 __ ---truncated--- CVE-2024-36933 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfs: Handle error of rpc_proc_register() in nfs_net_init(). syzkaller reported a warning [0] triggered while destroying immature netns. rpc_proc_register() was called in init_nfs_fs(), but its error has been ignored since at least the initial commit 1da177e4c3f4 ("Linux-2.6.12-rc2"). Recently, commit d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces") converted the procfs to per-netns and made the problem more visible. Even when rpc_proc_register() fails, nfs_net_init() could succeed, and thus nfs_net_exit() will be called while destroying the netns. Then, remove_proc_entry() will be called for non-existing proc directory and trigger the warning below. Let's handle the error of rpc_proc_register() properly in nfs_net_init(). [0]: name 'nfs' WARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711 Modules linked in: CPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711 Code: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb RSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c RDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc R13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8 FS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310 nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438 ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170 setup_net+0x46c/0x660 net/core/net_namespace.c:372 copy_net_ns+0x244/0x590 net/core/net_namespace.c:505 create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228 ksys_unshare+0x342/0x760 kernel/fork.c:3322 __do_sys_unshare kernel/fork.c:3393 [inline] __se_sys_unshare kernel/fork.c:3391 [inline] __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x7f30d0febe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 R13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000 </TASK> CVE-2024-36939 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: Use request_module_nowait This appears to work around a deadlock regression that came in with the LED merge in 6.9. The deadlock happens on my system with 24 iwlwifi radios, so maybe it something like all worker threads are busy and some work that needs to complete cannot complete. [also remove unnecessary "load_module" var and now-wrong comment] CVE-2024-36970 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: mst: fix vlan use-after-free syzbot reported a suspicious rcu usage[1] in bridge's mst code. While fixing it I noticed that nothing prevents a vlan to be freed while walking the list from the same path (br forward delay timer). Fix the rcu usage and also make sure we are not accessing freed memory by making br_mst_vlan_set_state use rcu read lock. [1] WARNING: suspicious RCU usage 6.9.0-rc6-syzkaller #0 Not tainted ----------------------------- net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage! ... stack backtrace: CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nbp_vlan_group net/bridge/br_private.h:1599 [inline] br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105 br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47 br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429 run_timer_base kernel/time/timer.c:2438 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448 __do_softirq+0x2c6/0x980 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758 Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25 RSP: 0018:ffffc90013657100 EFLAGS: 00000206 RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001 RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60 RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0 R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28 R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246 CVE-2024-36979 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is assigned to mhdp_state->current_mode, and there is a dereference of it in drm_mode_set_name(), which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Fix this bug add a check of mhdp_state->current_mode. CVE-2024-38548 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix potential memory leakage when reading chip temperature Without this commit, reading chip temperature will cause memory leakage. CVE-2024-38563 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: connac: check for null before dereferencing The wcid can be NULL. It should be checked for validity before dereferencing it to avoid crash. CVE-2024-38609 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Allow delete from sockmap/sockhash only if update is allowed We have seen an influx of syzkaller reports where a BPF program attached to a tracepoint triggers a locking rule violation by performing a map_delete on a sockmap/sockhash. We don't intend to support this artificial use scenario. Extend the existing verifier allowed-program-type check for updating sockmap/sockhash to also cover deleting from a map. From now on only BPF programs which were previously allowed to update sockmap/sockhash can delete from these map types. CVE-2024-38662 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING Xiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with small possibility, the root cause is exactly the same as commit bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"") However, Dan reported another hang after that, and junxiao investigated the problem and found out that this is caused by plugged bio can't issue from raid5d(). Current implementation in raid5d() has a weird dependence: 1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear MD_SB_CHANGE_PENDING; 2) raid5d() handles IO in a deadloop, until all IO are issued; 3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared; This behaviour is introduce before v2.6, and for consequence, if other context hold 'reconfig_mutex', and md_check_recovery() can't update super_block, then raid5d() will waste one cpu 100% by the deadloop, until 'reconfig_mutex' is released. Refer to the implementation from raid1 and raid10, fix this problem by skipping issue IO if MD_SB_CHANGE_PENDING is still set after md_check_recovery(), daemon thread will be woken up when 'reconfig_mutex' is released. Meanwhile, the hang problem will be fixed as well. CVE-2024-39476 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked When requesting an NMI window, WARN on vNMI support being enabled if and only if NMIs are actually masked, i.e. if the vCPU is already handling an NMI. KVM's ABI for NMIs that arrive simultanesouly (from KVM's point of view) is to inject one NMI and pend the other. When using vNMI, KVM pends the second NMI simply by setting V_NMI_PENDING, and lets the CPU do the rest (hardware automatically sets V_NMI_BLOCKING when an NMI is injected). However, if KVM can't immediately inject an NMI, e.g. because the vCPU is in an STI shadow or is running with GIF=0, then KVM will request an NMI window and trigger the WARN (but still function correctly). Whether or not the GIF=0 case makes sense is debatable, as the intent of KVM's behavior is to provide functionality that is as close to real hardware as possible. E.g. if two NMIs are sent in quick succession, the probability of both NMIs arriving in an STI shadow is infinitesimally low on real hardware, but significantly larger in a virtual environment, e.g. if the vCPU is preempted in the STI shadow. For GIF=0, the argument isn't as clear cut, because the window where two NMIs can collide is much larger in bare metal (though still small). That said, KVM should not have divergent behavior for the GIF=0 case based on whether or not vNMI support is enabled. And KVM has allowed simultaneous NMIs with GIF=0 for over a decade, since commit 7460fb4a3400 ("KVM: Fix simultaneous NMIs"). I.e. KVM's GIF=0 handling shouldn't be modified without a *really* good reason to do so, and if KVM's behavior were to be modified, it should be done irrespective of vNMI support. CVE-2024-39483 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text) CVE-2024-39484 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/drm_file: Fix pid refcounting race <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de> filp->pid is supposed to be a refcounted pointer; however, before this patch, drm_file_update_pid() only increments the refcount of a struct pid after storing a pointer to it in filp->pid and dropping the dev->filelist_mutex, making the following race possible: process A process B ========= ========= begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid B>, 1) mutex_unlock(&dev->filelist_mutex) begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid A>, 1) mutex_unlock(&dev->filelist_mutex) get_pid(<pid A>) synchronize_rcu() put_pid(<pid B>) *** pid B reaches refcount 0 and is freed here *** get_pid(<pid B>) *** UAF *** synchronize_rcu() put_pid(<pid A>) As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y because it requires RCU to detect a quiescent state in code that is not explicitly calling into the scheduler. This race leads to use-after-free of a "struct pid". It is probably somewhat hard to hit because process A has to pass through a synchronize_rcu() operation while process B is between mutex_unlock() and get_pid(). Fix it by ensuring that by the time a pointer to the current task's pid is stored in the file, an extra reference to the pid has been taken. This fix also removes the condition for synchronize_rcu(); I think that optimization is unnecessary complexity, since in that case we would usually have bailed out on the lockless check above. CVE-2024-39486 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY When CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes to bug_table entries, and as a result the last entry in a bug table will be ignored, potentially leading to an unexpected panic(). All prior entries in the table will be handled correctly. The arm64 ABI requires that struct fields of up to 8 bytes are naturally-aligned, with padding added within a struct such that struct are suitably aligned within arrays. When CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is: struct bug_entry { signed int bug_addr_disp; // 4 bytes signed int file_disp; // 4 bytes unsigned short line; // 2 bytes unsigned short flags; // 2 bytes } ... with 12 bytes total, requiring 4-byte alignment. When CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is: struct bug_entry { signed int bug_addr_disp; // 4 bytes unsigned short flags; // 2 bytes < implicit padding > // 2 bytes } ... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing padding, requiring 4-byte alginment. When we create a bug_entry in assembly, we align the start of the entry to 4 bytes, which implicitly handles padding for any prior entries. However, we do not align the end of the entry, and so when CONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding bytes. For the main kernel image this is not a problem as find_bug() doesn't depend on the trailing padding bytes when searching for entries: for (bug = __start___bug_table; bug < __stop___bug_table; ++bug) if (bugaddr == bug_addr(bug)) return bug; However for modules, module_bug_finalize() depends on the trailing bytes when calculating the number of entries: mod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry); ... and as the last bug_entry lacks the necessary padding bytes, this entry will not be counted, e.g. in the case of a single entry: sechdrs[i].sh_size == 6 sizeof(struct bug_entry) == 8; sechdrs[i].sh_size / sizeof(struct bug_entry) == 0; Consequently module_find_bug() will miss the last bug_entry when it does: for (i = 0; i < mod->num_bugs; ++i, ++bug) if (bugaddr == bug_addr(bug)) goto out; ... which can lead to a kenrel panic due to an unhandled bug. This can be demonstrated with the following module: static int __init buginit(void) { WARN(1, "hello\n"); return 0; } static void __exit bugexit(void) { } module_init(buginit); module_exit(bugexit); MODULE_LICENSE("GPL"); ... which will trigger a kernel panic when loaded: ------------[ cut here ]------------ hello Unexpected kernel BRK exception at EL1 Internal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: hello(O+) CPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8 Hardware name: linux,dummy-virt (DT) pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : buginit+0x18/0x1000 [hello] lr : buginit+0x18/0x1000 [hello] sp : ffff800080533ae0 x29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000 x26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58 x23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0 x20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006 x17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720 x14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312 x11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8 x8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000 x5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0 Call trace: buginit+0x18/0x1000 [hello] do_one_initcall+0x80/0x1c8 do_init_module+0x60/0x218 load_module+0x1ba4/0x1d70 __do_sys_init_module+0x198/0x1d0 __arm64_sys_init_module+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc ---truncated--- CVE-2024-39488 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix memleak in seg6_hmac_init_algo seg6_hmac_init_algo returns without cleaning up the previous allocations if one fails, so it's going to leak all that memory and the crypto tfms. Update seg6_hmac_exit to only free the memory when allocated, so we can reuse the code directly. CVE-2024-39489 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance The cs_dsp instance is initialized in the driver probe() so it should be freed in the driver remove(). Also fix a missing call to cs_dsp_remove() in the error path of cs35l56_hda_common_probe(). The call to cs_dsp_remove() was being done in the component unbind callback cs35l56_hda_unbind(). This meant that if the driver was unbound and then re-bound it would be using an uninitialized cs_dsp instance. It is best to initialize the cs_dsp instance in probe() so that it can return an error if it fails. The component binding API doesn't have any error handling so there's no way to handle a failure if cs_dsp was initialized in the bind. CVE-2024-39491 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak Using completion_done to determine whether the caller has gone away only works after a complete call. Furthermore it's still possible that the caller has not yet called wait_for_completion, resulting in another potential UAF. Fix this by making the caller use cancel_work_sync and then freeing the memory safely. CVE-2024-39493 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot: BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags)); Return -EINVAL early if COW mapping is detected. This bug affects all drm drivers using default shmem helpers. It can be reproduced by this simple example: void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset); ptr[0] = 0; CVE-2024-39497 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: vmci: prevent speculation leaks by sanitizing event in event_deliver() Coverity spotted that event_msg is controlled by user-space, event_msg->event_data.event is passed to event_deliver() and used as an index without sanitization. This change ensures that the event index is sanitized to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Only compile tested, no access to HW. CVE-2024-39499 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drivers: core: synchronize really_probe() and dev_uevent() Synchronize the dev->driver usage in really_probe() and dev_uevent(). These can run in different threads, what can result in the following race condition for dev->driver uninitialization: Thread #1: ========== really_probe() { ... probe_failed: ... device_unbind_cleanup(dev) { ... dev->driver = NULL; // <= Failed probe sets dev->driver to NULL ... } ... } Thread #2: ========== dev_uevent() { ... if (dev->driver) // If dev->driver is NULLed from really_probe() from here on, // after above check, the system crashes add_uevent_var(env, "DRIVER=%s", dev->driver->name); ... } really_probe() holds the lock, already. So nothing needs to be done there. dev_uevent() is called with lock held, often, too. But not always. What implies that we can't add any locking in dev_uevent() itself. So fix this race by adding the lock to the non-protected path. This is the path where above race is observed: dev_uevent+0x235/0x380 uevent_show+0x10c/0x1f0 <= Add lock here dev_attr_show+0x3a/0xa0 sysfs_kf_seq_show+0x17c/0x250 kernfs_seq_show+0x7c/0x90 seq_read_iter+0x2d7/0x940 kernfs_fop_read_iter+0xc6/0x310 vfs_read+0x5bc/0x6b0 ksys_read+0xeb/0x1b0 __x64_sys_read+0x42/0x50 x64_sys_call+0x27ad/0x2d30 do_syscall_64+0xcd/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Similar cases are reported by syzkaller in https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a But these are regarding the *initialization* of dev->driver dev->driver = drv; As this switches dev->driver to non-NULL these reports can be considered to be false-positives (which should be "fixed" by this commit, as well, though). The same issue was reported and tried to be fixed back in 2015 in https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/ already. CVE-2024-39501 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/komeda: check for error-valued pointer komeda_pipeline_get_state() may return an error-valued pointer, thus check the pointer for negative or null value before dereferencing. CVE-2024-39505 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference. lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info ...search in the dispatch_list... ->disp_fn(rdisp->rinfo, ...) lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...) In this path there is no code which sets pg_info->page to NULL. So this check looks unneeded and doesn't solve potential problem. But I guess the author had reason to add a check and I have no such card and can't do real test. In addition, the code in the function liquidio_push_packet() in liquidio/lio_core.c does exactly the same. Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skb_add_rx_frag() into conditional scope. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-39506 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq to address potential data races. The structure io_worker->flags may be accessed through various data paths, leading to concurrency issues. When KCSAN is enabled, it reveals data races occurring in io_worker_handle_work and io_wq_activate_free_worker functions. BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28: io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569) io_wq_worker (io_uring/io-wq.c:?) <snip> read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5: io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285) io_wq_enqueue (io_uring/io-wq.c:947) io_queue_iowq (io_uring/io_uring.c:524) io_req_task_submit (io_uring/io_uring.c:1511) io_handle_tw_list (io_uring/io_uring.c:1198) <snip> Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm"). These races involve writes and reads to the same memory location by different tasks running on different CPUs. To mitigate this, refactor the code to use atomic operations such as set_bit(), test_bit(), and clear_bit() instead of basic "and" and "or" operations. This ensures thread-safe manipulation of worker flags. Also, move `create_index` to avoid holes in the structure. CVE-2024-39508 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: core: remove unnecessary WARN_ON() in implement() Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... CVE-2024-39509 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60 Read of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963 CPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564 Call Trace: kasan_report+0x93/0xc0 cachefiles_ondemand_daemon_read+0xb41/0xb60 vfs_read+0x169/0xb50 ksys_read+0xf5/0x1e0 Allocated by task 116: kmem_cache_alloc+0x140/0x3a0 cachefiles_lookup_cookie+0x140/0xcd0 fscache_cookie_state_machine+0x43c/0x1230 [...] Freed by task 792: kmem_cache_free+0xfe/0x390 cachefiles_put_object+0x241/0x480 fscache_cookie_state_machine+0x5c8/0x1230 [...] ================================================================== Following is the process that triggers the issue: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_withdraw_cookie cachefiles_ondemand_clean_object(object) cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req msg->object_id = req->object->ondemand->ondemand_id ------ restore ------ cachefiles_ondemand_restore xas_for_each(&xas, req, ULONG_MAX) xas_set_mark(&xas, CACHEFILES_REQ_NEW) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req copy_to_user(_buffer, msg, n) xa_erase(&cache->reqs, id) complete(&REQ_A->done) ------ close(fd) ------ cachefiles_ondemand_fd_release cachefiles_put_object cachefiles_put_object kmem_cache_free(cachefiles_object_jar, object) REQ_A->object->ondemand->ondemand_id // object UAF !!! When we see the request within xa_lock, req->object must not have been freed yet, so grab the reference count of object before xa_unlock to avoid the above issue. CVE-2024-39510 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0 Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962 CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542 Call Trace: kasan_report+0x94/0xc0 cachefiles_ondemand_daemon_read+0x609/0xab0 vfs_read+0x169/0xb50 ksys_read+0xf5/0x1e0 Allocated by task 626: __kmalloc+0x1df/0x4b0 cachefiles_ondemand_send_req+0x24d/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] Freed by task 626: kfree+0xf1/0x2c0 cachefiles_ondemand_send_req+0x568/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] ================================================================== Following is the process that triggers the issue: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req cachefiles_ondemand_get_fd copy_to_user(_buffer, msg, n) process_open_req(REQ_A) ------ restore ------ cachefiles_ondemand_restore xas_for_each(&xas, req, ULONG_MAX) xas_set_mark(&xas, CACHEFILES_REQ_NEW); cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req write(devfd, ("copen %u,%llu", msg->msg_id, size)); cachefiles_ondemand_copen xa_erase(&cache->reqs, id) complete(&REQ_A->done) kfree(REQ_A) cachefiles_ondemand_get_fd(REQ_A) fd = get_unused_fd_flags file = anon_inode_getfile fd_install(fd, file) load = (void *)REQ_A->msg.data; load->fd = fd; // load UAF !!! This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefiles_req, which is held while waiting and reading, and then released when the waiting and reading is over. Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray. CVE-2024-40899 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: remove requests from xarray during flushing requests Even with CACHEFILES_DEAD set, we can still read the requests, so in the following concurrency the request may be used after it has been freed: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read // close dev fd cachefiles_flush_reqs complete(&REQ_A->done) kfree(REQ_A) xa_lock(&cache->reqs); cachefiles_ondemand_select_req req->msg.opcode != CACHEFILES_OP_READ // req use-after-free !!! xa_unlock(&cache->reqs); xa_destroy(&cache->reqs) Hence remove requests from cache->reqs when flushing them to avoid accessing freed requests. CVE-2024-40900 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log. CVE-2024-40902 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps There could be a potential use-after-free case in tcpm_register_source_caps(). This could happen when: * new (say invalid) source caps are advertised * the existing source caps are unregistered * tcpm_register_source_caps() returns with an error as usb_power_delivery_register_capabilities() fails This causes port->partner_source_caps to hold on to the now freed source caps. Reset port->partner_source_caps value to NULL after unregistering existing source caps. CVE-2024-40903 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup: cdc_wdm 1-1:1.0: nonzero urb status received: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625] CPU#0 Utilization every 4s during lockup: #1: 98% system, 0% softirq, 3% hardirq, 0% idle #2: 98% system, 0% softirq, 3% hardirq, 0% idle #3: 98% system, 0% softirq, 3% hardirq, 0% idle #4: 98% system, 0% softirq, 3% hardirq, 0% idle #5: 98% system, 1% softirq, 3% hardirq, 0% idle Modules linked in: irq event stamp: 73096 hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline] hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994 hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline] softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582 softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588 CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Testing showed that the problem did not occur if the two error messages -- the first two lines above -- were removed; apparently adding material to the kernel log takes a surprisingly large amount of time. In any case, the best approach for preventing these lockups and to avoid spamming the log with thousands of error messages per second is to ratelimit the two dev_err() calls. Therefore we replace them with dev_err_ratelimited(). CVE-2024-40904 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible race in __fib6_drop_pcpu_from() syzbot found a race in __fib6_drop_pcpu_from() [1] If compiler reads more than once (*ppcpu_rt), second read could read NULL, if another cpu clears the value in rt6_get_pcpu_route(). Add a READ_ONCE() to prevent this race. Also add rcu_read_lock()/rcu_read_unlock() because we rely on RCU protection while dereferencing pcpu_rt. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097] CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Workqueue: netns cleanup_net RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984 Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48 RSP: 0018:ffffc900040df070 EFLAGS: 00010206 RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16 RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091 RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8 R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline] fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline] fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038 fib6_del_route net/ipv6/ip6_fib.c:1998 [inline] fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043 fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205 fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127 fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175 fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255 __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271 rt6_sync_down_dev net/ipv6/route.c:4906 [inline] rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911 addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855 addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992 call_netdevice_notifiers_extack net/core/dev.c:2030 [inline] call_netdevice_notifiers net/core/dev.c:2044 [inline] dev_close_many+0x333/0x6a0 net/core/dev.c:1585 unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193 unregister_netdevice_many net/core/dev.c:11276 [inline] default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CVE-2024-40905 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release(). CVE-2024-40910 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Lock wiphy in cfg80211_get_station Wiphy should be locked before calling rdev_get_station() (see lockdep assert in ieee80211_get_station()). This fixes the following kernel NULL dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000 [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] SMP Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705 Hardware name: RPT (r1) (DT) Workqueue: bat_events batadv_v_elp_throughput_metric_update pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core] lr : sta_set_sinfo+0xcc/0xbd4 sp : ffff000007b43ad0 x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98 x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000 x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000 x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000 x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000 x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90 x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000 Call trace: ath10k_sta_statistics+0x10/0x2dc [ath10k_core] sta_set_sinfo+0xcc/0xbd4 ieee80211_get_station+0x2c/0x44 cfg80211_get_station+0x80/0x154 batadv_v_elp_get_throughput+0x138/0x1fc batadv_v_elp_throughput_metric_update+0x1c/0xa4 process_one_work+0x1ec/0x414 worker_thread+0x70/0x46c kthread+0xdc/0xe0 ret_from_fork+0x10/0x20 Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814) This happens because STA has time to disconnect and reconnect before batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In this situation, ath10k_sta_state() can be in the middle of resetting arsta data when the work queue get chance to be scheduled and ends up accessing it. Locking wiphy prevents that. CVE-2024-40911 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from softirq context. However using only spin_lock() to get sta->ps_lock in ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to take this same lock ending in deadlock. Below is an example of rcu stall that arises in such situation. rcu: INFO: rcu_sched self-detected stall on CPU rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996 rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4) CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742 Hardware name: RPT (r1) (DT) pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : queued_spin_lock_slowpath+0x58/0x2d0 lr : invoke_tx_handlers_early+0x5b4/0x5c0 sp : ffff00001ef64660 x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8 x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80 x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440 x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880 x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 Call trace: queued_spin_lock_slowpath+0x58/0x2d0 ieee80211_tx+0x80/0x12c ieee80211_tx_pending+0x110/0x278 tasklet_action_common.constprop.0+0x10c/0x144 tasklet_action+0x20/0x28 _stext+0x11c/0x284 ____do_softirq+0xc/0x14 call_on_irq_stack+0x24/0x34 do_softirq_own_stack+0x18/0x20 do_softirq+0x74/0x7c __local_bh_enable_ip+0xa0/0xa4 _ieee80211_wake_txqs+0x3b0/0x4b8 __ieee80211_wake_queue+0x12c/0x168 ieee80211_add_pending_skbs+0xec/0x138 ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480 ieee80211_mps_sta_status_update.part.0+0xd8/0x11c ieee80211_mps_sta_status_update+0x18/0x24 sta_apply_parameters+0x3bc/0x4c0 ieee80211_change_station+0x1b8/0x2dc nl80211_set_station+0x444/0x49c genl_family_rcv_msg_doit.isra.0+0xa4/0xfc genl_rcv_msg+0x1b0/0x244 netlink_rcv_skb+0x38/0x10c genl_rcv+0x34/0x48 netlink_unicast+0x254/0x2bc netlink_sendmsg+0x190/0x3b4 ____sys_sendmsg+0x1e8/0x218 ___sys_sendmsg+0x68/0x8c __sys_sendmsg+0x44/0x84 __arm64_sys_sendmsg+0x20/0x28 do_el0_svc+0x6c/0xe8 el0_svc+0x14/0x48 el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x14c/0x150 Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise on the same CPU that is holding the lock. CVE-2024-40912 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: defer exposing anon_fd until after copy_to_user() succeeds After installing the anonymous fd, we can now see it in userland and close it. However, at this point we may not have gotten the reference count of the cache, but we will put it during colse fd, so this may cause a cache UAF. So grab the cache reference count before fd_install(). In addition, by kernel convention, fd is taken over by the user land after fd_install(), and the kernel should not call close_fd() after that, i.e., it should call fd_install() after everything is ready, thus fd_install() is called after copy_to_user() succeeds. CVE-2024-40913 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found When reading EDID fails and driver reports no modes available, the DRM core adds an artificial 1024x786 mode to the connector. Unfortunately some variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not able to drive such mode, so report a safe 640x480 mode instead of nothing in case of the EDID reading failure. This fixes the following issue observed on Trats2 board since commit 13d5b040363c ("drm/exynos: do not return negative values from .get_modes()"): [drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations exynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops) exynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops) exynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b) exynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops) exynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops) [drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1 exynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state panel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c exynos-mixer 12c10000.mixer: timeout waiting for VSYNC ------------[ cut here ]------------ WARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8 [CRTC:70:crtc-1] vblank wait timed out Modules linked in: CPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events_unbound deferred_probe_work_func Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x68/0x88 