SUSE-IU-2024:1741-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:1741-1 Interim 1 1 2025-07-29T17:03:33Z current 2024-11-13T01:00:00Z 2024-11-13T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:1741-1 / google/sles-15-sp6-v20241113-arm64 This image update for google/sles-15-sp6-v20241113-arm64 contains the following changes: Package bash was updated: - Add patch boo1227807.patch * Load completion file eveh if a brace expansion is in the command line included (boo#1227807) Package binutils was updated: - Update to current 2.43.1 branch [PED-10474]: * PR32109 - fuzzing problem * PR32083 - LTO vs overridden common symbols * PR32067 - crash with LTO-plugin and --oformat=binary * PR31956 - LTO vs wrapper symbols * riscv - add Zimop and Zcmop extensions - Adjusted binutils-2.43-branch.diff.gz. - Update to version 2.43: * new .base64 pseudo-op, allowing base64 encoded data as strings * Intel APX: add support for CFCMOV, CCMP, CTEST, zero-upper, NF (APX_F now fully supported) * x86 Intel syntax now warns about more mnemonic suffixes * macros and .irp/.irpc/.rept bodies can use \+ to get at number of times the macro/body was executed * aarch64: support 'armv9.5-a' for -march, add support for LUT and LUT2 * s390: base register operand in D(X,B) and D(L,B) can now be omitted (ala 'D(X,)'); warn when register type doesn't match operand type (use option 'warn-regtype-mismatch=[strict|relaxed|no]' to adjust) * riscv: support various extensions: Zacas, Zcmp, Zfbfmin, Zvfbfmin, Zvfbfwma, Smcsrind/Sscsrind, XCvMem, XCvBi, XCvElw, XSfCease, all at version 1.0; remove support for assembly of privileged spec 1.9.1 (linking support remains) * arm: remove support for some old co-processors: Maverick and FPA * mips: '--trap' now causes either trap or breakpoint instructions to be emitted as per current ISA, instead of always using trap insn and failing when current ISA was incompatible with that * LoongArch: accept .option pseudo-op for fine-grained control of assembly code options; add support for DT_RELR * readelf: now displays RELR relocations in full detail; add -j/--display-section to show just those section(s) content according to their type * objdump/readelf now dump also .eh_frame_hdr (when present) when dumping .eh_frame * gprofng: add event types for AMD Zen3/Zen4 and Intel Ice Lake processors; add minimal support for riscv * linker: - put .got and .got.plt into relro segment - add -z isa-level-report=[none|all|needed|used] to the x86 ELF linker to report needed and used x86-64 ISA levels - add --rosegment option which changes the -z separate-code option so that only one read-only segment is created (instead of two) - add --section-ordering-file &lt;FILE&gt; option to add extra mapping of input sections to output sections - add -plugin-save-temps to store plugin intermediate files permanently - Removed binutils-2.42.tar.bz2, binutils-2.42-branch.diff.gz. - Added binutils-2.43.tar.bz2, binutils-2.43-branch.diff.gz. - Removed upstream patch riscv-no-relax.patch. - Rebased ld-relro.diff and binutils-revert-rela.diff. - binutils-pr22868.diff: Remove obsolete patch - Undefine _FORTIFY_SOURCE when running checks - Allow to disable profiling - Use %patch -P N instead of deprecated %patchN. - riscv-no-relax.patch: RISC-V: Don't generate branch/jump relocation if symbol is local when no-relax - Add binutils-disable-code-arch-error.diff to demote an error about swapped .arch/.code directives to a warning. It happens in the wild. - Update to version 2.42: * Add support for many aarch64 extensions: SVE2.1, SME2.1, B16B16, RASv2, LSE128, GCS, CHK, SPECRES2, LRCPC3, THE, ITE, D128, XS and flags to enable them: '+fcma', '+jscvt', '+frintts', '+flagm2', '+rcpc2' and '+wfxt' * Add experimantal support for GAS to synthesize call-frame-info for some hand-written asm (--scfi=experimental) on x86-64. * Add support for more x86-64 extensions: APX: 32 GPRs, NDD, PUSH2/POP2, PUSHP/POPP; USER_MSR, AVX10.1, PBNDKB, SM4, SM3, SHA512, AVX-VNNI-INT16. * Add support for more RISC-V extensions: T-Head v2.3.0, CORE-V v1.0, SiFive VCIX v1.0. * BPF assembler: ';' separates statements now, and does not introduce line comments anymore (use '#' or '//' for this). * x86-64 ld: Add '-z mark-plt/-z nomark-plt' to mark PLT entries with dynamic tags. * risc-v ld: Add '--[no-]check-uleb128'. * New linker script directive: REVERSE, to be combined with SORT_BY_NAME or SORT_BY_INIT_PRIORITY, reverses the generated order. * New linker options --warn-execstack-objects (warn only about execstack when input object files request it), and --error-execstack plus - -error-rxw-segments to convert the existing warnings into errors. * objdump: Add -Z/--decompress to be used with -s/--full-contents to decompress section contents before displaying. * readelf: Add --extra-sym-info to be used with --symbols (currently prints section name of references section index). * objcopy: Add --set-section-flags for x86_64 to include SHF_X86_64_LARGE. * s390 disassembly: add target-specific disasm option 'insndesc', as in &quot;objdump -M insndesc&quot; to display an instruction description as comment along with the disassembly. - Add binutils-2.42-branch.diff.gz. - Rebased s390-biarch.diff. - Adjusted binutils-revert-hlasm-insns.diff, binutils-revert-plt32-in-branches.diff and binutils-revert-rela.diff for upstream changes. - Removed binutils-2.41-branch.diff.gz, binutils-2.41.tar.bz2, binutils-2.41-branch.diff.gz. - Removed binutils-use-less-memory.diff, binutils-old-makeinfo.diff and riscv-relro.patch (all upstreamed). - Removed add-ulp-section.diff, we use a different mechanism for live patching since a long time. - Add binutils-use-less-memory.diff to be a little nicer to 32bit userspace and huge links. [bsc#1216908] - riscv-relro.patch: RISC-V: Protect .got with relro - Add libzstd-devel to Requires of binutils-devel. (bsc#1215341) Package ca-certificates-mozilla was updated: - Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525) - Added: FIRMAPROFESIONAL CA ROOT-A WEB - Distrust: GLOBALTRUST 2020 - Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356) Added: - CommScope Public Trust ECC Root-01 - CommScope Public Trust ECC Root-02 - CommScope Public Trust RSA Root-01 - CommScope Public Trust RSA Root-02 - D-Trust SBR Root CA 1 2022 - D-Trust SBR Root CA 2 2022 - Telekom Security SMIME ECC Root 2021 - Telekom Security SMIME RSA Root 2023 - Telekom Security TLS ECC Root 2020 - Telekom Security TLS RSA Root 2023 - TrustAsia Global Root CA G3 - TrustAsia Global Root CA G4 Removed: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - Chambers of Commerce Root - 2008 - Global Chambersign Root - 2008 - Security Communication Root CA - Symantec Class 1 Public Primary Certification Authority - G6 - Symantec Class 2 Public Primary Certification Authority - G6 - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - VeriSign Class 1 Public Primary Certification Authority - G3 - VeriSign Class 2 Public Primary Certification Authority - G3 - remove-trustcor.patch: removed, now upstream - do a versioned obsoletes of &quot;openssl-certs&quot;. Package cloud-regionsrv-client was updated: - Update to 10.3.4 + Modify the message when network access over a specific IP version does not work. This is an informational message and should not look like an error + Inform the user that LTSS registration takes a little longer + Add fix-for-sles12-no-trans_update.patch + SLE 12 family has no products with transactional-update we do not need to look for this condition - From 10.3.3 (bsc#1229472) + Handle changes in process structure to properly identify the running zypper parent process and only check for 1 PID - From 10.3.2 + Remove rgnsrv-clnt-fix-docker-setup.patch included upstream - From 10.3.1 (jsc#PCT-400) + Add support for LTSS registration + Add fix-for-sles12-disable-registry.patch ~ No container support in SLE 12 - Add rgnsrv-clnt-fix-docker-setup.patch (bsc#1229137) + The entry for the update infrastructure registry mirror was written incorrectly causing docker daemon startup to fail. - Update to version 10.3.0 (bsc#1227308, bsc#1222985) + Add support for sidecar registry Podman and rootless Docker support to set up the necessary configuration for the container engines to run as defined + Add running command as root through sudoers file - Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016) + In addition to logging, write message to stderr when registration fails + Detect transactional-update system with read only setup and use the transactional-update command to register + Handle operation in a different target root directory for credentials checking Package containerd was updated: - Update to containerd v1.7.21. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.21&gt; Fixes CVE-2023-47108. bsc#1217070 Fixes CVE-2023-45142. bsc#1228553 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch Package curl was updated: - Security fix: [bsc#1232528, CVE-2024-9681] * HSTS subdomain overwrites parent cache entry * Add curl-CVE-2024-9681.patch - Make special characters in URL work with aws-sigv4 [bsc#1230516] * aws-sigv4: url encode the canonical path [768909d8] * Add upstream patch: - curl-aws_sigv4-url-encode-the-canonical-path.patch - Security fix: [bsc#1230093, CVE-2024-8096] * curl: OCSP stapling bypass with GnuTLS * Add curl-CVE-2024-8096.patch Package cyrus-sasl was updated: - Make DIGEST-MD5 work with openssl3 ( bsc#1230111 ) RC4 is legacy provided since openSSL3 and requires explicit loading, disable openssl3 depricated API warnings. * Add cyrus-sasl-make-digestmd5-work-ssl3.patch Package deltarpm was updated: - update to deltarpm-3.6.5 * support for archive files bigger than 2GByte [bnc#1230547] - update to deltarpm-3.6.4 * support for threaded zstd * use a tmp file instead of memory to hold the incore data [bsc#1228948] - dropped patches: * deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch - deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch: fixed some C bugs ( incorrect sized memset() , memcpy instead of strcpy, unsigned int) - update to deltarpm-3.6.3 * support for threaded zstd compression - Actually enable zstd compression - update to deltarpm-3.6.2 * support for zstd compression Package lvm2 was updated: - LVM2 mirror attached to another node couldn't be converted into linear LV (bsc#1231796) + bug-1231796_lvconvert-fix-lvconvert-m-0-for-in-sync-legs.patch Package dmidecode was updated: - Update to upstream version 3.6 (jsc#PED-8574): * Support for SMBIOS 3.6.0. This includes new memory device types, new processor upgrades, and Loongarch support. * Support for SMBIOS 3.7.0. This includes new port types, new processor upgrades, new slot characteristics and new fields for memory modules. * Add bash completion. * Decode HPE OEM records 197, 216, 224, 230, 238, 239, 242 and 245. * Implement options --list-strings and --list-types. * Update HPE OEM records 203, 212, 216, 221, 233 and 236. * Update Redfish support. * Bug fixes: Fix enabled slot characteristics not being printed * Minor improvements: Print slot width on its own line Use standard strings for slot width * Add a --no-quirks option. * Drop the CPUID exception list. * Obsoletes dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch, dmidecode-fortify-entry-point-length-checks.patch, dmidecode-split-table-fetching-from-decoding.patch, dmidecode-write-the-whole-dump-file-at-once.patch, dmioem-fix-segmentation-fault-in-dmi_hp_240_attr.patch, dmioem-hpe-oem-record-237-firmware-change.patch, dmioem-typo-fix-virutal-virtual.patch, ensure-dev-mem-is-a-character-device-file.patch, news-fix-typo.patch and use-read_file-to-read-from-dump.patch. Update for HPE servers from upstream: - dmioem-update-hpe-oem-type-238.patch: Decode PCI bus segment in HPE type 238 records. Package dracut was updated: - Update to version 059+suse.541.g3c2df232: * fix(dasd-rules): handle all possible options in `rd.dasd` (bsc#1230110) - Update to version 059+suse.539.gdd3495f7: * fix(dracut.spec): add Builddeps for initrd posttrans macros (bsc#1230639) * fix(zfcp_rules): check for presence of legacy rules (bsc#1230330) Fixes for NVMeoF boot (bsc#1230468): * fix(nvmf): install (only) required nvmf modules * fix(nvmf): require NVMeoF modules * fix(nvmf): move /etc/nvme/host{nqn,id} requirement to hostonly - Update to version 059+suse.531.g48487c31: * feat(systemd*): include systemd config files from /usr/lib/systemd (bsc#1228398) * fix(convertfs): error in conditional expressions (bsc#1228847) Package e2fsprogs was updated: - resize2fs-Check-number-of-group-descriptors-only-if-.patch: resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145) Package glibc was updated: - Apply libc_nonshared.a workaround also on s390x and ppc64le (bsc#1231051) - Use nss-systemd by default also in SLE (bsc#1230638) - s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228042, BZ [#31934]) Package grub2 was updated: - Fix OOM error in loading loopback file (bsc#1230840) * 0001-tpm-Skip-loopback-image-measurement.patch - Fix UEFI PXE boot failure on tagged VLAN network (bsc#1230263) * 0001-efinet-Skip-virtual-VLAN-devices-during-card-enumera.patch - Fix grub screen is filled with artifects from earlier post menu (bsc#1224465) * grub2-SUSE-Add-the-t-hotkey.patch * 0001-fix-grub-screen-filled-with-post-screen-artifects.patch - Fix crash in bli module (bsc#1226497) * 0001-bli-Fix-crash-in-get_part_uuid.patch - Fix btrfs subvolume for platform modules not mounting at runtime when the default subvolume is the topmost root tree (bsc#1228124) * grub2-btrfs-06-subvol-mount.patch - Rediff * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch - Fix error in grub-install when root is on tmpfs (bsc#1226100) * 0001-grub-install-bailout-root-device-probing.patch - Fix input handling in ppc64le grub2 has high latency (bsc#1223535) * 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch Package kernel-default was updated: - ACPICA: executer/exsystem: Don't nag user about every Stall() violating the spec (git-fixes). - ACPICA: Implement ACPI_WARNING_ONCE and ACPI_ERROR_ONCE (stable-fixes). - commit f94e799 - cachefiles: fix dentry leak in cachefiles_open_file() (bsc#1231183). - ceph: remove the incorrect Fw reference check when dirtying pages (bsc#1231182). - commit ba82da7 - can: mcp251xfd: move mcp251xfd_timestamp_start()/stop() into mcp251xfd_chip_start/stop() (stable-fixes). - Refresh patches.suse/can-mcp251xfd-clarify-the-meaning-of-timestamp.patch. - commit 6779985 - USB: serial: pl2303: add device id for Macrosilicon MS3020 (stable-fixes). - powercap/intel_rapl: Add support for AMD family 1Ah (stable-fixes). - ASoC: amd: yc: Add a quirk for MSI Bravo 17 (D7VEK) (stable-fixes). - ASoC: tda7419: fix module autoloading (stable-fixes). - ASoC: intel: fix module autoloading (stable-fixes). - ASoC: Intel: soc-acpi-cht: Make Lenovo Yoga Tab 3 X90F DMI match less strict (stable-fixes). - ALSA: hda: add HDMI codec ID for Intel PTL (stable-fixes). - drm: komeda: Fix an issue related to normalized zpos (stable-fixes). - can: mcp251xfd: mcp251xfd_ring_init(): check TX-coalescing configuration (stable-fixes). - spi: spidev: Add missing spi_device_id for jg10309-01 (git-fixes). - spi: bcm63xx: Enable module autoloading (stable-fixes). - spi: spidev: Add an entry for elgin,jg10309-01 (stable-fixes). - hwmon: (asus-ec-sensors) remove VRM temp X570-E GAMING (stable-fixes). - wifi: iwlwifi: clear trans-&gt;state earlier upon error (stable-fixes). - wifi: mac80211: free skb on error path in ieee80211_beacon_get_ap() (stable-fixes). - wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead (stable-fixes). - wifi: iwlwifi: mvm: pause TCM when the firmware is stopped (stable-fixes). - wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room() (stable-fixes). - wifi: iwlwifi: mvm: fix iwl_mvm_scan_fits() calculation (stable-fixes). - wifi: iwlwifi: lower message level for FW buffer destination (stable-fixes). - platform/x86: x86-android-tablets: Make Lenovo Yoga Tab 3 X90F DMI match less strict (stable-fixes). - pinctrl: at91: make it work with current gpiolib (stable-fixes). - can: mcp251xfd: properly indent labels (stable-fixes). - commit a530f31 - kthread: Fix task state in kthread worker if being frozen (bsc#1231146). - commit fe88a62 - supported.conf: mark adiantum and xctr crypto modules as supported (bsc#1231035) - commit 59d03d7 - Refresh patches.suse/bpf-kprobe-remove-unused-declaring-of-bpf_kprobe_override.patch. - commit 5a0b269 - bpf: Fix use-after-free in bpf_uprobe_multi_link_attach() (git-fixes). - commit 1884922 - tracing: Avoid possible softlockup in tracing_iter_reset() (git-fixes). - commit d5df75c - tracing: Fix overflow in get_free_elt() (git-fixes CVE-2024-43890 bsc#1229764). - commit ceb524e - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry (bsc#1231120 CVE-2024-46822) - commit cc6d7b5 - mailbox: bcm2835: Fix timeout during suspend mode (git-fixes). - mailbox: rockchip: fix a typo in module autoloading (git-fixes). - i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled (git-fixes). - drm/amd/display: handle nulled pipe context in DCE110's set_drr() (git-fixes). - drm/amdgpu: Fix get each xcp macro (git-fixes). - tomoyo: fallback to realpath if symlink's pathname does not exist (git-fixes). - cxl/pci: Fix to record only non-zero ranges (git-fixes). - ata: libata-scsi: Fix ata_msense_control() CDL page reporting (git-fixes). - firmware_loader: Block path traversal (git-fixes). - driver core: Fix a potential null-ptr-deref in module_add_driver() (git-fixes). - driver core: Fix error handling in driver API device_rename() (git-fixes). - ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() (git-fixes). - iio: magnetometer: ak8975: Fix reading for ak099xx sensors (git-fixes). - iio: chemical: bme680: Fix read/write ops to device by adding mutexes (git-fixes). - ABI: testing: fix admv8818 attr description (git-fixes). - iio: adc: ad7606: fix standby gpio state to match the documentation (git-fixes). - iio: adc: ad7606: fix oversampling gpio array (git-fixes). - tty: rp2: Fix reset with non forgiving PCIe host bridges (git-fixes). - USB: class: CDC-ACM: fix race between get_serial and set_serial (git-fixes). - usb: dwc2: drd: fix clock gating on USB role switch (git-fixes). - usb: cdnsp: Fix incorrect usb_request status (git-fixes). - USB: usbtmc: prevent kernel-usb-infoleak (git-fixes). - USB: serial: kobil_sct: restore initial terminal settings (git-fixes). - xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them (git-fixes). - usb: dwc2: Skip clock gating on Broadcom SoCs (git-fixes). - spi: atmel-quadspi: Avoid overwriting delay register settings (git-fixes). - spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time (git-fixes). - spi: atmel-quadspi: Undo runtime PM changes at driver exit time (git-fixes). - rtc: at91sam9: fix OF node leak in probe() error path (git-fixes). - i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition (git-fixes). - remoteproc: k3-r5: Fix error handling when power-up failed (git-fixes). - remoteproc: imx_rproc: Initialize workqueue earlier (git-fixes). - remoteproc: imx_rproc: Correct ddr alias for i.MX8M (git-fixes). - KEYS: prevent NULL pointer dereference in find_asymmetric_key() (git-fixes). - media: i2c: ar0521: Use cansleep version of gpiod_set_value() (git-fixes). - media: ov5675: Fix power on/off delay timings (git-fixes). - media: sun4i_csi: Implement link validate for sun4i_csi subdev (git-fixes). - media: platform: rzg2l-cru: rzg2l-csi2: Add missing MODULE_DEVICE_TABLE (git-fixes). - media: venus: fix use after free bug in venus_remove due to race condition (git-fixes). - media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags (git-fixes). - clk: ti: dra7-atl: Fix leak of of_nodes (git-fixes). - watchdog: imx_sc_wdt: Don't disable WDT in suspend (git-fixes). - pinctrl: single: fix missing error code in pcs_probe() (git-fixes). - xz: cleanup CRC32 edits from 2018 (git-fixes). - ata: pata_macio: Use WARN instead of BUG (stable-fixes). - commit c5ab3ca - Move upstreamed SCSI patches into sorted section - commit aba5747 - kcm: Serialise kcm_sendmsg() for the same socket (CVE-2024-44946 bsc#1230015). - commit 4310760 - nvme-multipath: avoid hang on inaccessible namespaces (bsc#1228244). - kcm: Serialise kcm_sendmsg() for the same socket (CVE-2024-44946,bsc#1230015). - commit a84ca87 - nvme-multipath: system fails to create generic nvme device (bsc#1228244). - commit 4fc57d2 - erofs: fix incorrect symlink detection in fast symlink (git-fixes). - commit 2e1ae75 - afs: Don't cross .backup mountpoint from backup volume (git-fixes). - commit f35dae1 - afs: Revert &quot;afs: Hide silly-rename files from userspace&quot; (git-fixes). - commit 11353bb - scsi: sd: Fix off-by-one error in sd_read_block_characteristics() (bsc#1223848). - commit 621f2fb - scsi: ibmvfc: Add max_sectors module parameter (bsc#1216223). - commit af0ff0f - drm/amd/display: Check denominator crb_pipes before used (CVE-2024-46772 bsc#1230772) - commit 322be4a - blacklist.conf: CVE-2024-46727 bsc#1230707: not applicable No OTG code and all return values from resource_get_otg_master_for_stream() are checked before use. - commit f44b1e7 - arm64: dts: allwinner: h616: Add r_i2c pinctrl nodes (git-fixes). - commit 642d7e6 - arm64: dts: imx8-ss-dma: Fix adc0 closing brace location (git-fixes). - commit 970cc49 - arm64: dts: rockchip: Correct vendor prefix for Hardkernel ODROID-M1 (git-fixes). - commit 87f0ae6 - arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency (git-fixes). - commit 1582b94 - arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity (git-fixes). - commit 3b2ebbf - arm64: dts: exynos: exynos7885-jackpotlte: Correct RAM amount to 4GB (git-fixes). - commit 1059c29 - arm64: signal: Fix some under-bracketed UAPI macros (git-fixes). - commit 9704ff3 - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma (git-fixes). - commit 6052a8c - arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma (git-fixes). - commit 8b3743b - Update patches.suse/powerpc-pseries-make-max-polling-consistent-for-long.patch (bsc#1215199 jsc#PED-10954). - Update patches.suse/security-integrity-fix-pointer-to-ESL-data-and-.patch (bsc#1012628 jsc#PED-5085 jsc#PED-10954). - commit ec9be2c - arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E (git-fixes). - commit 7527015 - arm64: acpi: Move get_cpu_for_acpi_id() to a header (git-fixes). - commit 42389f0 - ipmi:ssif: Improve detecting during probing (bsc#1228771) Move patch into the sorted section. - commit 77cf6fc - Update patches.suse/ALSA-line6-Fix-racy-access-to-midibuf.patch (stable-fixes CVE-2024-44954 bsc#1230176). - Update patches.suse/ASoC-dapm-Fix-UAF-for-snd_soc_pcm_runtime-object.patch (git-fixes CVE-2024-46798 bsc#1230830). - Update patches.suse/Bluetooth-btnxpuart-Fix-Null-pointer-dereference-in-.patch (stable-fixes CVE-2024-46749 bsc#1230780). - Update patches.suse/Bluetooth-btnxpuart-Shutdown-timer-and-prevent-rearm.patch (stable-fixes CVE-2024-44962 bsc#1230213). - Update patches.suse/HID-amd_sfh-free-driver_data-after-destroying-hid-de.patch (stable-fixes CVE-2024-46746 bsc#1230751). - Update patches.suse/HID-cougar-fix-slab-out-of-bounds-Read-in-cougar_rep.patch (stable-fixes CVE-2024-46747 bsc#1230752). - Update patches.suse/Input-MT-limit-max-slots.patch (stable-fixes CVE-2024-45008 bsc#1230248). - Update patches.suse/Input-uinput-reject-requests-with-unreasonable-numbe.patch (stable-fixes CVE-2024-46745 bsc#1230748). - Update patches.suse/KVM-arm64-Make-ICC_-SGI-_EL1-undef-in-the-absence-of.patch (git-fixes CVE-2024-46707 bsc#1230582). - Update patches.suse/KVM-s390-fix-validity-interception-issue-when-gisa-is-switched-off.patch (git-fixes bsc#1229167 CVE-2024-45005 bsc#1230173). - Update patches.suse/PCI-Add-missing-bridge-lock-to-pci_bus_lock.patch (stable-fixes CVE-2024-46750 bsc#1230783). - Update patches.suse/Squashfs-sanity-check-symbolic-link-size.patch (git-fixes CVE-2024-46744 bsc#1230747). - Update patches.suse/VMCI-Fix-use-after-free-when-removing-resource-in-vm.patch (git-fixes CVE-2024-46738 bsc#1230731). - Update patches.suse/bpf-Fix-a-kernel-verifier-crash-in-stacksafe.patch (bsc#1225903 CVE-2024-45020 bsc#1230433). - Update patches.suse/btrfs-fix-race-between-direct-IO-write-and-fsync-whe.patch (git-fixes CVE-2024-46734 bsc#1230726). - Update patches.suse/can-bcm-Remove-proc-entry-when-dev-is-unregistered.patch (git-fixes CVE-2024-46771 bsc#1230766). - Update patches.suse/can-mcp251x-fix-deadlock-if-an-interrupt-occurs-duri.patch (git-fixes CVE-2024-46791 bsc#1230821). - Update patches.suse/char-xillybus-Check-USB-endpoints-when-probing-devic.patch (git-fixes CVE-2024-45011 bsc#1230440). - Update patches.suse/char-xillybus-Don-t-destroy-workqueue-from-work-item.patch (stable-fixes CVE-2024-45007 bsc#1230175). - Update patches.suse/dmaengine-altera-msgdma-properly-free-descriptor-in-.patch (stable-fixes CVE-2024-46716 bsc#1230715). - Update patches.suse/driver-core-Fix-uevent_show-vs-driver-detach-race.patch (git-fixes CVE-2024-44952 bsc#1230178). - Update patches.suse/driver-iio-add-missing-checks-on-iio_info-s-callback.patch (stable-fixes CVE-2024-46715 bsc#1230700). - Update patches.suse/drm-amd-display-Assign-linear_pitch_alignment-even-f.patch (stable-fixes CVE-2024-46732 bsc#1230711). - Update patches.suse/drm-amd-display-Check-UnboundedRequestEnabled-s-valu.patch (stable-fixes CVE-2024-46778 bsc#1230776). - Update patches.suse/drm-amd-display-Check-denominator-pbn_div-before-use.patch (stable-fixes CVE-2024-46773 bsc#1230791). - Update patches.suse/drm-amd-display-Check-index-for-aux_rd_interval-befo.patch (stable-fixes CVE-2024-46728 bsc#1230703). - Update patches.suse/drm-amd-display-Ensure-array-index-tg_inst-won-t-be-.patch (stable-fixes CVE-2024-46730 bsc#1230701). - Update patches.suse/drm-amd-display-Ensure-index-calculation-will-not-ov.patch (stable-fixes CVE-2024-46726 bsc#1230706). - Update patches.suse/drm-amd-display-Run-DC_LOG_DC-after-checking-link-li.patch (stable-fixes CVE-2024-46776 bsc#1230775). - Update patches.suse/drm-amd-display-Skip-wbscl_set_scaler_filter-if-filt.patch (stable-fixes CVE-2024-46714 bsc#1230699). - Update patches.suse/drm-amd-display-avoid-using-null-object-of-framebuff.patch (git-fixes CVE-2024-46694 bsc#1230511). - Update patches.suse/drm-amd-pm-fix-the-Out-of-bounds-read-warning.patch (stable-fixes CVE-2024-46731 bsc#1230709). - Update patches.suse/drm-amdgpu-Fix-out-of-bounds-read-of-df_v1_7_channel.patch (stable-fixes CVE-2024-46724 bsc#1230725). - Update patches.suse/drm-amdgpu-Fix-out-of-bounds-write-warning.patch (stable-fixes CVE-2024-46725 bsc#1230705). - Update patches.suse/drm-amdgpu-Forward-soft-recovery-errors-to-userspace.patch (stable-fixes CVE-2024-44961 bsc#1230207). - Update patches.suse/drm-amdgpu-Validate-TA-binary-size.patch (stable-fixes CVE-2024-44977 bsc#1230217). - Update patches.suse/drm-amdgpu-fix-dereference-after-null-check.patch (stable-fixes CVE-2024-46720 bsc#1230724). - Update patches.suse/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch (stable-fixes CVE-2024-46722 bsc#1230712). - Update patches.suse/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch (stable-fixes CVE-2024-46723 bsc#1230702). - Update patches.suse/drm-mgag200-Bind-I2C-lifetime-to-DRM-device.patch (git-fixes CVE-2024-44967 bsc#1230224). - Update patches.suse/drm-msm-dpu-cleanup-FB-if-dpu_format_populate_layout.patch (git-fixes CVE-2024-44982 bsc#1230204). - Update patches.suse/drm-msm-dpu-move-dpu_encoder-s-connector-assignment-.patch (git-fixes CVE-2024-45015 bsc#1230444). - Update patches.suse/drm-vmwgfx-Fix-prime-with-external-buffers.patch (git-fixes CVE-2024-46709 bsc#1230539). - Update patches.suse/fs-netfs-fscache_cookie-add-missing-n_accesses-check.patch (bsc#1229455 CVE-2024-45000 bsc#1230170). - Update patches.suse/fscache-delete-fscache_cookie_lru_timer-when-fscache-.patch (bsc#1230602 CVE-2024-46786 bsc#1230813). - Update patches.suse/fuse-Initialize-beyond-EOF-page-contents-before-setti.patch (bsc#1229456 CVE-2024-44947). - Update patches.suse/hwmon-adc128d818-Fix-underflows-seen-when-writing-li.patch (stable-fixes CVE-2024-46759 bsc#1230814). - Update patches.suse/hwmon-lm95234-Fix-underflows-seen-when-writing-limit.patch (stable-fixes CVE-2024-46758 bsc#1230812). - Update patches.suse/hwmon-nct6775-core-Fix-underflows-seen-when-writing-.patch (stable-fixes CVE-2024-46757 bsc#1230809). - Update patches.suse/hwmon-w83627ehf-Fix-underflows-seen-when-writing-lim.patch (stable-fixes CVE-2024-46756 bsc#1230806). - Update patches.suse/media-dvb-usb-v2-af9035-Fix-null-ptr-deref-in-af9035.patch (git-fixes CVE-2023-52915 bsc#1230270). - Update patches.suse/misc-fastrpc-Fix-double-free-of-buf-in-error-path.patch (git-fixes CVE-2024-46741 bsc#1230749). - Update patches.suse/mmc-mmc_test-Fix-NULL-dereference-on-allocation-fail.patch (git-fixes CVE-2024-45028 bsc#1230450). - Update patches.suse/msft-hv-3046-uio_hv_generic-Fix-kernel-NULL-pointer-dereference-i.patch (git-fixes CVE-2024-46739 bsc#1230732). - Update patches.suse/msft-hv-3048-net-mana-Fix-error-handling-in-mana_create_txq-rxq-s.patch (git-fixes CVE-2024-46784 bsc#1230771). - Update patches.suse/net-ethernet-mtk_wed-fix-use-after-free-panic-in-mtk.patch (git-fixes CVE-2024-44997 bsc#1230232). - Update patches.suse/net-mana-Fix-RX-buf-alloc_size-alignment-and-atomic-.patch (bsc#1229086 CVE-2024-45001 bsc#1230244). - Update patches.suse/net-phy-Fix-missing-of_node_put-for-leds.patch (git-fixes CVE-2024-46767 bsc#1230787). - Update patches.suse/nfc-pn533-Add-poll-mod-list-filling-check.patch (git-fixes CVE-2024-46676 bsc#1230535). - Update patches.suse/nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch (git-fixes CVE-2024-46781 bsc#1230768). - Update patches.suse/nilfs2-protect-references-to-superblock-parameters-exposed-in-sysfs.patch (git-fixes CVE-2024-46780 bsc#1230808). - Update patches.suse/nouveau-firmware-use-dma-non-coherent-allocator.patch (git-fixes CVE-2024-45012 bsc#1230441). - Update patches.suse/nvmet-tcp-fix-kernel-crash-if-commands-allocation-fa.patch (git-fixes CVE-2024-46737 bsc#1230730). - Update patches.suse/pci-hotplug-pnv_php-Fix-hotplug-driver-crash-on-Powe.patch (stable-fixes CVE-2024-46761 bsc#1230761). - Update patches.suse/perf-Fix-event-leak-upon-exit.patch (git-fixes CVE-2024-43870 bsc#1229494). - Update patches.suse/pinctrl-single-fix-potential-NULL-dereference-in-pcs.patch (git-fixes CVE-2024-46685 bsc#1230515). - Update patches.suse/powerpc-qspinlock-Fix-deadlock-in-MCS-queue.patch (bac#1230295 ltc#206656 CVE-2024-46797 bsc#1230831). - Update patches.suse/powerpc-rtas-Prevent-Spectre-v1-gadget-construction-.patch (bsc#1227487 CVE-2024-46774 bsc#1230767). - Update patches.suse/s390-dasd-fix-error-recovery-leading-to-data-corruption-on-ESE-devices.patch (git-fixes bsc#1229452 CVE-2024-45026 bsc#1230454). - Update patches.suse/s390-sclp-Prevent-release-of-buffer-in-I-O.patch (git-fixes bsc#1229169 CVE-2024-44969 bsc#1230200). - Update patches.suse/soc-qcom-cmd-db-Map-shared-memory-as-WC-not-WB.patch (git-fixes CVE-2024-46689 bsc#1230524). - Update patches.suse/thunderbolt-Mark-XDomain-as-unplugged-when-router-is.patch (stable-fixes CVE-2024-46702 bsc#1230589). - Update patches.suse/tty-serial-fsl_lpuart-mark-last-busy-before-uart_add.patch (git-fixes CVE-2024-46706 bsc#1230580). - Update patches.suse/usb-dwc3-core-Prevent-USB-core-invalid-event-buffer-.patch (stable-fixes CVE-2024-46675 bsc#1230533). - Update patches.suse/usb-dwc3-st-fix-probed-platform-device-ref-count-on-.patch (git-fixes CVE-2024-46674 bsc#1230507). - Update patches.suse/usb-gadget-core-Check-for-unset-descriptor.patch (git-fixes CVE-2024-44960 bsc#1230191). - Update patches.suse/usb-typec-ucsi-Fix-null-pointer-dereference-in-trace.patch (stable-fixes CVE-2024-46719 bsc#1230722). - Update patches.suse/wifi-brcmfmac-cfg80211-Handle-SSID-based-pmksa-delet.patch (git-fixes CVE-2024-46672 bsc#1230459). - Update patches.suse/wifi-mwifiex-Do-not-return-unused-priv-in-mwifiex_ge.patch (stable-fixes CVE-2024-46755 bsc#1230802). - Update patches.suse/wifi-rtw88-usb-schedule-rx-work-after-everything-is-.patch (stable-fixes CVE-2024-46760 bsc#1230753). - Update patches.suse/x86-mm-Fix-pti_clone_pgtable-alignment-assumption.patch (git-fixes CVE-2024-44965 bsc#1230221). - Update patches.suse/x86-mtrr-Check-if-fixed-MTRRs-exist-before-saving-them.patch (git-fixes CVE-2024-44948 bsc#1230174). - Update patches.suse/xhci-Fix-Panther-point-NULL-pointer-deref-at-full-sp.patch (git-fixes CVE-2024-45006 bsc#1230247). - commit 6da06c4 - Update patches.suse/gfs2-Fix-NULL-pointer-dereference-in-gfs2_log_flush.patch (bsc#1230948) - commit 90a5b1b - userfaultfd: fix checks for huge PMDs (CVE-2024-46787 bsc#1230815). - commit a236c90 - cachefiles: Fix non-taking of sb_writers around set/removexattr (bsc#1231008). - commit 1b01b3e - RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds (git-fixes) - commit a6683f0 - PCI: dwc: Expose dw_pcie_ep_exit() to module (git-fixes). - Refresh patches.suse/PCI-dwc-endpoint-Introduce-.pre_init-and-.deinit.patch. - commit 34c9950 - PCI: xilinx-nwl: Clean up clock on probe failure/removal (git-fixes). - PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler (git-fixes). - PCI: qcom-ep: Enable controller resources like PHY only after refclk is available (git-fixes). - PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() (git-fixes). - PCI: keystone: Fix if-statement expression in ks_pcie_quirk() (git-fixes). - PCI: imx6: Fix missing call to phy_power_off() in error handling (git-fixes). - PCI: dra7xx: Fix error handling when IRQ request fails in probe (git-fixes). - PCI: dra7xx: Fix threaded IRQ request for &quot;dra7xx-pcie-main&quot; IRQ (git-fixes). - PCI: Wait for Link before restoring Downstream Buses (git-fixes). - commit 1528eee - WIP DO NOT PUSH btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() (CVE-2024-46687 bsc#1230518) - commit 17b4a47 - exfat: fix memory leak in exfat_load_bitmap() (git-fixes). - commit 9f477b0 - net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804 bsc#1222629). - commit 0ca3b23 - Input: ps2-gpio - use IRQF_NO_AUTOEN flag in request_irq() (git-fixes). - commit 45cee3b - blacklist.conf: too risky - commit f0e13c3 - Input: ilitek_ts_i2c - avoid wrong input subsystem sync (git-fixes). - commit e5e587b - Input: tsc2004/5 - fix reset handling on probe (git-fixes). - commit 1366de4 - Input: tsc2004/5 - do not hard code interrupt trigger (git-fixes). - commit 110dbdb - Input: tsc2004/5 - use device core to create driver-specific device attributes (git-fixes). - commit 958966c - Input: adp5588-keys - fix check on return code (git-fixes). - commit d15133c - drm/amd/display: Fix incorrect size calculation for loop (bsc#1230704 CVE-2024-46729) - commit 55d78a7 - RDMA/hns: Fix ah error counter in sw stat not increasing (git-fixes) - commit d7bebcf - RDMA/mlx5: Fix MR cache temp entries cleanup (git-fixes) - commit b0aa848 - RDMA/mlx5: Drop redundant work canceling from clean_keys() (git-fixes) - commit 6800d7e - RDMA/irdma: fix error message in irdma_modify_qp_roce() (git-fixes) - commit dcf63e1 - RDMA/cxgb4: Added NULL check for lookup_atid (git-fixes) - commit 23d3195 - RDMA/mlx5: Obtain upper net device only when needed (git-fixes) - commit ca2d8dc - RDMA/hns: Fix restricted __le16 degrades to integer issue (git-fixes) - commit 4481358 - RDMA/hns: Optimize hem allocation performance (git-fixes) - commit 7afe440 - RDMA/hns: Fix 1bit-ECC recovery address in non-4K OS (git-fixes) - commit 25e36c2 - RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler (git-fixes) - commit a18704a - RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled (git-fixes) - commit 7b15e64 - RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range() (git-fixes) - commit 60eb35c - RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 (git-fixes) - commit 3ab1ca2 - RDMA/hns: Don't modify rq next block addr in HIP09 QPC (git-fixes) - commit 7100eb8 - RDMA/mlx5: Limit usage of over-sized mkeys from the MR cache (git-fixes) - commit 914ed66 - RDMA/mlx5: Fix counter update on MR cache mkey creation (git-fixes) - commit 60e75bb - RDMA/erdma: Return QP state in erdma_query_qp (git-fixes) - commit 09a59c3 - IB/core: Fix ib_cache_setup_one error flow cleanup (git-fixes) - commit 38bf526 - RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from peer (git-fixes) - commit c4f28a8 - RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency (git-fixes) - commit 0456b72 - RDMA/core: Remove unused declaration rdma_resolve_ip_route() (git-fixes) - commit 4cb7201 - blacklist.conf: add one for clang and one PCI git-fixes - commit b26aea4 - Revert &quot;PCI: Extend ACS configurability (bsc#1228090).&quot; (bsc#1229019) This reverts commit 571e4310e81312c847a5caee7e45e66aeea2a169. It breaks ACS on certain platforms. Even 6.11 is affected. So drop for now and investigate. - commit 3b92a44 - blacklist.conf: CVE-2024-44972 bsc#1230212: not applicable Subpage code exists but zoned mode is not enabled being hidden behind CONFIG_BTRFS_DEBUG. - commit ed17920 - btrfs: handle errors from btrfs_dec_ref() properly (CVE-2024-46753 bsc#1230796) - commit 3e3b2cb - blacklist.conf: kABI - commit 05421bb - media: vicodec: allow en/decoder cmd w/o CAPTURE (git-fixes). - commit 62ef4d1 - media: qcom: camss: Remove use_count guard in stop_streaming (git-fixes). - commit ef85228 - Revert &quot;media: tuners: fix error return code of hybrid_tuner_request_state()&quot; (git-fixes). - drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error (git-fixes). - drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error (git-fixes). - commit 48dc3a9 - net: bridge: xmit: make sure we have at least eth header len bytes (CVE-2024-38538 bsc#1226606). - commit 2548071 - PKCS#7: Check codeSigning EKU of certificates in PKCS#7 (bsc#1226666). - commit dbae63e - xen/swiotlb: fix allocated size (git-fixes). - commit 199871d - xen/swiotlb: add alignment check for dma buffers (bsc#1229928). - commit 0ffbc04 - xen: tolerate ACPI NVS memory overlapping with Xen allocated memory (bsc#1226003). - commit 3dc14d8 - xen: allow mapping ACPI data using a different physical address (bsc#1226003). - commit 0928eec - x86/tdx: Fix data leak in mmio_read() (CVE-2024-46794 bsc#1230825) - commit 9a2a1c2 - tcp_bpf: fix return value of tcp_bpf_sendmsg() (CVE-2024-46783 bsc#1230810) - commit eb9d143 - nvme: fix namespace removal list (git-fixes). - commit b45d192 - ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() (CVE-2024-46735 bsc#1230727) - commit 23e039f - Update references for patches.suse/nvmet-tcp-fix-kernel-crash-if-commands-allocation-fa.patch (CVE-2024-46737 bsc#1230730) - commit 8ce7f58 - xen: add capability to remap non-RAM pages to different PFNs (bsc#1226003). - commit 47109fd - net/mlx5e: SHAMPO, Fix incorrect page release (CVE-2024-46717 bsc#1230719) - commit d6a30a9 - xen: move max_pfn in xen_memory_setup() out of function scope (bsc#1226003). - commit 2750357 - xen: move checks for e820 conflicts further up (bsc#1226003). - commit 191a602 - xen: introduce generic helper checking for memory map conflicts (bsc#1226003). - commit eb57cec - xen: use correct end address of kernel for conflict checking (bsc#1226003). - commit c40fc6b - scsi: lpfc: Copyright updates for 14.4.0.4 patches (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Update lpfc version to 14.4.0.4 (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Update PRLO handling in direct attached topology (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Fix unintentional double clearing of vmid_flag (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Remove redundant vport assignment when building an abort request (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Change diagnostic log flag during receipt of unknown ELS cmds (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Fix overflow build issue (bsc#1229429 jsc#PED-9899). - commit 18ec475 - drm/vmwgfx: Prevent unmapping active read buffers (bsc#1230540 CVE-2024-46710) - commit 84f019d - nvme-tcp: fix link failure for TCP auth (git-fixes). - nvmet: Identify-Active Namespace ID List command should reject invalid nsid (git-fixes). - nvme-pci: Add sleep quirk for Samsung 990 Evo (git-fixes). - nvme-pci: allocate tagset on reset if necessary (git-fixes). - nvmet-tcp: fix kernel crash if commands allocation fails (git-fixes). - nvme/pci: Add APST quirk for Lenovo N60z laptop (git-fixes). - nvme: use srcu for iterating namespace list (git-fixes). Refresh: - patches.suse/nvme-tcp-sanitize-tls-key-handling.patch - nvmet-rdma: fix possible bad dereference when freeing rsps (git-fixes). - nvmet-tcp: do not