dump_stack_lvl from __warn+0x7c/0x1c4 __warn from warn_slowpath_fmt+0x11c/0x1a8 warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8 drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184 commit_tail from drm_atomic_helper_commit+0x168/0x190 drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0 drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40 drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4 __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c drm_fb_helper_set_par from fbcon_init+0x3d8/0x550 fbcon_init from visual_init+0xc0/0x108 visual_init from do_bind_con_driver+0x1b8/0x3a4 do_bind_con_driver from do_take_over_console+0x140/0x1ec do_take_over_console from do_fbcon_takeover+0x70/0xd0 do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac fbcon_fb_registered from register_framebuffer+0x190/0x21c register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574 __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0 exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94 drm_client_register from exynos_drm_bind+0x160/0x190 exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8 try_to_bring_up_aggregate_device from __component_add+0xb0/0x170 __component_add from mixer_probe+0x74/0xcc mixer_probe from platform_probe+0x5c/0xb8 platform_probe from really_probe+0xe0/0x3d8 really_probe from __driver_probe_device+0x9c/0x1e4 __driver_probe_device from driver_probe_device+0x30/0xc0 driver_probe_device from __device_attach_driver+0xa8/0x120 __device_attach_driver from bus_for_each_drv+0x80/0xcc bus_for_each_drv from __device_attach+0xac/0x1fc __device_attach from bus_probe_device+0x8c/0x90 bus_probe_device from deferred_probe_work_func+0 ---truncated--- CVE-2024-40916 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: mst: fix suspicious rcu usage in br_mst_set_state I converted br_mst_set_state to RCU to avoid a vlan use-after-free but forgot to change the vlan group dereference helper. Switch to vlan group RCU deref helper to fix the suspicious rcu usage warning. CVE-2024-40920 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state Pass the already obtained vlan group pointer to br_mst_vlan_set_state() instead of dereferencing it again. Each caller has already correctly dereferenced it for their context. This change is required for the following suspicious RCU dereference fix. No functional changes intended. CVE-2024-40921 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: don't lock while !TASK_RUNNING There is a report of io_rsrc_ref_quiesce() locking a mutex while not TASK_RUNNING, which is due to forgetting restoring the state back after io_run_task_work_sig() and attempts to break out of the waiting loop. do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff815d2494>] prepare_to_wait+0xa4/0x380 kernel/sched/wait.c:237 WARNING: CPU: 2 PID: 397056 at kernel/sched/core.c:10099 __might_sleep+0x114/0x160 kernel/sched/core.c:10099 RIP: 0010:__might_sleep+0x114/0x160 kernel/sched/core.c:10099 Call Trace: <TASK> __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0xb4/0x940 kernel/locking/mutex.c:752 io_rsrc_ref_quiesce+0x590/0x940 io_uring/rsrc.c:253 io_sqe_buffers_unregister+0xa2/0x340 io_uring/rsrc.c:799 __io_uring_register io_uring/register.c:424 [inline] __do_sys_io_uring_register+0x5b9/0x2400 io_uring/register.c:613 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6f/0x77 CVE-2024-40922 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915/dpt: Make DPT object unshrinkable In some scenarios, the DPT object gets shrunk but the actual framebuffer did not and thus its still there on the DPT's vm->bound_list. Then it tries to rewrite the PTEs via a stale CPU mapping. This causes panic. [vsyrjala: Add TODO comment] (cherry picked from commit 51064d471c53dcc8eddd2333c3f1c1d9131ba36c) CVE-2024-40924 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: don't attempt to schedule hpd_work on headless cards If the card doesn't have display hardware, hpd_work and hpd_lock are left uninitialized which causes BUG when attempting to schedule hpd_work on runtime PM resume. Fix it by adding headless flag to DRM and skip any hpd if it's set. CVE-2024-40926 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: xhci: Handle TD clearing for multiple streams case When multiple streams are in use, multiple TDs might be in flight when an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for each, to ensure everything is reset properly and the caches cleared. Change the logic so that any N>1 TDs found active for different streams are deferred until after the first one is processed, calling xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to queue another command until we are done with all of them. Also change the error/"should never happen" paths to ensure we at least clear any affected TDs, even if we can't issue a command to clear the hardware cache, and complain loudly with an xhci_warn() if this ever happens. This problem case dates back to commit e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.") early on in the XHCI driver's life, when stream support was first added. It was then identified but not fixed nor made into a warning in commit 674f8438c121 ("xhci: split handling halted endpoints into two steps"), which added a FIXME comment for the problem case (without materially changing the behavior as far as I can tell, though the new logic made the problem more obvious). Then later, in commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs."), it was acknowledged again. [Mathias: commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.") was a targeted regression fix to the previously mentioned patch. Users reported issues with usb stuck after unmounting/disconnecting UAS devices. This rolled back the TD clearing of multiple streams to its original state.] Apparently the commit author was aware of the problem (yet still chose to submit it): It was still mentioned as a FIXME, an xhci_dbg() was added to log the problem condition, and the remaining issue was mentioned in the commit description. The choice of making the log type xhci_dbg() for what is, at this point, a completely unhandled and known broken condition is puzzling and unfortunate, as it guarantees that no actual users would see the log in production, thereby making it nigh undebuggable (indeed, even if you turn on DEBUG, the message doesn't really hint at there being a problem at all). It took me *months* of random xHC crashes to finally find a reliable repro and be able to do a deep dive debug session, which could all have been avoided had this unhandled, broken condition been actually reported with a warning, as it should have been as a bug intentionally left in unfixed (never mind that it shouldn't have been left in at all). > Another fix to solve clearing the caches of all stream rings with > cancelled TDs is needed, but not as urgent. 3 years after that statement and 14 years after the original bug was introduced, I think it's finally time to fix it. And maybe next time let's not leave bugs unfixed (that are actually worse than the original bug), and let's actually get people to review kernel commits please. Fixes xHC crashes and IOMMU faults with UAS devices when handling errors/faults. Easiest repro is to use `hdparm` to mark an early sector (e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop. At least in the case of JMicron controllers, the read errors end up having to cancel two TDs (for two queued requests to different streams) and the one that didn't get cleared properly ends up faulting the xHC entirely when it tries to access DMA pages that have since been unmapped, referred to by the stale TDs. This normally happens quickly (after two or three loops). After this fix, I left the `cat` in a loop running overnight and experienced no xHC failures, with all read errors recovered properly. Repro'd and tested on an Apple M1 Mac Mini (dwc3 host). On systems without an IOMMU, this bug would instead silently corrupt freed memory, making this a ---truncated--- CVE-2024-40927 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first. CVE-2024-40929 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: validate HE operation element parsing Validate that the HE operation element has the correct length before parsing it. CVE-2024-40930 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/exynos/vidi: fix memory leak in .get_modes() The duplicated EDID is never freed. Fix it. CVE-2024-40932 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Fix a memory leak on logi_dj_recv_send_report() error path. CVE-2024-40934 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cxl/region: Fix memregion leaks in devm_cxl_add_region() Move the mode verification to __create_region() before allocating the memregion to avoid the memregion leaks. CVE-2024-40936 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: landlock: Fix d_parent walk The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when trying to link a root mount point. This cannot work in practice because this directory is mounted, but the VFS check is done after the call to security_path_link(). Do not use source directory's d_parent when the source directory is the mount point. [mic: Fix commit message] CVE-2024-40938 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: wwan: iosm: Fix tainted pointer delete is case of region creation fail In case of region creation fail in ipc_devlink_create_region(), previously created regions delete process starts from tainted pointer which actually holds error code value. Fix this bug by decreasing region index before delete. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-40939 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't read past the mfuart notifcation In case the firmware sends a notification that claims it has more data than it has, we will read past that was allocated for the notification. Remove the print of the buffer, we won't see it by default. If needed, we can see the content with tracing. This was reported by KFENCE. CVE-2024-40941 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects The hwmp code use objects of type mesh_preq_queue, added to a list in ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath gets deleted, ex mesh interface is removed, the entries in that list will never get cleaned. Fix this by flushing all corresponding items of the preq_queue in mesh_path_flush_pending(). This should take care of KASAN reports like this: unreferenced object 0xffff00000668d800 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s) hex dump (first 32 bytes): 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>........... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 unreferenced object 0xffff000009051f00 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s) hex dump (first 32 bytes): 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy..... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 CVE-2024-40942 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix races between hole punching and AIO+DIO After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block", fstests/generic/300 become from always failed to sometimes failed: ======================================================================== [ 473.293420 ] run fstests generic/300 [ 475.296983 ] JBD2: Ignoring recovery information on journal [ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode. [ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found [ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted. [ 494.292018 ] OCFS2: File system is now read-only. [ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30 [ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3 fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072 ========================================================================= In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten extents to a list. extents are also inserted into extent tree in ocfs2_write_begin_nolock. Then another thread call fallocate to puch a hole at one of the unwritten extent. The extent at cpos was removed by ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list found there is no such extent at the cpos. T1 T2 T3 inode lock ... insert extents ... inode unlock ocfs2_fallocate __ocfs2_change_file_space inode lock lock ip_alloc_sem ocfs2_remove_inode_range inode ocfs2_remove_btree_range ocfs2_remove_extent ^---remove the extent at cpos 78723 ... unlock ip_alloc_sem inode unlock ocfs2_dio_end_io ocfs2_dio_end_io_write lock ip_alloc_sem ocfs2_mark_extent_written ocfs2_change_extent_flag ocfs2_search_extent_list ^---failed to find extent ... unlock ip_alloc_sem In most filesystems, fallocate is not compatible with racing with AIO+DIO, so fix it by adding to wait for all dio before fallocate/punch_hole like ext4. CVE-2024-40943 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Fix bug with call depth tracking The call to cc_platform_has() triggers a fault and system crash if call depth tracking is active because the GS segment has been reset by load_segments() and GS_BASE is now 0 but call depth tracking uses per-CPU variables to operate. Call cc_platform_has() earlier in the function when GS is still valid. [ bp: Massage. ] CVE-2024-40944 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu: Return right value in iommu_sva_bind_device() iommu_sva_bind_device() should return either a sva bond handle or an ERR_PTR value in error cases. Existing drivers (idxd and uacce) only check the return value with IS_ERR(). This could potentially lead to a kernel NULL pointer dereference issue if the function returns NULL instead of an error pointer. In reality, this doesn't cause any problems because iommu_sva_bind_device() only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA. In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will return an error, and the device drivers won't call iommu_sva_bind_device() at all. CVE-2024-40945 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: do not leave a dangling sk pointer, when socket creation fails It is possible to trigger a use-after-free by: * attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper * running traceroute -I 1.1.1.1 on a freshly booted VM A KASAN enabled kernel will log something like below (decoded and stripped): ================================================================== BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) Read of size 8 at addr ffff888007110dd8 by task traceroute/299 CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_report (mm/kasan/report.c:603) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092) bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e bpf_trampoline_6442506592+0x47/0xaf __sock_release (net/socket.c:652) __sock_create (net/socket.c:1601) ... Allocated by task 299 on cpu 2 at 78.328492s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007) sk_prot_alloc (net/core/sock.c:2075) sk_alloc (net/core/sock.c:2134) inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Freed by task 299 on cpu 2 at 78.328502s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) kasan_save_free_info (mm/kasan/generic.c:582) poison_slab_object (mm/kasan/common.c:242) __kasan_slab_free (mm/kasan/common.c:256) kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511) __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208) inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by clearing the struct socket reference in sk_common_release() to cover all protocol families create functions, which may already attached the reference to the sk object with sock_init_data(). CVE-2024-40954 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance may cause issue for the list iterator when the descriptor is reused by another thread without it being deleted from the list. CVE-2024-40956 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for PREROUTING hook, in PREROUTING hook, we should passing a valid indev, and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer dereference, as below: [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090 [74830.655633] #PF: supervisor read access in kernel mode [74830.657888] #PF: error_code(0x0000) - not-present page [74830.659500] PGD 0 P4D 0 [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI ... [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter] ... [74830.689725] Call Trace: [74830.690402] <IRQ> [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables] [74830.694275] ? __die_body.cold+0x8/0xd [74830.695205] ? page_fault_oops+0xac/0x140 [74830.696244] ? exc_page_fault+0x62/0x150 [74830.697225] ? asm_exc_page_fault+0x22/0x30 [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter] [74830.699540] ipt_do_table+0x286/0x710 [ip_tables] [74830.700758] ? ip6_route_input+0x19d/0x240 [74830.701752] nf_hook_slow+0x3f/0xb0 [74830.702678] input_action_end_dx4+0x19b/0x1e0 [74830.703735] ? input_action_end_t+0xe0/0xe0 [74830.704734] seg6_local_input_core+0x2d/0x60 [74830.705782] lwtunnel_input+0x5b/0xb0 [74830.706690] __netif_receive_skb_one_core+0x63/0xa0 [74830.707825] process_backlog+0x99/0x140 [74830.709538] __napi_poll+0x2c/0x160 [74830.710673] net_rx_action+0x296/0x350 [74830.711860] __do_softirq+0xcb/0x2ac [74830.713049] do_softirq+0x63/0x90 input_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally trigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback(): static bool rpfilter_is_loopback(const struct sk_buff *skb, const struct net_device *in) { // in is NULL return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK; } CVE-2024-40957 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netns: Make get_net_ns() handle zero refcount net Syzkaller hit a warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0 Modules linked in: CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0xdf/0x1d0 Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1 RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001 RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139 R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4 R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040 FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0xa3/0xc0 ? __warn+0xa5/0x1c0 ? refcount_warn_saturate+0xdf/0x1d0 ? report_bug+0x1fc/0x2d0 ? refcount_warn_saturate+0xdf/0x1d0 ? handle_bug+0xa1/0x110 ? exc_invalid_op+0x3c/0xb0 ? asm_exc_invalid_op+0x1f/0x30 ? __warn_printk+0xcc/0x140 ? __warn_printk+0xd5/0x140 ? refcount_warn_saturate+0xdf/0x1d0 get_net_ns+0xa4/0xc0 ? __pfx_get_net_ns+0x10/0x10 open_related_ns+0x5a/0x130 __tun_chr_ioctl+0x1616/0x2370 ? __sanitizer_cov_trace_switch+0x58/0xa0 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30 ? __pfx_tun_chr_ioctl+0x10/0x10 tun_chr_ioctl+0x2f/0x40 __x64_sys_ioctl+0x11b/0x160 x64_sys_call+0x1211/0x20d0 do_syscall_64+0x9e/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5b28f165d7 Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8 RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7 RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003 RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0 R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730 R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... This is trigger as below: ns0 ns1 tun_set_iff() //dev is tun0 tun->dev = dev //ip link set tun0 netns ns1 put_net() //ref is 0 __tun_chr_ioctl() //TUNGETDEVNETNS net = dev_net(tun->dev); open_related_ns(&net->ns, get_net_ns); //ns1 get_net_ns() get_net() //addition on 0 Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this CVE-2024-40958 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64 Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00 RSP: 0018:ffffc90000117378 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7 RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98 RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000 R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline] xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline] xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541 xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline] xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201 xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline] xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309 ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256 send6+0x611/0xd20 drivers/net/wireguard/socket.c:139 wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178 wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200 wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40 wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CVE-2024-40959 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind() The cs35l41_hda_unbind() function clears the hda_component entry matching it's index and then dereferences the codec pointer held in the first element of the hda_component array, this is an issue when the device index was 0. Instead use the codec pointer stashed in the cs35l41_hda structure as it will still be valid. CVE-2024-40964 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: imx: Introduce timeout when waiting on transmitter empty By waiting at most 1 second for USR2_TXDC to be set, we avoid a potential deadlock. In case of the timeout, there is not much we can do, so we simply ignore the transmitter state and optimistically try to continue. CVE-2024-40967 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/lima: mask irqs in timeout path before hard reset There is a race condition in which a rendering job might take just long enough to trigger the drm sched job timeout handler but also still complete before the hard reset is done by the timeout handler. This runs into race conditions not expected by the timeout handler. In some very specific cases it currently may result in a refcount imbalance on lima_pm_idle, with a stack dump such as: [10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0 ... [10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0 ... [10136.669628] Call trace: [10136.669634] lima_devfreq_record_idle+0xa0/0xb0 [10136.669646] lima_sched_pipe_task_done+0x5c/0xb0 [10136.669656] lima_gp_irq_handler+0xa8/0x120 [10136.669666] __handle_irq_event_percpu+0x48/0x160 [10136.669679] handle_irq_event+0x4c/0xc0 We can prevent that race condition entirely by masking the irqs at the beginning of the timeout handler, at which point we give up on waiting for that job entirely. The irqs will be enabled again at the next hard reset which is already done as a recovery by the timeout handler. CVE-2024-40976 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921s: fix potential hung tasks during chip recovery During chip recovery (e.g. chip reset), there is a possible situation that kernel worker reset_work is holding the lock and waiting for kernel thread stat_worker to be parked, while stat_worker is waiting for the release of the same lock. It causes a deadlock resulting in the dumping of hung tasks messages and possible rebooting of the device. This patch prevents the execution of stat_worker during the chip recovery. CVE-2024-40977 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix crash while reading debugfs attribute The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly on a __user pointer, which results into the crash. To fix this issue, use a small local stack buffer for sprintf() and then call simple_read_from_buffer(), which in turns make the copy_to_user() call. BUG: unable to handle page fault for address: 00007f4801111000 PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0 Oops: 0002 [#1] PREEMPT SMP PTI Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023 RIP: 0010:memcpy_orig+0xcd/0x130 RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202 RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000 RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572 R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af FS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? page_fault_oops+0x183/0x510 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x22/0x30 ? memcpy_orig+0xcd/0x130 vsnprintf+0x102/0x4c0 sprintf+0x51/0x80 qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324] full_proxy_read+0x50/0x80 vfs_read+0xa5/0x2e0 ? folio_add_new_anon_rmap+0x44/0xa0 ? set_pte_at+0x15/0x30 ? do_pte_missing+0x426/0x7f0 ksys_read+0xa5/0xe0 do_syscall_64+0x58/0x80 ? __count_memcg_events+0x46/0x90 ? count_memcg_event_mm+0x3d/0x60 ? handle_mm_fault+0x196/0x2f0 ? do_user_addr_fault+0x267/0x890 ? exc_page_fault+0x69/0x150 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f4800f20b4d CVE-2024-40978 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: batman-adv: bypass empty buckets in batadv_purge_orig_ref() Many syzbot reports are pointing to soft lockups in batadv_purge_orig_ref() [1] Root cause is unknown, but we can avoid spending too much time there and perhaps get more interesting reports. [1] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621] Modules linked in: irq event stamp: 6182794 hardirqs last enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline] softirqs last enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline] softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271 CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_purge_orig pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline] pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388 lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 sp : ffff800099007970 x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000 x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001 x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4 x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0 x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001 x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003 x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000 Call trace: __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline] __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51 lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103 sp : ffff800093a17d30 x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4 x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002 x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000 x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396 x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001 ---truncated--- CVE-2024-40981 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 low ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-40982 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Undo the modifications made in commit d410ee5109a1 ("ACPICA: avoid "Info: mapping multiple BARs. Your kernel is fine.""). The initial purpose of this commit was to stop memory mappings for operation regions from overlapping page boundaries, as it can trigger warnings if different page attributes are present. However, it was found that when this situation arises, mapping continues until the boundary's end, but there is still an attempt to read/write the entire length of the map, leading to a NULL pointer deference. For example, if a four-byte mapping request is made but only one byte is mapped because it hits the current page boundary's end, a four-byte read/write attempt is still made, resulting in a NULL pointer deference. Instead, map the entire length, as the ACPI specification does not mandate that it must be within the same page boundary. It is permissible for it to be mapped across different regions. CVE-2024-40984 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix UBSAN warning in kv_dpm.c Adds bounds check for sumo_vid_mapping_entry. CVE-2024-40987 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix UBSAN warning in kv_dpm.c Adds bounds check for sumo_vid_mapping_entry. CVE-2024-40988 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Disassociate vcpus from redistributor region on teardown When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu. CVE-2024-40989 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 important In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Add check for srq max_sge attribute max_sge attribute is passed by the user, and is inserted and used unchecked, so verify that the value doesn't exceed maximum allowed value before using it. CVE-2024-40990 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix responder length checking for UD request packets According to the IBA specification: If a UD request packet is detected with an invalid length, the request shall be an invalid request and it shall be silently dropped by the responder. The responder then waits for a new request packet. commit 689c5421bfe0 ("RDMA/rxe: Fix incorrect responder length checking") defers responder length check for UD QPs in function `copy_data`. But it introduces a regression issue for UD QPs. When the packet size is too large to fit in the receive buffer. `copy_data` will return error code -EINVAL. Then `send_data_in` will return RESPST_ERR_MALFORMED_WQE. UD QP will transfer into ERROR state. CVE-2024-40992 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ptp: fix integer overflow in max_vclocks_store On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc() to do the allocation to prevent this. CVE-2024-40994 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 important In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() syzbot found hanging tasks waiting on rtnl_lock [1] A reproducer is available in the syzbot bug. When a request to add multiple actions with the same index is sent, the second request will block forever on the first request. This holds rtnl_lock, and causes tasks to hang. Return -EAGAIN to prevent infinite looping, while keeping documented behavior. [1] INFO: task kworker/1:0:5088 blocked for more than 143 seconds. Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000 Workqueue: events_power_efficient reg_check_chans_work Call Trace: <TASK> context_switch kernel/sched/core.c:5409 [inline] __schedule+0xf15/0x5d00 kernel/sched/core.c:6746 __schedule_loop kernel/sched/core.c:6823 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6838 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 wiphy_lock include/net/cfg80211.h:5953 [inline] reg_leave_invalid_chans net/wireless/reg.c:2466 [inline] reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481 CVE-2024-40995 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cpufreq: amd-pstate: fix memory leak on CPU EPP exit The cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is not freed in the analogous exit function, so fix that. [ rjw: Subject and changelog edits ] CVE-2024-40997 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: block/ioctl: prefer different overflow check Running syzkaller with the newly reintroduced signed integer overflow sanitizer shows this report: [ 62.982337] ------------[ cut here ]------------ [ 62.985692] cgroup: Invalid name [ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46 [ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1 [ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long' [ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1 [ 62.999369] random: crng reseeded on system resumption [ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000) [ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 [ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 63.000682] Call Trace: [ 63.000686] <TASK> [ 63.000731] dump_stack_lvl+0x93/0xd0 [ 63.000919] __get_user_pages+0x903/0xd30 [ 63.001030] __gup_longterm_locked+0x153e/0x1ba0 [ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50 [ 63.001072] ? try_get_folio+0x29c/0x2d0 [ 63.001083] internal_get_user_pages_fast+0x1119/0x1530 [ 63.001109] iov_iter_extract_pages+0x23b/0x580 [ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220 [ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410 [ 63.001297] __iomap_dio_rw+0xab4/0x1810 [ 63.001316] iomap_dio_rw+0x45/0xa0 [ 63.001328] ext4_file_write_iter+0xdde/0x1390 [ 63.001372] vfs_write+0x599/0xbd0 [ 63.001394] ksys_write+0xc8/0x190 [ 63.001403] do_syscall_64+0xd4/0x1b0 [ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60 [ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 63.001535] RIP: 0033:0x7f7fd3ebf539 [ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539 [ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004 [ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000 [ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8 ... [ 63.018142] ---[ end trace ]--- Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang; It was re-enabled in the kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow sanitizer"). Let's rework this overflow checking logic to not actually perform an overflow during the check itself, thus avoiding the UBSAN splat. [1]: https://github.com/llvm/llvm-project/pull/82432 CVE-2024-41000 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/sqpoll: work around a potential audit memory leak kmemleak complains that there's a memory leak related to connect handling: unreferenced object 0xffff0001093bdf00 (size 128): comm "iou-sqp-455", pid 457, jiffies 4294894164 hex dump (first 32 bytes): 02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 2e481b1a): [<00000000c0a26af4>] kmemleak_alloc+0x30/0x38 [<000000009c30bb45>] kmalloc_trace+0x228/0x358 [<000000009da9d39f>] __audit_sockaddr+0xd0/0x138 [<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8 [<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4 [<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48 [<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4 [<00000000d999b491>] ret_from_fork+0x10/0x20 which can can happen if: 1) The command type does something on the prep side that triggers an audit call. 2) The thread hasn't done any operations before this that triggered an audit call inside ->issue(), where we have audit_uring_entry() and audit_uring_exit(). Work around this by issuing a blanket NOP operation before the SQPOLL does anything. CVE-2024-41001 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/sec - Fix memory leak for sec resource release The AIV is one of the SEC resources. When releasing resources, it need to release the AIV resources at the same time. Otherwise, memory leakage occurs. The aiv resource release is added to the sec resource release function. CVE-2024-41002 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Build event generation tests only as modules The kprobes and synth event generation test modules add events and lock (get a reference) those event file reference in module init function, and unlock and delete it in module exit function. This is because those are designed for playing as modules. If we make those modules as built-in, those events are left locked in the kernel, and never be removed. This causes kprobe event self-test failure as below. [ 97.349708] ------------[ cut here ]------------ [ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.357106] Modules linked in: [ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14 [ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90 [ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286 [ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000 [ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68 [ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 [ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000 [ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000 [ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000 [ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0 [ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 97.391196] Call Trace: [ 97.391967] <TASK> [ 97.392647] ? __warn+0xcc/0x180 [ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.395181] ? report_bug+0xbd/0x150 [ 97.396234] ? handle_bug+0x3e/0x60 [ 97.397311] ? exc_invalid_op+0x1a/0x50 [ 97.398434] ? asm_exc_invalid_op+0x1a/0x20 [ 97.399652] ? trace_kprobe_is_busy+0x20/0x20 [ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90 [ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.403773] ? init_kprobe_trace+0x50/0x50 [ 97.404972] do_one_initcall+0x112/0x240 [ 97.406113] do_initcall_level+0x95/0xb0 [ 97.407286] ? kernel_init+0x1a/0x1a0 [ 97.408401] do_initcalls+0x3f/0x70 [ 97.409452] kernel_init_freeable+0x16f/0x1e0 [ 97.410662] ? rest_init+0x1f0/0x1f0 [ 97.411738] kernel_init+0x1a/0x1a0 [ 97.412788] ret_from_fork+0x39/0x50 [ 97.413817] ? rest_init+0x1f0/0x1f0 [ 97.414844] ret_from_fork_asm+0x11/0x20 [ 97.416285] </TASK> [ 97.417134] irq event stamp: 13437323 [ 97.418376] hardirqs last enabled at (13437337): [<ffffffff8110bc0c>] console_unlock+0x11c/0x150 [ 97.421285] hardirqs last disabled at (13437370): [<ffffffff8110bbf1>] console_unlock+0x101/0x150 [ 97.423838] softirqs last enabled at (13437366): [<ffffffff8108e17f>] handle_softirqs+0x23f/0x2a0 [ 97.426450] softirqs last disabled at (13437393): [<ffffffff8108e346>] __irq_exit_rcu+0x66/0xd0 [ 97.428850] ---[ end trace 0000000000000000 ]--- And also, since we can not cleanup dynamic_event file, ftracetest are failed too. To avoid these issues, build these tests only as modules. CVE-2024-41004 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 low In the Linux kernel, the following vulnerability has been resolved: tcp: avoid too many retransmit packets If a TCP socket is using TCP_USER_TIMEOUT, and the other peer retracted its window to zero, tcp_retransmit_timer() can retransmit a packet every two jiffies (2 ms for HZ=1000), for about 4 minutes after TCP_USER_TIMEOUT has 'expired'. The fix is to make sure tcp_rtx_probe0_timed_out() takes icsk->icsk_user_timeout into account. Before blamed commit, the socket would not timeout after icsk->icsk_user_timeout, but would use standard exponential backoff for the retransmits. Also worth noting that before commit e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0"), the issue would last 2 minutes instead of 4. CVE-2024-41007 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that "owns" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter. CVE-2024-41009 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix too early release of tcx_entry Pedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported an issue that the tcx_entry can be released too early leading to a use after free (UAF) when an active old-style ingress or clsact qdisc with a shared tc block is later replaced by another ingress or clsact instance. Essentially, the sequence to trigger the UAF (one example) can be as follows: 1. A network namespace is created 2. An ingress qdisc is created. This allocates a tcx_entry, and &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the same time, a tcf block with index 1 is created. 3. chain0 is attached to the tcf block. chain0 must be connected to the block linked to the ingress qdisc to later reach the function tcf_chain0_head_change_cb_del() which triggers the UAF. 4. Create and graft a clsact qdisc. This causes the ingress qdisc created in step 1 to be removed, thus freeing the previously linked tcx_entry: rtnetlink_rcv_msg() => tc_modify_qdisc() => qdisc_create() => clsact_init() [a] => qdisc_graft() => qdisc_destroy() => __qdisc_destroy() => ingress_destroy() [b] => tcx_entry_free() => kfree_rcu() // tcx_entry freed 5. Finally, the network namespace is closed. This registers the cleanup_net worker, and during the process of releasing the remaining clsact qdisc, it accesses the tcx_entry that was already freed in step 4, causing the UAF to occur: cleanup_net() => ops_exit_list() => default_device_exit_batch() => unregister_netdevice_many() => unregister_netdevice_many_notify() => dev_shutdown() => qdisc_put() => clsact_destroy() [c] => tcf_block_put_ext() => tcf_chain0_head_change_cb_del() => tcf_chain_head_change_item() => clsact_chain_head_change() => mini_qdisc_pair_swap() // UAF There are also other variants, the gist is to add an ingress (or clsact) qdisc with a specific shared block, then to replace that qdisc, waiting for the tcx_entry kfree_rcu() to be executed and subsequently accessing the current active qdisc's miniq one way or another. The correct fix is to turn the miniq_active boolean into a counter. What can be observed, at step 2 above, the counter transitions from 0->1, at step [a] from 1->2 (in order for the miniq object to remain active during the replacement), then in [b] from 2->1 and finally [c] 1->0 with the eventual release. The reference counter in general ranges from [0,2] and it does not need to be atomic since all access to the counter is protected by the rtnl mutex. With this in place, there is no longer a UAF happening and the tcx_entry is freed at the correct time. CVE-2024-41010 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space. CVE-2024-41011 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 important In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush(). CVE-2024-41012 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: add bounds checking to ocfs2_check_dir_entry() This adds sanity checks for ocfs2_dir_entry to make sure all members of ocfs2_dir_entry don't stray beyond valid memory region. CVE-2024-41015 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 low In the Linux kernel, the following vulnerability has been resolved: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() xattr in ocfs2 maybe 'non-indexed', which saved with additional space requested. It's better to check if the memory is out of bound before memcmp, although this possibility mainly comes from crafted poisonous images. CVE-2024-41016 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: filelock: Fix fcntl/close race recovery compat path When I wrote commit 3cad1bc01041 ("filelock: Remove locks reliably when fcntl/close race is detected"), I missed that there are two copies of the code I was patching: The normal version, and the version for 64-bit offsets on 32-bit kernels. Thanks to Greg KH for stumbling over this while doing the stable backport... Apply exactly the same fix to the compat path for 32-bit kernels. CVE-2024-41020 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The "instance" variable needs to be signed for the error handling to work. CVE-2024-41022 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-41024 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix memory leak in audio daemon attach operation Audio PD daemon send the name as part of the init IOCTL call. This name needs to be copied to kernel for which memory is allocated. This memory is never freed which might result in memory leak. Free the memory when it is not needed. CVE-2024-41025 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_acpi: Fix array out-of-bounds access In order to use toshiba_dmi_quirks[] together with the standard DMI matching functions, it must be terminated by a empty entry. Since this entry is missing, an array out-of-bounds access occurs every time the quirk list is processed. Fix this by adding the terminating empty entry. CVE-2024-41028 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: check if a hash-index is in cpu_possible_mask The problem is that there are systems where cpu_possible_mask has gaps between set CPUs, for example SPARC. In this scenario addr_to_vb_xa() hash function can return an index which accesses to not-possible and not setup CPU area using per_cpu() macro. This results in an oops on SPARC. A per-cpu vmap_block_queue is also used as hash table, incorrectly assuming the cpu_possible_mask has no gaps. Fix it by adjusting an index to a next possible CPU. CVE-2024-41032 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor Syzbot has identified a bug in usbcore (see the Closes: tag below) caused by our assumption that the reserved bits in an endpoint descriptor's bEndpointAddress field will always be 0. As a result of the bug, the endpoint_is_duplicate() routine in config.c (and possibly other routines as well) may believe that two descriptors are for distinct endpoints, even though they have the same direction and endpoint number. This can lead to confusion, including the bug identified by syzbot (two descriptors with matching endpoint numbers and directions, where one was interrupt and the other was bulk). To fix the bug, we will clear the reserved bits in bEndpointAddress when we parse the descriptor. (Note that both the USB-2.0 and USB-3.1 specs say these bits are "Reserved, reset to zero".) This requires us to make a copy of the descriptor earlier in usb_parse_endpoint() and use the copy instead of the original when checking for duplicates. CVE-2024-41035 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Fix deadlock with the SPI chip variant When SMP is enabled and spinlocks are actually functional then there is a deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi and ks8851_irq: watchdog: BUG: soft lockup - CPU#0 stuck for 27s! call trace: queued_spin_lock_slowpath+0x100/0x284 do_raw_spin_lock+0x34/0x44 ks8851_start_xmit_spi+0x30/0xb8 ks8851_start_xmit+0x14/0x20 netdev_start_xmit+0x40/0x6c dev_hard_start_xmit+0x6c/0xbc sch_direct_xmit+0xa4/0x22c __qdisc_run+0x138/0x3fc qdisc_run+0x24/0x3c net_tx_action+0xf8/0x130 handle_softirqs+0x1ac/0x1f0 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x3c/0x58 do_softirq_own_stack+0x1c/0x28 __irq_exit_rcu+0x54/0x9c irq_exit_rcu+0x10/0x1c el1_interrupt+0x38/0x50 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x64/0x68 __netif_schedule+0x6c/0x80 netif_tx_wake_queue+0x38/0x48 ks8851_irq+0xb8/0x2c8 irq_thread_fn+0x2c/0x74 irq_thread+0x10c/0x1b0 kthread+0xc8/0xd8 ret_from_fork+0x10/0x20 This issue has not been identified earlier because tests were done on a device with SMP disabled and so spinlocks were actually NOPs. Now use spin_(un)lock_bh for TX queue related locking to avoid execution of softirq work synchronously that would lead to a deadlock. CVE-2024-41036 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: fix null deref on system suspend entry When system enters suspend with an active stream, SOF core calls hw_params_upon_resume(). On Intel platforms with HDA DMA used to manage the link DMA, this leads to call chain of hda_dsp_set_hw_params_upon_resume() -> hda_dsp_dais_suspend() -> hda_dai_suspend() -> hda_ipc4_post_trigger() A bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first, which clears hext_stream->link_substream, and then hda_ipc4_post_trigger() is called with a NULL snd_pcm_substream pointer. CVE-2024-41037 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers Check that all fields of a V2 algorithm header fit into the available firmware data buffer. The wmfw V2 format introduced variable-length strings in the algorithm block header. This means the overall header length is variable, and the position of most fields varies depending on the length of the string fields. Each field must be checked to ensure that it does not overflow the firmware data buffer. As this ia bugfix patch, the fixes avoid making any significant change to the existing code. This makes it easier to review and less likely to introduce new bugs. CVE-2024-41038 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix overflow checking of wmfw header Fix the checking that firmware file buffer is large enough for the wmfw header, to prevent overrunning the buffer. The original code tested that the firmware data buffer contained enough bytes for the sums of the size of the structs wmfw_header + wmfw_adsp1_sizes + wmfw_footer But wmfw_adsp1_sizes is only used on ADSP1 firmware. For ADSP2 and Halo Core the equivalent struct is wmfw_adsp2_sizes, which is 4 bytes longer. So the length check didn't guarantee that there are enough bytes in the firmware buffer for a header with wmfw_adsp2_sizes. This patch splits the length check into three separate parts. Each of the wmfw_header, wmfw_adsp?_sizes and wmfw_footer are checked separately before they are used. CVE-2024-41039 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix UAF when resolving a clash KASAN reports the following UAF: BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] Read of size 1 at addr ffff888c07603600 by task handler130/6469 Call Trace: <IRQ> dump_stack_lvl+0x48/0x70 print_address_description.constprop.0+0x33/0x3d0 print_report+0xc0/0x2b0 kasan_report+0xd0/0x120 __asan_load1+0x6c/0x80 tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] tcf_ct_act+0x886/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 __irq_exit_rcu+0x82/0xc0 irq_exit_rcu+0xe/0x20 common_interrupt+0xa1/0xb0 </IRQ> <TASK> asm_common_interrupt+0x27/0x40 Allocated by task 6469: kasan_save_stack+0x38/0x70 kasan_set_track+0x25/0x40 kasan_save_alloc_info+0x1e/0x40 __kasan_krealloc+0x133/0x190 krealloc+0xaa/0x130 nf_ct_ext_add+0xed/0x230 [nf_conntrack] tcf_ct_act+0x1095/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 Freed by task 6469: kasan_save_stack+0x38/0x70 kasan_set_track+0x25/0x40 kasan_save_free_info+0x2b/0x60 ____kasan_slab_free+0x180/0x1f0 __kasan_slab_free+0x12/0x30 slab_free_freelist_hook+0xd2/0x1a0 __kmem_cache_free+0x1a2/0x2f0 kfree+0x78/0x120 nf_conntrack_free+0x74/0x130 [nf_conntrack] nf_ct_destroy+0xb2/0x140 [nf_conntrack] __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack] nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack] __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack] tcf_ct_act+0x12ad/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 The ct may be dropped if a clash has been resolved but is still passed to the tcf_ct_flow_table_process_conn function for further usage. This issue can be fixed by retrieving ct from skb again after confirming conntrack. CVE-2024-41040 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). syzkaller triggered the warning [0] in udp_v4_early_demux(). In udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount of the looked-up sk and use sock_pfree() as skb->destructor, so we check SOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace period. Currently, SOCK_RCU_FREE is flagged for a bound socket after being put into the hash table. Moreover, the SOCK_RCU_FREE check is done too early in udp_v[46]_early_demux() and sk_lookup(), so there could be a small race window: CPU1 CPU2 ---- ---- udp_v4_early_demux() udp_lib_get_port() | |- hlist_add_head_rcu() |- sk = __udp4_lib_demux_lookup() | |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk)); `- sock_set_flag(sk, SOCK_RCU_FREE) We had the same bug in TCP and fixed it in commit 871019b22d1b ("net: set SOCK_RCU_FREE before inserting socket into hashtable"). Let's apply the same fix for UDP. [0]: WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599 Modules linked in: CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599 Code: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52 RSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c RDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001 RBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680 R13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e FS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Call Trace: <TASK> ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349 ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624 __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738 netif_receive_skb_internal net/core/dev.c:5824 [inline] netif_receive_skb+0x271/0x300 net/core/dev.c:5884 tun_rx_batched drivers/net/tun.c:1549 [inline] tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002 tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048 new_sync_write fs/read_write.c:497 [inline] vfs_write+0x76f/0x8d0 fs/read_write.c:590 ksys_write+0xbf/0x190 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x41/0x50 fs/read_write.c:652 x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fc44a68bc1f Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48 RSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f R ---truncated--- CVE-2024-41041 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 low In the Linux kernel, the following vulnerability has been resolved: ppp: reject claimed-as-LCP but actually malformed packets Since 'ppp_async_encode()' assumes valid LCP packets (with code from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that LCP packet has an actual body beyond PPP_LCP header bytes, and reject claimed-as-LCP but actually malformed data otherwise. CVE-2024-41044 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Defer work in bpf_timer_cancel_and_free Currently, the same case as previous patch (two timer callbacks trying to cancel each other) can be invoked through bpf_map_update_elem as well, or more precisely, freeing map elements containing timers. Since this relies on hrtimer_cancel as well, it is prone to the same deadlock situation as the previous patch. It would be sufficient to use hrtimer_try_to_cancel to fix this problem, as the timer cannot be enqueued after async_cancel_and_free. Once async_cancel_and_free has been done, the timer must be reinitialized before it can be armed again. The callback running in parallel trying to arm the timer will fail, and freeing bpf_hrtimer without waiting is sufficient (given kfree_rcu), and bpf_timer_cb will return HRTIMER_NORESTART, preventing the timer from being rearmed again. However, there exists a UAF scenario where the callback arms the timer before entering this function, such that if cancellation fails (due to timer callback invoking this routine, or the target timer callback running concurrently). In such a case, if the timer expiration is significantly far in the future, the RCU grace period expiration happening before it will free the bpf_hrtimer state and along with it the struct hrtimer, that is enqueued. Hence, it is clear cancellation needs to occur after async_cancel_and_free, and yet it cannot be done inline due to deadlock issues. We thus modify bpf_timer_cancel_and_free to defer work to the global workqueue, adding a work_struct alongside rcu_head (both used at _different_ points of time, so can share space). Update existing code comments to reflect the new state of affairs. CVE-2024-41045 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip zero length skb in sk_msg_recvmsg When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch platform, the following kernel panic occurs: [...] Oops[#1]: CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 ... ... ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560 ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 0000000c (PPLV0 +PIE +PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) BADV: 0000000000000040 PRID: 0014c011 (Loongson-64bit, Loongson-3C5000) Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...) Stack : ... Call Trace: [<9000000004162774>] copy_page_to_iter+0x74/0x1c0 [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560 [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0 [<90000000049aae34>] inet_recvmsg+0x54/0x100 [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0 [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0 [<900000000481e27c>] sys_recvfrom+0x1c/0x40 [<9000000004c076ec>] do_syscall+0x8c/0xc0 [<9000000003731da4>] handle_syscall+0xc4/0x160 Code: ... ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception Kernel relocated by 0x3510000 .text @ 0x9000000003710000 .data @ 0x9000000004d70000 .bss @ 0x9000000006469400 ---[ end Kernel panic - not syncing: Fatal exception ]--- [...] This crash happens every time when running sockmap_skb_verdict_shutdown subtest in sockmap_basic. This crash is because a NULL pointer is passed to page_address() in the sk_msg_recvmsg(). Due to the different implementations depending on the architecture, page_address(NULL) will trigger a panic on Loongarch platform but not on x86 platform. So this bug was hidden on x86 platform for a while, but now it is exposed on Loongarch platform. The root cause is that a zero length skb (skb->len == 0) was put on the queue. This zero length skb is a TCP FIN packet, which was sent by shutdown(), invoked in test_sockmap_skb_verdict_shutdown(): shutdown(p1, SHUT_WR); In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no page is put to this sge (see sg_set_page in sg_set_page), but this empty sge is queued into ingress_msg list. And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by sg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it to kmap_local_page() and to page_address(), then kernel panics. To solve this, we should skip this zero length skb. So in sk_msg_recvmsg(), if copy is zero, that means it's a zero length skb, skip invoking copy_page_to_iter(). We are using the EFAULT return triggered by copy_page_to_iter to check for is_fin in tcp_bpf.c. CVE-2024-41048 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen. CVE-2024-41049 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: cyclic allocation of msg_id to avoid reuse Reusing the msg_id after a maliciously completed reopen request may cause a read request to remain unprocessed and result in a hung, as shown below: t1 | t2 | t3 ------------------------------------------------- cachefiles_ondemand_select_req cachefiles_ondemand_object_is_close(A) cachefiles_ondemand_set_object_reopening(A) queue_work(fscache_object_wq, &info->work) ondemand_object_worker cachefiles_ondemand_init_object(A) cachefiles_ondemand_send_req(OPEN) // get msg_id 6 wait_for_completion(&req_A->done) cachefiles_ondemand_daemon_read // read msg_id 6 req_A cachefiles_ondemand_get_fd copy_to_user // Malicious completion msg_id 6 copen 6,-1 cachefiles_ondemand_copen complete(&req_A->done) // will not set the object to close // because ondemand_id && fd is valid. // ondemand_object_worker() is done // but the object is still reopening. // new open req_B cachefiles_ondemand_init_object(B) cachefiles_ondemand_send_req(OPEN) // reuse msg_id 6 process_open_req copen 6,A.size // The expected failed copen was executed successfully Expect copen to fail, and when it does, it closes fd, which sets the object to close, and then close triggers reopen again. However, due to msg_id reuse resulting in a successful copen, the anonymous fd is not closed until the daemon exits. Therefore read requests waiting for reopen to complete may trigger hung task. To avoid this issue, allocate the msg_id cyclically to avoid reusing the msg_id for a very short duration of time. CVE-2024-41050 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: wait for ondemand_object_worker to finish when dropping object When queuing ondemand_object_worker() to re-open the object, cachefiles_object is not pinned. The cachefiles_object may be freed when the pending read request is completed intentionally and the related erofs is umounted. If ondemand_object_worker() runs after the object is freed, it will incur use-after-free problem as shown below. process A processs B process C process D cachefiles_ondemand_send_req() // send a read req X // wait for its completion // close ondemand fd cachefiles_ondemand_fd_release() // set object as CLOSE cachefiles_ondemand_daemon_read() // set object as REOPENING queue_work(fscache_wq, &info->ondemand_work) // close /dev/cachefiles cachefiles_daemon_release cachefiles_flush_reqs complete(&req->done) // read req X is completed // umount the erofs fs cachefiles_put_object() // object will be freed cachefiles_ondemand_deinit_obj_info() kmem_cache_free(object) // both info and object are freed ondemand_object_worker() When dropping an object, it is no longer necessary to reopen the object, so use cancel_work_sync() to cancel or wait for ondemand_object_worker() to finish. CVE-2024-41051 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files Use strnlen() instead of strlen() on the algorithm and coefficient name string arrays in V1 wmfw files. In V1 wmfw files the name is a NUL-terminated string in a fixed-size array. cs_dsp should protect against overrunning the array if the NUL terminator is missing. CVE-2024-41056 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600 Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109 CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566 Call Trace: <TASK> kasan_report+0x93/0xc0 cachefiles_withdraw_cookie+0x4d9/0x600 fscache_cookie_state_machine+0x5c8/0x1230 fscache_cookie_worker+0x91/0x1c0 process_one_work+0x7fa/0x1800 [...] Allocated by task 117: kmalloc_trace+0x1b3/0x3c0 cachefiles_acquire_volume+0xf3/0x9c0 fscache_create_volume_work+0x97/0x150 process_one_work+0x7fa/0x1800 [...] Freed by task 120301: kfree+0xf1/0x2c0 cachefiles_withdraw_cache+0x3fa/0x920 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 do_exit+0x87a/0x29b0 [...] ================================================================== Following is the process that triggers the issue: p1 | p2 ------------------------------------------------------------ fscache_begin_lookup fscache_begin_volume_access fscache_cache_is_live(fscache_cache) cachefiles_daemon_release cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache fscache_withdraw_cache fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN); cachefiles_withdraw_objects(cache) fscache_wait_for_objects(fscache) atomic_read(&fscache_cache->object_count) == 0 fscache_perform_lookup cachefiles_lookup_cookie cachefiles_alloc_object refcount_set(&object->ref, 1); object->volume = volume fscache_count_object(vcookie->cache); atomic_inc(&fscache_cache->object_count) cachefiles_withdraw_volumes cachefiles_withdraw_volume fscache_withdraw_volume __cachefiles_free_volume kfree(cachefiles_volume) fscache_cookie_state_machine cachefiles_withdraw_cookie cache = object->volume->cache; // cachefiles_volume UAF !!! After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups to complete first, and then wait for fscache_cache->object_count == 0 to avoid the cookie exiting after the volume has been freed and triggering the above issue. Therefore call fscache_withdraw_volume() before calling cachefiles_withdraw_objects(). This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two cases will occur: 1) fscache_begin_lookup fails in fscache_begin_volume_access(). 2) fscache_withdraw_volume() will ensure that fscache_count_object() has been executed before calling fscache_wait_for_objects(). CVE-2024-41057 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 important In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in fscache_withdraw_volume() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370 Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798 CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565 Call Trace: kasan_check_range+0xf6/0x1b0 fscache_withdraw_volume+0x2e1/0x370 cachefiles_withdraw_volume+0x31/0x50 cachefiles_withdraw_cache+0x3ad/0x900 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 Allocated by task 5820: __kmalloc+0x1df/0x4b0 fscache_alloc_volume+0x70/0x600 __fscache_acquire_volume+0x1c/0x610 erofs_fscache_register_volume+0x96/0x1a0 erofs_fscache_register_fs+0x49a/0x690 erofs_fc_fill_super+0x6c0/0xcc0 vfs_get_super+0xa9/0x140 vfs_get_tree+0x8e/0x300 do_new_mount+0x28c/0x580 [...] Freed by task 5820: kfree+0xf1/0x2c0 fscache_put_volume.part.0+0x5cb/0x9e0 erofs_fscache_unregister_fs+0x157/0x1b0 erofs_kill_sb+0xd9/0x1c0 deactivate_locked_super+0xa3/0x100 vfs_get_super+0x105/0x140 vfs_get_tree+0x8e/0x300 do_new_mount+0x28c/0x580 [...] ================================================================== Following is the process that triggers the issue: mount failed | daemon exit ------------------------------------------------------------ deactivate_locked_super cachefiles_daemon_release erofs_kill_sb erofs_fscache_unregister_fs fscache_relinquish_volume __fscache_relinquish_volume fscache_put_volume(fscache_volume, fscache_volume_put_relinquish) zero = __refcount_dec_and_test(&fscache_volume->ref, &ref); cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache cachefiles_withdraw_volumes list_del_init(&volume->cache_link) fscache_free_volume(fscache_volume) cache->ops->free_volume cachefiles_free_volume list_del_init(&cachefiles_volume->cache_link); kfree(fscache_volume) cachefiles_withdraw_volume fscache_withdraw_volume fscache_volume->n_accesses // fscache_volume UAF !!! The fscache_volume in cache->volumes must not have been freed yet, but its reference count may be 0. So use the new fscache_try_get_volume() helper function try to get its reference count. If the reference count of fscache_volume is 0, fscache_put_volume() is freeing it, so wait for it to be removed from cache->volumes. If its reference count is not 0, call cachefiles_withdraw_volume() with reference count protection to avoid the above issue. CVE-2024-41058 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value in copy_name [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. CVE-2024-41059 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 important In the Linux kernel, the following vulnerability has been resolved: drm/radeon: check bo_va->bo is non-NULL before using it The call to radeon_vm_clear_freed might clear bo_va->bo, so we have to check it before dereferencing it. CVE-2024-41060 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport [Why] Potential out of bounds access in dml2_calculate_rq_and_dlg_params() because the value of out_lowest_state_idx used as an index for FCLKChangeSupport array can be greater than 1. [How] Currently dml2 core specifies identical values for all FCLKChangeSupport elements. Always use index 0 in the condition to avoid out of bounds access. CVE-2024-41061 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bluetooth/l2cap: sync sock recv cb and release The problem occurs between the system call to close the sock and hci_rx_work, where the former releases the sock and the latter accesses it without lock protection. CPU0 CPU1 ---- ---- sock_close hci_rx_work l2cap_sock_release hci_acldata_packet l2cap_sock_kill l2cap_recv_frame sk_free l2cap_conless_channel l2cap_sock_recv_cb If hci_rx_work processes the data that needs to be received before the sock is closed, then everything is normal; Otherwise, the work thread may access the released sock when receiving data. Add a chan mutex in the rx callback of the sock to achieve synchronization between the sock release and recv cb. Sock is dead, so set chan data to NULL, avoid others use invalid sock pointer. CVE-2024-41062 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: cancel all works upon hci_unregister_dev() syzbot is reporting that calling hci_release_dev() from hci_error_reset() due to hci_dev_put() from hci_error_reset() can cause deadlock at destroy_workqueue(), for hci_error_reset() is called from hdev->req_workqueue which destroy_workqueue() needs to flush. We need to make sure that hdev->{rx_work,cmd_work,tx_work} which are queued into hdev->workqueue and hdev->{power_on,error_reset} which are queued into hdev->req_workqueue are no longer running by the moment destroy_workqueue(hdev->workqueue); destroy_workqueue(hdev->req_workqueue); are called from hci_release_dev(). Call cancel_work_sync() on these work items from hci_unregister_dev() as soon as hdev->list is removed from hci_dev_list. CVE-2024-41063 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: avoid possible crash when edev->pdev changes If a PCI device is removed during eeh_pe_report_edev(), edev->pdev will change and can cause a crash, hold the PCI rescan/remove lock while taking a copy of edev->pdev->bus. CVE-2024-41064 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Whitelist dtl slub object for copying to userspace Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-* results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as shown below. kernel BUG at mm/usercopy.c:102! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85 Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8 REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3) MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 2828220f XER: 0000000e CFAR: c0000000001fdc80 IRQMASK: 0 [ ... GPRs omitted ... ] NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0 LR [c0000000005d23d0] usercopy_abort+0x74/0xb0 Call Trace: usercopy_abort+0x74/0xb0 (unreliable) __check_heap_object+0xf8/0x120 check_heap_object+0x218/0x240 __check_object_size+0x84/0x1a4 dtl_file_read+0x17c/0x2c4 full_proxy_read+0x8c/0x110 vfs_read+0xdc/0x3a0 ksys_read+0x84/0x144 system_call_exception+0x124/0x330 system_call_vectored_common+0x15c/0x2ec --- interrupt: 3000 at 0x7fff81f3ab34 Commit 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") requires that only whitelisted areas in slab/slub objects can be copied to userspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY. Dtl contains hypervisor dispatch events which are expected to be read by privileged users. Hence mark this safe for user access. Specify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the entire object. CVE-2024-41065 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Add tx check to prevent skb leak Below is a summary of how the driver stores a reference to an skb during transmit: tx_buff[free_map[consumer_index]]->skb = new_skb; free_map[consumer_index] = IBMVNIC_INVALID_MAP; consumer_index ++; Where variable data looks like this: free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3] consumer_index^ tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null] The driver has checks to ensure that free_map[consumer_index] pointed to a valid index but there was no check to ensure that this index pointed to an unused/null skb address. So, if, by some chance, our free_map and tx_buff lists become out of sync then we were previously risking an skb memory leak. This could then cause tcp congestion control to stop sending packets, eventually leading to ETIMEDOUT. Therefore, add a conditional to ensure that the skb address is null. If not then warn the user (because this is still a bug that should be patched) and free the old pointer to prevent memleak/tcp problems. CVE-2024-41066 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix sclp_init() cleanup on failure If sclp_init() fails it only partially cleans up: if there are multiple failing calls to sclp_init() sclp_state_change_event will be added several times to sclp_reg_list, which results in the following warning: ------------[ cut here ]------------ list_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10. WARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3 Krnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 ... Call Trace: [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8 ([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8) [<000003ffe0a8d37e>] sclp_init+0x40e/0x450 [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0 [<000003ffe15b77a6>] do_initcalls+0x126/0x150 [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8 [<000003ffe0d6650e>] kernel_init+0x2e/0x180 [<000003ffe000301c>] __ret_from_fork+0x3c/0x60 [<000003ffe0d759ca>] ret_from_fork+0xa/0x30 Fix this by removing sclp_state_change_event from sclp_reg_list when sclp_init() fails. CVE-2024-41068 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: topology: Fix references to freed memory Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed. CVE-2024-41069 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 important In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group(). It looks up `stt` from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees `stt`. Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because `stt` is used outside the locked regions. With an artifcial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF: BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505 CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1 Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV Call Trace: dump_stack_lvl+0xb4/0x108 (unreliable) print_report+0x2b4/0x6ec kasan_report+0x118/0x2b0 __asan_load4+0xb8/0xd0 kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] kvm_vfio_set_attr+0x524/0xac0 [kvm] kvm_device_ioctl+0x144/0x240 [kvm] sys_ioctl+0x62c/0x1810 system_call_exception+0x190/0x440 system_call_vectored_common+0x15c/0x2ec ... Freed by task 0: ... kfree+0xec/0x3e0 release_spapr_tce_table+0xd4/0x11c [kvm] rcu_core+0x568/0x16a0 handle_softirqs+0x23c/0x920 do_softirq_own_stack+0x6c/0x90 do_softirq_own_stack+0x58/0x90 __irq_exit_rcu+0x218/0x2d0 irq_exit+0x30/0x80 arch_local_irq_restore+0x128/0x230 arch_local_irq_enable+0x1c/0x30 cpuidle_enter_state+0x134/0x5cc cpuidle_enter+0x6c/0xb0 call_cpuidle+0x7c/0x100 do_idle+0x394/0x410 cpu_startup_entry+0x60/0x70 start_secondary+0x3fc/0x410 start_secondary_prolog+0x10/0x14 Fix it by delaying the fdput() until `stt` is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or __cleanup style cleanup. With the fix in place the test case no longer triggers the UAF. CVE-2024-41070 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-41071 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: wext: add extra SIOCSIWSCAN data check In 'cfg80211_wext_siwscan()', add extra check whether number of channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise. CVE-2024-41072 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned. CVE-2024-41073 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: Set object to close if ondemand_id < 0 in copen If copen is maliciously called in the user mode, it may delete the request corresponding to the random id. And the request may have not been read yet. Note that when the object is set to reopen, the open request will be done with the still reopen state in above case. As a result, the request corresponding to this object is always skipped in select_req function, so the read request is never completed and blocks other process. Fix this issue by simply set object to close if its id < 0 in copen. CVE-2024-41074 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: add consistency check for copen/cread This prevents malicious processes from completing random copen/cread requests and crashing the system. Added checks are listed below: * Generic, copen can only complete open requests, and cread can only complete read requests. * For copen, ondemand_id must not be 0, because this indicates that the request has not been read by the daemon. * For cread, the object corresponding to fd and req should be the same. CVE-2024-41075 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFSv4: Fix memory leak in nfs4_set_security_label We leak nfs_fattr and nfs4_label every time we set a security xattr. CVE-2024-41076 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 low In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix quota root leak after quota disable failure If during the quota disable we fail when cleaning the quota tree or when deleting the root from the root tree, we jump to the 'out' label without ever dropping the reference on the quota root, resulting in a leak of the root since fs_info->quota_root is no longer pointing to the root (we have set it to NULL just before those steps). Fix this by always doing a btrfs_put_root() call under the 'out' label. This is a problem that exists since qgroups were first added in 2012 by commit bed92eae26cc ("Btrfs: qgroup implementation and prototypes"), but back then we missed a kfree on the quota root and free_extent_buffer() calls on its root and commit root nodes, since back then roots were not yet reference counted. CVE-2024-41078 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 low In the Linux kernel, the following vulnerability has been resolved: nvmet: always initialize cqe.result The spec doesn't mandate that the first two double words (aka results) for the command queue entry need to be set to 0 when they are not used (not specified). Though, the target implemention returns 0 for TCP and FC but not for RDMA. Let's make RDMA behave the same and thus explicitly initializing the result field. This prevents leaking any data from the stack. CVE-2024-41079 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring: fix possible deadlock in io_register_iowq_max_workers() The io_register_iowq_max_workers() function calls io_put_sq_data(), which acquires the sqd->lock without releasing the uring_lock. Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock before acquiring sqd->lock"), this can lead to a potential deadlock situation. To resolve this issue, the uring_lock is released before calling io_put_sq_data(), and then it is re-acquired after the function call. This change ensures that the locks are acquired in the correct order, preventing the possibility of a deadlock. CVE-2024-41080 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ila: block BH in ila_output() As explained in commit 1378817486d6 ("tipc: block BH before using dst_cache"), net/core/dst_cache.c helpers need to be called with BH disabled. ila_output() is called from lwtunnel_output() possibly from process context, and under rcu_read_lock(). We might be interrupted by a softirq, re-enter ila_output() and corrupt dst_cache data structures. Fix the race by using local_bh_disable(). CVE-2024-41081 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cxl/region: Avoid null pointer dereference in region lookup cxl_dpa_to_region() looks up a region based on a memdev and DPA. It wrongly assumes an endpoint found mapping the DPA is also of a fully assembled region. When not true it leads to a null pointer dereference looking up the region name. This appears during testing of region lookup after a failure to assemble a BIOS defined region or if the lookup raced with the assembly of the BIOS defined region. Failure to clean up BIOS defined regions that fail assembly is an issue in itself and a fix to that problem will alleviate some of the impact. It will not alleviate the race condition so let's harden this path. The behavior change is that the kernel oops due to a null pointer dereference is replaced with a dev_dbg() message noting that an endpoint was mapped. Additional comments are added so that future users of this function can more clearly understand what it provides. CVE-2024-41084 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780 R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006 FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x6a/0x90 ? kfree+0x2cf/0x2f0 ? exc_invalid_op+0x50/0x70 ? kfree+0x2cf/0x2f0 ? asm_exc_invalid_op+0x1a/0x20 ? ata_host_alloc+0xf5/0x120 [libata] ? ata_host_alloc+0xf5/0x120 [libata] ? kfree+0x2cf/0x2f0 ata_host_alloc+0xf5/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Ensure that we will not call kfree(host) twice, by performing the kfree() only if the devres_open_group() call failed. CVE-2024-41087 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: mcp251xfd: fix infinite loop when xmit fails When the mcp251xfd_start_xmit() function fails, the driver stops processing messages, and the interrupt routine does not return, running indefinitely even after killing the running application. Error messages: [ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16 [ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3). ... and repeat forever. The issue can be triggered when multiple devices share the same SPI interface. And there is concurrent access to the bus. The problem occurs because tx_ring->head increments even if mcp251xfd_start_xmit() fails. Consequently, the driver skips one TX package while still expecting a response in mcp251xfd_handle_tefif_one(). Resolve the issue by starting a workqueue to write the tx obj synchronously if err = -EBUSY. In case of another error, decrement tx_ring->head, remove skb from the echo stack, and drop the message. [mkl: use more imperative wording in patch description] CVE-2024-41088 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode(). Add a check to avoid null pointer dereference. CVE-2024-41089 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix potential UAF by revoke of fence registers CI has been sporadically reporting the following issue triggered by igt@i915_selftest@live@hangcheck on ADL-P and similar machines: <6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence ... <6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled <6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled <3> [414.070354] Unable to pin Y-tiled fence; err:-4 <3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active)) ... <4>[ 609.603992] ------------[ cut here ]------------ <2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301! <4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1 <4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 <4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915] <4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915] ... <4>[ 609.604271] Call Trace: <4>[ 609.604273] <TASK> ... <4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915] <4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915] <4>[ 609.604977] force_unbind+0x24/0xa0 [i915] <4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915] <4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915] <4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915] <4>[ 609.605440] process_scheduled_works+0x351/0x690 ... In the past, there were similar failures reported by CI from other IGT tests, observed on other platforms. Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for idleness of vma->active via fence_update(). That commit introduced vma->fence->active in order for the fence_update() to be able to wait selectively on that one instead of vma->active since only idleness of fence registers was needed. But then, another commit 0d86ee35097a ("drm/i915/gt: Make fence revocation unequivocal") replaced the call to fence_update() in i915_vma_revoke_fence() with only fence_write(), and also added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front. No justification was provided on why we might then expect idleness of vma->fence->active without first waiting on it. The issue can be potentially caused by a race among revocation of fence registers on one side and sequential execution of signal callbacks invoked on completion of a request that was using them on the other, still processed in parallel to revocation of those fence registers. Fix it by waiting for idleness of vma->fence->active in i915_vma_revoke_fence(). (cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1) CVE-2024-41092 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid using null object of framebuffer Instead of using state->fb->obj[0] directly, get object from framebuffer by calling drm_gem_fb_get_obj() and return error code when object is null to avoid using null object of framebuffer. CVE-2024-41093 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/fbdev-dma: Only set smem_start is enable per module option Only export struct fb_info.fix.smem_start if that is required by the user and the memory does not come from vmalloc(). Setting struct fb_info.fix.smem_start breaks systems where DMA memory is backed by vmalloc address space. An example error is shown below. [ 3.536043] ------------[ cut here ]------------ [ 3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000) [ 3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98 [ 3.565455] Modules linked in: [ 3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250 [ 3.577310] Hardware name: NXP i.MX95 19X19 board (DT) [ 3.582452] Workqueue: events_unbound deferred_probe_work_func [ 3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 3.595233] pc : __virt_to_phys+0x68/0x98 [ 3.599246] lr : __virt_to_phys+0x68/0x98 [ 3.603276] sp : ffff800083603990 [ 3.677939] Call trace: [ 3.680393] __virt_to_phys+0x68/0x98 [ 3.684067] drm_fbdev_dma_helper_fb_probe+0x138/0x238 [ 3.689214] __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0 [ 3.695385] drm_fb_helper_initial_config+0x4c/0x68 [ 3.700264] drm_fbdev_dma_client_hotplug+0x8c/0xe0 [ 3.705161] drm_client_register+0x60/0xb0 [ 3.709269] drm_fbdev_dma_setup+0x94/0x148 Additionally, DMA memory is assumed to by contiguous in physical address space, which is not guaranteed by vmalloc(). Resolve this by checking the module flag drm_leak_fbdev_smem when DRM allocated the instance of struct fb_info. Fbdev-dma then only sets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also guarantee that the framebuffer is not located in vmalloc address space. CVE-2024-41094 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes In nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-41095 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI/MSI: Fix UAF in msi_capability_init KFENCE reports the following UAF: BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488 Use-after-free read at 0x0000000024629571 (in kfence-#12): __pci_enable_msi_range+0x2c0/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128 allocated by task 81 on cpu 7 at 10.808142s: __kmem_cache_alloc_node+0x1f0/0x2bc kmalloc_trace+0x44/0x138 msi_alloc_desc+0x3c/0x9c msi_domain_insert_msi_desc+0x30/0x78 msi_setup_msi_desc+0x13c/0x184 __pci_enable_msi_range+0x258/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 freed by task 81 on cpu 7 at 10.811436s: msi_domain_free_descs+0xd4/0x10c msi_domain_free_locked.part.0+0xc0/0x1d8 msi_domain_alloc_irqs_all_locked+0xb4/0xbc pci_msi_setup_msi_irqs+0x30/0x4c __pci_enable_msi_range+0x2a8/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 Descriptor allocation done in: __pci_enable_msi_range msi_capability_init msi_setup_msi_desc msi_insert_msi_desc msi_domain_insert_msi_desc msi_alloc_desc ... Freed in case of failure in __msi_domain_alloc_locked() __pci_enable_msi_range msi_capability_init pci_msi_setup_msi_irqs msi_domain_alloc_irqs_all_locked msi_domain_alloc_locked __msi_domain_alloc_locked => fails msi_domain_free_locked ... That failure propagates back to pci_msi_setup_msi_irqs() in msi_capability_init() which accesses the descriptor for unmasking in the error exit path. Cure it by copying the descriptor and using the copy for the error exit path unmask operation. [ tglx: Massaged change log ] CVE-2024-41096 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: atm: cxacru: fix endpoint checking in cxacru_bind() Syzbot is still reporting quite an old issue [1] that occurs due to incomplete checking of present usb endpoints. As such, wrong endpoints types may be used at urb sumbitting stage which in turn triggers a warning in usb_submit_urb(). Fix the issue by verifying that required endpoint types are present for both in and out endpoints, taking into account cmd endpoint type. Unfortunately, this patch has not been tested on real hardware. [1] Syzbot report: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 ... Call Trace: cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649 cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760 cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209 usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055 cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3354 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293 CVE-2024-41097 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix null pointer dereference on error If the ata_port_alloc() call in ata_host_alloc() fails, ata_host_release() will get called. However, the code in ata_host_release() tries to free ata_port struct members unconditionally, which can lead to the following: BUG: unable to handle page fault for address: 0000000000003990 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? ata_host_release.cold+0x2f/0x6e [libata] ? ata_host_release.cold+0x2f/0x6e [libata] release_nodes+0x35/0xb0 devres_release_group+0x113/0x140 ata_host_alloc+0xed/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Do not access ata_port struct members unconditionally. CVE-2024-41098 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key. CVE-2024-41996 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:libopenssl3-3.1.4-150600.5.18.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:openssl-3-3.1.4-150600.5.18.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip pipe if the pipe idx not set properly [why] Driver crashes when pipe idx not set properly [how] Add code to skip the pipe that idx not set properly CVE-2024-42064 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix possible double free in error handling path When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), callback function adev_release calls kfree(madev). We shouldn't call kfree(madev) again in the error handling path. Set 'madev' to NULL. CVE-2024-42069 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers register store validation for NFT_DATA_VALUE is conditional, however, the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This only requires a new helper function to infer the register type from the set datatype so this conditional check can be removed. Otherwise, pointer to chain object can be leaked through the registers. CVE-2024-42070 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 low In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems The following two shared buffer operations make use of the Shared Buffer Status Register (SBSR): # devlink sb occupancy snapshot pci/0000:01:00.0 # devlink sb occupancy clearmax pci/0000:01:00.0 The register has two masks of 256 bits to denote on which ingress / egress ports the register should operate on. Spectrum-4 has more than 256 ports, so the register was extended by cited commit with a new 'port_page' field. However, when filling the register's payload, the driver specifies the ports as absolute numbers and not relative to the first port of the port page, resulting in memory corruptions [1]. Fix by specifying the ports relative to the first port of the port page. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 Read of size 1 at addr ffff8881068cb00f by task devlink/1566 [...] Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 mlxsw_devlink_sb_occ_snapshot+0x75/0xb0 devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0 genl_family_rcv_msg_doit+0x20c/0x300 genl_rcv_msg+0x567/0x800 netlink_rcv_skb+0x170/0x450 genl_rcv+0x2d/0x40 netlink_unicast+0x547/0x830 netlink_sendmsg+0x8d4/0xdb0 __sys_sendto+0x49b/0x510 __x64_sys_sendto+0xe5/0x1c0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f [...] Allocated by task 1: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 copy_verifier_state+0xbc2/0xfb0 do_check_common+0x2c51/0xc7e0 bpf_check+0x5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+0x7d/0xc0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 1: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x109/0x170 __kasan_slab_free+0x14/0x30 kfree+0xca/0x2b0 free_verifier_state+0xce/0x270 do_check_common+0x4828/0xc7e0 bpf_check+0x5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+0x7d/0xc0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-42073 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp: add a null check for chip_pdev structure When acp platform device creation is skipped, chip->chip_pdev value will remain NULL. Add NULL check for chip->chip_pdev structure in snd_acp_resume() function to avoid null pointer dereference. CVE-2024-42074 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: Initialize unused data in j1939_send_one() syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one() creates full frame including unused data, but it doesn't initialize it. This causes the kernel-infoleak issue. Fix this by initializing unused data. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] memcpy_to_msg include/linux/skbuff.h:4113 [inline] raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 ____sys_recvmsg+0x18a/0x620 net/socket.c:2803 ___sys_recvmsg+0x223/0x840 net/socket.c:2845 do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939 __sys_recvmmsg net/socket.c:3018 [inline] __do_sys_recvmmsg net/socket.c:3041 [inline] __se_sys_recvmmsg net/socket.c:3034 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034 x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1313 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 sock_alloc_send_skb include/net/sock.h:1842 [inline] j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline] j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline] j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 12-15 of 16 are uninitialized Memory access of size 16 starts at ffff888120969690 Data copied to user address 00000000200017c0 CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 CVE-2024-42076 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix DIO failure due to insufficient transaction credits The code in ocfs2_dio_end_io_write() estimates number of necessary transaction credits using ocfs2_calc_extend_credits(). This however does not take into account that the IO could be arbitrarily large and can contain arbitrary number of extents. Extent tree manipulations do often extend the current transaction but not in all of the cases. For example if we have only single block extents in the tree, ocfs2_mark_extent_written() will end up calling ocfs2_replace_extent_rec() all the time and we will never extend the current transaction and eventually exhaust all the transaction credits if the IO contains many single block extents. Once that happens a WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to this error. This was actually triggered by one of our customers on a heavily fragmented OCFS2 filesystem. To fix the issue make sure the transaction always has enough credits for one extent insert before each call of ocfs2_mark_extent_written(). Heming Zhao said: ------ PANIC: "Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error" PID: xxx TASK: xxxx CPU: 5 COMMAND: "SubmitThread-CA" #0 machine_kexec at ffffffff8c069932 #1 __crash_kexec at ffffffff8c1338fa #2 panic at ffffffff8c1d69b9 #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2] #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2] #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2] #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2] #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2] #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2] #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2] #10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2] #11 dio_complete at ffffffff8c2b9fa7 #12 do_blockdev_direct_IO at ffffffff8c2bc09f #13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2] #14 generic_file_direct_write at ffffffff8c1dcf14 #15 __generic_file_write_iter at ffffffff8c1dd07b #16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2] #17 aio_write at ffffffff8c2cc72e #18 kmem_cache_alloc at ffffffff8c248dde #19 do_io_submit at ffffffff8c2ccada #20 do_syscall_64 at ffffffff8c004984 #21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba CVE-2024-42077 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush). CVE-2024-42079 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/restrack: Fix potential invalid address access struct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME in ib_create_cq(), while if the module exited but forgot del this rdma_restrack_entry, it would cause a invalid address access in rdma_restrack_clean() when print the owner of this rdma_restrack_entry. These code is used to help find one forgotten PD release in one of the ULPs. But it is not needed anymore, so delete them. CVE-2024-42080 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: xdp: Remove WARN() from __xdp_reg_mem_model() syzkaller reports a warning in __xdp_reg_mem_model(). The warning occurs only if __mem_id_init_hash_table() returns an error. It returns the error in two cases: 1. memory allocation fails; 2. rhashtable_init() fails when some fields of rhashtable_params struct are not initialized properly. The second case cannot happen since there is a static const rhashtable_params struct with valid fields. So, warning is only triggered when there is a problem with memory allocation. Thus, there is no sense in using WARN() to handle this error and it can be safely removed. WARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299 CPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299 Call Trace: xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344 xdp_test_run_setup net/bpf/test_run.c:188 [inline] bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377 bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267 bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649 __do_sys_bpf kernel/bpf/syscall.c:5738 [inline] __se_sys_bpf kernel/bpf/syscall.c:5736 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Found by Linux Verification Center (linuxtesting.org) with syzkaller. CVE-2024-42082 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock When config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system to enter suspend status with below command: echo mem > /sys/power/state There will be a deadlock issue occurring. Detailed invoking path as below: dwc3_suspend_common() spin_lock_irqsave(&dwc->lock, flags); <-- 1st dwc3_gadget_suspend(dwc); dwc3_gadget_soft_disconnect(dwc); spin_lock_irqsave(&dwc->lock, flags); <-- 2nd This issue is exposed by commit c7ebd8149ee5 ("usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend") that removes the code of checking whether dwc->gadget_driver is NULL or not. It causes the following code is executed and deadlock occurs when trying to get the spinlock. In fact, the root cause is the commit 5265397f9442("usb: dwc3: Remove DWC3 locking during gadget suspend/resume") that forgot to remove the lock of otg mode. So, remove the redundant lock of otg mode during gadget suspend/resume. CVE-2024-42085 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: chemical: bme680: Fix overflows in compensate() functions There are cases in the compensate functions of the driver that there could be overflows of variables due to bit shifting ops. These implications were initially discussed here [1] and they were mentioned in log message of Commit 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor"). [1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/ CVE-2024-42086 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep The ilitek-ili9881c controls the reset GPIO using the non-sleeping gpiod_set_value() function. This complains loudly when the GPIO controller needs to sleep. As the caller can sleep, use gpiod_set_value_cansleep() to fix the issue. CVE-2024-42087 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: fsl-asoc-card: set priv->pdev before using it priv->pdev pointer was set after being used in fsl_asoc_card_audmux_init(). Move this assignment at the start of the probe function, so sub-functions can correctly use pdev through priv. fsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the dev struct, used with dev_err macros. As priv is zero-initialised, there would be a NULL pointer dereference. Note that if priv->dev is dereferenced before assignment but never used, for example if there is no error to be printed, the driver won't crash probably due to compiler optimisations. CVE-2024-42089 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER In create_pinctrl(), pinctrl_maps_mutex is acquired before calling add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl() calls pinctrl_free(). However, pinctrl_free() attempts to acquire pinctrl_maps_mutex, which is already held by create_pinctrl(), leading to a potential deadlock. This patch resolves the issue by releasing pinctrl_maps_mutex before calling pinctrl_free(), preventing the deadlock. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. CVE-2024-42090 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: davinci: Validate the obtained number of IRQs Value of pdata->gpio_unbanked is taken from Device Tree. In case of broken DT due to any error this value can be any. Without this value validation there can be out of chips->irqs array boundaries access in davinci_gpio_probe(). Validate the obtained nirq value so that it won't exceed the maximum number of IRQs per bank. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-42092 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/dpaa2: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it. CVE-2024-42093 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: 8250_omap: Implementation of Errata i2310 As per Errata i2310[0], Erroneous timeout can be triggered, if this Erroneous interrupt is not cleared then it may leads to storm of interrupts, therefore apply Errata i2310 solution. [0] https://www.ti.com/lit/pdf/sprz536 page 23 CVE-2024-42095 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86: stop playing stack games in profile_pc() The 'profile_pc()' function is used for timer-based profiling, which isn't really all that relevant any more to begin with, but it also ends up making assumptions based on the stack layout that aren't necessarily valid. Basically, the code tries to account the time spent in spinlocks to the caller rather than the spinlock, and while I support that as a concept, it's not worth the code complexity or the KASAN warnings when no serious profiling is done using timers anyway these days. And the code really does depend on stack layout that is only true in the simplest of cases. We've lost the comment at some point (I think when the 32-bit and 64-bit code was unified), but it used to say: Assume the lock function has either no stack frame or a copy of eflags from PUSHF. which explains why it just blindly loads a word or two straight off the stack pointer and then takes a minimal look at the values to just check if they might be eflags or the return pc: Eflags always has bits 22 and up cleared unlike kernel addresses but that basic stack layout assumption assumes that there isn't any lock debugging etc going on that would complicate the code and cause a stack frame. It causes KASAN unhappiness reported for years by syzkaller [1] and others [2]. With no real practical reason for this any more, just remove the code. Just for historical interest, here's some background commits relating to this code from 2006: 0cb91a229364 ("i386: Account spinlocks to the caller during profiling for !FP kernels") 31679f38d886 ("Simplify profile_pc on x86-64") and a code unification from 2009: ef4512882dbe ("x86: time_32/64.c unify profile_pc") but the basics of this thing actually goes back to before the git tree. CVE-2024-42096 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: emux: improve patch ioctl data validation In load_data(), make the validation of and skipping over the main info block match that in load_guspatch(). In load_guspatch(), add checking that the specified patch length matches the actually supplied data, like load_data() already did. CVE-2024-42097 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh - explicitly zeroize private_key private_key is overwritten with the key parameter passed in by the caller (if present), or alternatively a newly generated private key. However, it is possible that the caller provides a key (or the newly generated key) which is shorter than the previous key. In that scenario, some key material from the previous key would not be overwritten. The easiest solution is to explicitly zeroize the entire private_key array first. Note that this patch slightly changes the behavior of this function: previously, if the ecc_gen_privkey failed, the old private_key would remain. Now, the private_key is always zeroized. This behavior is consistent with the case where params.key is set and ecc_is_key_valid fails. CVE-2024-42098 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes In nouveau_connector_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-42101 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: add missing check for inode numbers on directory entries Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis. CVE-2024-42104 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix inode number range checks Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time. CVE-2024-42105 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: inet_diag: Initialize pad field in struct inet_diag_req_v2 KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw sockets uses the pad field in struct inet_diag_req_v2 for the underlying protocol. This field corresponds to the sdiag_raw_protocol field in struct inet_diag_req_raw. inet_diag_get_exact_compat() converts inet_diag_req to inet_diag_req_v2, but leaves the pad field uninitialized. So the issue occurs when raw_lookup() accesses the sdiag_raw_protocol field. Fix this by initializing the pad field in inet_diag_get_exact_compat(). Also, do the same fix in inet_diag_dump_compat() to avoid the similar issue in the future. [1] BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline] BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 raw_lookup net/ipv4/raw_diag.c:49 [inline] raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 inet_diag_cmd_exact+0x7d9/0x980 inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x332/0x3d0 net/socket.c:745 ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 __sys_sendmsg net/socket.c:2668 [inline] __do_sys_sendmsg net/socket.c:2677 [inline] __se_sys_sendmsg net/socket.c:2675 [inline] __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71 raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 inet_diag_cmd_exact+0x7d9/0x980 inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x332/0x3d0 net/socket.c:745 ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 __sys_sendmsg net/socket.c:2668 [inline] __do_sys_sendmsg net/socket.c:2677 [inline] __se_sys_sendmsg net/socket.c:2675 [inline] __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable req.i created at: inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline] inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426 sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 CVE-2024-42106 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Don't process extts if PTP is disabled The ice_ptp_extts_event() function can race with ice_ptp_release() and result in a NULL pointer dereference which leads to a kernel panic. Panic occurs because the ice_ptp_extts_event() function calls ptp_clock_event() with a NULL pointer. The ice driver has already released the PTP clock by the time the interrupt for the next external timestamp event occurs. To fix this, modify the ice_ptp_extts_event() function to check the PTP state and bail early if PTP is not ready. CVE-2024-42107 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally flush pending work before notifier syzbot reports: KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831 KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530 KASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597 Read of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45 [..] Workqueue: events nf_tables_trans_destroy_work Call Trace: nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline] nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline] nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597 Problem is that the notifier does a conditional flush, but its possible that the table-to-be-removed is still referenced by transactions being processed by the worker, so we need to flush unconditionally. We could make the flush_work depend on whether we found a table to delete in nf-next to avoid the flush for most cases. AFAICS this problem is only exposed in nf-next, with commit e169285f8c56 ("netfilter: nf_tables: do not store nft_ctx in transaction objects"), with this commit applied there is an unconditional fetch of table->family which is whats triggering the above splat. CVE-2024-42109 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() The following is emitted when using idxd (DSA) dmanegine as the data mover for ntb_transport that ntb_netdev uses. [74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526 [74412.556784] caller is netif_rx_internal+0x42/0x130 [74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5 [74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024 [74412.581699] Call Trace: [74412.584514] <TASK> [74412.586933] dump_stack_lvl+0x55/0x70 [74412.591129] check_preemption_disabled+0xc8/0xf0 [74412.596374] netif_rx_internal+0x42/0x130 [74412.600957] __netif_rx+0x20/0xd0 [74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev] [74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport] [74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport] [74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd] [74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd] [74412.634046] irq_thread_fn+0x21/0x60 [74412.638134] ? irq_thread+0xa8/0x290 [74412.642218] irq_thread+0x1a0/0x290 [74412.646212] ? __pfx_irq_thread_fn+0x10/0x10 [74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10 [74412.656117] ? __pfx_irq_thread+0x10/0x10 [74412.660686] kthread+0x100/0x130 [74412.664384] ? __pfx_kthread+0x10/0x10 [74412.668639] ret_from_fork+0x31/0x50 [74412.672716] ? __pfx_kthread+0x10/0x10 [74412.676978] ret_from_fork_asm+0x1a/0x30 [74412.681457] </TASK> The cause is due to the idxd driver interrupt completion handler uses threaded interrupt and the threaded handler is not hard or soft interrupt context. However __netif_rx() can only be called from interrupt context. Change the call to netif_rx() in order to allow completion via normal context for dmaengine drivers that utilize threaded irq handling. While the following commit changed from netif_rx() to __netif_rx(), baebdf48c360 ("net: dev: Makes sure netif_rx() can be invoked in any context."), the change should've been a noop instead. However, the code precedes this fix should've been using netif_rx_ni() or netif_rx_any_context(). CVE-2024-42110 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: txgbe: initialize num_q_vectors for MSI/INTx interrupts When using MSI/INTx interrupts, wx->num_q_vectors is uninitialized. Thus there will be kernel panic in wx_alloc_q_vectors() to allocate queue vectors. CVE-2024-42113 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM to 2^31. We had a similar issue in sch_fq, fixed with commit d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM") watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24] Modules linked in: irq event stamp: 131135 hardirqs last enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline] hardirqs last enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95 hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline] softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553 softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19 CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Workqueue: mld mld_ifc_work pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __list_del include/linux/list.h:195 [inline] pc : __list_del_entry include/linux/list.h:218 [inline] pc : list_move_tail include/linux/list.h:310 [inline] pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline] pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854 lr : __list_del_entry include/linux/list.h:218 [inline] lr : list_move_tail include/linux/list.h:310 [inline] lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline] lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854 sp : ffff800093d36700 x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000 x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0 x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0 x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0 x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8 x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470 Call trace: __list_del include/linux/list.h:195 [inline] __list_del_entry include/linux/list.h:218 [inline] list_move_tail include/linux/list.h:310 [inline] fq_tin_dequeue include/net/fq_impl.h:112 [inline] ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854 wake_tx_push_queue net/mac80211/util.c:294 [inline] ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315 drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline] schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline] ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664 ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966 ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062 __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338 ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547 __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563 neigh_output include/net/neighbour.h:542 [inline] ip6_fini ---truncated--- CVE-2024-42114 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: jffs2: Fix potential illegal address access in jffs2_free_inode During the stress testing of the jffs2 file system,the following abnormal printouts were found: [ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 [ 2430.649622] Mem abort info: [ 2430.649829] ESR = 0x96000004 [ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits [ 2430.650564] SET = 0, FnV = 0 [ 2430.650795] EA = 0, S1PTW = 0 [ 2430.651032] FSC = 0x04: level 0 translation fault [ 2430.651446] Data abort info: [ 2430.651683] ISV = 0, ISS = 0x00000004 [ 2430.652001] CM = 0, WnR = 0 [ 2430.652558] [0069696969696948] address between user and kernel address ranges [ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 [ 2430.655008] Hardware name: linux,dummy-virt (DT) [ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2430.656142] pc : kfree+0x78/0x348 [ 2430.656630] lr : jffs2_free_inode+0x24/0x48 [ 2430.657051] sp : ffff800009eebd10 [ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 [ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 [ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 [ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 [ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 [ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 [ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 [ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 [ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 [ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 [ 2430.664217] Call trace: [ 2430.664528] kfree+0x78/0x348 [ 2430.664855] jffs2_free_inode+0x24/0x48 [ 2430.665233] i_callback+0x24/0x50 [ 2430.665528] rcu_do_batch+0x1ac/0x448 [ 2430.665892] rcu_core+0x28c/0x3c8 [ 2430.666151] rcu_core_si+0x18/0x28 [ 2430.666473] __do_softirq+0x138/0x3cc [ 2430.666781] irq_exit+0xf0/0x110 [ 2430.667065] handle_domain_irq+0x6c/0x98 [ 2430.667447] gic_handle_irq+0xac/0xe8 [ 2430.667739] call_on_irq_stack+0x28/0x54 The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of the jffs_inode_info structure. It was found that all variables in the jffs_inode_info structure were 5a5a5a5a, except for the first member sem. It is suspected that these variables are not initialized because they were set to 5a5a5a5a during memory testing, which is meant to detect uninitialized memory.The sem variable is initialized in the function jffs2_i_init_once, while other members are initialized in the function jffs2_init_inode_info. The function jffs2_init_inode_info is called after iget_locked, but in the iget_locked function, the destroy_inode process is triggered, which releases the inode and consequently, the target member of the inode is not initialized.In concurrent high pressure scenarios, iget_locked may enter the destroy_inode branch as described in the code. Since the destroy_inode functionality of jffs2 only releases the target, the fix method is to set target to NULL in jffs2_i_init_once. CVE-2024-42115 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: ASSERT when failing to find index by plane/stream id [WHY] find_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns an array index and they return -1 when not found; however, -1 is not a valid index number. [HOW] When this happens, call ASSERT(), and return a positive number (which is fewer than callers' array size) instead. This fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity. CVE-2024-42117 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip finding free audio for unknown engine_id [WHY] ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it also means it is uninitialized and does not need free audio. [HOW] Skip and return NULL. This fixes 2 OVERRUN issues reported by Coverity. CVE-2024-42119 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check pipe offset before setting vblank pipe_ctx has a size of MAX_PIPES so checking its index before accessing the array. This fixes an OVERRUN issue reported by Coverity. CVE-2024-42120 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check index msg_id before read or write [WHAT] msg_id is used as an array index and it cannot be a negative value, and therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1). [HOW] Check whether msg_id is valid before reading and setting. This fixes 4 OVERRUN issues reported by Coverity. CVE-2024-42121 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer check for kzalloc [Why & How] Check return pointer of kzalloc before using it. CVE-2024-42122 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Make qedf_execute_tmf() non-preemptible Stop calling smp_processor_id() from preemptible code in qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel. [ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646 [ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf] CVE-2024-42124 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband We have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz sband will be NULL even if it is WiFi 7 chip. So, add NULL handling here to avoid crash. CVE-2024-42125 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel crash when invoked during real mode interrupt handling (e.g. early HMI/MCE interrupt handler) if percpu allocation comes from vmalloc area. Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI() wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when percpu allocation is from the embedded first chunk. However with CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu allocation can come from the vmalloc area. With kernel command line "percpu_alloc=page" we can force percpu allocation to come from vmalloc area and can see kernel crash in machine_check_early: [ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110 [ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0 [ 1.215719] --- interrupt: 200 [ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable) [ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0 [ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8 Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu first chunk is not embedded. CVE-2024-42126 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/lima: fix shared irq handling on driver remove lima uses a shared interrupt, so the interrupt handlers must be prepared to be called at any time. At driver removal time, the clocks are disabled early and the interrupts stay registered until the very end of the remove process due to the devm usage. This is potentially a bug as the interrupts access device registers which assumes clocks are enabled. A crash can be triggered by removing the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled. This patch frees the interrupts at each lima device finishing callback so that the handlers are already unregistered by the time we fully disable clocks. CVE-2024-42127 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfc/nci: Add the inconsistency check between the input data length and count write$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB="610501"], 0xf) Syzbot constructed a write() call with a data length of 3 bytes but a count value of 15, which passed too little data to meet the basic requirements of the function nci_rf_intf_activated_ntf_packet(). Therefore, increasing the comparison between data length and count value to avoid problems caused by inconsistent data length and count. CVE-2024-42130 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX Syzbot hit warning in hci_conn_del() caused by freeing handle that was not allocated using ida allocator. This is caused by handle bigger than HCI_CONN_HANDLE_MAX passed by hci_le_big_sync_established_evt(), which makes code think it's unset connection. Add same check for handle upper bound as in hci_conn_set_handle() to prevent warning. CVE-2024-42132 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Ignore too large handle values in BIG hci_le_big_sync_established_evt is necessary to filter out cases where the handle value is belonging to ida id range, otherwise ida will be erroneously released in hci_conn_cleanup. CVE-2024-42133 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cdrom: rearrange last_media_change check to avoid unintentional overflow When running syzkaller with the newly reintroduced signed integer wrap sanitizer we encounter this splat: [ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33 [ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long') [ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO [ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 [ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 366.027518] Call Trace: [ 366.027523] <TASK> [ 366.027533] dump_stack_lvl+0x93/0xd0 [ 366.027899] handle_overflow+0x171/0x1b0 [ 366.038787] ata1.00: invalid multi_count 32 ignored [ 366.043924] cdrom_ioctl+0x2c3f/0x2d10 [ 366.063932] ? __pm_runtime_resume+0xe6/0x130 [ 366.071923] sr_block_ioctl+0x15d/0x1d0 [ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10 [ 366.077642] blkdev_ioctl+0x419/0x500 [ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10 ... Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang. It was re-enabled in the kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow sanitizer"). Let's rearrange the check to not perform any arithmetic, thus not tripping the sanitizer. CVE-2024-42136 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot Commit 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed serdev") will cause below regression issue: BT can't be enabled after below steps: cold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure if property enable-gpios is not configured within DT|ACPI for QCA6390. The commit is to fix a use-after-free issue within qca_serdev_shutdown() by adding condition to avoid the serdev is flushed or wrote after closed but also introduces this regression issue regarding above steps since the VSC is not sent to reset controller during warm reboot. Fixed by sending the VSC to reset controller within qca_serdev_shutdown() once BT was ever enabled, and the use-after-free issue is also fixed by this change since the serdev is still opened before it is flushed or wrote. Verified by the reported machine Dell XPS 13 9310 laptop over below two kernel commits: commit e00fc2700a3f ("Bluetooth: btusb: Fix triggering coredump implementation for QCA") of bluetooth-next tree. commit b23d98d46d28 ("Bluetooth: btusb: Fix triggering coredump implementation for QCA") of linus mainline tree. CVE-2024-42137 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file In case of invalid INI file mlxsw_linecard_types_init() deallocates memory but doesn't reset pointer to NULL and returns 0. In case of any error occurred after mlxsw_linecard_types_init() call, mlxsw_linecards_init() calls mlxsw_linecard_types_fini() which performs memory deallocation again. Add pointer reset to NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-42138 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Fix improper extts handling Extts events are disabled and enabled by the application ts2phc. However, in case where the driver is removed when the application is running, a specific extts event remains enabled and can cause a kernel crash. As a side effect, when the driver is reloaded and application is started again, remaining extts event for the channel from a previous run will keep firing and the message "extts on unexpected channel" might be printed to the user. To avoid that, extts events shall be disabled when PTP is released. CVE-2024-42139 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Check socket flag instead of hcon This fixes the following Smatch static checker warning: net/bluetooth/iso.c:1364 iso_sock_recvmsg() error: we previously assumed 'pi->conn->hcon' could be null (line 1359) net/bluetooth/iso.c 1347 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1348 size_t len, int flags) 1349 { 1350 struct sock *sk = sock->sk; 1351 struct iso_pinfo *pi = iso_pi(sk); 1352 1353 BT_DBG("sk %p", sk); 1354 1355 if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 1356 lock_sock(sk); 1357 switch (sk->sk_state) { 1358 case BT_CONNECT2: 1359 if (pi->conn->hcon && ^^^^^^^^^^^^^^ If ->hcon is NULL 1360 test_bit(HCI_CONN_PA_SYNC, &pi->conn->hcon->flags)) { 1361 iso_conn_big_sync(sk); 1362 sk->sk_state = BT_LISTEN; 1363 } else { --> 1364 iso_conn_defer_accept(pi->conn->hcon); ^^^^^^^^^^^^^^ then we're toast 1365 sk->sk_state = BT_CONFIG; 1366 } 1367 release_sock(sk); 1368 return 0; 1369 case BT_CONNECTED: 1370 if (test_bit(BT_SK_PA_SYNC, CVE-2024-42141 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: E-switch, Create ingress ACL when needed Currently, ingress acl is used for three features. It is created only when vport metadata match and prio tag are enabled. But active-backup lag mode also uses it. It is independent of vport metadata match and prio tag. And vport metadata match can be disabled using the following devlink command: # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \ value false cmode runtime If ingress acl is not created, will hit panic when creating drop rule for active-backup lag mode. If always create it, there will be about 5% performance degradation. Fix it by creating ingress acl when needed. If esw_port_metadata is true, ingress acl exists, then create drop rule using existing ingress acl. If esw_port_metadata is false, create ingress acl and then create drop rule. CVE-2024-42142 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-42143 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data Verify that lvts_data is not NULL before using it. CVE-2024-42144 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/core: Implement a limit on UMAD receive List The existing behavior of ib_umad, which maintains received MAD packets in an unbounded list, poses a risk of uncontrolled growth. As user-space applications extract packets from this list, the rate of extraction may not match the rate of incoming packets, leading to potential list overflow. To address this, we introduce a limit to the size of the list. After considering typical scenarios, such as OpenSM processing, which can handle approximately 100k packets per second, and the 1-second retry timeout for most packets, we set the list size limit to 200k. Packets received beyond this limit are dropped, assuming they are likely timed out by the time they are handled by user-space. Notably, packets queued on the receive list due to reasons like timed-out sends are preserved even when the list is full. CVE-2024-42145 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 important In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/debugfs - Fix debugfs uninit process issue During the zip probe process, the debugfs failure does not stop the probe. When debugfs initialization fails, jumping to the error branch will also release regs, in addition to its own rollback operation. As a result, it may be released repeatedly during the regs uninit process. Therefore, the null check needs to be added to the regs uninit process. CVE-2024-42147 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnx2x: Fix multiple UBSAN array-index-out-of-bounds Fix UBSAN warnings that occur when using a system with 32 physical cpu cores or more, or when the user defines a number of Ethernet queues greater than or equal to FP_SB_MAX_E1x using the num_queues module parameter. Currently there is a read/write out of bounds that occurs on the array "struct stats_query_entry query" present inside the "bnx2x_fw_stats_req" struct in "drivers/net/ethernet/broadcom/bnx2x/bnx2x.h". Looking at the definition of the "struct stats_query_entry query" array: struct stats_query_entry query[FP_SB_MAX_E1x+ BNX2X_FIRST_QUEUE_QUERY_IDX]; FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3 meaning the array has a total size of 19. Since accesses to "struct stats_query_entry query" are offset-ted by BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet queues should not exceed FP_SB_MAX_E1x (16). However one of these queues is reserved for FCOE and thus the number of Ethernet queues should be set to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if it is not. This is also described in a comment in the source code in drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition of FP_SB_MAX_E1x. Below is the part of this explanation that it important for this patch /* * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is * control by the number of fast-path status blocks supported by the * device (HW/FW). Each fast-path status block (FP-SB) aka non-default * status block represents an independent interrupts context that can * serve a regular L2 networking queue. However special L2 queues such * as the FCoE queue do not require a FP-SB and other components like * the CNIC may consume FP-SB reducing the number of possible L2 queues * * If the maximum number of FP-SB available is X then: * a. If CNIC is supported it consumes 1 FP-SB thus the max number of * regular L2 queues is Y=X-1 * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor) * c. If the FCoE L2 queue is supported the actual number of L2 queues * is Y+1 * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for * slow-path interrupts) or Y+2 if CNIC is supported (one additional * FP interrupt context for the CNIC). * e. The number of HW context (CID count) is always X or X+1 if FCoE * L2 queue is supported. The cid for the FCoE L2 queue is always X. */ However this driver also supports NICs that use the E2 controller which can handle more queues due to having more FP-SB represented by FP_SB_MAX_E2. Looking at the commits when the E2 support was added, it was originally using the E1x parameters: commit f2e0899f0f27 ("bnx2x: Add 57712 support"). Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver was later updated to take full advantage of the E2 instead of having it be limited to the capabilities of the E1x. But as far as we can tell, the array "stats_query_entry query" was still limited to using the FP-SB available to the E1x cards as part of an oversignt when the driver was updated to take full advantage of the E2, and now with the driver being aware of the greater queue size supported by E2 NICs, it causes the UBSAN warnings seen in the stack traces below. This patch increases the size of the "stats_query_entry query" array by replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle both types of NICs. Stack traces: UBSAN: array-index-out-of-bounds in drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11 index 20 is out of range for type 'stats_query_entry [19]' CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133 Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 ---truncated--- CVE-2024-42148 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvmet: fix a possible leak when destroy a ctrl during qp establishment In nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we know that a ctrl was allocated (in the admin connect request handler) and we need to release pending AERs, clear ctrl->sqs and sq->ctrl (for nvme-loop primarily), and drop the final reference on the ctrl. However, a small window is possible where nvmet_sq_destroy starts (as a result of the client giving up and disconnecting) concurrently with the nvme admin connect cmd (which may be in an early stage). But *before* kill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq live reference). In this case, sq->ctrl was allocated however after it was captured in a local variable in nvmet_sq_destroy. This prevented the final reference drop on the ctrl. Solve this by re-capturing the sq->ctrl after all inflight request has completed, where for sure sq->ctrl reference is final, and move forward based on that. This issue was observed in an environment with many hosts connecting multiple ctrls simoutanuosly, creating a delay in allocating a ctrl leading up to this race window. CVE-2024-42152 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr When del_timer_sync() is called in an interrupt context it throws a warning because of potential deadlock. The timer is used only to exit from wait_for_completion() after a timeout so replacing the call with wait_for_completion_timeout() allows to remove the problematic timer and its related functions altogether. CVE-2024-42153 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of protected- and secure-keys Although the clear-key of neither protected- nor secure-keys is accessible, this key material should only be visible to the calling process. So wipe all copies of protected- or secure-keys from stack, even in case of an error. CVE-2024-42155 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of clear-key structures on failure Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key. CVE-2024-42156 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe sensitive data on failure Wipe sensitive data from stack also if the copy_to_user() fails. CVE-2024-42157 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Replace memzero_explicit() and kfree() with kfree_sensitive() to fix warnings reported by Coccinelle: WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770) CVE-2024-42158 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger then size of this field shouldn't be allowed. CVE-2024-42159 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD [Changes from V1: - Use a default branch in the switch statement to initialize `val'.] GCC warns that `val' may be used uninitialized in the BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as: [...] unsigned long long val; \ [...] \ switch (__CORE_RELO(s, field, BYTE_SIZE)) { \ case 1: val = *(const unsigned char *)p; break; \ case 2: val = *(const unsigned short *)p; break; \ case 4: val = *(const unsigned int *)p; break; \ case 8: val = *(const unsigned long long *)p; break; \ } \ [...] val; \ } \ This patch adds a default entry in the switch statement that sets `val' to zero in order to avoid the warning, and random values to be used in case __builtin_preserve_field_info returns unexpected values for BPF_FIELD_BYTE_SIZE. Tested in bpf-next master. No regressions. CVE-2024-42161 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 important In the Linux kernel, the following vulnerability has been resolved: gve: Account for stopped queues when reading NIC stats We now account for the fact that the NIC might send us stats for a subset of queues. Without this change, gve_get_ethtool_stats might make an invalid access on the priv->stats_report->stats array. CVE-2024-42162 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: tda10048: Fix integer overflow state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer when multiplied by pll_mfactor. Create a new 64 bit variable to hold the calculations. CVE-2024-42223 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO busses") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. Compile tested only. CVE-2024-42224 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: replace skb_put with skb_put_zero Avoid potentially reusing uninitialized data CVE-2024-42225 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-42226 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix overlapping copy within dml_core_mode_programming [WHY] &mode_lib->mp.Watermark and &locals->Watermark are the same address. memcpy may lead to unexpected behavior. [HOW] memmove should be used. CVE-2024-42227 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian) CVE-2024-42228 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key. CVE-2024-42229 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Fix scv instruction crash with kexec kexec on pseries disables AIL (reloc_on_exc), required for scv instruction support, before other CPUs have been shut down. This means they can execute scv instructions after AIL is disabled, which causes an interrupt at an unexpected entry location that crashes the kernel. Change the kexec sequence to disable AIL after other CPUs have been brought down. As a refresher, the real-mode scv interrupt vector is 0x17000, and the fixed-location head code probably couldn't easily deal with implementing such high addresses so it was just decided not to support that interrupt at all. CVE-2024-42230 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: libceph: fix race between delayed_work() and ceph_monc_stop() The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused. To fix this: - clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop() - bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting) - call cancel_delayed_work_sync() after the session is closed CVE-2024-42232 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() Userspace provided string 's' could trivially have the length zero. Left unchecked this will firstly result in an OOB read in the form `if (str[0 - 1] == '\n') followed closely by an OOB write in the form `str[0 - 1] = '\0'`. There is already a validating check to catch strings that are too long. Let's supply an additional check for invalid strings that are too short. CVE-2024-42236 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Validate payload length before processing block Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load() to be done before the block is processed. The check that the length of a block payload does not exceed the number of remaining bytes in the firwmware file buffer was being done near the end of the loop iteration. However, some code before that check used the length field without validating it. CVE-2024-42237 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Return error if block header overflows file Return an error from cs_dsp_power_up() if a block header is longer than the amount of data left in the file. The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop while there was enough data left in the file for a valid region. This protected against overrunning the end of the file data, but it didn't abort the file processing with an error. CVE-2024-42238 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/bhi: Avoid warning in #DB handler due to BHI mitigation When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler (exc_debug_kernel()) to issue a warning because single-step is used outside the entry_SYSENTER_compat() function. To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY after making sure the TF flag is cleared. The problem can be reproduced with the following sequence: $ cat sysenter_step.c int main() { asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); } $ gcc -o sysenter_step sysenter_step.c $ ./sysenter_step Segmentation fault (core dumped) The program is expected to crash, and the #DB handler will issue a warning. Kernel log: WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160 ... RIP: 0010:exc_debug_kernel+0xd2/0x160 ... Call Trace: <#DB> ? show_regs+0x68/0x80 ? __warn+0x8c/0x140 ? exc_debug_kernel+0xd2/0x160 ? report_bug+0x175/0x1a0 ? handle_bug+0x44/0x90 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? exc_debug_kernel+0xd2/0x160 exc_debug+0x43/0x50 asm_exc_debug+0x1e/0x40 RIP: 0010:clear_bhb_loop+0x0/0xb0 ... </#DB> <TASK> ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d </TASK> [ bp: Massage commit message. ] CVE-2024-42240 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/shmem: disable PMD-sized page cache if needed For shmem files, it's possible that PMD-sized page cache can't be supported by xarray. For example, 512MB page cache on ARM64 when the base page size is 64KB can't be supported by xarray. It leads to errors as the following messages indicate when this sort of xarray entry is split. WARNING: CPU: 34 PID: 7578 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 \ nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject \ nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse xfs \ libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_net \ net_failover virtio_console virtio_blk failover dimlib virtio_mmio CPU: 34 PID: 7578 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : xas_split_alloc+0xf8/0x128 lr : split_huge_page_to_list_to_order+0x1c4/0x720 sp : ffff8000882af5f0 x29: ffff8000882af5f0 x28: ffff8000882af650 x27: ffff8000882af768 x26: 0000000000000cc0 x25: 000000000000000d x24: ffff00010625b858 x23: ffff8000882af650 x22: ffffffdfc0900000 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0900000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000018000000000 x15: 52f8004000000000 x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020 x11: 52f8000000000000 x10: 52f8e1c0ffff6000 x9 : ffffbeb9619a681c x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff00010b02ddb0 x5 : ffffbeb96395e378 x4 : 0000000000000000 x3 : 0000000000000cc0 x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000 Call trace: xas_split_alloc+0xf8/0x128 split_huge_page_to_list_to_order+0x1c4/0x720 truncate_inode_partial_folio+0xdc/0x160 shmem_undo_range+0x2bc/0x6a8 shmem_fallocate+0x134/0x430 vfs_fallocate+0x124/0x2e8 ksys_fallocate+0x4c/0xa0 __arm64_sys_fallocate+0x24/0x38 invoke_syscall.constprop.0+0x7c/0xd8 do_el0_svc+0xb4/0xd0 el0_svc+0x44/0x1d8 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x17c/0x180 Fix it by disabling PMD-sized page cache when HPAGE_PMD_ORDER is larger than MAX_PAGECACHE_ORDER. As Matthew Wilcox pointed, the page cache in a shmem file isn't represented by a multi-index entry and doesn't have this limitation when the xarry entry is split until commit 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache"). CVE-2024-42241 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 ("USB: serial: use generic method if no alternative is provided in usb serial layer"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ] CVE-2024-42244 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: Revert "sched/fair: Make sure to try to detach at least one movable task" This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06. b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if all tasks examined to that point were pinned. The goal of the patch was to make it more likely to be able to detach a task buried in a long list of pinned tasks. However, this has the unfortunate side effect of creating an O(n) iteration in detach_tasks(), as we now must fully iterate every task on a cpu if all or most are pinned. Since this load balance code is done with rq lock held, and often in softirq context, it is very easy to trigger hard lockups. We observed such hard lockups with a user who affined O(10k) threads to a single cpu. When I discussed this with Vincent he initially suggested that we keep the limit on the number of tasks to detach, but increase the number of tasks we can search. However, after some back and forth on the mailing list, he recommended we instead revert the original patch, as it seems likely no one was actually getting hit by the original issue. CVE-2024-42245 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket When using a BPF program on kernel_connect(), the call can return -EPERM. This causes xs_tcp_setup_socket() to loop forever, filling up the syslog and causing the kernel to potentially freeze up. Neil suggested: This will propagate -EPERM up into other layers which might not be ready to handle it. It might be safer to map EPERM to an error we would be more likely to expect from the network system - such as ECONNREFUSED or ENETDOWN. ECONNREFUSED as error seems reasonable. For programs setting a different error can be out of reach (see handling in 4fbac77d2d09) in particular on kernels which do not have f10d05966196 ("bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean"), thus given that it is better to simply remap for consistent behavior. UDP does handle EPERM in xs_udp_send_request(). CVE-2024-42246 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wireguard: allowedips: avoid unaligned 64-bit memory accesses On the parisc platform, the kernel issues kernel warnings because swap_endian() tries to load a 128-bit IPv6 address from an unaligned memory location: Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df) Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc) Avoid such unaligned memory accesses by instead using the get_unaligned_be64() helper macro. [Jason: replace src[8] in original patch with src+8] CVE-2024-42247 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: add missing lock protection when polling Add missing lock protection in poll routine when iterating xarray, otherwise: Even with RCU read lock held, only the slot of the radix tree is ensured to be pinned there, while the data structure (e.g. struct cachefiles_req) stored in the slot has no such guarantee. The poll routine will iterate the radix tree and dereference cachefiles_req accordingly. Thus RCU read lock is not adequate in this case and spinlock is needed here. CVE-2024-42250 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: pca953x: fix pca953x_irq_bus_sync_unlock race Ensure that `i2c_lock' is held when setting interrupt latch and mask in pca953x_irq_bus_sync_unlock() in order to avoid races. The other (non-probe) call site pca953x_gpio_set_multiple() ensures the lock is held before calling pca953x_write_regs(). The problem occurred when a request raced against irq_bus_sync_unlock() approximately once per thousand reboots on an i.MX8MP based system. * Normal case 0-0022: write register AI|3a {03,02,00,00,01} Input latch P0 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0 0-0022: write register AI|08 {ff,00,00,00,00} Output P3 0-0022: write register AI|12 {fc,00,00,00,00} Config P3 * Race case 0-0022: write register AI|08 {ff,00,00,00,00} Output P3 0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register *** 0-0022: write register AI|12 {fc,00,00,00,00} Config P3 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0 CVE-2024-42253 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Fix Virtual Memory mapping boundaries calculation Calculating the size of the mapped area as the lesser value between the requested size and the actual size does not consider the partial mapping offset. This can cause page fault access. Fix the calculation of the starting and ending addresses, the total size is now deduced from the difference between the end and start addresses. Additionally, the calculations have been rewritten in a clearer and more understandable form. [Joonas: Add Requires: tag] Requires: 60a2066c5005 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset") (cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417) CVE-2024-42259 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix missing lock on sync reset reload On sync reset reload work, when remote host updates devlink on reload actions performed on that host, it misses taking devlink lock before calling devlink_remote_reload_actions_performed() which results in triggering lock assert like the following: WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50 … CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S W 6.10.0-rc2+ #116 Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0 12/18/2015 Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core] RIP: 0010:devl_assert_locked+0x3e/0x50 … Call Trace: <TASK> ? __warn+0xa4/0x210 ? devl_assert_locked+0x3e/0x50 ? report_bug+0x160/0x280 ? handle_bug+0x3f/0x80 ? exc_invalid_op+0x17/0x40 ? asm_exc_invalid_op+0x1a/0x20 ? devl_assert_locked+0x3e/0x50 devlink_notify+0x88/0x2b0 ? mlx5_attach_device+0x20c/0x230 [mlx5_core] ? __pfx_devlink_notify+0x10/0x10 ? process_one_work+0x4b6/0xbb0 process_one_work+0x4b6/0xbb0 […] CVE-2024-42268 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init(). ip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id], but the function is exposed to user space before the entry is allocated via register_pernet_subsys(). Let's call register_pernet_subsys() before xt_register_template(). CVE-2024-42269 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). We had a report that iptables-restore sometimes triggered null-ptr-deref at boot time. [0] The problem is that iptable_nat_table_init() is exposed to user space before the kernel fully initialises netns. In the small race window, a user could call iptable_nat_table_init() that accesses net_generic(net, iptable_nat_net_id), which is available only after registering iptable_nat_net_ops. Let's call register_pernet_subsys() before xt_register_template(). [0]: bpfilter: Loaded bpfilter_umh pid 11702 Started bpfilter BUG: kernel NULL pointer dereference, address: 0000000000000013 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page PGD 0 P4D 0 PREEMPT SMP NOPTI CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1 Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017 RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246 RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80 RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0 RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240 R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000 R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004 FS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? xt_find_table_lock (net/netfilter/x_tables.c:1259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? page_fault_oops (arch/x86/mm/fault.c:727) ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518) ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570) ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat xt_find_table_lock (net/netfilter/x_tables.c:1259) xt_request_find_table_lock (net/netfilter/x_tables.c:1287) get_info (net/ipv4/netfilter/ip_tables.c:965) ? security_capable (security/security.c:809 (discriminator 13)) ? ns_capable (kernel/capability.c:376 kernel/capability.c:397) ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656) ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter nf_getsockopt (net/netfilter/nf_sockopt.c:116) ip_getsockopt (net/ipv4/ip_sockglue.c:1827) __sys_getsockopt (net/socket.c:2327) __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121) RIP: 0033:0x7f62844685ee Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09 RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0 R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2 R13: 00007f6284 ---truncated--- CVE-2024-42270 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv. CVE-2024-42271 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: Revert "ALSA: firewire-lib: operate for period elapse event in process context" Commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event in process context") removed the process context workqueue from amdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove its overhead. With RME Fireface 800, this lead to a regression since Kernels 5.14.0, causing an AB/BA deadlock competition for the substream lock with eventual system freeze under ALSA operation: thread 0: * (lock A) acquire substream lock by snd_pcm_stream_lock_irq() in snd_pcm_status64() * (lock B) wait for tasklet to finish by calling tasklet_unlock_spin_wait() in tasklet_disable_in_atomic() in ohci_flush_iso_completions() of ohci.c thread 1: * (lock B) enter tasklet * (lock A) attempt to acquire substream lock, waiting for it to be released: snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed() in update_pcm_pointers() in process_ctx_payloads() in process_rx_packets() of amdtp-stream.c ? tasklet_unlock_spin_wait </NMI> <TASK> ohci_flush_iso_completions firewire_ohci amdtp_domain_stream_pcm_pointer snd_firewire_lib snd_pcm_update_hw_ptr0 snd_pcm snd_pcm_status64 snd_pcm ? native_queued_spin_lock_slowpath </NMI> <IRQ> _raw_spin_lock_irqsave snd_pcm_period_elapsed snd_pcm process_rx_packets snd_firewire_lib irq_target_callback snd_firewire_lib handle_it_packet firewire_ohci context_tasklet firewire_ohci Restore the process context work queue to prevent deadlock AB/BA deadlock competition for ALSA substream lock of snd_pcm_stream_lock_irq() in snd_pcm_status64() and snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed(). revert commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event in process context") Replace inline description to prevent future deadlock. CVE-2024-42274 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-pci: add missing condition check for existence of mapped data nvme_map_data() is called when request has physical segments, hence the nvme_unmap_data() should have same condition to avoid dereference. CVE-2024-42276 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en In sprd_iommu_cleanup() before calling function sprd_iommu_hw_en() dom->sdev is equal to NULL, which leads to null dereference. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-42277 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: TAS2781: Fix tasdev_load_calibrated_data() This function has a reversed if statement so it's either a no-op or it leads to a NULL dereference. CVE-2024-42278 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer While transmitting with rx_len == 0, the RX FIFO is not going to be emptied in the interrupt handler. A subsequent transfer could then read crap from the previous transfer out of the RX FIFO into the start RX buffer. The core provides a register that will empty the RX and TX FIFOs, so do that before each transfer. CVE-2024-42279 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp). CVE-2024-42280 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a segment issue when downgrading gso_size Linearize the skb when downgrading gso_size because it may trigger a BUG_ON() later when the skb is segmented as described in [1,2]. CVE-2024-42281 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: nexthop: Initialize all fields in dumped nexthops struct nexthop_grp contains two reserved fields that are not initialized by nla_put_nh_group(), and carry garbage. This can be observed e.g. with strace (edited for clarity): # ip nexthop add id 1 dev lo # ip nexthop add id 101 group 1 # strace -e recvmsg ip nexthop get id 101 ... recvmsg(... [{nla_len=12, nla_type=NHA_GROUP}, [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52 The fields are reserved and therefore not currently used. But as they are, they leak kernel memory, and the fact they are not just zero complicates repurposing of the fields for new ends. Initialize the full structure. CVE-2024-42283 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address. CVE-2024-42284 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix a use-after-free related to destroying CM IDs iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows: conn_id->cm_id.iw = cm_id; cm_id->context = conn_id; cm_id->cm_handler = cma_iw_handler; rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make sure that cm_work_handler() does not trigger a use-after-free by only freeing of the struct rdma_id_private after all pending work has finished. CVE-2024-42285 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: validate nvme_local_port correctly The driver load failed with error message, qla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef and with a kernel crash, BUG: unable to handle kernel NULL pointer dereference at 0000000000000070 Workqueue: events_unbound qla_register_fcport_fn [qla2xxx] RIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc] RSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000 RDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000 RBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030 R10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4 R13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8 FS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0 Call Trace: qla_nvme_register_remote+0xeb/0x1f0 [qla2xxx] ? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx] qla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx] qla_register_fcport_fn+0x54/0xc0 [qla2xxx] Exit the qla_nvme_register_remote() function when qla_nvme_register_hba() fails and correctly validate nvme_local_port. CVE-2024-42286 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Complete command early within lock A crash was observed while performing NPIV and FW reset, BUG: kernel NULL pointer dereference, address: 000000000000001c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 1 PREEMPT_RT SMP NOPTI RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0 RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0 RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034 R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000 R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000 FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? page_fault_oops+0x16f/0x4a0 ? do_user_addr_fault+0x174/0x7f0 ? exc_page_fault+0x69/0x1a0 ? asm_exc_page_fault+0x22/0x30 ? dma_direct_unmap_sg+0x51/0x1e0 ? preempt_count_sub+0x96/0xe0 qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx] qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx] __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx] The command completion was done early while aborting the commands in driver unload path but outside lock to avoid the WARN_ON condition of performing dma_free_attr within the lock. However this caused race condition while command completion via multiple paths causing system crash. Hence complete the command early in unload path but within the lock to avoid race condition. CVE-2024-42287 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix for possible memory corruption Init Control Block is dereferenced incorrectly. Correctly dereference ICB CVE-2024-42288 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: During vport delete send async logout explicitly During vport delete, it is observed that during unload we hit a crash because of stale entries in outstanding command array. For all these stale I/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but I/Os could not complete while vport delete is in process of deleting. BUG: kernel NULL pointer dereference, address: 000000000000001c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI Workqueue: qla2xxx_wq qla_do_work [qla2xxx] RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0 RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0 RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8 R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000 R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0 Call Trace: <TASK> qla2xxx_qpair_sp_free_dma+0x417/0x4e0 ? qla2xxx_qpair_sp_compl+0x10d/0x1a0 ? qla2x00_status_entry+0x768/0x2830 ? newidle_balance+0x2f0/0x430 ? dequeue_entity+0x100/0x3c0 ? qla24xx_process_response_queue+0x6a1/0x19e0 ? __schedule+0x2d5/0x1140 ? qla_do_work+0x47/0x60 ? process_one_work+0x267/0x440 ? process_one_work+0x440/0x440 ? worker_thread+0x2d/0x3d0 ? process_one_work+0x440/0x440 ? kthread+0x156/0x180 ? set_kthread_struct+0x50/0x50 ? ret_from_fork+0x22/0x30 </TASK> Send out async logout explicitly for all the ports during vport delete. CVE-2024-42289 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: irqchip/imx-irqsteer: Handle runtime power management correctly The power domain is automatically activated from clk_prepare(). However, on certain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes sleeping functions, which triggers the 'scheduling while atomic' bug in the context switch path during device probing: BUG: scheduling while atomic: kworker/u13:1/48/0x00000002 Call trace: __schedule_bug+0x54/0x6c __schedule+0x7f0/0xa94 schedule+0x5c/0xc4 schedule_preempt_disabled+0x24/0x40 __mutex_lock.constprop.0+0x2c0/0x540 __mutex_lock_slowpath+0x14/0x20 mutex_lock+0x48/0x54 clk_prepare_lock+0x44/0xa0 clk_prepare+0x20/0x44 imx_irqsteer_resume+0x28/0xe0 pm_generic_runtime_resume+0x2c/0x44 __genpd_runtime_resume+0x30/0x80 genpd_runtime_resume+0xc8/0x2c0 __rpm_callback+0x48/0x1d8 rpm_callback+0x6c/0x78 rpm_resume+0x490/0x6b4 __pm_runtime_resume+0x50/0x94 irq_chip_pm_get+0x2c/0xa0 __irq_do_set_handler+0x178/0x24c irq_set_chained_handler_and_data+0x60/0xa4 mxc_gpio_probe+0x160/0x4b0 Cure this by implementing the irq_bus_lock/sync_unlock() interrupt chip callbacks and handle power management in them as they are invoked from non-atomic context. [ tglx: Rewrote change log, added Fixes tag ] CVE-2024-42290 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Add a per-VF limit on number of FDIR filters While the iavf driver adds a s/w limit (128) on the number of FDIR filters that the VF can request, a malicious VF driver can request more than that and exhaust the resources for other VFs. Add a similar limit in ice. CVE-2024-42291 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: kobject_uevent: Fix OOB access within zap_modalias_env() zap_modalias_env() wrongly calculates size of memory block to move, so will cause OOB memory access issue if variable MODALIAS is not the last one within its @env parameter, fixed by correcting size to memmove. CVE-2024-42292 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: handle inconsistent state in nilfs_btnode_create_block() Syzbot reported that a buffer state inconsistency was detected in nilfs_btnode_create_block(), triggering a kernel bug. It is not appropriate to treat this inconsistency as a bug; it can occur if the argument block address (the buffer index of the newly created block) is a virtual block number and has been reallocated due to corruption of the bitmap used to manage its allocation state. So, modify nilfs_btnode_create_block() and its callers to treat it as a possible filesystem error, rather than triggering a kernel bug. CVE-2024-42295 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. CVE-2024-42298 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport] CVE-2024-42301 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy: The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do so, it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops. That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device. Before v6.3, the function was only called on resume from system sleep or on runtime resume. Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently. (On resume from system sleep, IRQs are not enabled until after the resume_noirq phase. And runtime resume is always awaited before a PCI device is removed.) However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently. The commit was backported to v5.10+ stable kernels, so that's the oldest one affected. Add the missing reference acquisition. Abridged stack trace: BUG: unable to handle page fault for address: 00000000091400c0 CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0 RIP: pci_bus_read_config_dword+0x17/0x50 pci_dev_wait() pci_bridge_wait_for_secondary_bus() dpc_reset_link() pcie_do_recovery() dpc_handler() CVE-2024-42302 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: imx-pxp: Fix ERR_PTR dereference in pxp_probe() devm_regmap_init_mmio() can fail, add a check and bail out in case of error. CVE-2024-42303 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-42308 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-42309 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-42310 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() Syzbot reports uninitialized value access issue as below: loop0: detected capacity change from 0 to 64 ===================================================== BUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 d_revalidate fs/namei.c:862 [inline] lookup_fast+0x89e/0x8e0 fs/namei.c:1649 walk_component fs/namei.c:2001 [inline] link_path_walk+0x817/0x1480 fs/namei.c:2332 path_lookupat+0xd9/0x6f0 fs/namei.c:2485 filename_lookup+0x22e/0x740 fs/namei.c:2515 user_path_at_empty+0x8b/0x390 fs/namei.c:2924 user_path_at include/linux/namei.h:57 [inline] do_mount fs/namespace.c:3689 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x66b/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b BUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline] BUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 hfs_ext_read_extent fs/hfs/extent.c:196 [inline] hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271 hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39 filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426 do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553 do_read_cache_page mm/filemap.c:3595 [inline] read_cache_page+0xfb/0x2f0 mm/filemap.c:3604 read_mapping_page include/linux/pagemap.h:755 [inline] hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78 hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204 hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406 mount_bdev+0x628/0x920 fs/super.c:1359 hfs_mount+0xcd/0xe0 fs/hfs/super.c:456 legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610 vfs_get_tree+0xdc/0x5d0 fs/super.c:1489 do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145 path_mount+0xf98/0x26a0 fs/namespace.c:3475 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674 __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Uninit was created at: __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2190 [inline] allocate_slab mm/slub.c:2354 [inline] new_slab+0x2d7/0x1400 mm/slub.c:2407 ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540 __slab_alloc mm/slub.c:3625 [inline] __slab_alloc_node mm/slub.c:3678 [inline] slab_alloc_node mm/slub.c:3850 [inline] kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3018 [inline] hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165 alloc_inode+0x83/0x440 fs/inode.c:260 new_inode_pseudo fs/inode.c:1005 [inline] new_inode+0x38/0x4f0 fs/inode.c:1031 hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186 hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228 vfs_mkdir+0x49a/0x700 fs/namei.c:4126 do_mkdirat+0x529/0x810 fs/namei.c:4149 __do_sys_mkdirat fs/namei.c:4164 [inline] __se_sys_mkdirat fs/namei.c:4162 [inline] __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b It missed to initialize .tz_secondswest, .cached_start and .cached_blocks fields in struct hfs_inode_info after hfs_alloc_inode(), fix it. CVE-2024-42311 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: sysctl: always initialize i_uid/i_gid Always initialize i_uid/i_gid inside the sysfs core so set_ownership() can safely skip setting them. Commit 5ec27ec735ba ("fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.") added defaults for i_uid/i_gid when set_ownership() was not implemented. It also missed adjusting net_ctl_set_ownership() to use the same default values in case the computation of a better value failed. CVE-2024-42312 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: venus: fix use after free in vdec_close There appears to be a possible use after free with vdec_close(). The firmware will add buffer release work to the work queue through HFI callbacks as a normal part of decoding. Randomly closing the decoder device from userspace during normal decoding can incur a read after free for inst. Fix it by cancelling the work in vdec_close. CVE-2024-42313 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix extent map use-after-free when adding pages to compressed bio At add_ra_bio_pages() we are accessing the extent map to calculate 'add_size' after we dropped our reference on the extent map, resulting in a use-after-free. Fix this by computing 'add_size' before dropping our extent map reference. CVE-2024-42314 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: exfat: fix potential deadlock on __exfat_get_dentry_set When accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array is allocated in __exfat_get_entry_set. The problem is that the bh-array is allocated with GFP_KERNEL. It does not make sense. In the following cases, a deadlock for sbi->s_lock between the two processes may occur. CPU0 CPU1 ---- ---- kswapd balance_pgdat lock(fs_reclaim) exfat_iterate lock(&sbi->s_lock) exfat_readdir exfat_get_uniname_from_ext_entry exfat_get_dentry_set __exfat_get_dentry_set kmalloc_array ... lock(fs_reclaim) ... evict exfat_evict_inode lock(&sbi->s_lock) To fix this, let's allocate bh-array with GFP_NOFS. CVE-2024-42315 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/mglru: fix div-by-zero in vmpressure_calc_level() evict_folios() uses a second pass to reclaim folios that have gone through page writeback and become clean before it finishes the first pass, since folio_rotate_reclaimable() cannot handle those folios due to the isolation. The second pass tries to avoid potential double counting by deducting scan_control->nr_scanned. However, this can result in underflow of nr_scanned, under a condition where shrink_folio_list() does not increment nr_scanned, i.e., when folio_trylock() fails. The underflow can cause the divisor, i.e., scale=scanned+reclaimed in vmpressure_calc_level(), to become zero, resulting in the following crash: [exception RIP: vmpressure_work_fn+101] process_one_work at ffffffffa3313f2b Since scan_control->nr_scanned has no established semantics, the potential double counting has minimal risks. Therefore, fix the problem by not deducting scan_control->nr_scanned in evict_folios(). CVE-2024-42316 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: landlock: Don't lose track of restrictions on cred_transfer When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost. This basically means that a process with the ability to use the fork() and keyctl() syscalls can get rid of all Landlock restrictions on itself. Fix it by adding a cred_transfer hook that does the same thing as the existing cred_prepare hook. (Implemented by having hook_cred_prepare() call hook_cred_transfer() so that the two functions are less likely to accidentally diverge in the future.) CVE-2024-42318 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable() When mtk-cmdq unbinds, a WARN_ON message with condition pm_runtime_get_sync() < 0 occurs. According to the call tracei below: cmdq_mbox_shutdown mbox_free_channel mbox_controller_unregister __devm_mbox_controller_unregister ... The root cause can be deduced to be calling pm_runtime_get_sync() after calling pm_runtime_disable() as observed below: 1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe() to bind the cmdq device to the mbox_controller, so devm_mbox_controller_unregister() will automatically unregister the device bound to the mailbox controller when the device-managed resource is removed. That means devm_mbox_controller_unregister() and cmdq_mbox_shoutdown() will be called after cmdq_remove(). 2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after devm_mbox_controller_register(), so that devm_pm_runtime_disable() will be called after cmdq_remove(), but before devm_mbox_controller_unregister(). To fix this problem, cmdq_probe() needs to move devm_mbox_controller_register() after devm_pm_runtime_enable() to make devm_pm_runtime_disable() be called after devm_mbox_controller_unregister(). CVE-2024-42319 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix error checks in dasd_copy_pair_store() dasd_add_busid() can return an error via ERR_PTR() if an allocation fails. However, two callsites in dasd_copy_pair_store() do not check the result, potentially resulting in a NULL pointer dereference. Fix this by checking the result with IS_ERR() and returning the error up the stack. CVE-2024-42320 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipvs: properly dereference pe in ip_vs_add_service Use pe directly to resolve sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression CVE-2024-42322 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Revise lpfc_prep_embed_io routine with proper endian macro usages On big endian architectures, it is possible to run into a memory out of bounds pointer dereference when FCP targets are zoned. In lpfc_prep_embed_io, the memcpy(ptr, fcp_cmnd, sgl->sge_len) is referencing a little endian formatted sgl->sge_len value. So, the memcpy can cause big endian systems to crash. Redefine the *sgl ptr as a struct sli4_sge_le to make it clear that we are referring to a little endian formatted data structure. And, update the routine with proper le32_to_cpu macro usages. CVE-2024-43816 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: missing check virtio Two missing check in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again 1. After the skb_segment function the buffer may become non-linear (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere the __skb_linearize function will not be executed, then the buffer will remain non-linear. Then the condition (offset >= skb_headlen(skb)) becomes true, which causes WARN_ON_ONCE in skb_checksum_help. 2. The struct sk_buff and struct virtio_net_hdr members must be mathematically related. (gso_size) must be greater than (needed) otherwise WARN_ON_ONCE. (remainder) must be greater than (needed) otherwise WARN_ON_ONCE. (remainder) may be 0 if division is without remainder. offset+2 (4191) > skb_headlen() (1116) WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303 Modules linked in: CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303 Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209 RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001 RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d FS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777 ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584 ip_finish_output_gso net/ipv4/ip_output.c:286 [inline] __ip_finish_output net/ipv4/ip_output.c:308 [inline] __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433 dst_output include/net/dst.h:451 [inline] ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129 iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline] sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3545 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 __sys_sendto+0x255/0x340 net/socket.c:2190 __do_sys_sendto net/socket.c:2202 [inline] __se_sys_sendto net/socket.c:2198 [inline] __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Found by Linux Verification Center (linuxtesting.org) with Syzkaller CVE-2024-43817 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: Adjust error handling in case of absent codec device acpi_get_first_physical_node() can return NULL in several cases (no such device, ACPI table error, reference count drop to 0, etc). Existing check just emit error message, but doesn't perform return. Then this NULL pointer is passed to devm_acpi_dev_add_driver_gpios() where it is dereferenced. Adjust this error handling by adding error code return. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-43818 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: kvm: s390: Reject memory region operations for ucontrol VMs This change rejects the KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM. This is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and would thus result in a null pointer dereference further in. Memory management needs to be performed in userspace and using the ioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP. Also improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2. [frankja@linux.ibm.com: commit message spelling fix, subject prefix fix] CVE-2024-43819 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix a possible null pointer dereference In function lpfc_xcvr_data_show, the memory allocation with kmalloc might fail, thereby making rdp_context a null pointer. In the following context and functions that use this pointer, there are dereferencing operations, leading to null pointer dereference. To fix this issue, a null pointer check should be added. If it is null, use scnprintf to notify the user and return len. CVE-2024-43821 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs() If IORESOURCE_MEM is not provided in Device Tree due to any error, resource_list_first_type() will return NULL and pci_parse_request_of_pci_ranges() will just emit a warning. This will cause a NULL pointer dereference. Fix this bug by adding NULL return check. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-43823 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init() Instead of getting the epc_features from pci_epc_get_features() API, use the cached pci_epf_test::epc_features value to avoid the NULL check. Since the NULL check is already performed in pci_epf_test_bind(), having one more check in pci_epf_test_core_init() is redundant and it is not possible to hit the NULL pointer dereference. Also with commit a01e7214bef9 ("PCI: endpoint: Remove "core_init_notifier" flag"), 'epc_features' got dereferenced without the NULL check, leading to the following false positive Smatch warning: drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747) Thus, remove the redundant NULL check and also use the epc_features:: {msix_capable/msi_capable} flags directly to avoid local variables. [kwilczynski: commit log] CVE-2024-43824 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: Fix the sorting functionality in iio_gts_build_avail_time_table The sorting in iio_gts_build_avail_time_table is not working as intended. It could result in an out-of-bounds access when the time is zero. Here are more details: 1. When the gts->itime_table[i].time_us is zero, e.g., the time sequence is `3, 0, 1`, the inner for-loop will not terminate and do out-of-bound writes. This is because once `times[j] > new`, the value `new` will be added in the current position and the `times[j]` will be moved to `j+1` position, which makes the if-condition always hold. Meanwhile, idx will be added one, making the loop keep running without termination and out-of-bound write. 2. If none of the gts->itime_table[i].time_us is zero, the elements will just be copied without being sorted as described in the comment "Sort times from all tables to one and remove duplicates". For more details, please refer to https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com. CVE-2024-43825 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfs: pass explicit offset/count to trace events nfs_folio_length is unsafe to use without having the folio locked and a check for a NULL ->f_mapping that protects against truncations and can lead to kernel crashes. E.g. when running xfstests generic/065 with all nfs trace points enabled. Follow the model of the XFS trace points and pass in an explіcit offset and length. This has the additional benefit that these values can be more accurate as some of the users touch partial folio ranges. CVE-2024-43826 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/qxl: Add check for drm_cvt_mode Add check for the return value of drm_cvt_mode() and return the error if it fails in order to avoid NULL pointer dereference. CVE-2024-43829 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: leds: trigger: Unregister sysfs attributes before calling deactivate() Triggers which have trigger specific sysfs attributes typically store related data in trigger-data allocated by the activate() callback and freed by the deactivate() callback. Calling device_remove_groups() after calling deactivate() leaves a window where the sysfs attributes show/store functions could be called after deactivation and then operate on the just freed trigger-data. Move the device_remove_groups() call to before deactivate() to close this race window. This also makes the deactivation path properly do things in reverse order of the activation path which calls the activate() callback before calling device_add_groups(). CVE-2024-43830 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Handle invalid decoder vsi Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi is valid for future use. CVE-2024-43831 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Fix NULL pointer dereference in adding ancillary links In v4l2_async_create_ancillary_links(), ancillary links are created for lens and flash sub-devices. These are sub-device to sub-device links and if the async notifier is related to a V4L2 device, the source sub-device of the ancillary link is NULL, leading to a NULL pointer dereference. Check the notifier's sd field is non-NULL in v4l2_async_create_ancillary_links(). [Sakari Ailus: Reword the subject and commit messages slightly.] CVE-2024-43833 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: xdp: fix invalid wait context of page_pool_destroy() If the driver uses a page pool, it creates a page pool with page_pool_create(). The reference count of page pool is 1 as default. A page pool will be destroyed only when a reference count reaches 0. page_pool_destroy() is used to destroy page pool, it decreases a reference count. When a page pool is destroyed, ->disconnect() is called, which is mem_allocator_disconnect(). This function internally acquires mutex_lock(). If the driver uses XDP, it registers a memory model with xdp_rxq_info_reg_mem_model(). The xdp_rxq_info_reg_mem_model() internally increases a page pool reference count if a memory model is a page pool. Now the reference count is 2. To destroy a page pool, the driver should call both page_pool_destroy() and xdp_unreg_mem_model(). The xdp_unreg_mem_model() internally calls page_pool_destroy(). Only page_pool_destroy() decreases a reference count. If a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we will face an invalid wait context warning. Because xdp_unreg_mem_model() calls page_pool_destroy() with rcu_read_lock(). The page_pool_destroy() internally acquires mutex_lock(). Splat looks like: ============================= [ BUG: Invalid wait context ] 6.10.0-rc6+ #4 Tainted: G W ----------------------------- ethtool/1806 is trying to lock: ffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150 other info that might help us debug this: context-{5:5} 3 locks held by ethtool/1806: stack backtrace: CPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 Call Trace: <TASK> dump_stack_lvl+0x7e/0xc0 __lock_acquire+0x1681/0x4de0 ? _printk+0x64/0xe0 ? __pfx_mark_lock.part.0+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 lock_acquire+0x1b3/0x580 ? mem_allocator_disconnect+0x73/0x150 ? __wake_up_klogd.part.0+0x16/0xc0 ? __pfx_lock_acquire+0x10/0x10 ? dump_stack_lvl+0x91/0xc0 __mutex_lock+0x15c/0x1690 ? mem_allocator_disconnect+0x73/0x150 ? __pfx_prb_read_valid+0x10/0x10 ? mem_allocator_disconnect+0x73/0x150 ? __pfx_llist_add_batch+0x10/0x10 ? console_unlock+0x193/0x1b0 ? lockdep_hardirqs_on+0xbe/0x140 ? __pfx___mutex_lock+0x10/0x10 ? tick_nohz_tick_stopped+0x16/0x90 ? __irq_work_queue_local+0x1e5/0x330 ? irq_work_queue+0x39/0x50 ? __wake_up_klogd.part.0+0x79/0xc0 ? mem_allocator_disconnect+0x73/0x150 mem_allocator_disconnect+0x73/0x150 ? __pfx_mem_allocator_disconnect+0x10/0x10 ? mark_held_locks+0xa5/0xf0 ? rcu_is_watching+0x11/0xb0 page_pool_release+0x36e/0x6d0 page_pool_destroy+0xd7/0x440 xdp_unreg_mem_model+0x1a7/0x2a0 ? __pfx_xdp_unreg_mem_model+0x10/0x10 ? kfree+0x125/0x370 ? bnxt_free_ring.isra.0+0x2eb/0x500 ? bnxt_free_mem+0x5ac/0x2500 xdp_rxq_info_unreg+0x4a/0xd0 bnxt_free_mem+0x1356/0x2500 bnxt_close_nic+0xf0/0x3b0 ? __pfx_bnxt_close_nic+0x10/0x10 ? ethnl_parse_bit+0x2c6/0x6d0 ? __pfx___nla_validate_parse+0x10/0x10 ? __pfx_ethnl_parse_bit+0x10/0x10 bnxt_set_features+0x2a8/0x3e0 __netdev_update_features+0x4dc/0x1370 ? ethnl_parse_bitset+0x4ff/0x750 ? __pfx_ethnl_parse_bitset+0x10/0x10 ? __pfx___netdev_update_features+0x10/0x10 ? mark_held_locks+0xa5/0xf0 ? _raw_spin_unlock_irqrestore+0x42/0x70 ? __pm_runtime_resume+0x7d/0x110 ethnl_set_features+0x32d/0xa20 To fix this problem, it uses rhashtable_lookup_fast() instead of rhashtable_lookup() with rcu_read_lock(). Using xa without rcu_read_lock() here is safe. xa is freed by __xdp_mem_allocator_rcu_free() and this is called by call_rcu() of mem_xa_remove(). The mem_xa_remove() is called by page_pool_destroy() if a reference count reaches 0. The xa is already protected by the reference count mechanism well in the control plane. So removing rcu_read_lock() for page_pool_destroy() is safe. CVE-2024-43834 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT When loading a EXT program without specifying `attr->attach_prog_fd`, the `prog->aux->dst_prog` will be null. At this time, calling resolve_prog_type() anywhere will result in a null pointer dereference. Example stack trace: [ 8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 [ 8.108262] Mem abort info: [ 8.108384] ESR = 0x0000000096000004 [ 8.108547] EC = 0x25: DABT (current EL), IL = 32 bits [ 8.108722] SET = 0, FnV = 0 [ 8.108827] EA = 0, S1PTW = 0 [ 8.108939] FSC = 0x04: level 0 translation fault [ 8.109102] Data abort info: [ 8.109203] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 8.109399] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 8.109614] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000 [ 8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000 [ 8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 8.112783] Modules linked in: [ 8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1 [ 8.113230] Hardware name: linux,dummy-virt (DT) [ 8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 8.113429] pc : may_access_direct_pkt_data+0x24/0xa0 [ 8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8 [ 8.113798] sp : ffff80008283b9f0 [ 8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001 [ 8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000 [ 8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000 [ 8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff [ 8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720 [ 8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 [ 8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4 [ 8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f [ 8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c [ 8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000 [ 8.114126] Call trace: [ 8.114159] may_access_direct_pkt_data+0x24/0xa0 [ 8.114202] bpf_check+0x3bc/0x28c0 [ 8.114214] bpf_prog_load+0x658/0xa58 [ 8.114227] __sys_bpf+0xc50/0x2250 [ 8.114240] __arm64_sys_bpf+0x28/0x40 [ 8.114254] invoke_syscall.constprop.0+0x54/0xf0 [ 8.114273] do_el0_svc+0x4c/0xd8 [ 8.114289] el0_svc+0x3c/0x140 [ 8.114305] el0t_64_sync_handler+0x134/0x150 [ 8.114331] el0t_64_sync+0x168/0x170 [ 8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403) [ 8.118672] ---[ end trace 0000000000000000 ]--- One way to fix it is by forcing `attach_prog_fd` non-empty when bpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type` API broken which use verifier log to probe prog type and will log nothing if we reject invalid EXT prog before bpf_check(). Another way is by adding null check in resolve_prog_type(). The issue was introduced by commit 4a9c7bbe2ed4 ("bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT") which wanted to correct type resolution for BPF_PROG_TYPE_TRACING programs. Before that, the type resolution of BPF_PROG_TYPE_EXT prog actually follows the logic below: prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type; It implies that when EXT program is not yet attached to `dst_prog`, the prog type should be EXT itself. This code worked fine in the past. So just keep using it. Fix this by returning `prog->type` for BPF_PROG_TYPE_EXT if `dst_prog` is not present in resolve_prog_type(). CVE-2024-43837 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bna: adjust 'name' buf size of bna_tcb and bna_ccb structures To have enough space to write all possible sprintf() args. Currently 'name' size is 16, but the first '%s' specifier may already need at least 16 characters, since 'bnad->netdev->name' is used there. For '%d' specifiers, assume that they require: * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8 * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX is 16 And replace sprintf with snprintf. Detected using the static analysis tool - Svace. CVE-2024-43839 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the struct bpf_tramp_image *im pointer as an argument in R0. The trampoline generation code uses emit_addr_mov_i64() to emit instructions for moving the bpf_tramp_image address into R0, but emit_addr_mov_i64() assumes the address to be in the vmalloc() space and uses only 48 bits. Because bpf_tramp_image is allocated using kzalloc(), its address can use more than 48-bits, in this case the trampoline will pass an invalid address to __bpf_tramp_enter/exit() causing a kernel crash. Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64() as it can work with addresses that are greater than 48-bits. CVE-2024-43840 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: virt_wifi: avoid reporting connection success with wrong SSID When user issues a connection with a different SSID than the one virt_wifi has advertised, the __cfg80211_connect_result() will trigger the warning: WARN_ON(bss_not_found). The issue is because the connection code in virt_wifi does not check the SSID from user space (it only checks the BSSID), and virt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS even if the SSID is different from the one virt_wifi has advertised. Eventually cfg80211 won't be able to find the cfg80211_bss and generate the warning. Fixed it by checking the SSID (from user space) in the connection code. CVE-2024-43841 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size. But then 'rate->he_gi' is used as array index instead of 'status->he_gi'. This can lead to go beyond array boundaries in case of 'rate->he_gi' is not equal to 'status->he_gi' and is bigger than array size. Looks like "copy-paste" mistake. Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-43842 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: lib: objagg: Fix general protection fault The library supports aggregation of objects into other objects only if the parent object does not have a parent itself. That is, nesting is not supported. Aggregation happens in two cases: Without and with hints, where hints are a pre-computed recommendation on how to aggregate the provided objects. Nesting is not possible in the first case due to a check that prevents it, but in the second case there is no check because the assumption is that nesting cannot happen when creating objects based on hints. The violation of this assumption leads to various warnings and eventually to a general protection fault [1]. Before fixing the root cause, error out when nesting happens and warn. [1] general protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G W 6.9.0-rc6-custom-gd9b4f1cca7fb #7 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80 [...] Call Trace: <TASK> mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0 mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270 mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> CVE-2024-43846 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid memory access while processing fragmented packets The monitor ring and the reo reinject ring share the same ring mask index. When the driver receives an interrupt for the reo reinject ring, the monitor ring is also processed, leading to invalid memory access. Since monitor support is not yet enabled in ath12k, the ring mask for the monitor ring should be removed. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1 CVE-2024-43847 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: protect locator_addr with the main mutex If the service locator server is restarted fast enough, the PDR can rewrite locator_addr fields concurrently. Protect them by placing modification of those fields under the main pdr->lock. CVE-2024-43849 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove The following warning is seen during bwmon_remove due to refcount imbalance, fix this by releasing the OPPs after use. Logs: WARNING: at drivers/opp/core.c:1640 _opp_table_kref_release+0x150/0x158 Hardware name: Qualcomm Technologies, Inc. X1E80100 CRD (DT) ... Call trace: _opp_table_kref_release+0x150/0x158 dev_pm_opp_remove_table+0x100/0x1b4 devm_pm_opp_of_table_release+0x10/0x1c devm_action_release+0x14/0x20 devres_release_all+0xa4/0x104 device_unbind_cleanup+0x18/0x60 device_release_driver_internal+0x1ec/0x228 driver_detach+0x50/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 bwmon_driver_exit+0x18/0x524 [icc_bwmon] __arm64_sys_delete_module+0x184/0x264 invoke_syscall+0x48/0x118 el0_svc_common.constprop.0+0xc8/0xe8 do_el0_svc+0x20/0x2c el0_svc+0x34/0xdc el0t_64_sync_handler+0x13c/0x158 el0t_64_sync+0x190/0x194 --[ end trace 0000000000000000 ]--- CVE-2024-43850 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: xilinx: rename cpu_number1 to dummy_cpu_number The per cpu variable cpu_number1 is passed to xlnx_event_handler as argument "dev_id", but it is not used in this function. So drop the initialization of this variable and rename it to dummy_cpu_number. This patch is to fix the following call trace when the kernel option CONFIG_DEBUG_ATOMIC_SLEEP is enabled: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0 preempt_count: 1, expected: 0 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0 #53 Hardware name: Xilinx Versal vmk180 Eval board rev1.1 (QSPI) (DT) Call trace: dump_backtrace+0xd0/0xe0 show_stack+0x18/0x40 dump_stack_lvl+0x7c/0xa0 dump_stack+0x18/0x34 __might_resched+0x10c/0x140 __might_sleep+0x4c/0xa0 __kmem_cache_alloc_node+0xf4/0x168 kmalloc_trace+0x28/0x38 __request_percpu_irq+0x74/0x138 xlnx_event_manager_probe+0xf8/0x298 platform_probe+0x68/0xd8 CVE-2024-43851 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: Prevent UAF in proc_cpuset_show() An UAF can happen when /proc/cpuset is read as reported in [1]. This can be reproduced by the following methods: 1.add an mdelay(1000) before acquiring the cgroup_lock In the cgroup_path_ns function. 2.$cat /proc/<pid>/cpuset repeatly. 3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ $umount /sys/fs/cgroup/cpuset/ repeatly. The race that cause this bug can be shown as below: (umount) | (cat /proc/<pid>/cpuset) css_release | proc_cpuset_show css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); cgroup_destroy_root | mutex_lock(&cgroup_mutex); rebind_subsystems | cgroup_free_root | | // cgrp was freed, UAF | cgroup_path_ns_locked(cgrp,..); When the cpuset is initialized, the root node top_cpuset.css.cgrp will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated &cgroup_root.cgrp. When the umount operation is executed, top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp. The problem is that when rebinding to cgrp_dfl_root, there are cases where the cgroup_root allocated by setting up the root for cgroup v1 is cached. This could lead to a Use-After-Free (UAF) if it is subsequently freed. The descendant cgroups of cgroup v1 can only be freed after the css is released. However, the css of the root will never be released, yet the cgroup_root should be freed when it is unmounted. This means that obtaining a reference to the css of the root does not guarantee that css.cgrp->root will not be freed. Fix this problem by using rcu_read_lock in proc_cpuset_show(). As cgroup_root is kfree_rcu after commit d23b5c577715 ("cgroup: Make operations on the cgroup root_list RCU safe"), css->cgroup won't be freed during the critical section. To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to replace task_get_css with task_css. [1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd CVE-2024-43853 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes. CVE-2024-43854 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: md: fix deadlock between mddev_suspend and flush bio Deadlock occurs when mddev is being suspended while some flush bio is in progress. It is a complex issue. T1. the first flush is at the ending stage, it clears 'mddev->flush_bio' and tries to submit data, but is blocked because mddev is suspended by T4. T2. the second flush sets 'mddev->flush_bio', and attempts to queue md_submit_flush_data(), which is already running (T1) and won't execute again if on the same CPU as T1. T3. the third flush inc active_io and tries to flush, but is blocked because 'mddev->flush_bio' is not NULL (set by T2). T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc by T3. T1 T2 T3 T4 (flush 1) (flush 2) (third 3) (suspend) md_submit_flush_data mddev->flush_bio = NULL; . . md_flush_request . mddev->flush_bio = bio . queue submit_flushes . . . . md_handle_request . . active_io + 1 . . md_flush_request . . wait !mddev->flush_bio . . . . mddev_suspend . . wait !active_io . . . submit_flushes . queue_work md_submit_flush_data . //md_submit_flush_data is already running (T1) . md_handle_request wait resume The root issue is non-atomic inc/dec of active_io during flush process. active_io is dec before md_submit_flush_data is queued, and inc soon after md_submit_flush_data() run. md_flush_request active_io + 1 submit_flushes active_io - 1 md_submit_flush_data md_handle_request active_io + 1 make_request active_io - 1 If active_io is dec after md_handle_request() instead of within submit_flushes(), make_request() can be called directly intead of md_handle_request() in md_submit_flush_data(), and active_io will only inc and dec once in the whole flush process. Deadlock will be fixed. Additionally, the only difference between fixing the issue and before is that there is no return error handling of make_request(). But after previous patch cleaned md_write_start(), make_requst() only return error in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape)". Since dm always splits data and flush operation into two separate io, io size of flush submitted by dm always is 0, make_request() will not be called in md_submit_flush_data(). To prevent future modifications from introducing issues, add WARN_ON to ensure make_request() no error is returned in this context. CVE-2024-43855 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma: fix call order in dmam_free_coherent dmam_free_coherent() frees a DMA allocation, which makes the freed vaddr available for reuse, then calls devres_destroy() to remove and free the data structure used to track the DMA allocation. Between the two calls, it is possible for a concurrent task to make an allocation with the same vaddr and add it to the devres list. If this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match. Fix by destroying the devres entry before freeing the DMA allocation. kokonut //net/encryption http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03 CVE-2024-43856 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree CVE-2024-43858 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: remoteproc: imx_rproc: Skip over memory region when node value is NULL In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts number of phandles. But phandles may be empty. So of_parse_phandle() in the parsing loop (0 < a < nph) may return NULL which is later dereferenced. Adjust this issue by adding NULL-return check. Found by Linux Verification Center (linuxtesting.org) with SVACE. [Fixed title to fit within the prescribed 70-75 charcters] CVE-2024-43860 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: fix memory leak for not ip packets Free the unused skb when not ip packets arrive. CVE-2024-43861 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a deadlock in dma buf fence polling Introduce a version of the fence ops that on release doesn't remove the fence from the pending list, and thus doesn't require a lock to fix poll->fence wait->fence unref deadlocks. vmwgfx overwrites the wait callback to iterate over the list of all fences and update their status, to do that it holds a lock to prevent the list modifcations from other threads. The fence destroy callback both deletes the fence and removes it from the list of pending fences, for which it holds a lock. dma buf polling cb unrefs a fence after it's been signaled: so the poll calls the wait, which signals the fences, which are being destroyed. The