continue for invalid icreq (git-fixes). - nvme: clear caller pointer on identify failure (git-fixes). - nvmet-trace: avoid dereferencing pointer too early (git-fixes). - commit 7382ad4 - Update patches.suse/KVM-arm64-vgic-v2-Check-for-non-NULL-vCPU-in-vgic_v2.patch (git-fixes CVE-2024-36953 bsc#1225812). - Update patches.suse/vfio-pci-fix-potential-memory-leak-in-vfio_intx_enab.patch (git-fixes CVE-2024-38632 bsc#1226860). Add CVE references. - commit c9c3b6f - nilfs2: fix potential oob read in nilfs_btree_check_delete() (git-fixes). - commit cc0f59d - nilfs2: determine empty node blocks as corrupted (git-fixes). - commit 3244e52 - nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() (git-fixes). - commit 90f4e49 - media: mtk-vcodec: potential null pointer deference in SCP (CVE-2024-40973 bsc#1227890) - commit ce5074d - btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() (bsc#1230786 CVE-2024-46751). - btrfs: reduce nesting for extent processing at btrfs_lookup_extent_info() (bsc#1230794 CVE-2024-46752). - btrfs: remove superfluous metadata check at btrfs_lookup_extent_info() (bsc#1230794 CVE-2024-46752). - btrfs: replace BUG_ON() with error handling at update_ref_for_cow() (bsc#1230794 CVE-2024-46752). - btrfs: simplify setting the full backref flag at update_ref_for_cow() (bsc#1230794 CVE-2024-46752). - btrfs: remove NULL transaction support for btrfs_lookup_extent_info() (bsc#1230794 CVE-2024-46752). - btrfs: remove level argument from btrfs_set_block_flags (bsc#1230794 CVE-2024-46752). - commit a1c1176 - btrfs: send: allow cloning non-aligned extent if it ends at i_size (bsc#1230854). - commit e9cad4b - blacklist.conf: kABI - commit 5244a06 - ocfs2: cancel dqi_sync_work before freeing oinfo (git-fixes). - commit 1f37ac4 - ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate (git-fixes). - commit b7bf7eb - ocfs2: remove unreasonable unlock in ocfs2_read_blocks (git-fixes). - commit e2cb129 - ocfs2: fix null-ptr-deref when journal load failed (git-fixes). - commit b463b02 - jfs: fix out-of-bounds in dbNextAG() and diAlloc() (git-fixes). - commit d948d87 - of/irq: Prevent device address out-of-bounds read in interrupt map walk (CVE-2024-46743 bsc#1230756). - commit 300f40a - i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes). - i2c: isch: Add missed 'else' (git-fixes). - i2c: xiic: Wait for TX empty to avoid missed TX NAKs (git-fixes). - i2c: aspeed: Update the stop sw state when the bus recovery occurs (git-fixes). - resource: fix region_intersects() vs add_memory_driver_managed() (git-fixes). - drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() (git-fixes). - drm/msm: fix %s null argument error (git-fixes). - drm/msm/dsi: correct programming sequence for SM8350 / SM8450 (git-fixes). - drm/msm/a5xx: workaround early ring-buffer emptiness check (git-fixes). - drm/msm/a5xx: fix races in preemption evaluation stage (git-fixes). - drm/msm/a5xx: properly clear preemption records on resume (git-fixes). - drm/msm/a5xx: disable preemption in submits by default (git-fixes). - drm/msm: Fix incorrect file name output in adreno_request_fw() (git-fixes). - drm/mediatek: ovl_adaptor: Add missing of_node_put() (git-fixes). - drm: omapdrm: Add missing check for alloc_ordered_workqueue (git-fixes). - drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets (git-fixes). - drm/amd/amdgpu: Properly tune the size of struct (git-fixes). - drm/radeon: properly handle vbios fake edid sizing (git-fixes). - drm/amdgpu: properly handle vbios fake edid sizing (git-fixes). - drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func (git-fixes). - drm/amdgpu: fix a possible null pointer dereference (git-fixes). - drm/radeon: fix null pointer dereference in radeon_add_common_modes (git-fixes). - drm/vc4: hdmi: Handle error case of pm_runtime_resume_and_get (git-fixes). - drm/bridge: lontium-lt8912b: Validate mode in drm_bridge_funcs::mode_valid() (git-fixes). - drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode (git-fixes). - drm/rockchip: vop: Allow 4096px width scaling (git-fixes). - drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 (git-fixes). - drm/rockchip: vop: clear DMA stop bit on RK3066 (git-fixes). - drm/stm: ltdc: check memory returned by devm_kzalloc() (git-fixes). - drm/stm: Fix an error handling path in stm_drm_platform_probe() (git-fixes). - ata: libata: Clear DID_TIME_OUT for ATA PT commands with sense data (git-fixes). - HID: wacom: Do not warn about dropped packets for first packet (git-fixes). - HID: wacom: Support sequence numbers smaller than 16-bit (git-fixes). - tpm: Clean up TPM space after command failure (git-fixes). - ipmi: docs: don't advertise deprecated sysfs entries (git-fixes). - commit b4e4911 - smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() (CVE-2024-46686 bsc#1230517) - commit a155846 - firmware: qcom: scm: Mark get_wq_ctx() as atomic call (CVE-2024-46692 bsc#1230520) - commit ee65da0 - scsi: aacraid: Fix double-free on probe failure (CVE-2024-46673 bsc#1230506) - commit 49aab2b - gtp: fix a potential NULL pointer dereference (CVE-2024-46677 bsc#1230549) - commit 9cdd14b - blacklist.conf: CVE-2024-46711 bsc#1230542: code partially present, fix part of refactoring and fix series The patch to backport is one in a number of about 30 patches refactoring and reworking MPTCP subflow handling. Several other patches are needed just to apply it cleanly but also change some of the logic where the actual fix would apply. - commit 1a03613 - ethtool: check device is present when getting link settings (CVE-2024-46679 bsc#1230556) - commit 68643d1 - md/raid5: avoid BUG_ON() while continue reshape after reassembling (bsc#1229790, CVE-2024-43914). - commit bfb799a - xfs: restrict when we try to align cow fork delalloc to cowextsz hints (git-fixes). - commit 96ac1b7 - clk: Provide !COMMON_CLK dummy for devm_clk_rate_exclusive_get() (bsc#1227885). - commit bf3362b - Replace git-fixes tag by bsc#1226507, patches.suse/md-Don-t-wait-for-MD_RECOVERY_NEEDED-for-HOT_REMOVE_DISK-ioctl-a1fd.patch (bsc#1226507). - commit b04e0cb - closures: Change BUG_ON() to WARN_ON() (bsc#1229004, CVE-2024-42252). - commit 84b7984 - clk: Add a devm variant of clk_rate_exclusive_get() (bsc#1227885). - commit b6fb747 - r8152: add vendor/device ID pair for D-Link DUB-E250 (git-fixes). - Refresh patches.suse/r8152-add-vendor-device-ID-pair-for-ASUS-USB-C2500.patch. - commit 0c077ab - usbnet: ipheth: fix carrier detection in modes 1 and 4 (git-fixes). - commit 591cebb - usbnet: ipheth: do not stop RX on failing RX callback (git-fixes). - commit c58c483 - usbnet: ipheth: drop RX URBs with no payload (git-fixes). - commit 73a78e2 - KVM: arm64: Disallow copying MTE to guest memory while KVM is dirty logging (git-fixes). - commit 3cf4c02 - usbnet: ipheth: remove extraneous rx URB length check (git-fixes). - commit 507443a - usbnet: ipheth: add CDC NCM support (git-fixes). - commit 1bf1d1e - KVM: arm64: Release pfn, i.e. put page, if copying MTE tags hits ZONE_DEVICE (git-fixes). - commit 64bccd6 - usbnet: ipheth: transmit URBs without trailing padding (git-fixes). - usbnet: ipheth: fix risk of NULL pointer deallocation (git-fixes). - commit d804072 - KVM: arm64: Invalidate EL1&amp;0 TLB entries for all VMIDs in nvhe hyp init (git-fixes). - commit 30df9d2 - drm/amd/display: Solve mst monitors blank out problem after resume (git-fixes). - commit cd94b30 - virtio-net: synchronize probe with ndo_set_features (git-fixes). - commit 1a471dd - fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() (git-fixes). - hwmon: (ntc_thermistor) fix module autoloading (git-fixes). - hwmon: (max16065) Fix overflows seen when writing limits (git-fixes). - mtd: powernv: Add check devm_kasprintf() returned value (git-fixes). - mtd: slram: insert break after errors in parsing the map (git-fixes). - power: supply: hwmon: Fix missing temp1_max_alarm attribute (git-fixes). - power: supply: Drop use_cnt check from power_supply_property_is_writeable() (git-fixes). - power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense (git-fixes). - power: supply: axp20x_battery: Remove design from min and max voltage (git-fixes). - pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID (stable-fixes). - drm/amdgpu/atomfirmware: Silence UBSAN warning (stable-fixes). - drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct() (git-fixes). - Input: synaptics - enable SMBus for HP Elitebook 840 G2 (stable-fixes). - Input: ads7846 - ratelimit the spi_sync error message (stable-fixes). - drm/msm/adreno: Fix error return if missing firmware-name (stable-fixes). - scripts: kconfig: merge_config: config files: add a trailing newline (stable-fixes). - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 (stable-fixes). - platform/surface: aggregator_registry: Add Support for Surface Pro 10 (stable-fixes). - HID: multitouch: Add support for GT7868Q (stable-fixes). - drm/mediatek: Set sensible cursor width/height values to fix crash (stable-fixes). - drm: panel-orientation-quirks: Add quirk for Ayn Loki Max (stable-fixes). - drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero (stable-fixes). - wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change (stable-fixes). - net: phy: vitesse: repair vsc73xx autonegotiation (stable-fixes). - cxl/core: Fix incorrect vendor debug UUID define (git-fixes). - drm/amd/display: Fix FEC_READY write on DP LT (stable-fixes). - drm/amd/display: Defer handling mst up request in resume (stable-fixes). - drm/amd/display: Disable error correction if it's not supported (stable-fixes). - commit 040b0ea - i2c: lpi2c: Avoid calling clk_get_rate during transfer (bsc#1227885 CVE-2024-40965). - commit abb755c - x86/mm/ident_map: Use gbpages only where full GB page should be mapped (bsc#1220382). - x86/kexec: Add EFI config table identity mapping for kexec kernel (bsc#1220382). - commit 26eab5b - Move upstreamed nvme patches into sorted section - commit 1e42d2f - spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ (git-fixes). - commit 1cec71a - ASoC: meson: Remove unused declartion in header file (git-fixes). - ASoC: soc-ac97: Fix the incorrect description (git-fixes). - ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error (git-fixes). - ASoC: tas2781-i2c: Get the right GPIO line (git-fixes). - ASoC: cs42l42: Convert comma to semicolon (git-fixes). - ASoC: rt5682s: Return devm_of_clk_add_hw_provider to transfer the error (git-fixes). - ALSA: hda: cs35l41: fix module autoloading (git-fixes). - selftests: lib: remove strscpy test (git-fixes). - scripts: sphinx-pre-install: remove unnecessary double check for $cur_version (git-fixes). - Documentation: ioctl: document 0x07 ioctl code (git-fixes). - module: Fix KCOV-ignored file name (git-fixes). - reset: k210: fix OF node leak in probe() error path (git-fixes). - reset: berlin: fix OF node leak in probe() error path (git-fixes). - bus: integrator-lm: fix OF node leak in probe() (git-fixes). - soc: fsl: cpm1: tsa: Fix tsa_write8() (git-fixes). - firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() (git-fixes). - firmware: arm_scmi: Fix double free in OPTEE transport (git-fixes). - soc: versatile: integrator: fix OF node leak in probe() error path (git-fixes). - memory: mtk-smi: Use devm_clk_get_enabled() (git-fixes). - memory: tegra186-emc: drop unused to_tegra186_emc() (git-fixes). - spi: bcm63xx: Fix module autoloading (git-fixes). - spi: rpc-if: Add missing MODULE_DEVICE_TABLE (git-fixes). - spi: meson-spicc: convert comma to semicolon (git-fixes). - spi: ppc4xx: handle irq_of_parse_and_map() errors (git-fixes). - regulator: core: Fix regulator_is_supported_voltage() kerneldoc return value (git-fixes). - regulator: core: Fix short description for _regulator_check_status_enabled() (git-fixes). - regulator: Return actual error in of_regulator_bulk_get_all() (git-fixes). - regulator: rt5120: Convert comma to semicolon (git-fixes). - regulator: wm831x-isink: Convert comma to semicolon (git-fixes). - clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() (git-fixes). - commit 994b020 - cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately (git-fixes). - ACPI: CPPC: Fix MASK_VAL() usage (git-fixes). - ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() (git-fixes). - ACPI: sysfs: validate return type of _STR method (git-fixes). - crypto: ccp - do not request interrupt on cmd completion when irqs disabled (git-fixes). - hwrng: mtk - Use devm_pm_runtime_enable (git-fixes). - crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure (git-fixes). - hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume (git-fixes). - hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init (git-fixes). - crypto: iaa - Fix potential use after free bug (git-fixes). - crypto: xor - fix template benchmarking (git-fixes). - can: m_can: m_can_close(): stop clocks after device has been shut down (git-fixes). - can: m_can: enable NAPI before enabling interrupts (git-fixes). - can: bcm: Clear bo-&gt;bcm_proc_read after remove_proc_entry() (git-fixes). - Bluetooth: btusb: Fix not handling ZPL/short-transfer (git-fixes). - Bluetooth: hci_sync: Ignore errors from HCI_OP_REMOTE_NAME_REQ_CANCEL (git-fixes). - Bluetooth: hci_core: Fix sending MGMT_EV_CONNECT_FAILED (git-fixes). - wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc (git-fixes). - wifi: mt76: mt7615: check devm_kasprintf() returned value (git-fixes). - wifi: mt76: mt7921: Check devm_kasprintf() returned value (git-fixes). - wifi: mt76: mt7915: check devm_kasprintf() returned value (git-fixes). - wifi: mt76: mt7996: fix uninitialized TLV data (git-fixes). - wifi: mt76: mt7915: fix rx filter setting for bfee functionality (git-fixes). - wifi: mt76: mt7603: fix mixed declarations and code (git-fixes). - wifi: mt76: connac: fix checksum offload fields of connac3 RXD (git-fixes). - wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he (git-fixes). - wifi: mt76: mt7996: fix EHT beamforming capability check (git-fixes). - wifi: mt76: mt7996: fix HE and EHT beamforming capabilities (git-fixes). - wifi: mt76: mt7996: fix wmm set of station interface to 3 (git-fixes). - wifi: mt76: mt7996: fix traffic delay when switching back to working channel (git-fixes). - wifi: mt76: mt7996: use hweight16 to get correct tx antenna (git-fixes). - wifi: mt76: mt7921: fix wrong UNII-4 freq range check for the channel usage (git-fixes). - wifi: mt76: mt7915: fix oops on non-dbdc mt7986 (git-fixes). - wifi: rtw88: remove CPT execution branch never used (git-fixes). - wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param (git-fixes). - wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() (git-fixes). - wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors (git-fixes). - wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() (git-fixes). - wifi: mac80211: fix the comeback long retry times (git-fixes). - wifi: cfg80211: fix bug of mapping AF3x to incorrect User Priority (git-fixes). - wifi: iwlwifi: mvm: increase the time between ranging measurements (git-fixes). - wifi: mac80211: don't use rate mask for offchannel TX either (git-fixes). - wifi: ath12k: fix invalid AMPDU factor calculation in ath12k_peer_assoc_h_he() (git-fixes). - wifi: ath12k: match WMI BSS chan info structure with firmware definition (git-fixes). - wifi: ath12k: fix BSS chan info request WMI command (git-fixes). - wifi: ath9k: Remove error checks when creating debugfs entries (git-fixes). - wifi: rtw88: always wait for both firmware loading attempts (git-fixes). - wifi: rtw88: 8822c: Fix reported RX band width (git-fixes). - wifi: brcmfmac: introducing fwil query functions (git-fixes). - can: j1939: use correct function name in comment (git-fixes). - commit ffce0ad - net: tighten bad gso csum offset check in virtio_net_hdr (git-fixes). - commit 6b94c45 - blacklist.conf: add 840b2d39a2dc (&quot;virtio_ring: fix KMSAN error for premapped mode&quot;) - commit 2b97440 - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE (git-fixes). - commit aeba695 - blacklist.conf: add 611ff1b1ae98 (&quot;xen: privcmd: Fix possible access to a freed kirqfd instance&quot;) - commit d91e53f - fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF (bsc#1230602). - commit d2c95a5 - Update patches.suse/virtio_net-Fix-napi_skb_cache_put-warning.patch (git-fixes CVE-2024-43835 bsc#1229289). - commit b9542fb - x86/hyperv: fix kexec crash due to VP assist page corruption (git-fixes). - Drivers: hv: vmbus: Fix the misplaced function description (git-fixes). - commit c60d936 - Update references patches.suse/selinux-smack-don-t-bypass-permissions-check-in-inod.patch (stable-fixes CVE-2024-46695 bsc#1230519). - commit 2a7bb57 - NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations (git-fixes). - commit a563f31 - nfsd: Don't leave work of closing files to a work queue (bsc#1228140). - Refresh patches.suse/nfsd-use-__fput_sync-to-avoid-delayed-closing-of-fil.patch. - commit 83ce74a - ASoC: meson: axg-card: fix 'use-after-free' (git-fixes). - ASoC: codecs: avoid possible garbage value in peb2466_reg_read() (git-fixes). - commit 5a67afd - kABI workaround for soc-qcom pmic_glink changes (CVE-2024-46693 bsc#1230521). - commit 9a06e25 - usb: typec: ucsi: Move unregister out of atomic section (CVE-2024-46691 bsc#1230526). - soc: qcom: pmic_glink: Fix race during initialization (CVE-2024-46693 bsc#1230521). - commit 26dd9b4 - spi: nxp-fspi: fix the KASAN report out-of-bounds bug (git-fixes). - drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl (git-fixes). - drm/nouveau/fb: restore init() for ramgp102 (git-fixes). - dma-buf: heaps: Fix off-by-one in CMA heap fault handler (git-fixes). - drm/i915/guc: prevent a possible int overflow in wq offsets (git-fixes). - usbnet: ipheth: race between ipheth_close and error handling (stable-fixes). - commit 8d8bf2f - md/raid1: Fix data corruption for degraded array with slow disk (bsc#1230455, CVE-2024-45023). - commit 34cd7b5 - perf/x86/intel: Limit the period on Haswell (git-fixes). - perf/x86: Fix smp_processor_id()-in-preemptible warnings (git-fixes). - perf/x86/intel/cstate: Add pkg C2 residency counter for Sierra Forest (git-fixes). - ARM: 9406/1: Fix callchain_trace() return value (git-fixes). - bpf, events: Use prog to emit ksymbol event for main program (git-fixes). - perf/x86/intel: Add a distinct name for Granite Rapids (git-fixes). - perf/x86/intel/ds: Fix non 0 retire latency on Raptorlake (git-fixes). - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR (git-fixes). - perf: Fix event leak upon exit (git-fixes). - perf/x86/intel/cstate: Fix Alderlake/Raptorlake/Meteorlake (git-fixes). - perf: Fix default aux_watermark calculation (git-fixes). - perf: Prevent passing zero nr_pages to rb_alloc_aux() (git-fixes). - perf: Fix perf_aux_size() for greater-than 32-bit size (git-fixes). - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation (git-fixes). - perf/x86/intel/pt: Fix a topa_entry base address calculation (git-fixes). - perf/x86/intel/pt: Fix topa_entry base length (git-fixes). - perf/x86: Serialize set_attr_rdpmc() (git-fixes). - perf/core: Fix missing wakeup when waiting for context reference (git-fixes). - perf/x86/intel: Factor out the initialization code for SPR (git fixes). - perf/x86/intel: Use the common uarch name for the shared functions (git fixes). - commit bb48e43 - blacklist.conf: Add perf git-fix that won't be backported - commit fbbd522 - nvme: move stopping keep-alive into nvme_uninit_ctrl() (CVE-2024-45013 bsc#1230442) - commit ce739c4 - i2c: tegra: Do not mark ACPI devices as irq safe (CVE-2024-45029 bsc#1230451) - commit 2870112 - netfilter: flowtable: initialise extack before use (CVE-2024-45018 bsc#1230431) - commit 8b44b15 - net/mlx5e: Take state lock during tx timeout reporter (CVE-2024-45019 bsc#1230432) - commit 2552371 - net/mlx5: Fix IPsec RoCE MPV trace call (CVE-2024-45017 bsc#1230430) - commit 60aac02 - igb: cope with large MAX_SKB_FRAGS (CVE-2024-45030 bsc#1230457) - commit d2d3c69 - Move s390 kabi patch into the kabi section - commit 4ab5d36 - s390/uv: Don't call folio_wait_writeback() without a folio reference (git-fixes bsc#1229380 CVE-2024-43832). - s390/mm: Convert gmap_make_secure to use a folio (git-fixes bsc#1230562). - s390/mm: Convert make_page_secure to use a folio (git-fixes bsc#1230563). - s390: allow pte_offset_map_lock() to fail (git-fixes bsc#1230564). - commit 7069eb7 - mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 (CVE-2024-45022 bsc#1230435). - commit cc8880a - Revert &quot;mm/sparsemem: fix race in accessing memory_section-&gt;usage&quot; This reverts commit 6aa8957889611fbe7f06353f917cfb3d9620a680 to fix a regression (bsc#1230413) - commit 720e36b - Revert &quot;mm, kmsan: fix infinite recursion due to RCU critical section&quot; This reverts commit 16ad73a9f4c2888f3bc28513f5e9a88d753f8741 to fix a regression (bsc#1230413) - commit 2fd5290 - Revert &quot;mm: prevent derefencing NULL ptr in pfn_section_valid()&quot; This reverts commit 35f619d3c421219e07bc89d2d6a37fbff25519fe to fix a refression (bsc#1230413) - commit 7e5afd7 - memcg_write_event_control(): fix a user-triggerable oops (CVE-2024-45021 bsc#1230434). - commit 99a85a8 - platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array (git-fixes). - platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses (git-fixes). - usb: dwc3: core: update LC timer as per USB Spec V3.2 (stable-fixes). - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() (stable-fixes). - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated (stable-fixes). - regmap: maple: work around gcc-14.1 false-positive warning (stable-fixes). - phy: zynqmp: Take the phy mutex in xlate (stable-fixes). - pcmcia: Use resource_size function on resource object (stable-fixes). - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv (stable-fixes). - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) (stable-fixes). - PCI: Add missing bridge lock to pci_bus_lock() (stable-fixes). - usb: gadget: aspeed_udc: validate endpoint index for ast udc (stable-fixes). - usb: uas: set host status byte on data completion error (stable-fixes). - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse (stable-fixes). - media: vivid: don't set HDMI TX controls if there are no HDMI outputs (stable-fixes). - media: vivid: fix wrong sizeimage value for mplane (stable-fixes). - leds: spi-byte: Call of_node_put() on error path (stable-fixes). - wifi: rtw88: usb: schedule rx work after everything is set up (stable-fixes). - wifi: rtw89: wow: prevent to send unexpected H2C during download Firmware (stable-fixes). - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() (stable-fixes). - wifi: ath12k: fix firmware crash due to invalid peer nss (stable-fixes). - wifi: ath12k: fix uninitialize symbol error on ath12k_peer_assoc_h_he() (stable-fixes). - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3 (stable-fixes). - wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check (stable-fixes). - commit 3b57fa8 - Squashfs: sanity check symbolic link size (git-fixes). - commit fa6af4a - hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev &gt;= 1.2 (git-fixes). - Input: uinput - reject requests with unreasonable number of slots (stable-fixes). - HID: amd_sfh: free driver_data after destroying hid device (stable-fixes). - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup (stable-fixes). - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup (stable-fixes). - Input: ili210x - use kvmalloc() to allocate buffer for firmware update (stable-fixes). - drm/amdgpu: reject gang submit on reserved VMIDs (stable-fixes). - drm/amdgpu: Set no_hw_access when VF request full GPU fails (stable-fixes). - drm/amdgpu/display: handle gfx12 in amdgpu_dm_plane_format_mod_supported (stable-fixes). - drm/amdgpu: handle gfx12 in amdgpu_display_verify_sizes (stable-fixes). - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6 (stable-fixes). - drm/amd/display: Check denominator pbn_div before used (stable-fixes). - drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts (stable-fixes). - drm/amdgpu: Fix smatch static checker warning (stable-fixes). - drm/amdgpu: add missing error handling in function amdgpu_gmc_flush_gpu_tlb_pasid (stable-fixes). - drm/amd/display: Check HDCP returned status (stable-fixes). - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes (stable-fixes). - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes (stable-fixes). - hwmon: (lm95234) Fix underflows seen when writing limit attributes (stable-fixes). - hwmon: (adc128d818) Fix underflows seen when writing limit attributes (stable-fixes). - commit 2fa929e - Revert &quot;mm/sparsemem: fix race in accessing memory_section-&gt;usage&quot; This reverts commit 6aa8957889611fbe7f06353f917cfb3d9620a680. - commit 5376e5a - Revert &quot;mm, kmsan: fix infinite recursion due to RCU critical section&quot; This reverts commit 16ad73a9f4c2888f3bc28513f5e9a88d753f8741. - commit 505329c - Revert &quot;mm: prevent derefencing NULL ptr in pfn_section_valid()&quot; This reverts commit 35f619d3c421219e07bc89d2d6a37fbff25519fe. - commit 937414d - ata: libata: Fix memory leak for error path in ata_host_alloc() (git-fixes). - devres: Initialize an uninitialized struct member (stable-fixes). - ASoc: TAS2781: replace beXX_to_cpup with get_unaligned_beXX for potentially broken alignment (stable-fixes). - ASoC: topology: Properly initialize soc_enum values (stable-fixes). - ALSA: hda: Add input value sanity checks to HDMI channel map controls (stable-fixes). - ALSA: control: Apply sanity check of input values for user elements (stable-fixes). - crypto: qat - fix unintentional re-enabling of error interrupts (stable-fixes). - drm/amd/display: Run DC_LOG_DC after checking link-&gt;link_enc (stable-fixes). - drm/amd/display: Check UnboundedRequestEnabled's value (stable-fixes). - drm/amd: Add gfx12 swizzle mode defs (stable-fixes). - Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() (stable-fixes). - can: mcp251xfd: rx: add workaround for erratum DS80000789E 6 of mcp2518fd (stable-fixes). - can: mcp251xfd: rx: prepare to workaround broken RX FIFO head index erratum (stable-fixes). - can: mcp251xfd: mcp251xfd_handle_rxif_ring_uinc(): factor out in separate function (stable-fixes). - can: mcp251xfd: clarify the meaning of timestamp (stable-fixes). - can: kvaser_pciefd: Skip redundant NULL pointer check in ISR (stable-fixes). - ACPI: processor: Fix memory leaks in error paths of processor_add() (stable-fixes). - ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add() (stable-fixes). - cpufreq: amd-pstate: fix the highest frequency issue which limits performance (git-fixes). - cpufreq: amd-pstate: Enable amd-pstate preferred core support (stable-fixes). - ACPI: CPPC: Add helper to get the highest performance value (stable-fixes). - Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue (stable-fixes). - Bluetooth: hci_event: Use HCI error defines instead of magic values (stable-fixes). - commit 96be389 - virtio_net: Fix napi_skb_cache_put warning (git-fixes). - commit 860ef0a - virtio_net: fixing XDP for fully checksummed packets handling (git-fixes). - commit 77fb9e7 - s390/dasd: Fix redundant /proc/dasd* entries removal (bsc#1227694). - commit b66530a - Move upstreamed input patch into sorted section - commit e197a51 - blacklist.conf: add db5247d9bf5c (&quot;vhost_task: Handle SIGKILL by flushing work and exiting&quot;) - commit 7acfcbb - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing (git-fixes). - commit 42f7b0c - KVM: x86: Acquire kvm-&gt;srcu when handling KVM_SET_VCPU_EVENTS (git-fixes). - commit 610cfdd - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 (git-fixes). - commit bae7627 - kABI: Workaround kABI change in patches.suse/iommu-dma-Trace-bounce-buffer-usage-when-mapping-buf.patch (git-fixes). - Refresh patches.suse/iommu-dma-Trace-bounce-buffer-usage-when-mapping-buf.patch. - commit d37ca1f - blacklist.conf: add 778c350eb580 (&quot;Revert KVM: async_pf: avoid recursive flushing of work items&quot;) - commit 3ff1683 - KVM: arm64: Do not re-initialize the KVM lock (git-fixes). - commit b05c6c8 - s390/dasd: Remove DMA alignment (LTC#208933 bsc#1230426 git-fixes). - commit 5b1f3c2 - KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr() (git-fixes). - commit 4ccaaf2 - KVM: arm64: Don't pass a TLBI level hint when zapping table entries (git-fixes). - commit e3cb3e5 - blacklist.conf: add f62d4c3eb687 (&quot;KVM: arm64: Don't defer TLB invalidation when zapping table entries&quot;) - commit 80a75dc - blacklist.conf: add c60d847be7b8 (&quot;KVM: arm64: Fix double-free following kvm_pgtable_stage2_free_unlinked()&quot;) - commit 518faac - KVM: arm64: nvhe: Ignore SVE hint in SMCCC function ID (git-fixes). - commit 9d7939a - KVM: arm64: Block unsafe FF-A calls from the host (git-fixes). - commit 6327e50 - minmax: reduce min/max macro expansion in atomisp driver (git-fixes). - commit 6d37707 - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register() (CVE-2024-44971 bsc#1230211) - commit f262d95 - tcp: prevent concurrent execution of tcp_sk_exit_batch (CVE-2024-44991 bsc#1230195) - commit 179b01d - bonding: fix xfrm real_dev null pointer dereference (CVE-2024-44989 bsc#1230193) - commit 5caf0d2 - perf arch events: Fix duplicate RISC-V SBI firmware event name (git-fixes). - commit 4570763 - perf tool: fix dereferencing NULL al-&gt;maps (git-fixes). - commit 5e4751b - perf intel-pt: Fix exclude_guest setting (git-fixes). - commit e69b63b - perf intel-pt: Fix aux_watermark calculation for 64-bit size (git-fixes). - commit e3b3bca - perf report: Fix condition in sort__sym_cmp() (git-fixes). - commit c3e65ee - perf pmus: Fixes always false when compare duplicates aliases (git-fixes). - commit 8eeac69 - tools/perf: Fix the string match for &quot;/tmp/perf-$PID.map&quot; files in dso__load (git-fixes). - commit 9a7d0fb - bonding: fix null pointer deref in bond_ipsec_offload_ok (CVE-2024-44990 bsc#1230194). - media: aspeed: Fix memory overwrite if timing is 1600x900 (CVE-2023-52916 bsc#1230269). - commit 7cce3c7 - perf test: Make test_arm_callgraph_fp.sh more robust (git-fixes). - commit 8d430e5 - perf stat: Fix the hard-coded metrics calculation on the hybrid (git-fixes). - commit 0fe6062 - perf pmu: Assume sysfs events are always the same case (git-fixes). - Refresh patches.suse/perf-pmu-Count-sys-and-cpuid-JSON-events-separately.patch. - commit 0eb9b05 - rtla/osnoise: Prevent NULL dereference in error handling (CVE-2024-45002 bsc#1230169). - net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink (CVE-2024-44970 bsc#1230209). - commit 33e2b5d - lirc: rc_dev_get_from_fd(): fix file leak (git-fixes). - commit b3b20de - thunderbolt: Fix calculation of consumed USB3 bandwidth on a path (git-fixes). - commit c3642e6 - Move fixes into sorted section (bsc#1230119) - commit c8d5e3a - Refresh patches.suse/ipmi-ssif-Improve-detecting-during-probing.patch Add commit id and move away from out-of-tree section - commit ceb6869 - Move upstreamed kaslr patch into sorted section - commit 554594b - net: dsa: mv88e6xxx: Fix out-of-bound access (CVE-2024-44988 bsc#1230192) - commit 5ca3065 - ipv6: prevent UAF in ip6_send_skb() (CVE-2024-44987 bsc#1230185) - commit 075c292 - perf tools: Add/use PMU reverse lookup from config to name (git-fixes). - commit 62632fc - perf tools: Use pmus to describe type from attribute (git-fixes). - commit 3dc616b - perf: script: add raw|disasm arguments to --insn-trace option (git-fixes). - Refresh patches.suse/perf-script-Show-also-errors-for-insn-trace-option.patch. - commit f716aa4 - perf annotate: Use global annotation_options (git-fixes). - Refresh patches.suse/perf-annotate-Fix-annotation_calc_lines-to-pass-correct-address-to-get_srcline.patch. - commit b70a6bc - perf top: Convert to the global annotation_options (git-fixes). - commit c12ae1d - perf report: Convert to the global annotation_options (git-fixes). - commit e5bcc3a - perf annotate: Introduce global annotation_options (git-fixes). - commit b458961 - perf maps: Move symbol maps functions to maps.c (git-fixes). - Refresh patches.suse/perf-symbols-Fix-ownership-of-string-in-dso__load_vmlinux.patch. - commit 93caf35 - perf annotate: Split branch stack cycles information out of 'struct annotation_line' (git-fixes). - commit 733d4c0 - perf machine thread: Remove exited threads by default (git-fixes). - commit 3c4b077 - Update references for patches.suse/ipv6-fix-possible-UAF-in-ip6_finish_output2.patch (CVE-2024-44986 bsc#1230230 bsc#1230206) - commit 814e7ee - bnxt_en: Fix double DMA unmapping for XDP_REDIRECT (CVE-2024-44984 bsc#1230240) - commit 43e2e07 - gtp: pull network headers in gtp_dev_xmit() (CVE-2024-44999 bsc#1230233) - commit 057aaf8 - perf record: Lazy load kernel symbols (git-fixes). - commit 84efd43 - Detect memory allocation failure in annotated_source__alloc_histograms (bsc#1227962). - commit 6424d7a - Add alternate commit id for git-fixes. Refresh patches.suse/perf-evlist-Fix-evlist__new_default-for-1-core-PMU.patch. - commit 3b7c481 - thunderbolt: There are only 5 basic router registers in pre-USB4 routers (git-fixes). - commit 065ac58 - thunderbolt: Fix rollback in tb_port_lane_bonding_enable() for lane 1 (git-fixes). - commit 108e81e - ipmi:ssif: Improve detecting during probing (bsc#1228771) - commit db0a09e - thunderbolt: Fix XDomain rx_lanes_show and tx_lanes_show (git-fixes). - commit b11c099 - Drop soundwire patch that caused a regression (bsc#1230350) Deleted: patches.suse/soundwire-stream-fix-programming-slave-ports-for-non.patch - commit 5c05eeb - btrfs: fix race between direct IO write and fsync when using same fd (git-fixes). - commit dc59ebc - mm/swap: fix race when skipping swapcache (CVE-2024-26759 bsc#1230340). - commit 990c0c6 - kABI workaround for cros_ec stuff (git-fixes). - commit cb01b4e - platform/chrome: cros_ec_lpc: MEC access can use an AML mutex (stable-fixes). - commit d9de020 - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic (git-fixes). - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind (git-fixes). - net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup (git-fixes). - commit 27572d4 - x86/pat: Fix W^X violation false-positives when running as Xen PV guest (bsc#1221527). - commit 9acf0ca - x86/pat: Restructure _lookup_address_cpa() (bsc#1221527). - commit 56f7c9c - powerpc/qspinlock: Fix deadlock in MCS queue (bac#1230295 ltc#206656). - commit c4a2ba1 - Refresh patches.kabi/kabi-dm_blk_ioctl-implement-path-failover-for-SG_IO.patch. - Refresh patches.suse/dm_blk_ioctl-implement-path-failover-for-SG_IO.patch. - commit 73c5a36 - x86/mm: Use lookup_address_in_pgd_attr() in show_fault_oops() (bsc#1221527). - commit 84d383c - x86/pat: Introduce lookup_address_in_pgd_attr() (bsc#1221527). - commit 09ca5ca - drm/amd/display: Replace dm_execute_dmub_cmd with dc_wake_and_execute_dmub_cmd (git-fixes). - commit 6d87705 - wifi: cfg80211: make hash table duplicates more survivable (stable-fixes). - Refresh patches.kabi/wireless-kabi-workaround.patch. - commit 62f6e12 - VMCI: Fix use-after-free when removing resource in vmci_resource_remove() (git-fixes). - misc: fastrpc: Fix double free of 'buf' in error path (git-fixes). - iio: fix scale application in iio_convert_raw_to_processed_unlocked (git-fixes). - iio: adc: ad7124: fix config comparison (git-fixes). - iio: adc: ad7124: fix chip ID mismatch (git-fixes). - iio: buffer-dmaengine: fix releasing dma channel on error (git-fixes). - iio: adc: ad7606: remove frstdata check for serial mode (git-fixes). - staging: iio: frequency: ad9834: Validate frequency parameter value (git-fixes). - usb: dwc3: Avoid waking up gadget during startxfer (git-fixes). - net: usb: qmi_wwan: add MeiG Smart SRM825L (stable-fixes). - drm/gpuvm: fix missing dependency to DRM_EXEC (git-fixes). - drm: panel-orientation-quirks: Add quirk for OrangePi Neo (stable-fixes). - drm/fb-helper: Don't schedule_work() to flush frame buffer during panic() (stable-fixes). - PCI: al: Check IORESOURCE_BUS existence during probe (stable-fixes). - usb: typec: ucsi: Fix null pointer dereference in trace (stable-fixes). - usbip: Don't submit special requests twice (stable-fixes). - media: uvcvideo: Enforce alignment of frame and interval (stable-fixes). - wifi: ath12k: initialize 'ret' in ath12k_dp_rxdma_ring_sel_config_wcn7850() (stable-fixes). - wifi: ath11k: initialize 'ret' in ath11k_qmi_load_file_target_mem() (stable-fixes). - wifi: ath12k: initialize 'ret' in ath12k_qmi_load_file_target_mem() (stable-fixes). - wifi: rtw89: ser: avoid multiple deinit on same CAM (stable-fixes). - wifi: mac80211: check ieee80211_bss_info_change_notify() against MLD (stable-fixes). - wifi: cfg80211: restrict operation during radar detection (stable-fixes). - pwm: xilinx: Fix u32 overflow issue in 32-bit width PWM mode (stable-fixes). - hwmon: (k10temp) Check return value of amd_smn_read() (stable-fixes). - regmap: spi: Fix potential off-by-one when calculating reserved size (stable-fixes). - commit 73bbd93 - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime (git-fixes). - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX (git-fixes). - dma-debug: avoid deadlock between dma debug vs printk and netconsole (stable-fixes). - drm/amdgpu: fix contiguous handling for IB parsing v2 (git-fixes). - dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor (stable-fixes). - dmaengine: altera-msgdma: use irq variant of spin_lock/unlock while invoking callbacks (stable-fixes). - driver: iio: add missing checks on iio_info's callback access (stable-fixes). - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null (stable-fixes). - drm/amd/display: Check BIOS images before it is used (stable-fixes). - drm/amd/display: Avoid overflow from uint32_t to uint8_t (stable-fixes). - drm/amd/display: use preferred link settings for dp signal only (stable-fixes). - drm/amd/display: Remove register from DCN35 DMCUB diagnostic collection (stable-fixes). - drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX (stable-fixes). - drm/amd/display: added NULL check at start of dc_validate_stream (stable-fixes). - drm/amd/display: Wake DMCUB before sending a command for replay feature (stable-fixes). - drm/amd/display: Don't use fsleep for PSR exit waits on dmub replay (stable-fixes). - drm/amdgpu: fix overflowed constant warning in mmhub_set_clockgating() (stable-fixes). - drm/amdgpu: add lock in kfd_process_dequeue_from_device (stable-fixes). - drm/amdgpu: add lock in amdgpu_gart_invalidate_tlb (stable-fixes). - drm/amdgpu: add skip_hw_access checks for sriov (stable-fixes). - drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ (stable-fixes). - drm/meson: plane: Add error handling (stable-fixes). - drm/drm-bridge: Drop conditionals around of_node pointers (stable-fixes). - drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing (stable-fixes). - drm/amdgu: fix Unintentional integer overflow for mall size (stable-fixes). - drm/amdgpu: update type of buf size to u32 for eeprom functions (stable-fixes). - drm/amd/display: Fix pipe addition logic in calc_blocks_to_ungate DCN35 (stable-fixes). - drm/kfd: Correct pinned buffer handling at kfd restore and validate process (stable-fixes). - drm/amd/pm: check negtive return for table entries (stable-fixes). - drm/amdgpu: the warning dereferencing obj for nbio_v7_4 (stable-fixes). - drm/amd/pm: check specific index for smu13 (stable-fixes). - drm/amd/pm: check specific index for aldebaran (stable-fixes). - drm/amdgpu: fix the waring dereferencing hive (stable-fixes). - drm/amdgpu: fix dereference after null check (stable-fixes). - drm/amdgpu: Fix the warning division or modulo by zero (stable-fixes). - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy SOCs (stable-fixes). - drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device (stable-fixes). - drm/amdgpu: fix mc_data out-of-bounds read warning (stable-fixes). - drm/amdgpu: fix ucode out-of-bounds read warning (stable-fixes). - drm/amdgpu: Fix uninitialized variable warning in amdgpu_info_ioctl (stable-fixes). - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number (stable-fixes). - drm/amdkfd: Check debug trap enable before write dbg_ev_file (stable-fixes). - drm/amdgpu: Fix out-of-bounds write warning (stable-fixes). - drm/amdgpu: Fix the uninitialized variable warning (stable-fixes). - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response (stable-fixes). - drm/amdgpu/pm: Fix uninitialized variable warning for smu10 (stable-fixes). - drm/amd/pm: fix uninitialized variable warnings for vangogh_ppt (stable-fixes). - drm/amd/amdgpu: Check tbo resource pointer (stable-fixes). - drm/amd/display: Fix index may exceed array range within fpu_update_bw_bounding_box (stable-fixes). - drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration (stable-fixes). - drm/amd/display: Ensure index calculation will not overflow (stable-fixes). - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within decide_fallback_link_setting_max_bw_policy (stable-fixes). - drm/amd/display: Spinlock before reading event (stable-fixes). - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create (stable-fixes). - drm/amd/display: Fix Coverity INTERGER_OVERFLOW within construct_integrated_info (stable-fixes). - drm/amd/display: Check msg_id before processing transcation (stable-fixes). - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] (stable-fixes). - drm/amd/display: Add array index check for hdcp ddc access (stable-fixes). - drm/amd/display: Check index for aux_rd_interval before using (stable-fixes). - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 (stable-fixes). - drm/amd/display: Check gpio_id before used as array index (stable-fixes). - drm/amd/display: Ensure array index tg_inst won't be -1 (stable-fixes). - drm/amdgpu: avoid reading vf2pf info size from FB (stable-fixes). - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr (stable-fixes). - drm/amdgpu: fix uninitialized scalar variable warning (stable-fixes). - drm/amd/pm: fix the Out-of-bounds read warning (stable-fixes). - drm/amd/pm: Fix negative array index read (stable-fixes). - drm/amd/pm: fix warning using uninitialized value of max_vid_step (stable-fixes). - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr (stable-fixes). - drm/amd/pm: fix uninitialized variable warning (stable-fixes). - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc (stable-fixes). - drm/amdgpu: fix overflowed array index read warning (stable-fixes). - drm/amdgpu: Handle sg size limit for contiguous allocation (stable-fixes). - drm/amd/display: Assign linear_pitch_alignment even for VM (stable-fixes). - drm/amd/display: Handle the case which quad_part is equal 0 (stable-fixes). - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr (stable-fixes). - cpufreq: scmi: Avoid overflow of target_freq in fast switch (stable-fixes). - commit e23c4dc - RDMA/efa: Properly handle unexpected AQ completions (git-fixes) - commit 8c8b9e5 - clk: qcom: gcc-sc8280xp: don't use parking clk_ops for QUPs (git-fixes). - clk: qcom: gcc-sm8550: Don't park the USB RCG at registration time (git-fixes). - clk: qcom: gcc-sm8550: Don't use parking clk_ops for QUPs (git-fixes). - clk: qcom: ipq9574: Update the alpha PLL type for GPLLs (git-fixes). - clk: qcom: clk-alpha-pll: Fix zonda set_rate failure when PLL is disabled (git-fixes). - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API (git-fixes). - clk: qcom: clk-alpha-pll: Fix the pll post div mask (git-fixes). - commit 060a67a - ALSA: hda/realtek - Fix inactive headset mic jack for ASUS Vivobook 15 X1504VAP (stable-fixes). - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx (stable-fixes). - ALSA: hda/realtek: Enable Mute Led for HP Victus 15-fb1xxx (stable-fixes). - ALSA: hda/realtek: extend quirks for Clevo V5[46]0 (stable-fixes). - ALSA: hda/realtek: add patch for internal mic in Lenovo V145 (stable-fixes). - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices (stable-fixes). - commit 5538dd8 - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode (git-fixes). - ASoc: SOF: topology: Clear SOF link platform name upon unload (git-fixes). - ASoC: tegra: Fix CBB error during probe() (git-fixes). - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object (git-fixes). - mmc: cqhci: Fix checking of CQHCI_HALT state (git-fixes). - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K (git-fixes). - mmc: sdhci-of-aspeed: fix module autoloading (git-fixes). - mmc: core: apply SD quirks earlier during probe (git-fixes). - gpio: modepin: Enable module autoloading (git-fixes). - gpio: rockchip: fix OF node leak in probe() (git-fixes). - Revert &quot;drm/amdgpu: align pp_power_profile_mode with kernel docs&quot; (stable-fixes). - nouveau: fix the fwsec sb verification register (git-fixes). - drm/i915/fence: Mark debug_fence_free() with __maybe_unused (git-fixes). - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused (git-fixes). - drm/i915: Do not attempt to load the GSC multiple times (git-fixes). - commit 7a89765 - blacklist.conf: CVE-2024-43886 bsc#1229748: not applicable, functionality not present The fix adds a NULL check but it is already there in this codebase. The upstream fix is for patch 5db346c256bbac (&quot;drm/amd/display: update pipe topology log to support subvp&quot;) that adds a secondary display and refactors code so the NULL check gets lost in resource_log_pipe_topology_update(). - commit b9c5bf2 - ipv6: fix possible UAF in ip6_finish_output2() (bsc#1230206) - commit 64f6ea9 - ipv6: prevent possible UAF in ip6_xmit() (CVE-2024-44985 bsc#1230206) - commit 209198a - vfs: Don't evict inode under the inode lru traversing context (CVE-2024-45003 bsc#1230245). - commit 630b67a - Restore dropped fields for bluetooth MGMT/SMP structs (git-fixes). - commit 5313ecb - usbnet: modern method to get random MAC (git-fixes). - net: phy: Fix missing of_node_put() for leds (git-fixes). - Bluetooth: MGMT: Ignore keys being loaded with invalid type (git-fixes). - Revert &quot;Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE&quot; (git-fixes). - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open (git-fixes). - can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD mode (git-fixes). - can: m_can: Release irq on error in m_can_open (git-fixes). - can: bcm: Remove proc entry when dev is unregistered (git-fixes). - spi: rockchip: Resolve unbalanced runtime PM / system PM handling (git-fixes). - regulator: core: Stub devm_regulator_bulk_get_const() if !CONFIG_REGULATOR (git-fixes). - platform/x86: dell-smbios: Fix error path in dell_smbios_init() (git-fixes). - commit b6769e6 - serial: sc16is7xx: fix invalid FIFO access with special register set (CVE-2024-44950 bsc#1230180). - serial: sc16is7xx: fix TX fifo corruption (CVE-2024-44951 bsc#1230181). - serial: sc16is7xx: refactor FIFO access functions to increase commonality (CVE-2024-44951 bsc#1230181). - commit 4ab54b2 - NFS: never reuse a NFSv4.0 lock-owner (bsc#1227726). - commit ed692a4 - atm: idt77252: prevent use after free in dequeue_rx() (CVE-2024-44998 bsc#1230171). - commit fd57936 - tcp: add sanity checks to rx zerocopy (CVE-2024-26640 bsc#1221650). - commit 21286c2 - USB: serial: option: add MeiG Smart SRM825L (git-fixes). - commit 047a639 - nilfs2: fix state management in error path of log writing function (git-fixes). - commit 9b55988 - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller (git-fixes). - commit a322b71 - usb: dwc3: core: Prevent USB core invalid event buffer address access (git-fixes). - commit de7b6b3 - nilfs2: fix missing cleanup on rollforward recovery error (git-fixes). - commit b4149d3 - nilfs2: protect references to superblock parameters exposed in sysfs (git-fixes). - commit e7215f6 - arm64: tlb: Allow range operation for MAX_TLBI_RANGE_PAGES (bsc#1229585) - commit a52467b - arm64: tlb: Improve __TLBI_VADDR_RANGE() (bsc#1229585) - commit 26752eb - arm64: tlb: Fix TLBI RANGE operand (bsc#1229585) - commit 24bd468 - blacklist.conf: (&quot;KVM: arm64: Use TLBI_TTL_UNKNOWN in __kvm_tlb_flush_vmid_range()&quot;) (bsc#1229585) - commit 29fbf2b - arm64/mm: Update tlb invalidation routines for FEAT_LPA2 (bsc#1229585) - commit b8ec0d4 - arm64/mm: Modify range-based tlbi to decrement scale (bsc#1229585) - commit e08c708 - USB: serial: option: add MeiG Smart SRM825L (stable-fixes). - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller (stable-fixes). - usb: dwc3: core: Prevent USB core invalid event buffer address access (stable-fixes). - selinux,smack: don't bypass permissions check in inode_setsecctx hook (stable-fixes). - drm/amdgpu/swsmu: always force a state reprogram on init (stable-fixes). - drm/amdgpu: align pp_power_profile_mode with kernel docs (stable-fixes). - commit 1d64229 - Resort io_uring kABI patches These ended up in the wrong section. Push them to the right place, next to the other io_uring kabi patches. - commit f218522 - kABI: Split kABI out of 'io_uring: Re-add dummy_ubuf for kABI purposes' When introducing this patch, I merged the kABI patch with the actual backport, which is not recommended. Split it up, such that the backport is similar to the upstream patch and handle the kABI issue exactly the same way, but through a separate kABI patch. - commit 5b3aa8f - kABI: Split kABI out of 'io_uring/kbuf: get rid of bl-&gt;is_ready' When introducing this patch, I merged the kABI patch with the actual backport, which is not recommended. Split it up, such that the backport is similar to the upstream patch and handle the kABI issue exactly the same way, but through a separate kABI patch. - commit d39d376 - ext4: sanity check for NULL pointer after ext4_force_shutdown (bsc#1229753 CVE-2024-43898). - commit d9361cb - udf: Fix bogus checksum computation in udf_rename() (bsc#1229389 CVE-2024-43845). - commit 985c73e - ext4: fix infinite loop when replaying fast_commit (bsc#1229394 CVE-2024-43828). - commit c9c168b - block: fix deadlock between sd_remove &amp; sd_release (bsc#1229371 CVE-2024-42294). - commit a556834 - udf: Avoid using corrupted block bitmap buffer (bsc#1229362 CVE-2024-42306). - commit 26b3a5d - ext4: check dot and dotdot of dx_root before making dir indexed (bsc#1229363 CVE-2024-42305). - commit d42c7e5 - mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray (bsc#1229001 CVE-2024-42243). - commit 962c57e - protect the fetch of -&gt;fd[fd] in do_dup2() from mispredictions (bsc#1229334 CVE-2024-42265). - commit 1088a58 - ext4: make sure the first directory block is not a hole (bsc#1229364 CVE-2024-42304). - commit 0ee54f7 - netfilter: ctnetlink: use helper function to calculate expect ID (CVE-2024-44944 bsc#1229899). - commit da9b5c6 - sctp: Fix null-ptr-deref in reuseport_add_sock() (CVE-2024-44935 bsc#1229810). - commit c34ddb2 - perf/x86/uncore: Cleanup unused unit structure (bsc#1230119). - commit 48a66a6 - perf/x86/uncore: Apply the unit control RB tree to PCI uncore units (bsc#1230119). - commit e202e9f - perf/x86/uncore: Apply the unit control RB tree to MSR uncore units (bsc#1230119). - commit 8a1e34d - perf/x86/uncore: Apply the unit control RB tree to MMIO uncore units (bsc#1230119). - commit 956825c - perf/x86/uncore: Retrieve the unit ID from the unit control RB tree (bsc#1230119). - commit 81ab2f7 - perf/x86/uncore: Support per PMU cpumask (bsc#1230119). - commit e0b1be5 - perf/x86/uncore: Save the unit control address of all units (bsc#1230119). - commit 3062251 - perf/x86/intel/uncore: Support HBM and CXL PMON counters (bsc#1230119). - commit a4c2665 - fuse: update stats for pages in dropped aux writeback list (bsc#1230125). - fuse: fix memory leak in fuse_create_open (bsc#1230124). - fuse: use unsigned type for getxattr/listxattr size truncation (bsc#1230123). - commit c8902bc - Split kabi part of dm_blk_ioctl-implement-path-failover-for-SG_IO.patch - kabi: dm_blk_ioctl: implement path failover for SG_IO (bsc#1183045, bsc#1216776). - Refresh patches.suse/dm_blk_ioctl-implement-path-failover-for-SG_IO.patch. - commit 9a2ecb0 - NFSD: Fix frame size warning in svc_export_parse() (git-fixes). - NFSD: Rewrite synopsis of nfsd_percpu_counters_init() (git-fixes). - commit 3ab58b8 - blacklist.conf: These aren't wanted for various reasons. - commit 39478da - kABI: Split kABI out of io_uring/kbuf: protect io_buffer_list teardown with a reference When introducing this patch, I merged the kABI patch with the actual backport, which is not recommended. Split it up, such that the backport is similar to the upstream patch and handle the kABI issue exactly the same way, but through a separate kABI patch. - commit 08e57d6 - blacklist.conf: Add cf3f9a593dab mm: optimize the redundant loop of mm_update_owner_next() - commit 3184f0b - blacklist.conf: d24f05987ce8 cgroup: Avoid extra dereference in css_populate_dir() - commit 922f944 - usb: typec: ucsi: Wait 20ms before reading CCI after a reset (git-fixes). - commit 26d16be - ceph: periodically flush the cap releases (bsc#1230056). - commit e22b6e0 - Bluetooth: Fix usage of __hci_cmd_sync_status (git-fixes). - commit 1bec58d - Bluetooth: L2CAP: Fix deadlock (git-fixes). - commit 13aba13 - net/sched: act_ct: fix skb leak and crash on ooo frags (CVE-2023-52610 bsc#1221610). - commit 7a32533 - bluetooth/l2cap: sync sock recv cb and release (bsc#1228576 CVE-2024-41062). - commit 6553526 - mm: prevent derefencing NULL ptr in pfn_section_valid() (git-fixes). - commit 35f619d - mm, kmsan: fix infinite recursion due to RCU critical section (git-fixes). - commit 16ad73a - mm/sparsemem: fix race in accessing memory_section-&gt;usage (bsc#1221326 CVE-2023-52489). - commit 6aa8957 - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response (git-fixes). - commit 4dc1da1 - xfs: Fix missing interval for missing_owner in xfs fsmap (git-fixes). - commit 5448ab5 - xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code (git-fixes). - commit 288ad9b - xfs: Fix the owner setting issue for rmap query in xfs fsmap (git-fixes). - commit 49b5eec - usb: cdnsp: fix for Link TRB with TC (git-fixes). - usb: dwc3: st: add missing depopulate in probe error path (git-fixes). - usb: dwc3: st: fix probed platform device ref count on probe error path (git-fixes). - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() (git-fixes). - usb: typec: fsa4480: Relax CHIP_ID check (git-fixes). - usb: dwc3: omap: add missing depopulate in probe error path (git-fixes). - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function (git-fixes). - soc: qcom: pmic_glink: Actually communicate when remote goes down (git-fixes). - soc: qcom: cmd-db: Map shared memory as WC, not WB (git-fixes). - commit 7121142 - dmaengine: dw: Add memory bus width verification (git-fixes). - dmaengine: dw: Add peripheral bus width verification (git-fixes). - soundwire: stream: fix programming slave ports for non-continous port maps (git-fixes). - commit b7e9784 - Update patches.suse/0001-net-rds-fix-possible-cp-null-dereference.patch (git-fixes CVE-2024-35902 bsc#1224496). - Update patches.suse/ASoC-TAS2781-Fix-tasdev_load_calibrated_data.patch (git-fixes CVE-2024-42278 bsc#1229403). - Update patches.suse/ASoC-amd-Adjust-error-handling-in-case-of-absent-cod.patch (git-fixes CVE-2024-43818 bsc#1229296). - Update patches.suse/ASoC-fsl-fsl_qmc_audio-Check-devm_kasprintf-returned.patch (git-fixes CVE-2024-42298 bsc#1229369). - Update patches.suse/Bluetooth-MGMT-Add-error-handling-to-pair_device.patch (git-fixes CVE-2024-43884 bsc#1229739). - Update patches.suse/KVM-Always-flush-async-PF-workqueue-when-vCPU-is-bei.patch (git-fixes CVE-2024-26976 bsc#1223635). - Update patches.suse/PCI-DPC-Fix-use-after-free-on-concurrent-DPC-and-hot.patch (git-fixes CVE-2024-42302 bsc#1229366). - Update patches.suse/PCI-endpoint-Clean-up-error-handling-in-vpci_scan_bu.patch (git-fixes CVE-2024-43875 bsc#1229486). - Update patches.suse/PCI-endpoint-pci-epf-test-Make-use-of-cached-epc_fea.patch (git-fixes CVE-2024-43824 bsc#1229320). - Update patches.suse/PCI-keystone-Fix-NULL-pointer-dereference-in-case-of.patch (git-fixes CVE-2024-43823 bsc#1229303). - Update patches.suse/PCI-rcar-Demote-WARN-to-dev_warn_ratelimited-in-rcar.patch (git-fixes CVE-2024-43876 bsc#1229485). - Update patches.suse/RDMA-hns-Fix-soft-lockup-under-heavy-CEQE-load.patch (git-fixes CVE-2024-43872 bsc#1229489). - Update patches.suse/RDMA-iwcm-Fix-a-use-after-free-related-to-destroying.patch (git-fixes CVE-2024-42285 bsc#1229381). - Update patches.suse/Revert-ALSA-firewire-lib-operate-for-period-elapse-e.patch (bsc#1208783 CVE-2024-42274 bsc#1229417). - Update patches.suse/SUNRPC-add-a-missing-rpc_stat-for-TCP-TLS.patch (git-fixes CVE-2024-36907 bsc#1225751). - Update patches.suse/bpf-arm64-Fix-trampoline-for-BPF_TRAMP_F_CALL_ORIG.patch (git-fixes CVE-2024-43840 bsc#1229344). - Update patches.suse/btrfs-fix-double-inode-unlock-for-direct-IO-sync-wri.patch (git-fixes CVE-2024-43885 bsc#1229747). - Update patches.suse/btrfs-fix-extent-map-use-after-free-when-adding-page.patch (git-fixes CVE-2024-42314 bsc#1229355). - Update patches.suse/cgroup-cpuset-Prevent-UAF-in-proc_cpuset_show.patch (bsc#1228801 CVE-2024-43853 bsc#1229292). - Update patches.suse/crypto-ccp-Fix-null-pointer-dereference-in-__sev_snp.patch (git-fixes CVE-2024-43874 bsc#1229487). - Update patches.suse/devres-Fix-memory-leakage-caused-by-driver-API-devm_.patch (git-fixes CVE-2024-43871 bsc#1229490). - Update patches.suse/dma-fix-call-order-in-dmam_free_coherent.patch (git-fixes CVE-2024-43856 bsc#1229346). - Update patches.suse/drm-admgpu-fix-dereferencing-null-pointer-context.patch (stable-fixes CVE-2024-43906 bsc#1229785). - Update patches.suse/drm-amd-display-Add-NULL-check-for-afb-before-derefe.patch (stable-fixes CVE-2024-43903 bsc#1229781). - Update patches.suse/drm-amd-display-Add-null-checker-before-passing-vari.patch (stable-fixes CVE-2024-43902 bsc#1229767). - Update patches.suse/drm-amd-display-Skip-Recompute-DSC-Params-if-no-Stre.patch (stable-fixes CVE-2024-43895 bsc#1229755). - Update patches.suse/drm-amd-pm-Fix-the-null-pointer-dereference-for-vega.patch (stable-fixes CVE-2024-43905 bsc#1229784). - Update patches.suse/drm-amdgpu-Fix-the-null-pointer-dereference-to-ras_m.patch (stable-fixes CVE-2024-43908 bsc#1229788). - Update patches.suse/drm-amdgpu-pm-Fix-the-null-pointer-dereference-for-s.patch (stable-fixes CVE-2024-43909 bsc#1229789). - Update patches.suse/drm-amdgpu-pm-Fix-the-null-pointer-dereference-in-ap.patch (stable-fixes CVE-2024-43907 bsc#1229787). - Update patches.suse/drm-client-fix-null-pointer-dereference-in-drm_clien.patch (git-fixes CVE-2024-43894 bsc#1229746). - Update patches.suse/drm-gma500-fix-null-pointer-dereference-in-cdv_intel.patch (git-fixes CVE-2024-42310 bsc#1229358). - Update patches.suse/drm-gma500-fix-null-pointer-dereference-in-psb_intel.patch (git-fixes CVE-2024-42309 bsc#1229359). - Update patches.suse/drm-nouveau-prime-fix-refcount-underflow.patch (git-fixes CVE-2024-43867 bsc#1229493). - Update patches.suse/drm-qxl-Add-check-for-drm_cvt_mode.patch (git-fixes CVE-2024-43829 bsc#1229341). - Update patches.suse/drm-vmwgfx-Fix-a-deadlock-in-dma-buf-fence-polling.patch (git-fixes CVE-2024-43863 bsc#1229497). - Update patches.suse/exfat-fix-potential-deadlock-on-__exfat_get_dentry_set.patch (git-fixes CVE-2024-42315 bsc#1229354). - Update patches.suse/gpio-prevent-potential-speculation-leaks-in-gpio_dev.patch (stable-fixes CVE-2024-44931 bsc#1229837). - Update patches.suse/hfs-fix-to-initialize-fields-of-hfs_inode_info-after-hfs_alloc_inode.patch (git-fixes CVE-2024-42311 bsc#1229413). - Update patches.suse/iio-Fix-the-sorting-functionality-in-iio_gts_build_a.patch (git-fixes CVE-2024-43825 bsc#1229298). - Update patches.suse/jfs-Fix-array-index-out-of-bounds-in-diFree.patch (git-fixes CVE-2024-43858 bsc#1229414). - Update patches.suse/jfs-Fix-shift-out-of-bounds-in-dbDiscardAG.patch (git-fixes CVE-2024-44938 bsc#1229792). - Update patches.suse/jfs-fix-null-ptr-deref-in-dtInsertEntry.patch (git-fixes CVE-2024-44939 bsc#1229820). - Update patches.suse/kobject_uevent-Fix-OOB-access-within-zap_modalias_en.patch (git-fixes CVE-2024-42292 bsc#1229373). - Update patches.suse/kvm-s390-Reject-memory-region-operations-for-ucontrol-VMs.patch (git-fixes bsc#1229168 CVE-2024-43819 bsc#1229290). - Update patches.suse/leds-trigger-Unregister-sysfs-attributes-before-call.patch (git-fixes CVE-2024-43830 bsc#1229305). - Update patches.suse/lib-objagg-Fix-general-protection-fault.patch (git-fixes CVE-2024-43846 bsc#1229360). - Update patches.suse/libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch (git-fixes CVE-2024-27050 bsc#1223767). - Update patches.suse/mISDN-Fix-a-use-after-free-in-hfcmulti_tx.patch (git-fixes CVE-2024-42280 bsc#1229388). - Update patches.suse/mailbox-mtk-cmdq-Move-devm_mbox_controller_register-.patch (git-fixes CVE-2024-42319 bsc#1229350). - Update patches.suse/md-raid5-fix-deadlock-that-raid5d-wait-for-itself-to-clear-MD_SB_CHANGE_PENDING-151f.patch (git-fixes CVE-2024-39476 bsc#1227437). - Update patches.suse/media-imx-pxp-Fix-ERR_PTR-dereference-in-pxp_probe.patch (git-fixes CVE-2024-42303 bsc#1229365). - Update