destruction tries to acquire the lock on the pending fences list which it can never get because it's held by the wait from which it was called. Old bug, but not a lot of userspace apps were using dma-buf polling interfaces. Fix those, in particular this fixes KDE stalls/deadlock. CVE-2024-43863 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix CT entry update leaks of modify header context The cited commit allocates a new modify header to replace the old one when updating CT entry. But if failed to allocate a new one, eg. exceed the max number firmware can support, modify header will be an error pointer that will trigger a panic when deallocating it. And the old modify header point is copied to old attr. When the old attr is freed, the old modify header is lost. Fix it by restoring the old attr to attr when failed to allocate a new modify header context. So when the CT entry is freed, the right modify header context will be freed. And the panic of accessing error pointer is also fixed. CVE-2024-43864 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always drain health in shutdown callback There is no point in recovery during device shutdown. if health work started need to wait for it to avoid races and NULL pointer access. Hence, drain health WQ on shutdown callback. CVE-2024-43866 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix refcount underflow Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and hence the backing ttm_bo) leads to a refcount underflow. Instead of calling nouveau_bo_ref() in the unwind path of drm_gem_object_init(), clean things up manually. (cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5) CVE-2024-43867 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: devres: Fix memory leakage caused by driver API devm_free_percpu() It will cause memory leakage when use driver API devm_free_percpu() to free memory allocated by devm_alloc_percpu(), fixed by using devres_release() instead of devres_destroy() within devm_free_percpu(). CVE-2024-43871 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup under heavy CEQE load CEQEs are handled in interrupt handler currently. This may cause the CPU core staying in interrupt context too long and lead to soft lockup under heavy load. Handle CEQEs in BH workqueue and set an upper limit for the number of CEQE handled by a single call of work handler. CVE-2024-43872 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: vhost/vsock: always initialize seqpacket_allow There are two issues around seqpacket_allow: 1. seqpacket_allow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, then seqpacket_allow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this). To fix: - initialize seqpacket_allow after allocation - set it unconditionally in set_features CVE-2024-43873 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked Fix a null pointer dereference induced by DEBUG_TEST_DRIVER_REMOVE. Return from __sev_snp_shutdown_locked() if the psp_device or the sev_device structs are not initialized. Without the fix, the driver will produce the following splat: ccp 0000:55:00.5: enabling device (0000 -> 0002) ccp 0000:55:00.5: sev enabled ccp 0000:55:00.5: psp enabled BUG: kernel NULL pointer dereference, address: 00000000000000f0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI CPU: 262 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1+ #29 RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150 Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83 RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb2ea4014b808 RBP: ffffb2ea4014b7e8 R08: 0000000000000106 R09: 000000000003d9c0 R10: 0000000000000001 R11: ffffffffa39ff070 R12: ffff9e49d40590c8 R13: 0000000000000000 R14: ffffb2ea4014b808 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff9e58b1e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000f0 CR3: 0000000418a3e001 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x6f/0xb0 ? __die+0xcc/0xf0 ? page_fault_oops+0x330/0x3a0 ? save_trace+0x2a5/0x360 ? do_user_addr_fault+0x583/0x630 ? exc_page_fault+0x81/0x120 ? asm_exc_page_fault+0x2b/0x30 ? __sev_snp_shutdown_locked+0x2e/0x150 __sev_firmware_shutdown+0x349/0x5b0 ? pm_runtime_barrier+0x66/0xe0 sev_dev_destroy+0x34/0xb0 psp_dev_destroy+0x27/0x60 sp_destroy+0x39/0x90 sp_pci_remove+0x22/0x60 pci_device_remove+0x4e/0x110 really_probe+0x271/0x4e0 __driver_probe_device+0x8f/0x160 driver_probe_device+0x24/0x120 __driver_attach+0xc7/0x280 ? driver_attach+0x30/0x30 bus_for_each_dev+0x10d/0x130 driver_attach+0x22/0x30 bus_add_driver+0x171/0x2b0 ? unaccepted_memory_init_kdump+0x20/0x20 driver_register+0x67/0x100 __pci_register_driver+0x83/0x90 sp_pci_init+0x22/0x30 sp_mod_init+0x13/0x30 do_one_initcall+0xb8/0x290 ? sched_clock_noinstr+0xd/0x10 ? local_clock_noinstr+0x3e/0x100 ? stack_depot_save_flags+0x21e/0x6a0 ? local_clock+0x1c/0x60 ? stack_depot_save_flags+0x21e/0x6a0 ? sched_clock_noinstr+0xd/0x10 ? local_clock_noinstr+0x3e/0x100 ? __lock_acquire+0xd90/0xe30 ? sched_clock_noinstr+0xd/0x10 ? local_clock_noinstr+0x3e/0x100 ? __create_object+0x66/0x100 ? local_clock+0x1c/0x60 ? __create_object+0x66/0x100 ? parameq+0x1b/0x90 ? parse_one+0x6d/0x1d0 ? parse_args+0xd7/0x1f0 ? do_initcall_level+0x180/0x180 do_initcall_level+0xb0/0x180 do_initcalls+0x60/0xa0 ? kernel_init+0x1f/0x1d0 do_basic_setup+0x41/0x50 kernel_init_freeable+0x1ac/0x230 ? rest_init+0x1f0/0x1f0 kernel_init+0x1f/0x1d0 ? rest_init+0x1f0/0x1f0 ret_from_fork+0x3d/0x50 ? rest_init+0x1f0/0x1f0 ret_from_fork_asm+0x11/0x20 </TASK> Modules linked in: CR2: 00000000000000f0 ---[ end trace 0000000000000000 ]--- RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150 Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83 RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000 RDX: 0000000 ---truncated--- CVE-2024-43874 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Clean up error handling in vpci_scan_bus() Smatch complains about inconsistent NULL checking in vpci_scan_bus(): drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021) Instead of printing an error message and then crashing we should return an error code and clean up. Also the NULL check is reversed so it prints an error for success instead of failure. CVE-2024-43875 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup() Avoid large backtrace, it is sufficient to warn the user that there has been a link problem. Either the link has failed and the system is in need of maintenance, or the link continues to work and user has been informed. The message from the warning can be looked up in the sources. This makes an actual link issue less verbose. First of all, this controller has a limitation in that the controller driver has to assist the hardware with transition to L1 link state by writing L1IATN to PMCTRL register, the L1 and L0 link state switching is not fully automatic on this controller. In case of an ASMedia ASM1062 PCIe SATA controller which does not support ASPM, on entry to suspend or during platform pm_test, the SATA controller enters D3hot state and the link enters L1 state. If the SATA controller wakes up before rcar_pcie_wakeup() was called and returns to D0, the link returns to L0 before the controller driver even started its transition to L1 link state. At this point, the SATA controller did send an PM_ENTER_L1 DLLP to the PCIe controller and the PCIe controller received it, and the PCIe controller did set PMSR PMEL1RX bit. Once rcar_pcie_wakeup() is called, if the link is already back in L0 state and PMEL1RX bit is set, the controller driver has no way to determine if it should perform the link transition to L1 state, or treat the link as if it is in L0 state. Currently the driver attempts to perform the transition to L1 link state unconditionally, which in this specific case fails with a PMSR L1FAEG poll timeout, however the link still works as it is already back in L0 state. Reduce this warning verbosity. In case the link is really broken, the rcar_pcie_config_access() would fail, otherwise it will succeed and any system with this controller and ASM1062 can suspend without generating a backtrace. CVE-2024-43876 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: pci: ivtv: Add check for DMA map result In case DMA fails, 'dma->SG_length' is 0. This value is later used to access 'dma->SGarray[dma->SG_length - 1]', which will cause out of bounds access. Add check to return early on invalid value. Adjust warnings accordingly. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-43877 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() Currently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in cfg80211_calculate_bitrate_he(), leading to below warning: kernel: invalid HE MCS: bw:6, ru:6 kernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211] Fix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth. CVE-2024-43879 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_erp: Fix object nesting warning ACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM (A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can contain more ACLs (i.e., tc filters), but the number of masks in each region (i.e., tc chain) is limited. In order to mitigate the effects of the above limitation, the device allows filters to share a single mask if their masks only differ in up to 8 consecutive bits. For example, dst_ip/25 can be represented using dst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the number of masks being used (and therefore does not support mask aggregation), but can contain a limited number of filters. The driver uses the "objagg" library to perform the mask aggregation by passing it objects that consist of the filter's mask and whether the filter is to be inserted into the A-TCAM or the C-TCAM since filters in different TCAMs cannot share a mask. The set of created objects is dependent on the insertion order of the filters and is not necessarily optimal. Therefore, the driver will periodically ask the library to compute a more optimal set ("hints") by looking at all the existing objects. When the library asks the driver whether two objects can be aggregated the driver only compares the provided masks and ignores the A-TCAM / C-TCAM indication. This is the right thing to do since the goal is to move as many filters as possible to the A-TCAM. The driver also forbids two identical masks from being aggregated since this can only happen if one was intentionally put in the C-TCAM to avoid a conflict in the A-TCAM. The above can result in the following set of hints: H1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta H3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta After getting the hints from the library the driver will start migrating filters from one region to another while consulting the computed hints and instructing the device to perform a lookup in both regions during the transition. Assuming a filter with mask X is being migrated into the A-TCAM in the new region, the hints lookup will return H1. Since H2 is the parent of H1, the library will try to find the object associated with it and create it if necessary in which case another hints lookup (recursive) will be performed. This hints lookup for {mask Y, A-TCAM} will either return H2 or H3 since the driver passes the library an object comparison function that ignores the A-TCAM / C-TCAM indication. This can eventually lead to nested objects which are not supported by the library [1]. Fix by removing the object comparison function from both the driver and the library as the driver was the only user. That way the lookup will only return exact matches. I do not have a reliable reproducer that can reproduce the issue in a timely manner, but before the fix the issue would reproduce in several minutes and with the fix it does not reproduce in over an hour. Note that the current usefulness of the hints is limited because they include the C-TCAM indication and represent aggregation that cannot actually happen. This will be addressed in net-next. [1] WARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0 Modules linked in: CPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42 Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:objagg_obj_parent_assign+0xb5/0xd0 [...] Call Trace: <TASK> __objagg_obj_get+0x2bb/0x580 objagg_obj_get+0xe/0x80 mlxsw_sp_acl_erp_mask_get+0xb5/0xf0 mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0 mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270 mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510 process_one_work+0x151/0x370 CVE-2024-43880 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: change DMA direction while mapping reinjected packets For fragmented packets, ath12k reassembles each fragment as a normal packet and then reinjects it into HW ring. In this case, the DMA direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE. Otherwise, an invalid payload may be reinjected into the HW and subsequently delivered to the host. Given that arbitrary memory can be allocated to the skb buffer, knowledge about the data contained in the reinjected buffer is lacking. Consequently, there's a risk of private information being leaked. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1 CVE-2024-43881 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal. CVE-2024-43882 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: vhci-hcd: Do not drop references before new references are gained At a few places the driver carries stale pointers to references that can still be used. Make sure that does not happen. This strictly speaking closes ZDI-CAN-22273, though there may be similar races in the driver. CVE-2024-43883 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Add error handling to pair_device() hci_conn_params_add() never checks for a NULL value and could lead to a NULL pointer dereference causing a crash. Fixed by adding error handling in the function. CVE-2024-43884 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-43885 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: padata: Fix possible divide-by-0 panic in padata_mt_helper() We are hit with a not easily reproducible divide-by-0 panic in padata.c at bootup time. [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1 [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021 [ 10.017908] Workqueue: events_unbound padata_mt_helper [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0 : [ 10.017963] Call Trace: [ 10.017968] <TASK> [ 10.018004] ? padata_mt_helper+0x39/0xb0 [ 10.018084] process_one_work+0x174/0x330 [ 10.018093] worker_thread+0x266/0x3a0 [ 10.018111] kthread+0xcf/0x100 [ 10.018124] ret_from_fork+0x31/0x50 [ 10.018138] ret_from_fork_asm+0x1a/0x30 [ 10.018147] </TASK> Looking at the padata_mt_helper() function, the only way a divide-by-0 panic can happen is when ps->chunk_size is 0. The way that chunk_size is initialized in padata_do_multithreaded(), chunk_size can be 0 when the min_chunk in the passed-in padata_mt_job structure is 0. Fix this divide-by-0 panic by making sure that chunk_size will be at least 1 no matter what the input parameters are. CVE-2024-43889 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: memcg: protect concurrent access to mem_cgroup_idr Commit 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs") decoupled the memcg IDs from the CSS ID space to fix the cgroup creation failures. It introduced IDR to maintain the memcg ID space. The IDR depends on external synchronization mechanisms for modifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace() happen within css callback and thus are protected through cgroup_mutex from concurrent modifications. However idr_remove() for mem_cgroup_idr was not protected against concurrency and can be run concurrently for different memcgs when they hit their refcnt to zero. Fix that. We have been seeing list_lru based kernel crashes at a low frequency in our fleet for a long time. These crashes were in different part of list_lru code including list_lru_add(), list_lru_del() and reparenting code. Upon further inspection, it looked like for a given object (dentry and inode), the super_block's list_lru didn't have list_lru_one for the memcg of that object. The initial suspicions were either the object is not allocated through kmem_cache_alloc_lru() or somehow memcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but returned success. No evidence were found for these cases. Looking more deeply, we started seeing situations where valid memcg's id is not present in mem_cgroup_idr and in some cases multiple valid memcgs have same id and mem_cgroup_idr is pointing to one of them. So, the most reasonable explanation is that these situations can happen due to race between multiple idr_remove() calls or race between idr_alloc()/idr_replace() and idr_remove(). These races are causing multiple memcgs to acquire the same ID and then offlining of one of them would cleanup list_lrus on the system for all of them. Later access from other memcgs to the list_lru cause crashes due to missing list_lru_one. CVE-2024-43892 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: core: check uartclk for zero to avoid divide by zero Calling ioctl TIOCSSERIAL with an invalid baud_base can result in uartclk being zero, which will result in a divide by zero error in uart_get_divisor(). The check for uartclk being zero in uart_set_info() needs to be done before other settings are made as subsequent calls to ioctl TIOCSSERIAL for the same port would be impacted if the uartclk check was done where uartclk gets set. Oops: divide error: 0000 PREEMPT SMP KASAN PTI RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580) Call Trace: <TASK> serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576 drivers/tty/serial/8250/8250_port.c:2589) serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502 drivers/tty/serial/8250/8250_port.c:2741) serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862) uart_change_line_settings (./include/linux/spinlock.h:376 ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222) uart_port_startup (drivers/tty/serial/serial_core.c:342) uart_startup (drivers/tty/serial/serial_core.c:368) uart_set_info (drivers/tty/serial/serial_core.c:1034) uart_set_info_user (drivers/tty/serial/serial_core.c:1059) tty_set_serial (drivers/tty/tty_io.c:2637) tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791) __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893 fs/ioctl.c:893) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Rule: add CVE-2024-43893 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/client: fix null pointer dereference in drm_client_modeset_probe In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is assigned to modeset->mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-43894 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip Recompute DSC Params if no Stream on Link [why] Encounter NULL pointer dereference uner mst + dsc setup. BUG: kernel NULL pointer dereference, address: 0000000000000008 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2 Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022 RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper] Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8> RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224 RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280 RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850 R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000 R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224 FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? plist_add+0xbe/0x100 ? exc_page_fault+0x7c/0x180 ? asm_exc_page_fault+0x26/0x30 ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026] ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026] compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] drm_atomic_check_only+0x5c5/0xa40 drm_mode_atomic_ioctl+0x76e/0xbc0 [how] dsc recompute should be skipped if no mode change detected on the new request. If detected, keep checking whether the stream is already on current state or not. (cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef) CVE-2024-43895 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: drop bad gso csum_start and offset in virtio_net_hdr Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets. The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation. Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb))) By injecting a TSO packet: WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline] The geometry of the bad input packet at tcp_gso_segment: [ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0 [ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244 [ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0)) [ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0) Mitigate with stricter input validation. csum_offset: for GSO packets, deduce the correct value from gso_type. This is already done for USO. Extend it to TSO. Let UFO be: udp[46]_ufo_fragment ignores these fields and always computes the checksum in software. csum_start: finding the real offset requires parsing to the transport header. Do not add a parser, use existing segmentation parsing. Thanks to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. Again test both TSO and USO. Do not test UFO for the above reason, and do not test UDP tunnel offload. GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit from devices with no checksum offload"), but then still these fields are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no need to test for ip_summed == CHECKSUM_PARTIAL first. This revises an existing fix mentioned in the Fixes tag, which broke small packets with GSO offload, as detected by kselftests. CVE-2024-43897 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null pointer deref in dcn20_resource.c Fixes a hang thats triggered when MPV is run on a DCN401 dGPU: mpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all and then enabling fullscreen playback (double click on the video) The following calltrace will be seen: [ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 181.843997] #PF: supervisor instruction fetch in kernel mode [ 181.844003] #PF: error_code(0x0010) - not-present page [ 181.844009] PGD 0 P4D 0 [ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI [ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu [ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018 [ 181.844044] RIP: 0010:0x0 [ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6. [ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246 [ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004 [ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400 [ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c [ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8 [ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005 [ 181.844121] FS: 00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000 [ 181.844128] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0 [ 181.844141] Call Trace: [ 181.844146] <TASK> [ 181.844153] ? show_regs+0x6d/0x80 [ 181.844167] ? __die+0x24/0x80 [ 181.844179] ? page_fault_oops+0x99/0x1b0 [ 181.844192] ? do_user_addr_fault+0x31d/0x6b0 [ 181.844204] ? exc_page_fault+0x83/0x1b0 [ 181.844216] ? asm_exc_page_fault+0x27/0x30 [ 181.844237] dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu] [ 181.845115] amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu] [ 181.845985] amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu] [ 181.846848] fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu] [ 181.847734] fill_dc_plane_attributes+0x162/0x350 [amdgpu] [ 181.848748] dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu] [ 181.849791] ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu] [ 181.850840] amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu] CVE-2024-43899 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: xc2028: avoid use-after-free in load_firmware_cb() syzkaller reported use-after-free in load_firmware_cb() [1]. The reason is because the module allocated a struct tuner in tuner_probe(), and then the module initialization failed, the struct tuner was released. A worker which created during module initialization accesses this struct tuner later, it caused use-after-free. The process is as follows: task-6504 worker_thread tuner_probe <= alloc dvb_frontend [2] ... request_firmware_nowait <= create a worker ... tuner_remove <= free dvb_frontend ... request_firmware_work_func <= the firmware is ready load_firmware_cb <= but now the dvb_frontend has been freed To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is null, report a warning and just return. [1]: ================================================================== BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0 Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504 Call trace: load_firmware_cb+0x1310/0x17a0 request_firmware_work_func+0x128/0x220 process_one_work+0x770/0x1824 worker_thread+0x488/0xea0 kthread+0x300/0x430 ret_from_fork+0x10/0x20 Allocated by task 6504: kzalloc tuner_probe+0xb0/0x1430 i2c_device_probe+0x92c/0xaf0 really_probe+0x678/0xcd0 driver_probe_device+0x280/0x370 __device_attach_driver+0x220/0x330 bus_for_each_drv+0x134/0x1c0 __device_attach+0x1f4/0x410 device_initial_probe+0x20/0x30 bus_probe_device+0x184/0x200 device_add+0x924/0x12c0 device_register+0x24/0x30 i2c_new_device+0x4e0/0xc44 v4l2_i2c_new_subdev_board+0xbc/0x290 v4l2_i2c_new_subdev+0xc8/0x104 em28xx_v4l2_init+0x1dd0/0x3770 Freed by task 6504: kfree+0x238/0x4e4 tuner_remove+0x144/0x1c0 i2c_device_remove+0xc8/0x290 __device_release_driver+0x314/0x5fc device_release_driver+0x30/0x44 bus_remove_device+0x244/0x490 device_del+0x350/0x900 device_unregister+0x28/0xd0 i2c_unregister_device+0x174/0x1d0 v4l2_device_unregister+0x224/0x380 em28xx_v4l2_init+0x1d90/0x3770 The buggy address belongs to the object at ffff8000d7ca2000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 776 bytes inside of 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800) The buggy address belongs to the page: page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0 flags: 0x7ff800000000100(slab) raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== [2] Actually, it is allocated for struct tuner, and dvb_frontend is inside. CVE-2024-43900 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null checker before passing variables Checks null pointer before passing variables to functions. This fixes 3 NULL_RETURNS issues reported by Coverity. CVE-2024-43902 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-43903 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr Check return value and conduct null pointer handling to avoid null pointer dereference. CVE-2024-43905 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/admgpu: fix dereferencing null pointer context When user space sets an invalid ta type, the pointer context will be empty. So it need to check the pointer context before using it CVE-2024-43906 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules Check the pointer value to fix potential null pointer dereference CVE-2024-43907 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix the null pointer dereference to ras_manager Check ras_manager before using it CVE-2024-43908 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/pm: Fix the null pointer dereference for smu7 optimize the code to avoid pass a null pointer (hwmgr->backend) to function smu7_update_edc_leakage_table. CVE-2024-43909 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL dereference at band check in starting tx ba session In MLD connection, link_data/link_conf are dynamically allocated. They don't point to vif->bss_conf. So, there will be no chanreq assigned to vif->bss_conf and then the chan will be NULL. Tweak the code to check ht_supported/vht_supported/has_he/has_eht on sta deflink. Crash log (with rtw89 version under MLO development): [ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 9890.526102] #PF: supervisor read access in kernel mode [ 9890.526105] #PF: error_code(0x0000) - not-present page [ 9890.526109] PGD 0 P4D 0 [ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI [ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1 [ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018 [ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core] [ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211 [ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3 All code ======== 0: f7 e8 imul %eax 2: d5 (bad) 3: 93 xchg %eax,%ebx 4: 3e ea ds (bad) 6: 48 83 c4 28 add $0x28,%rsp a: 89 d8 mov %ebx,%eax c: 5b pop %rbx d: 41 5c pop %r12 f: 41 5d pop %r13 11: 41 5e pop %r14 13: 41 5f pop %r15 15: 5d pop %rbp 16: c3 retq 17: cc int3 18: cc int3 19: cc int3 1a: cc int3 1b: 49 8b 84 24 e0 f1 ff mov -0xe20(%r12),%rax 22: ff 23: 48 8b 80 90 1b 00 00 mov 0x1b90(%rax),%rax 2a:* 83 38 03 cmpl $0x3,(%rax) <-- trapping instruction 2d: 0f 84 37 fe ff ff je 0xfffffffffffffe6a 33: bb ea ff ff ff mov $0xffffffea,%ebx 38: eb cc jmp 0x6 3a: 49 rex.WB 3b: 8b .byte 0x8b 3c: 84 24 10 test %ah,(%rax,%rdx,1) 3f: f3 repz Code starting with the faulting instruction =========================================== 0: 83 38 03 cmpl $0x3,(%rax) 3: 0f 84 37 fe ff ff je 0xfffffffffffffe40 9: bb ea ff ff ff mov $0xffffffea,%ebx e: eb cc jmp 0xffffffffffffffdc 10: 49 rex.WB 11: 8b .byte 0x8b 12: 84 24 10 test %ah,(%rax,%rdx,1) 15: f3 repz [ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246 [ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8 [ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685 [ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873 [ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70 [ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000 [ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000 [ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0 [ 9890.526321] Call Trace: [ 9890.526324] <TASK> [ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479) [ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713) [ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator ---truncated--- CVE-2024-43911 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: disallow setting special AP channel widths Setting the AP channel width is meant for use with the normal 20/40/... MHz channel width progression, and switching around in S1G or narrow channels isn't supported. Disallow that. CVE-2024-43912 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: prevent potential speculation leaks in gpio_device_get_desc() Userspace may trigger a speculative read of an address outside the gpio descriptor array. Users can do that by calling gpio_ioctl() with an offset out of range. Offset is copied from user and then used as an array index to get the gpio descriptor without sanitization in gpio_device_get_desc(). This change ensures that the offset is sanitized by using array_index_nospec() to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. CVE-2024-44931 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: Fix shift-out-of-bounds in dbDiscardAG When searching for the next smaller log2 block, BLKSTOL2() returned 0, causing shift exponent -1 to be negative. This patch fixes the issue by exiting the loop directly when negative shift is found. CVE-2024-44938 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment "p->header.flag & BT-LEAF" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL. CVE-2024-44939 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:kernel-default-6.4.0-150600.23.22.1 moderate runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested. CVE-2024-45310 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:runc-1.1.14-150000.70.1 low An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:libexpat1-2.4.4-150400.3.22.1 moderate An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:libexpat1-2.4.4-150400.3.22.1 moderate An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:libexpat1-2.4.4-150400.3.22.1 moderate CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured). CVE-2024-5642 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:python3-3.6.15-150300.10.72.1 moderate There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. CVE-2024-6232 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:python3-3.6.15-150300.10.72.1 moderate There is a MEDIUM severity vulnerability affecting CPython. The email module didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. CVE-2024-6923 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:python3-3.6.15-150300.10.72.1 important There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. CVE-2024-7592 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:python3-3.6.15-150300.10.72.1 moderate Remote packet capture support is disabled by default in libpcap. When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex(). One of the function arguments can be a filesystem path, which normally means a directory with input data files. When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer derefence. CVE-2024-8006 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:libpcap1-1.10.4-150600.3.6.2 moderate When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. CVE-2024-8096 Public Cloud Image google/sles-15-sp6-chost-byos-v20241004-arm64:libcurl4-8.6.0-150600.4.9.2 moderate