patches.suse/media-pci-ivtv-Add-check-for-DMA-map-result.patch (git-fixes CVE-2024-43877 bsc#1229484). - Update patches.suse/media-v4l-async-Fix-NULL-pointer-dereference-in-addi.patch (git-fixes CVE-2024-43833 bsc#1229299). - Update patches.suse/media-venus-fix-use-after-free-in-vdec_close.patch (git-fixes CVE-2024-42313 bsc#1229356). - Update patches.suse/media-xc2028-avoid-use-after-free-in-load_firmware_c.patch (stable-fixes CVE-2024-43900 bsc#1229756). - Update patches.suse/memcg-protect-concurrent-access-to-mem_cgroup_idr.patch (git-fixes CVE-2024-43892 bsc#1229761). - Update patches.suse/net-drop-bad-gso-csum_start-and-offset-in-virtio_net.patch (git-fixes CVE-2024-43897 bsc#1229752). - Update patches.suse/net-iucv-fix-use-after-free-in-iucv_sock_close.patch (bsc#1228973 CVE-2024-42271 bsc#1229400). - Update patches.suse/net-missing-check-virtio.patch (git-fixes CVE-2024-43817 bsc#1229312). - Update patches.suse/net-usb-qmi_wwan-fix-memory-leak-for-not-ip-packets.patch (git-fixes CVE-2024-43861 bsc#1229500). - Update patches.suse/nfs-pass-explicit-offset-count-to-trace-events.patch (git-fixes CVE-2024-43826 bsc#1229294). - Update patches.suse/nvme-pci-add-missing-condition-check-for-existence-o.patch (git-fixes CVE-2024-42276 bsc#1229410). - Update patches.suse/padata-Fix-possible-divide-by-0-panic-in-padata_mt_h.patch (git-fixes CVE-2024-43889 bsc#1229743). - Update patches.suse/remoteproc-imx_rproc-Skip-over-memory-region-when-no.patch (git-fixes CVE-2024-43860 bsc#1229319). - Update patches.suse/s390-dasd-fix-error-checks-in-dasd_copy_pair_store.patch (git-fixes bsc#1229173 CVE-2024-42320 bsc#1229349). - Update patches.suse/scsi-lpfc-Revise-lpfc_prep_embed_io-routine-with-pro.patch (bsc#1228857 CVE-2024-43816 bsc#1229318). - Update patches.suse/scsi-qla2xxx-Complete-command-early-within-lock.patch (bsc#1228850 CVE-2024-42287 bsc#1229392). - Update patches.suse/scsi-qla2xxx-During-vport-delete-send-async-logout-e.patch (bsc#1228850 CVE-2024-42289 bsc#1229399). - Update patches.suse/scsi-qla2xxx-Fix-for-possible-memory-corruption.patch (bsc#1228850 CVE-2024-42288 bsc#1229398). - Update patches.suse/scsi-qla2xxx-validate-nvme_local_port-correctly.patch (bsc#1228850 CVE-2024-42286 bsc#1229395). - Update patches.suse/serial-core-check-uartclk-for-zero-to-avoid-divide-b.patch (stable-fixes CVE-2024-43893 bsc#1229759). - Update patches.suse/soc-qcom-pdr-protect-locator_addr-with-the-main-mute.patch (git-fixes CVE-2024-43849 bsc#1229307). - Update patches.suse/soc-xilinx-rename-cpu_number1-to-dummy_cpu_number.patch (git-fixes CVE-2024-43851 bsc#1229313). - Update patches.suse/spi-microchip-core-ensure-TX-and-RX-FIFOs-are-empty-.patch (git-fixes CVE-2024-42279 bsc#1229390). - Update patches.suse/usb-vhci-hcd-Do-not-drop-references-before-new-refer.patch (stable-fixes CVE-2024-43883 bsc#1229707). - Update patches.suse/vhost-vsock-always-initialize-seqpacket_allow.patch (git-fixes CVE-2024-43873 bsc#1229488). - Update patches.suse/wifi-ath12k-change-DMA-direction-while-mapping-reinj.patch (git-fixes CVE-2024-43881 bsc#1229480). - Update patches.suse/wifi-ath12k-fix-invalid-memory-access-while-processi.patch (git-fixes CVE-2024-43847 bsc#1229291). - Update patches.suse/wifi-cfg80211-handle-2x996-RU-allocation-in-cfg80211.patch (git-fixes CVE-2024-43879 bsc#1229482). - Update patches.suse/wifi-nl80211-disallow-setting-special-AP-channel-wid.patch (stable-fixes CVE-2024-43912 bsc#1229830). - Update patches.suse/wifi-rtw89-Fix-array-index-mistake-in-rtw89_sta_info.patch (git-fixes CVE-2024-43842 bsc#1229317). - Update patches.suse/wifi-virt_wifi-avoid-reporting-connection-success-wi.patch (git-fixes CVE-2024-43841 bsc#1229304). - commit 140ec33 - iommu/amd: Convert comma to semicolon (git-fixes). - commit 2714d8b - scsi: lpfc: Fix a possible null pointer dereference (bsc#1229315 CVE-2024-43821). - commit eb73e94 - iommu/vt-d: Fix identity map bounds in si_domain_init() (git-fixes). - commit b4d27e5 - iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace() (git-fixes). - commit bbc9a65 - blacklist.conf: add 053fc4f755ad fuse: fix UAF in rcu pathwalks This commit breaks kABI and the data structure has no free room for the extra field, i.e. memcpy would fail to copy the additional member added by this patch. - commit 941b81c - virtiofs: forbid newlines in tags (bsc#1229940). - commit 61514ce - trace/pid_list: Change gfp flags in pid_list_fill_irq() (git-fixes). - commit 88d1dac - blacklist.conf: add a not-relevant tracing commit - commit 9e3013e - evm: don't copy up 'security.evm' xattr (git-fixes). - commit d3bb5af - afs: fix __afs_break_callback() / afs_drop_open_mmap() race (git-fixes). - commit 150e615 - jfs: define xtree root and page independently (git-fixes). - commit fc62e49 - kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files (git-fixes). - commit 7fa46d1 - gfs2: setattr_chown: Add missing initialization (git-fixes). - commit 9b6ef3b - nfc: pn533: Add poll mod list filling check (git-fixes). - wifi: wfx: repair open network AP mode (git-fixes). - wifi: iwlwifi: fw: fix wgds rev 3 exact size (git-fixes). - wifi: mwifiex: duplicate static structs used in driver instances (git-fixes). - Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination (stable-fixes). - Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 (stable-fixes). - platform/surface: aggregator: Fix warning when controller is destroyed in probe (git-fixes). - thunderbolt: Mark XDomain as unplugged when router is removed (stable-fixes). - Input: MT - limit max slots (stable-fixes). - usb: dwc3: core: Skip setting event buffers for host only controllers (stable-fixes). - platform/x86: lg-laptop: fix %s null argument warning (stable-fixes). - rtc: nct3018y: fix possible NULL dereference (stable-fixes). - usb: gadget: fsl: Increase size of name buffer for endpoints (stable-fixes). - media: drivers/media/dvb-core: copy user arrays safely (stable-fixes). - media: pci: cx23885: check cx23885_vdev_init() return (stable-fixes). - memory: stm32-fmc2-ebi: check regmap_read return value (stable-fixes). - memory: tegra: Skip SID programming if SID registers aren't set (stable-fixes). - Revert &quot;usb: gadget: uvc: cleanup request when not in correct state&quot; (stable-fixes). - usb: gadget: uvc: cleanup request when not in correct state (stable-fixes). - staging: ks7010: disable bh on tx_dev_lock (stable-fixes). - staging: iio: resolver: ad2s1210: fix use before initialization (stable-fixes). - ssb: Fix division by zero issue in ssb_calc_clock_rate (stable-fixes). - commit b84d799 - drm/vmwgfx: Fix prime with external buffers (git-fixes). - drm/i915/dsi: Make Lenovo Yoga Tab 3 X90F DMI match less strict (git-fixes). - drm/amd/display: avoid using null object of framebuffer (git-fixes). - Bluetooth: hci_core: Fix not handling hibernation actions (git-fixes). - drm/amdgpu: Validate TA binary size (stable-fixes). - drm/msm/dpu: take plane rotation into account for wide planes (git-fixes). - drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() (git-fixes). - char: xillybus: Refine workqueue handling (git-fixes). - char: xillybus: Don't destroy workqueue from work item running on it (stable-fixes). - drm/amdgpu: Actually check flags for all context ops (stable-fixes). - drm/amdgpu/jpeg4: properly set atomics vmid field (stable-fixes). - drm/amdgpu/jpeg2: properly set atomics vmid field (stable-fixes). - drm/amd/display: fix s2idle entry for DCN3.5+ (stable-fixes). - drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent (stable-fixes). - hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() (git-fixes). - firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid (stable-fixes). - drm/msm/dpu: capture snapshot on the first commit_done timeout (stable-fixes). - drm/msm/dpu: split dpu_encoder_wait_for_event into two functions (stable-fixes). - drm/lima: set gp bus_stop bit before hard reset (stable-fixes). - drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels (stable-fixes). - gpio: sysfs: extend the critical section for unregistering sysfs devices (stable-fixes). - Bluetooth: bnep: Fix out-of-bound access (stable-fixes). - hwmon: (pc87360) Bounds check data-&gt;innr usage (stable-fixes). - ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data (stable-fixes). - drm/msm/dpu: drop MSM_ENC_VBLANK support (stable-fixes). - drm/msm/dpu: use drmm-managed allocation for dpu_encoder_phys (stable-fixes). - drm/msm/mdss: Rename path references to mdp_path (stable-fixes). - drm/msm/mdss: switch mdss to use devm_of_icc_get() (stable-fixes). - drm/msm/dpu: try multirect based on mdp clock limits (stable-fixes). - drm/msm: Reduce fallout of fence signaling vs reclaim hangs (stable-fixes). - drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode (stable-fixes). - Bluetooth: hci_conn: Check non NULL function before calling for HFP offload (stable-fixes). - i2c: stm32f7: Add atomic_xfer method to driver (stable-fixes). - i2c: riic: avoid potential division by zero (stable-fixes). - i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer (stable-fixes). - i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out (stable-fixes). - ASoC: SOF: Intel: hda-dsp: Make sure that no irq handler is pending before suspend (stable-fixes). - ASoC: cs35l45: Checks index of cs35l45_irqs[] (stable-fixes). - clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider (stable-fixes). - hwmon: (ltc2992) Avoid division by zero (stable-fixes). - commit 1b92ddd - jump_label: Fix the fix, brown paper bags galore (git-fixes). - commit 89b2827 - jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() (git-fixes). - commit 954eaa3 - jump_label: Clarify condition in static_key_fast_inc_not_disabled() (git-fixes). - commit eb457dc - jump_label: Fix concurrency issues in static_key_slow_dec() (git-fixes). - commit 6e92a06 - tracing: Return from tracing_buffers_read() if the file has been closed (bsc#1229136 git-fixes). - commit 8dc8510 - kprobes: Fix to check symbol prefixes correctly (git-fixes). - commit e8b168b - kprobes: Prohibit probing on CFI preamble symbol (git-fixes). - commit 2f9e2b1 - bpf: kprobe: remove unused declaring of bpf_kprobe_override (git-fixes). - commit 4045c94 - wifi: mac80211: fix NULL dereference at band check in starting tx ba session (CVE-2024-43911 bsc#1229827). - commit 0892b94 - syscalls: fix compat_sys_io_pgetevents_time64 usage (git-fixes). - commit b90dd07 - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en (CVE-2024-42277 bsc#1229409). - commit ede2511 - Update references patches.suse/drm-amd-display-Add-null-checks-for-stream-and-plane.patch (CVE-2024-43904 bsc#1229768 stable-fixes) - commit aaa26ef - kabi: lib: objagg: Put back removed metod in struct objagg_ops (CVE-2024-43880 bsc#1229481). - commit 9566f2d - net/sched: initialize noop_qdisc owner (git-fixes). - commit 66e8d18 - drm/amd/display: Fix null pointer deref in dcn20_resource.c (CVE-2024-43899 bsc#1229754). - commit 1811990 - blacklist.conf: add 56769ba4b297a629148eb24d554aef72d1ddfd9e - commit e1cb2aa - exec: Fix ToCToU between perm check and set-uid/gid usage (CVE-2024-43882 bsc#1229503). - commit 7a21b9d - ALSA: hda/realtek: support HP Pavilion Aero 13-bg0xxx Mute LED (stable-fixes). - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book3 Ultra (stable-fixes). - ASoC: allow module autoloading for table board_ids (stable-fixes). - ASoC: allow module autoloading for table db1200_pids (stable-fixes). - ASoC: mediatek: mt8188: Mark AFE_DAC_CON0 register as volatile (stable-fixes). - ASoC: SOF: mediatek: Add missing board compatible (stable-fixes). - ALSA: hda/realtek - FIxed ALC285 headphone no sound (stable-fixes). - ALSA: hda/realtek - Fixed ALC256 headphone no sound (stable-fixes). - ALSA: hda/realtek: Enable mute/micmute LEDs on HP Laptop 14-ey0xxx (stable-fixes). - ALSA: hda/realtek: Implement sound init sequence for Samsung Galaxy Book3 Pro 360 (stable-fixes). - commit 97adcb2 - ip6_tunnel: Fix broken GRO (bsc#1229444). - net/mlx5: Always drain health in shutdown callback (CVE-2024-43866 bsc#1229495). - mlxsw: spectrum_acl_erp: Fix object nesting warning (CVE-2024-43880 bsc#1229481). - commit d9a404d - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins (git-fixes). - pinctrl: starfive: jh7110: Correct the level trigger configuration of iev register (git-fixes). - pinctrl: mediatek: common-v2: Fix broken bias-disable for PULL_PU_PD_RSEL_TYPE (git-fixes). - pinctrl: single: fix potential NULL dereference in pcs_get_function() (git-fixes). - ASoC: SOF: amd: Fix for acp init sequence (git-fixes). - ASoC: amd: acp: fix module autoloading (git-fixes). - ALSA: seq: Skip event type filtering for UMP events (git-fixes). - commit 3fa4a0b - ice: Fix NULL pointer access, if PF doesn't support SRIOV_LAG (bsc#1228737). - commit f1a9730 - kABI: vfio: struct virqfd kABI workaround (CVE-2024-26812 bsc#1222808). - commit ae735c0 - net/sched: Fix mirred deadlock on device recursion (CVE-2024-27010 bsc#1223720). - commit 8c34ee8 - Fix reference in patches.suse/netfilter-tproxy-bail-out-if-IP-has-been-disabled-on.patch (CVE-2024-36270 bsc#1226798) - commit 052d917 - net: qdisc: preserve kabi for struct QDisc (CVE-2024-27010 bsc#1223720). - commit e31d466 - mm/userfaultfd: reset ptes when close() for wr-protected ones (CVE-2024-36881 bsc#1225718). - commit 2267d46 - mm/mglru: fix div-by-zero in vmpressure_calc_level() (CVE-2024-42316 bsc#1229353). - commit ba00671 - md/raid1: set max_sectors during early return from choose_slow_rdev() (git-fixes). - md/raid5: recheck if reshape has finished with device_lock held (git-fixes). - md: Don't wait for MD_RECOVERY_NEEDED for HOT_REMOVE_DISK ioctl (git-fixes). - md/raid5: fix spares errors about rcu usage (git-fixes). - md/md-bitmap: fix writing non bitmap pages (git-fixes). - md: fix deadlock between mddev_suspend and flush bio (bsc#1229342, CVE-2024-43855). - md: change the return value type of md_write_start to void (git-fixes). - md: do not delete safemode_timer in mddev_suspend (git-fixes). - md: don't account sync_io if iostats of the disk is disabled (git-fixes). - md: add check for sleepers in md_wakeup_thread() (git-fixes). - md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING (git-fixes). - md: add a mddev_add_trace_msg helper (git-fixes). - Revert &quot;Revert &quot;md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d&quot;&quot; (git-fixes). - md: fix a suspicious RCU usage warning (git-fixes). - md/raid1: support read error check (git-fixes). - commit f1ec0d4 - md: factor out a helper exceed_read_errors() to check read_errors (git-fixes). - Refresh for the above change, patches.suse/md-display-timeout-error.patch. patches.suse/md-raid1-10-add-a-helper-raid1_check_read_range-f298.patch. - commit 035e3f0 - Revert &quot;md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d&quot; (git-fixes). - commit 5cc0fdd - net/mlx5e: Fix CT entry update leaks of modify header context (CVE-2024-43864 bsc#1229496) - commit 316a4fe - rpm/check-for-config-changes: Exclude ARCH_USING_PATCHABLE_FUNCTION_ENTRY gcc version dependent, at least on ppc - commit 16da158 - af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg (bsc#1226846 CVE-2024-38596). - Update patches.suse/af_unix-Fix-data-races-around-sk-sk_shutdown.patch (git-fixes bsc#1226846). - commit 7ceb0cd - ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work (CVE-2024-26631 bsc#1221630). - commit 317a097 - netfilter: nf_tables: unconditionally flush pending work before notifier (CVE-2024-42109 bsc#1228505) - commit 7a6a06c - cxl/region: Avoid null pointer dereference in region lookup (CVE-2024-41084 bsc#1228472) - commit fc1408b - cxl/region: Move cxl_dpa_to_region() work to the region driver (bsc#1228472) - commit ac0e984 - ipv6: fix possible race in __fib6_drop_pcpu_from() (CVE-2024-40905 bsc#1227761) - commit 6fcd399 - ipv6: sr: fix memleak in seg6_hmac_init_algo (CVE-2024-39489 bsc#1227623) - commit c55beb2 - swiotlb: do not set total_used to 0 in swiotlb_create_debugfs_files() (git-fixes). - swiotlb: fix swiotlb_bounce() to do partial sync's correctly (git-fixes). - commit 99fe6bb - x86/kaslr: Expose and use the end of the physical memory address space (bsc#1229443). - commit 5b98c4e - tls: fix missing memory barrier in tls_init (CVE-2024-36489 bsc#1226874) - commit 67db543 - iommu: Add kABI workaround patch (bsc#1223742 CVE-2024-27079). - commit c4ebc76 - btrfs: copy dir permission and time when creating a stub subvolume (bsc#1228321). - commit 46e95d1 - nouveau/firmware: use dma non-coherent allocator (git-fixes). - drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1 (git-fixes). - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails (git-fixes). - drm/msm/dp: reset the link phy params before link training (git-fixes). - drm/msm/dp: fix the max supported bpp logic (git-fixes). - drm/msm/dpu: don't play tricks with debug macros (git-fixes). - mmc: mmc_test: Fix NULL dereference on allocation failure (git-fixes). - mmc: dw_mmc: allow biu and ciu clocks to defer (git-fixes). - mmc: mtk-sd: receive cmd8 data when hs400 tuning fail (git-fixes). - commit ec72baf - filelock: Fix fcntl/close race recovery compat path (bsc#1228427 CVE-2024-41020). - commit 2c615e8 - vfio/pci: fix potential memory leak in vfio_intx_enable() (git-fixes). - commit 45c2786 - vfio: Introduce interface to flush virqfd inject workqueue (CVE-2024-26812 bsc#1222808). - commit 0704da7 - vfio/pci: Create persistent INTx handler (CVE-2024-26812 bsc#1222808). - commit c0eeff7 - netfilter: nf_tables: discard table flag update with pending basechain deletion (CVE-2024-35897 bsc#1224510). - netfilter: nf_tables: reject table flag and netdev basechain updates (CVE-2024-35897 bsc#1224510). - commit bc3bca5 - kabi: restore const specifier in flow_offload_route_init() (CVE-2024-27403 bsc#1224415). - netfilter: nft_flow_offload: reset dst in route object after setting up flow (CVE-2024-27403 bsc#1224415). - commit f1d28bc - Bluetooth: MGMT: Add error handling to pair_device() (git-fixes). - Bluetooth: SMP: Fix assumption of Central always being Initiator (git-fixes). - Bluetooth: hci_core: Fix LE quote calculation (git-fixes). - commit 82ede4a - netfilter: nf_tables: fix memleak in map from abort path (CVE-2024-27011 bsc#1223803). - commit df3e052 - KVM: Reject overly excessive IDs in KVM_CREATE_VCPU (git-fixes). - commit acfc6dd - KVM: arm64: Fix __pkvm_init_switch_pgd call ABI (git-fixes). - commit ca5dde8 - KVM: Stop processing *all* memslots when &quot;null&quot; mmu_notifier handler is found (git-fixes). - commit edcaf30 - virt: guest_memfd: fix reference leak on hwpoisoned page (git-fixes). - commit 7ac89c3 - KVM: arm64: AArch32: Fix spurious trapping of conditional instructions (git-fixes). - commit 6b4a32b - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode (git-fixes). - commit d2c979d - KVM: arm64: Fix AArch32 register narrowing on userspace write (git-fixes). - commit c002253 - KVM: fix kvm_mmu_memory_cache allocation warning (git-fixes). - commit 9570c83 - KVM: Always flush async #PF workqueue when vCPU is being destroyed (git-fixes). - commit bbeeae4 - iommu: Add static iommu_ops-&gt;release_domain (bsc#1223742 CVE-2024-27079). - iommu/vt-d: Fix NULL domain on device release (bsc#1223742 CVE-2024-27079). - Refresh patches.suse/iommu-vt-d-Fix-WARN_ON-in-iommu-probe-path.patch. - commit 5ddde3c - KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY (git-fixes). - commit 7a71a2a - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler (git-fixes). - commit ebc54df - KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table() (git-fixes). - commit 989930f - KVM: arm64: Add missing memory barriers when switching to pKVM's hyp pgd (git-fixes). - commit 5599b84 - KVM: arm64: vgic-v4: Restore pending state on host userspace write (git-fixes). - commit ba9826d - KVM: arm64: vgic: Force vcpu vgic teardown on vcpu destroy (git-fixes). - commit 26e04aa - KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy() (git-fixes). - commit 686bc1c - netfilter: nft_limit: reject configurations that cause integer overflow (CVE-2024-26668 bsc#1222335). - commit 8ea214b - netfilter: nf_tables: set dormant flag on hook register failure (CVE-2024-26835 bsc#1222967). - commit 8f4d028 - KVM: arm64: vgic: Simplify kvm_vgic_destroy() (git-fixes). - commit 3a96863 - Revert &quot;KVM: Prevent module exit until all VMs are freed&quot; (git-fixes). - commit c075225 - netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (CVE-2024-26808 bsc#1222634). - commit 7f0379b - KVM: arm64: GICv4: Do not perform a map to a mapped vLPI (git-fixes). - commit 919175d - netfilter: nft_set_pipapo: release elements in clone only from destroy path (CVE-2024-26809 bsc#1222633). - commit d3a3287 - KVM: arm64: vgic-v2: Use cpuid from userspace as vcpu_id (git-fixes). - commit 7b3deae - KVM: arm64: timers: Correctly handle TGE flip with CNTPOFF_EL2 (git-fixes). - commit 48c0cad - netfilter: nf_tables: fix memleak when more than 255 elements expired (CVE-2023-52581 bsc#1220877). - commit 26441fd - KVM: Protect vcpu-&gt;pid dereference via debugfs with RCU (git-fixes). - commit 55ae2a6 - KVM: arm64: timers: Fix resource leaks in kvm_timer_hyp_init() (git-fixes). - commit f80cefe - bpf: Fix updating attached freplace prog in prog_array map (bsc#1229297 CVE-2024-43837). - commit a9d7d77 - dma-direct: Leak pages on dma_set_decrypted() failure (bsc#1224535 CVE-2024-35939). - commit 7de8166 - ice: Add a per-VF limit on number of FDIR filters (CVE-2024-42291 bsc#1229374). - commit ee2b93b - net/mlx5: Fix missing lock on sync reset reload (CVE-2024-42268 bsc#1229391). - commit 268cdf6 - selftests/bpf: Add a test to verify previous stacksafe() fix (bsc#1225903). - bpf: Fix a kernel verifier crash in stacksafe() (bsc#1225903). - commit dab2844 - xdp: fix invalid wait context of page_pool_destroy() (CVE-2024-43834 bsc#1229314) - commit 6348ec4 - clk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe() (bsc#1224711 CVE-2024-27433). - commit 30e1ef1 - netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() (CVE-2024-36286 bsc#1226801) - commit 3278d5d - netfilter: tproxy: bail out if IP has been disabled on the device (CVE-2024-36270 1226798) - commit 26814d6 - netfilter: nf_conntrack_h323: Add protection for bmp length out of range (CVE-2024-26851 bsc#1223074) - commit 6ad2cbe - net: bridge: mst: fix suspicious rcu usage in br_mst_set_state (CVE-2024-40920 bsc#1227781). - net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state (CVE-2024-40921 bsc#1227784). - net: bridge: mst: fix vlan use-after-free (CVE-2024-36979 bsc#1226604). - commit 7beae73 - blacklist.conf: git-fixes f2eaed1565acc2bdeb5c433f5f6c7bd7a0d62db1 blacklisted since it involves backporting many other commits not that are relevnat only to gdb debug scripts and whose dependent commits may break kABI. - commit 323e420 - erofs: fix inconsistent per-file compression format (bsc#1220252, CVE-2024-26590). - commit 4f99bd1 - perf: hisi: Fix use-after-free when register pmu fails (bsc#1225582 CVE-2023-52859). - commit a50ce06 - printk/panic: Allow cpu backtraces to be written into ringbuffer during panic (bsc#1225607). - commit 1ebfff4 - net: drop bad gso csum_start and offset in virtio_net_hdr (git-fixes). - commit 6d27b13 - selftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type() (bsc#1229297 CVE-2024-43837). - bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT (bsc#1229297 CVE-2024-43837). - commit 37e60d8 - bpf: simplify btf_get_prog_ctx_type() into btf_is_prog_ctx_type() (git-fixes). - Refresh patches.suse/bpf-don-t-infer-PTR_TO_CTX-for-programs-with-unnamed.patch - Refresh patches.suse/bpf-handle-bpf_user_pt_regs_t-typedef-explicitly-for.patch - bpf: extract bpf_ctx_convert_map logic and make it more reusable (git-fixes). - Refresh patches.suse/bpf-handle-bpf_user_pt_regs_t-typedef-explicitly-for.patch - commit a1a0c24 - vhost: Release worker mutex during flushes (git-fixes). - commit be0d4d9 - virtio: reenable config if freezing device failed (git-fixes). - commit d96d64e - kabi fix for SUNRPC: add a missing rpc_stat for TCP TLS (git-fixes). - SUNRPC: add a missing rpc_stat for TCP TLS (git-fixes). - commit 4fa6f6d - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init() (CVE-2024-42270 bsc#1229404) - commit eb407e1 - netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init() (CVE-2024-42269 bsc#1229402) - commit 6f31e8c - tipc: Return non-zero value from tipc_udp_addr2str() on error (CVE-2024-42284 bsc#1229382) - commit 003e7ab - net: nexthop: Initialize all fields in dumped nexthops (CVE-2024-42283 bsc#1229383) - commit dd830eb - sysctl: always initialize i_uid/i_gid (CVE-2024-42312 bsc#1229357) - commit 683a109 - block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854 bsc#1229345) - commit bc065ac - ipvs: properly dereference pe in ip_vs_add_service (CVE-2024-42322 bsc#1229347) - commit 5abcd51 - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler (git-fixes). - commit efaee02 - net: missing check virtio (git-fixes). - commit 547a4d8 - vhost/vsock: always initialize seqpacket_allow (git-fixes). - commit 1501797 - vhost: Use virtqueue mutex for swapping worker (git-fixes). - commit ee31e9d - nvme-sysfs: add 'tls_keyring' attribute (bsc#1221857). - nvme-sysfs: add 'tls_configured_key' sysfs attribute (bsc#1221857). - nvme: split off TLS sysfs attributes into a separate group (bsc#1221857). - nvme: add a newline to the 'tls_key' sysfs attribute (bsc#1221857). - nvme-tcp: check for invalidated or revoked key (bsc#1221857). - nvme-tcp: sanitize TLS key handling (bsc#1221857). - nvme: tcp: remove unnecessary goto statement (bsc#1221857). - commit 95902b1 - Refresh patches.suse/nvme-fabrics-typo-in-nvmf_parse_key.patch. Move into sorted section. - commit 24e43c3 - vhost-scsi: Handle vhost_vq_work_queue failures for events (git-fixes). - commit bb54ef9 - Update DRM patch reference (CVE-2024-42308 bsc#1229411) - commit ddc1933 - Update patches.suse/nvme-tcp-fix-compile-time-checks-for-TLS-mode.patch (jsc#PED-6252 jsc#PED-5728 jsc#PED-5062 jsc#PED-3535 bsc#1221857). Fix backporting error. - commit 35c7df3 - Update parport patch reference (CVE-2024-42301 bsc#1229407) - commit 6707829 - Refresh patches.suse/nvme-tcp-strict-pdu-pacing-to-avoid-send-stalls-on-T.patch. Use the version which got upload upstream. - commit 4896f98 - blacklist.conf: add ffe6176b7f53 (&quot;virtio: store owner from modules with register_virtio_driver()&quot;) - commit 08df841 - virtio_net: use u64_stats_t infra to avoid data-races (git-fixes). - commit 1825530 - usb: typec: fsa4480: Check if the chip is really there (git-fixes). - commit 771af75 - usb: typec: fsa4480: Add support to swap SBU orientation (git-fixes). - commit b744e01 - usb: typec: fsa4480: add support for Audio Accessory Mode (git-fixes). - commit 471d14e - usb: typec: fsa4480: rework mux &amp; switch setup to handle more states (git-fixes). - commit dc03605 - irqchip/imx-irqsteer: Handle runtime power management correctly (CVE-2024-42290 bsc#1229379). - commit a3bbc63 - landlock: Don't lose track of restrictions on cred_transfer (bsc#1229351 CVE-2024-42318). - commit e161e74 - apparmor: Fix null pointer deref when receiving skb during sock creation (bsc#1229287, CVE-2023-52889). - commit 7a47d08 - kABI fix of: virtio-crypto: handle config changed by work queue (git-fixes). - commit 2e4646f - nvme-multipath: implement &quot;queue-depth&quot; iopolicy (bsc#1227706). - nvme-multipath: prepare for &quot;queue-depth&quot; iopolicy (bsc#1227706). - commit 796fd31 - nilfs2: handle inconsistent state in nilfs_btnode_create_block() (bsc#1229370 CVE-2024-42295). - commit 34231c4 - arm64: dts: imx8mp: Fix pgc vpu locations (git-fixes) - commit 6f29859 - arm64: dts: imx8mp: Fix pgc_mlmix location (git-fixes) - commit 6b6ab8a - soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove (CVE-2024-43850 bsc#1229316). - soc: qcom: icc-bwmon: Set default thresholds dynamically (CVE-2024-43850 bsc#1229316). - commit e842a77 - arm64: dts: imx8mp: add HDMI power-domains (git-fixes) - commit 88b7cca - arm64: dts: imx8mp: Add NPU Node (git-fixes) - commit 55a2e84 - media: mediatek: vcodec: Handle invalid decoder vsi (CVE-2024-43831 bsc#1229309). - commit a7b1ec0 - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures (CVE-2024-43839 bsc#1229301). - net: mana: Add support for page sizes other than 4KB on ARM64 (jsc#PED-8491 bsc#1226530). - commit 24750b5 - Squashfs: fix variable overflow triggered by sysbot (git-fixes). - commit 90b77e5 - squashfs: squashfs_read_data need to check if the length is 0 (git-fixes). - commit 1ab3d64 - jfs: Fix shift-out-of-bounds in dbDiscardAG (git-fixes). - commit f862c1b - jfs: fix null ptr deref in dtInsertEntry (git-fixes). - commit 72d65ab - reiserfs: fix uninit-value in comp_keys (git-fixes). - commit aeea4b8 - Update patches.suse/0001-netlink-add-nla-be16-32-types-to-minlen-array.patch (CVE-2024-26849 bsc#1223053). Fixes: 2747893c94d9b55340403026d9430f2f93947449 - commit 4cf09d7 - virtio-crypto: handle config changed by work queue (git-fixes). - Refresh patches.suse/crypto-virtio-Wait-for-tasklet-to-complete-on-device.patch. - commit 3719b45 - fuse: Initialize beyond-EOF page contents before setting uptodate (bsc#1229456). - fs/netfs/fscache_cookie: add missing &quot;n_accesses&quot; check (bsc#1229455). - commit 1ffdccd - s390/dasd: fix error recovery leading to data corruption on ESE devices (git-fixes bsc#1229452). - commit 421d882 - blacklist.conf: Change entry to alt-commit - Refresh patches.suse/tools-Disable-__packed-attribute-compiler-warning-due-to-Werror-attributes.patch. - commit a7c7d40 - net/iucv: fix the allocation size of iucv_path_table array (git-fixes bsc#1229451). - commit 4e0b259 - blacklist.conf: we don't enable CONFIG_CPUMASK_OFFSTACK on s390 - commit 8a36035 - Refresh patches.suse/0001-drm-mst-Fix-NULL-pointer-dereference-at-drm_dp_add_p.patch (git-fixes) Alt-commit - commit 98e41cf - Refresh patches.suse/drm-i915-vma-Fix-UAF-on-destroy-against-retire-race.patch (git-fixes) Alt-commit - commit 11ef901 - Refresh patches.suse/drm-amd-display-Send-DTBCLK-disable-message-on-first.patch (git-fixes) Alt-commit - commit 6d9aa0a - Refresh patches.suse/drm-amd-display-Fix-DPSTREAM-CLK-on-and-off-sequence.patch (git-fixes) Alt-commit - commit 24768b9 - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() (CVE-2024-41007 bsc#1227863). - commit 35aaaf5 - HID: wacom: Defer calculation of resolution until resolution_code is known (git-fixes). - ALSA: usb: Fix UBSAN warning in parse_audio_unit() (stable-fixes). - commit a485c9b - blacklist.conf: Add libata upstream revert entry (bsc#1229054) - commit 5ded40a - bpf: Fix a segment issue when downgrading gso_size (bsc#1229386 CVE-2024-42281). - commit f593f1f - kABI fix for net/sched: flower: Fix chain template offload (CVE-2024-26669 bsc#1222350). - net/sched: flower: Fix chain template offload (CVE-2024-26669 bsc#1222350). - commit 43f1cd6 - kABI fix for rxrpc: Fix delayed ACKs to not set the reference serial number (CVE-2024-26677 bsc#1222387). - rxrpc: Fix delayed ACKs to not set the reference serial number (CVE-2024-26677 bsc#1222387). - commit c3c3a27 - Update patches.suse/cpu-SMT-Enable-SMT-only-if-a-core-is-online.patch (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes bsc#1229327 ltc#206365). - Update patches.suse/powerpc-topology-Check-if-a-core-is-online.patch (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes bsc#1229327 ltc#206365). - commit fd7ec4b - xprtrdma: Fix rpcrdma_reqs_reset() (git-fixes). - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey (git-fixes). - commit c717fae - SUNRPC: Fix a race to wake a sync task (git-fixes). - nfs: pass explicit offset/count to trace events (git-fixes). - commit 6f41a0a - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server (git-fixes). - NFSD: Support write delegations in LAYOUTGET (git-fixes). - nfs: don't invalidate dentries on transient errors (git-fixes). - nfs: propagate readlink errors in nfs_symlink_filler (git-fixes). - nfs: make the rpc_stat per net namespace (git-fixes). - nfs: expose /proc/net/sunrpc/nfs in net namespaces (git-fixes). - sunrpc: add a struct rpc_stats arg to rpc_create_args (git-fixes). - commit 6ab4001 - Update patches.suse/ata-libata-core-Fix-double-free-on-error.patch (git-fixes CVE-2024-41087 bsc#1228740 bsc#1228466). - Update patches.suse/cachefiles-add-missing-lock-protection-when-polling.patch (bsc#1229256 CVE-2024-42250 bsc#1228977). - Update patches.suse/cachefiles-defer-exposing-anon_fd-until-after-copy_to.patch (bsc#1229251 CVE-2024-40913 bsc#1227839). - Update patches.suse/cachefiles-fix-slab-use-after-free-in-cachefiles_onde.patch (bsc#1229247 CVE-2024-39510 bsc#1227734). - Update patches.suse/cachefiles-fix-slab-use-after-free-in-cachefiles_ondemand_daemon_read.patch (bsc#1229246 CVE-2024-40899 bsc#1227758). - Update patches.suse/drm-i915-gem-Fix-Virtual-Memory-mapping-boundaries-c.patch (git-fixes CVE-2024-42259 bsc#1229156). - Update patches.suse/powerpc-pseries-Whitelist-dtl-slub-object-for-copyin.patch (bsc#1194869 CVE-2024-41065 bsc#1228636). - commit 3fec826 - char: xillybus: Check USB endpoints when probing device (git-fixes). - Revert &quot;misc: fastrpc: Restrict untrusted app to attach to privileged PD&quot; (git-fixes). - tty: atmel_serial: use the correct RTS flag (git-fixes). - tty: serial: fsl_lpuart: mark last busy before uart_add_one_port (git-fixes). - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration (git-fixes). - Revert &quot;usb: typec: tcpm: clear pd_event queue in PORT_RESET&quot; (git-fixes). - commit e3fe681 - blacklist.conf: add unwanted nfs/sunrpc patch - commit 405ec89 - Refresh patches.suse/SUNRPC-avoid-soft-lockup-when-transmitting-UDP-to-re.patch. Add git-commit - commit 7a1e763 - xfs: attr forks require attr, not attr2 (git-fixes). - commit d1644af - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume (git-fixes). - i2c: Use IS_REACHABLE() for substituting empty ACPI functions (git-fixes). - commit 37fcb0e - Move upstreamed powerpc patches into sorted section - commit 7bdd775 - xfs: journal geometry is not properly bounds checked (git-fixes). - commit 7680aeb - arm64: Fix KASAN random tag seed initialization (git-fixes) - commit a300263 - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to (git-fixes) - commit a089c62 - spi: Add empty versions of ACPI functions (stable-fixes). - i2c: Fix conditional for substituting empty ACPI functions (stable-fixes). - commit 3dc083c - gpio: mlxbf3: Support shutdown() function (git-fixes). - ALSA: hda/tas2781: Use correct endian conversion (git-fixes). - ALSA: usb-audio: Support Yamaha P-125 quirk entry (stable-fixes). - ALSA: hda/tas2781: fix wrong calibrated data order (git-fixes). - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET (stable-fixes). - ALSA: hda/realtek: Add support for new HP G12 laptops (stable-fixes). - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 (git-fixes). - ALSA: timer: Relax start tick time check for slave timer elements (git-fixes). - drm/amd/display: Adjust cursor position (git-fixes). - drm/amd/display: fix cursor offset on rotation 180 (git-fixes). - device property: Add cleanup.h based fwnode_handle_put() scope based cleanup (stable-fixes). - commit 51be9a0 - xfs: allow cross-linking special files without project quota (git-fixes). - commit 8d26aca - KVM: nVMX: Check for pending posted interrupts when looking for nested events (git-fixes). - commit 0b1027c - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked() (git-fixes). - commit 47fc351 - xfs: use consistent uid/gid when grabbing dquots for inodes (git-fixes). - commit c1c88ce - xfs: honor init_xattrs in xfs_init_new_inode for !ATTR fs (git-fixes). - commit fae2711 - xfs: allow unlinked symlinks and dirs with zero size (git-fixes). - commit 184b713 - blacklist.conf: add f99b052256f1 (&quot;KVM: SNP: Fix LBR Virtualization for SNP guest&quot;) - commit c9ad47e - KVM: x86/mmu: Bug the VM if KVM tries to split a !hugepage SPTE (git-fixes). - commit 96acab8 - xfs: fix unlink vs cluster buffer instantiation race (git-fixes). - commit 0ae592b - xfs: upgrade the extent counters in xfs_reflink_end_cow_extent later (git-fixes). - commit 730a4f0 - xfs: match lock mode in xfs_buffered_write_iomap_begin() (git-fixes). - commit e70a195 - xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery (git-fixes). - commit 85919a1 - xfs: don't use current-&gt;journal_info (git-fixes). - commit d96f684 - KVM: nVMX: Request immediate exit iff pending nested event needs injection (git-fixes). - commit 9d306b8 - cachefiles: add missing lock protection when polling (bsc#1229256). - cachefiles: cyclic allocation of msg_id to avoid reuse (bsc#1228499 CVE-2024-41050). - cachefiles: wait for ondemand_object_worker to finish when dropping object (bsc#1228468 CVE-2024-41051). - cachefiles: cancel all requests for the object that is being dropped (bsc#1229255). - cachefiles: stop sending new request when dropping object (bsc#1229254). - cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop (bsc#1229253). - cachefiles: make on-demand read killable (bsc#1229252). - cachefiles: Set object to close if ondemand_id &lt; 0 in copen (bsc#1228643 CVE-2024-41074). - cachefiles: defer exposing anon_fd until after copy_to_user() succeeds (bsc#1229251). - cachefiles: never get a new anonymous fd if ondemand_id is valid (bsc#1229250). - cachefiles: add spin_lock for cachefiles_ondemand_info (bsc#1229249). - cachefiles: add consistency check for copen/cread (bsc#1228646 CVE-2024-41075). - cachefiles: remove err_put_fd label in cachefiles_ondemand_daemon_read() (bsc#1229248). - cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() (bsc#1229247). - cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() (bsc#1229246). - cachefiles, erofs: Fix NULL deref in when cachefiles is not doing ondemand-mode (bsc#1229245). - cachefiles: add restore command to recover inflight ondemand read requests (bsc#1229244). - cachefiles: narrow the scope of triggering EPOLLIN events in ondemand mode (bsc#1229243). - cachefiles: resend an open request if the read request's object is closed (bsc#1229241). - cachefiles: extract ondemand info field from cachefiles_object (bsc#1229240). - cachefiles: introduce object ondemand state (bsc#1229239). - commit 3d893c5 - KVM: nVMX: Add a helper to get highest pending from Posted Interrupt vector (git-fixes). - commit ebf04ff - KVM: VMX: Switch __vmx_exit() and kvm_x86_vendor_exit() in vmx_exit() (git-fixes). - commit 8ef91ee - KVM: x86: Limit check IDs for KVM_SET_BOOT_CPU_ID (git-fixes). - commit 395837f - KVM: VMX: Move posted interrupt descriptor out of VMX code (git-fixes). - commit feb966b - xfs: allow symlinks with short remote targets (bsc#1229160). - commit e82d4ad - blacklist.conf: add 1c682593096a (&quot;xen: privcmd: Switch from mutex to spinlock for irqfds&quot;) - commit 46d4480 - x86/xen: Convert comma to semicolon (git-fixes). - commit c8d2d16 - net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings (bsc#1229154). - net: mana: Fix RX buf alloc_size alignment and atomic op panic (bsc#1229086). - commit 59cb1c7 - wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion (git-fixes). - net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() (git-fixes). - media: Revert &quot;media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()&quot; (git-fixes). - commit daf04e2 - filelock: Remove locks reliably when fcntl/close race is detected (CVE-2024-41012 bsc#1228247). - commit a736b9b - io_uring: fix possible deadlock in io_register_iowq_max_workers() (bsc#1228616 CVE-2024-41080). - commit eae6448 - io_uring: fix io_match_task must_hold (git-fixes). - io_uring: tighten task exit cancellations (git-fixes). - commit f9ce2d8 - io_uring: Fix probe of disabled operations (git-fixes). - io_uring/advise: support 64-bit lengths (git-fixes). - commit 7566a8d - io_uring: Drop per-ctx dummy_ubuf (git-fixes). - commit 2717cc1 - powerpc/kexec_file: fix cpus node update to FDT (bsc#1194869). - powerpc/pseries: Whitelist dtl slub object for copying to userspace (bsc#1194869). - powerpc/kexec: make the update_cpus_node() function public (bsc#1194869). - powerpc/xmon: Check cpu id in commands &quot;c#&quot;, &quot;dp#&quot; and &quot;dx#&quot; (bsc#1194869). - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n (bsc#1194869). - powerpc/io: Avoid clang null pointer arithmetic warnings (bsc#1194869). - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp (bsc#1194869). - powerpc/kexec: split CONFIG_KEXEC_FILE and CONFIG_CRASH_DUMP (bsc#1194869). - powerpc: xor_vmx: Add '-mhard-float' to CFLAGS (bsc#1194869). - powerpc/radix: Move some functions into #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE (bsc#1194869). - commit 4e7f0fe - blacklist.conf: Add a bunch of superfluous ppc changes reported by git-fixes. - commit 7c2a851 - blacklist.conf: Add ppc more ppc unsupported arch paths and commits. - commit 66e06b4 - blacklist.conf: Add more ppc 32bit paths. - commit 013a9db - arm64: errata: Expand speculative SSBS workaround (again) (git-fixes) - commit e589bbc - arm64: cputype: Add Cortex-A725 definitions (git-fixes) - commit 0d04176 - arm64: cputype: Add Cortex-X1C definitions (git-fixes) - commit 6a5ea61 - arm64: errata: Expand speculative SSBS workaround (git-fixes) - commit f75d6ba - arm64: errata: Unify speculative SSBS errata logic (git-fixes). Update config files. - commit ffaab08 - arm64: cputype: Add Cortex-X925 definitions (git-fixes) - commit 3c8ddb7 - arm64: cputype: Add Cortex-A720 definitions (git-fixes) - commit f5fd7c6 - arm64: cputype: Add Cortex-X3 definitions (git-fixes) - commit d87d988 - arm64: errata: Add workaround for Arm errata 3194386 and 3312417 (git-fixes) Refresh patches.suse/kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch and enable around. - commit b3747ef - arm64: cputype: Add Neoverse-V3 definitions (git-fixes) - commit 78aeee9 - arm64: cputype: Add Cortex-X4 definitions (git-fixes) - commit 2841965 - arm64: barrier: Restore spec_bar() macro (git-fixes) - commit 5c935b6 - arm64: Add Neoverse-V2 part (git-fixes) - commit 0f9f30b - net/rds: fix possible cp null dereference (git-fixes). - commit cac3126 - s390/pci: Add missing virt_to_phys() for directed DIBV (git-fixes bsc#1229174). - commit ea8e3e7 - s390/dasd: fix error checks in dasd_copy_pair_store() (git-fixes bsc#1229173). - commit f5c4fe8 - s390/pci: Allow allocation of more than 1 MSI interrupt (git-fixes bsc#1229172). - s390/pci: Refactor arch_setup_msi_irqs() (git-fixes bsc#1229172). - commit ad8c54b - s390/cpum_cf: Fix endless loop in CF_DIAG event stop (git-fixes bsc#1229171). - commit 94c7469 - s390/uv: Panic for set and remove shared access UVC errors (git-fixes bsc#1229170). - commit 447c271 - s390/sclp: Prevent release of buffer in I/O (git-fixes bsc#1229169). - commit 9daf007 - kvm: s390: Reject memory region operations for ucontrol VMs (git-fixes bsc#1229168). - commit 14a9742 - KVM: s390: fix validity interception issue when gisa is switched off (git-fixes bsc#1229167). - commit 5c4e348 - Update patch reference of USB patch (jsc#PED-10108) - commit edfa08b - USB: serial: debug: do not echo input by default (stable-fixes). - usb: vhci-hcd: Do not drop references before new references are gained (stable-fixes). - serial: core: check uartclk for zero to avoid divide by zero (stable-fixes). - media: xc2028: avoid use-after-free in load_firmware_cb() (stable-fixes). - media: uvcvideo: Fix the bandwdith quirk on USB 3.x (stable-fixes). - media: uvcvideo: Ignore empty TS packets (stable-fixes). - media: amphion: Remove lock in s_ctrl callback (stable-fixes). - wifi: nl80211: don't give key data to userspace (stable-fixes). - PCI: Add Edimax Vendor ID to pci_ids.h (stable-fixes). - wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup() (stable-fixes). - wifi: nl80211: disallow setting special AP channel widths (stable-fixes). - gpio: prevent potential speculation leaks in gpio_device_get_desc() (stable-fixes). - commit 2335bf9 - docs: KVM: Fix register ID of SPSR_FIQ (git-fixes). - drm/i915/gem: Adjust vma offset for framebuffer mmap offset (stable-fixes). - drm/amd/display: Skip Recompute DSC Params if no Stream on Link (stable-fixes). - drm/amdgpu: Forward soft recovery errors to userspace (stable-fixes). - drm/dp_mst: Skip CSN if topology probing is not done yet (stable-fixes). - drm/mediatek/dp: Fix spurious kfree() (git-fixes). - drm/amd/display: Add null checker before passing variables (stable-fixes). - Revert &quot;drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update&quot; (stable-fixes). - drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update (stable-fixes). - drm/bridge: analogix_dp: properly handle zero sized AUX transactions (stable-fixes). - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr (stable-fixes). - drm/radeon: Remove __counted_by from StateArray.states[] (git-fixes). - drm/amdgpu: Add lock around VF RLCG interface (stable-fixes). - drm/admgpu: fix dereferencing null pointer context (stable-fixes). - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules (stable-fixes). - drm/amdgpu: Fix the null pointer dereference to ras_manager (stable-fixes). - drm/amdgpu/pm: Fix the null pointer dereference for smu7 (stable-fixes). - drm/amdgpu/pm: Fix the param type of set_power_profile_mode (stable-fixes). - drm/amdgpu: fix potential resource leak warning (stable-fixes). - drm/amd/display: Add delay to improve LTTPR UHBR interop (stable-fixes). - Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading (stable-fixes). - can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd (stable-fixes). - can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum (stable-fixes). - ACPI: SBS: manage alarm sysfs attribute through psy core (stable-fixes). - ACPI: battery: create alarm sysfs attribute atomically (stable-fixes). - clocksource/drivers/sh_cmt: Address race condition for clock events (stable-fixes). - commit 2a8ca72 - Update patch reference for SPI patch (jsc#PED-10105) - commit a896d55 - kabi fix for KVM: s390: fix LPSWEY handling (bsc#1227634 git-fixes). - KVM: s390: fix LPSWEY handling (bsc#1227634 git-fixes). - commit 576de67 - kernfs: Convert kernfs_path_from_node_locked() from strlcpy() to strscpy() (bsc#1229134). - Refresh patches.suse/cgroup-cpuset-Prevent-UAF-in-proc_cpuset_show.patch. - commit bc8376b - Update patch reference for iwlwifi fix (jsc#PED-10055) - commit 73fda85 - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table (bsc#1229056). - commit 0ae7f4e - bpf: hardcode BPF_PROG_PACK_SIZE to 2MB * num_possible_nodes() (git-fixes). - bpf: don't infer PTR_TO_CTX for programs with unnamed context type (git-fixes). - bpf: handle bpf_user_pt_regs_t typedef explicitly for PTR_TO_CTX global arg (git-fixes). - bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly (git-fixes). - commit dd0591b - net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket (CVE-2024-42246 bsc#1228989). - commit 12865c8 - tools/resolve_btfids: Fix comparison of distinct pointer types warning in resolve_btfids (git-fixes). - tools/resolve_btfids: fix build with musl libc (git-fixes). - commit f42b517 - btrfs: fix leak of qgroup extent records after transaction abort (git-fixes). - btrfs: fix ordered extent split error handling in btrfs_dio_submit_io (git-fixes). - btrfs: use irq safe locking when running and adding delayed iputs (git-fixes). - commit 59b18df - btrfs: fix extent map use-after-free when adding pages to compressed bio (git-fixes). - commit b3e7c96 - Drop libata patch that caused a regression (bsc#1229054) - commit 3d5faca - btrfs: fix double inode unlock for direct IO sync writes (git-fixes). - btrfs: fix corruption after buffer fault in during direct IO append write (git-fixes). - btrfs: use a btrfs_inode local variable at btrfs_sync_file() (git-fixes). - btrfs: pass a btrfs_inode to btrfs_wait_ordered_range() (git-fixes). - btrfs: pass a btrfs_inode to btrfs_fdatawrite_range() (git-fixes). - btrfs: use a btrfs_inode in the log context (struct btrfs_log_ctx) (git-fixes). - btrfs: make btrfs_finish_ordered_extent() return void (git-fixes). - btrfs: ensure fast fsync waits for ordered extents after a write failure (git-fixes). - btrfs: rename err to ret in btrfs_direct_write() (git-fixes). - btrfs: uninline some static inline helpers from tree-log.h (git-fixes). - btrfs: use btrfs_finish_ordered_extent to complete buffered writes (git-fixes). - btrfs: use btrfs_finish_ordered_extent to complete direct writes (git-fixes). - btrfs: use btrfs_finish_ordered_extent to complete compressed writes (git-fixes). - btrfs: open code end_extent_writepage in end_bio_extent_writepage (git-fixes). - btrfs: add a btrfs_finish_ordered_extent helper (git-fixes). - btrfs: factor out a btrfs_queue_ordered_fn helper (git-fixes). - btrfs: factor out a can_finish_ordered_extent helper (git-fixes). - btrfs: use bbio-&gt;ordered in btrfs_csum_one_bio (git-fixes). - btrfs: add an ordered_extent pointer to struct btrfs_bio (git-fixes). - btrfs: open code btrfs_bio_end_io in btrfs_dio_submit_io (git-fixes). - btrfs: add a is_data_bbio helper (git-fixes). - btrfs: remove btrfs_add_ordered_extent (git-fixes). - btrfs: pass an ordered_extent to btrfs_submit_compressed_write (git-fixes). - btrfs: pass an ordered_extent to btrfs_reloc_clone_csums (git-fixes). - btrfs: merge the two calls to btrfs_add_ordered_extent in run_delalloc_nocow (git-fixes). - btrfs: limit write bios to a single ordered extent (git-fixes). - commit 90ea198 - powerpc/topology: Check if a core is online (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes). - cpu/SMT: Enable SMT only if a core is online (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes). - commit 3d340df - Update patch reference for MD patch (jsc#PED-10029 jsc#PED-10045) - commit 1bf8fd1 - Update patch refefernce for MFD patch (jsc#PED-10029) - commit f36d989 - platform/x86/amd/hsmp: Check HSMP support on AMD family of processors (jsc#PED-8779). - commit c606582 - platform/x86/amd/hsmp: switch to use device_add_groups() (jsc#PED-8779). - commit 4007799 - platform/x86/amd/hsmp: Change devm_kzalloc() to devm_kcalloc() (jsc#PED-8779). - commit 9854658 - platform/x86/amd/hsmp: Remove extra parenthesis and add a space (jsc#PED-8779). - commit 0a84b39 - platform/x86/amd/hsmp: Check num_sockets against MAX_AMD_SOCKETS (jsc#PED-8779). - commit 85ba4b7 - platform/x86/amd/hsmp: Non-ACPI support for AMD F1A_M00~0Fh (jsc#PED-8779). - commit 1b89039 - platform/x86/amd/hsmp: Add support for ACPI based probing (jsc#PED-8779). - commit 73c2646 - platform/x86/amd/hsmp: Restructure sysfs group creation (jsc#PED-8779). - commit 9e31807 - platform/x86/amd/hsmp: Move dev from platdev to hsmp_socket (jsc#PED-8779). - commit f6baa58 - platform/x86/amd/hsmp: Define a struct to hold mailbox regs (jsc#PED-8779). - commit 07f864e - platform/x86/amd/hsmp: Create static func to handle platdev (jsc#PED-8779). - commit d5ea9be - platform/x86/amd/hsmp: Cache pci_dev in struct hsmp_socket (jsc#PED-8779). - commit d314cb6 - platform/x86/amd/hsmp: Move hsmp_test to probe (jsc#PED-8779). - commit b00829d - tools/resolve_btfids: Fix cross-compilation to non-host endianness (git-fixes). - tools/resolve_btfids: Refactor set sorting with types from btf_ids.h (git-fixes). - libbpf: Use OPTS_SET() macro in bpf_xdp_query() (git-fixes). - commit 6fc7b9e - libbpf: Add missing LIBBPF_API annotation to libbpf_set_memlock_rlim API (git-fixes). - selftests/bpf: Disable IPv6 for lwt_redirect test (git-fixes). - libbpf: Fix faccessat() usage on Android (git-fixes). - selftests/bpf: Wait for the netstamp_needed_key static key to be turned on (git-fixes). - commit 89d6f3b - selftests/bpf: Fix the flaky tc_redirect_dtime test (git-fixes). - selftest/bpf: Add map_in_maps with BPF_MAP_TYPE_PERF_EVENT_ARRAY values (git-fixes). - libbpf: Apply map_set_def_max_entries() for inner_maps on creation (git-fixes). - selftests/bpf: Fix potential premature unload in bpf_testmod (git-fixes). - bpftool: Silence build warning about calloc() (git-fixes). - commit 7aaf2fc - x86/asm: Use %c/%n instead of %P operand modifier in asm templates (git-fixes). - Refresh patches.suse/x86-uaccess-Fix-missed-zeroing-of-ia32-u64-get_user-range-.patch. - commit 97ffc68 - selftests/bpf: Fix up xdp bonding test wrt feature flags (git-fixes). - selftests/bpf: fix compiler warnings in RELEASE=1 mode (git-fixes). - selftests/bpf: Relax time_tai test for equal timestamps in tai_forward (git-fixes). - bpf: Set uattr-&gt;batch.count as zero before batched update or deletion (git-fixes). - bpf: Remove unnecessary wait from bpf_map_copy_value() (git-fixes). - commit 19ebfe6 - bpf: enforce precision of R0 on callback return (git-fixes). - selftests/bpf: Fix erroneous bitmask operation (git-fixes). - bpf/tests: Remove duplicate JSGT tests (git-fixes). - bpftool: mark orphaned programs during prog show (git-fixes). - commit 2b6a18e - bpf: Fix a few selftest failures due to llvm18 change (git-fixes). - selftests/bpf: Fix issues in setup_classid_environment() (git-fixes). - selftests/bpf: Add assert for user stacks in test_task_stack (git-fixes). - selftests/bpf: Fix pyperf180 compilation failure with clang18 (git-fixes). - bpf: Add crosstask check to __bpf_get_stack (git-fixes). - commit fce00e9 - bpf, lpm: Fix check prefixlen before walking trie (git-fixes). - selftests/bpf: satisfy compiler by having explicit return in btf test (git-fixes). - selftests/bpf: fix RELEASE=1 build for tc_opts (git-fixes). - bpf: Fix prog_array_map_poke_run map poke update (git-fixes). - commit ca200c8 - scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add() (bsc#1228754 CVE-2024-42159 git-fixes). - scsi: mpi3mr: Sanitise num_phys (bsc#1228754 CVE-2024-42159). - commit e024eb0 - tcp_metrics: validate source addr length (CVE-2024-42154 bsc#1228507). - commit a83d949 - selftests/bpf: check if max number of bpf_loop iterations is tracked (git-fixes). Refresh patches.suse/selftests-bpf-test-case-for-callback_depth-states-pr.patch. - selftests/bpf: fix bpf_loop_bench for new callback verification scheme (git-fixes). - selftests/bpf: Add netkit to tc_redirect selftest (git-fixes). - selftests/bpf: De-veth-ize the tc_redirect test case (git-fixes). - bpf: fix control-flow graph checking in privileged mode (git-fixes). - commit 27db2c6 - bpf: Fix check_stack_write_fixed_off() to correctly spill imm (git-fixes). - bpf: Fix unnecessary -EBUSY from htab_lock_bucket (git-fixes). - commit b5c430e - mm/shmem: disable PMD-sized page cache if needed (CVE-2024-42241 bsc#1228986). - commit 8ecdd91 - x86/mm: Fix pti_clone_pgtable() alignment assumption (git-fixes). - commit 1d041a1 - x86/mm: Fix pti_clone_entry_text() for i386 (git-fixes). - commit 5407674 - x86/pci: Skip early E820 check for ECAM region (git-fixes). - commit 7ac1bfc - x86/mtrr: Check if fixed MTRRs exist before saving them (git-fixes). - commit 03de6ee - x86/entry/64: Remove obsolete comment on tracing vs. SYSRET (git-fixes). - commit 41708c1 - memcg: protect concurrent access to mem_cgroup_idr (git-fixes). - commit e9979b2 - Revert &quot;sched/fair: Make sure to try to detach at least one movable task&quot; (CVE-2024-42245 bsc#1228978). - commit bff0dc0 - selftests/bpf: Make linked_list failure test more robust (git-fixes). - bpf: Ensure proper register state printing for cond jumps (git-fixes). - commit 2ec4f49 - ipv6: sr: fix incorrect unregister order (git-fixes). - commit f975fdd - ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735 bsc#1222372). - commit 75aaed9 - bpftool: Align output skeleton ELF code (git-fixes). - samples/bpf: syscall_tp_user: Fix array out-of-bound access (git-fixes). - samples/bpf: syscall_tp_user: Rename num_progs into nr_tests (git-fixes). - bpf: Fix kfunc callback register type handling (git-fixes). - commit ee3cca0 - bpf: Detect IP == ksym.end as part of BPF program (git-fixes). - commit b5b57d0 - selftests/bpf: Skip module_fentry_shadow test when bpf_testmod is not available (git-fixes). - commit 85b5d5e - bpftool: Fix -Wcast-qual warning (git-fixes). - commit 0417873 - net: bridge: switchdev: Skip MDB replays of deferred events on offload (CVE-2024-26837 bsc#1222973). - commit 2f55c98 - s390/pkey: Wipe copies of protected- and secure-keys (CVE-2024-42155 bsc#1228733). - s390/pkey: Wipe copies of clear-key structures on failure (CVE-2024-42156 bsc#1228722). - s390/pkey: Wipe sensitive data on failure (CVE-2024-42157 bsc#1228727). - s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings (CVE-2024-42158 bsc#1228720). - s390/pkey: introduce dynamic debugging for pkey (bsc#1228720). - s390/pkey: harmonize pkey s390 debug feature calls (bsc#1228720). - commit 72f0617 - usb: gadget: u_serial: Set start_delayed during suspend (git-fixes). - usb: gadget: core: Check for unset descriptor (git-fixes). - usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed (git-fixes). - driver core: Fix uevent_show() vs driver detach race (git-fixes). - thermal/drivers/broadcom: Fix race between removal and clock disable (git-fixes). - thermal: bcm2835: Convert to platform remove callback returning void (stable-fixes). - commit 9bfd8af - selftests/bpf: Cover verifier checks for mutating sockmap/sockhash (bsc#1226885 CVE-2024-38662). - Revert &quot;bpf, sockmap: Prevent lock inversion deadlock in map delete elem&quot; (bsc#1226885 CVE-2024-38662). - bpf: Allow delete from sockmap/sockhash only if update is allowed (bsc#1226885 CVE-2024-38662). - commit 7f528cf - rpm/kernel-binary.spec.in: fix klp_symbols macro The commit below removed openSUSE filter from %ifs of the klp_symbols definition. But it removed -c of grep too and that causes: error: syntax error in expression: 01 &amp;&amp; ( || 1 ) error: ^ error: unmatched (: 01 &amp;&amp; ( || 1 ) error: ^ error: kernel-default.spec:137: bad %if condition: 01 &amp;&amp; ( || 1 ) So reintroduce -c to the PTF's grep. Fixes: fd0b293bebaf (kernel-binary.spec.in: Enable klp_symbols on openSUSE Tumbleweed (boo#1229042).) - commit 4a36fe3 - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume (git-fixes). - i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume (git-fixes). - i2c: smbus: Send alert notifications to all devices if source not found (git-fixes). - i2c: smbus: Improve handling of stuck alerts (git-fixes). - spi: spi-fsl-lpspi: Fix scldiv calculation (git-fixes). - spi: spidev: Add missing spi_device_id for bh2228fv (git-fixes). - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation (git-fixes). - drm/client: fix null pointer dereference in drm_client_modeset_probe (git-fixes). - commit e093c66 - Update patch references for ASoC regression fixes (bsc#1229045 bsc#1229046) - commit 4e3f007 - rpm/kernel-binary.spec.in: Fix build regression The previous fix forgot to take over grep -c option that broke the conditional expression - commit d29edf2 - Moved upstreamed ASoC patch into sorted section - commit 3058bc3 - ASoC: cs35l56: Patch CS35L56_IRQ1_MASK_18 to the default value (stable-fixes). - ASoC: amd: yc: Support mic on Lenovo Thinkpad E14 Gen 6 (stable-fixes). - ASoC: cs35l56: Handle OTP read latency over SoundWire (stable-fixes). - ASoC: nau8822: Lower debug print priority (stable-fixes). - ASoC: fsl_micfil: Expand the range of FIFO watermark mask (stable-fixes). - ASoC: amd: yc: Support mic on HP 14-em0002la (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks (stable-fixes). - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 (stable-fixes). - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list (stable-fixes). - ALSA: line6: Fix racy access to midibuf (stable-fixes). - ASoC: cs35l56: Patch CS35L56_IRQ1_MASK_18 to the default value (stable-fixes). - ASoC: amd: yc: Support mic on Lenovo Thinkpad E14 Gen 6 (stable-fixes). - ASoC: cs35l56: Handle OTP read latency over SoundWire (stable-fixes). - ASoC: nau8822: Lower debug print priority (stable-fixes). - ASoC: fsl_micfil: Expand the range of FIFO watermark mask (stable-fixes). - ASoC: amd: yc: Support mic on HP 14-em0002la (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks (stable-fixes). - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 (stable-fixes). - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list (stable-fixes). - ALSA: line6: Fix racy access to midibuf (stable-fixes). - commit a8c8868 - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT (git-fixes). - ASoC: SOF: Remove libraries from topology lookups (git-fixes). - ASoC: codecs: wsa884x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wsa883x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wsa881x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask (git-fixes). - ALSA: usb-audio: Re-add ScratchAmp quirk entries (git-fixes). - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT (git-fixes). - ASoC: SOF: Remove libraries from topology lookups (git-fixes). - ASoC: codecs: wsa884x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wsa883x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wsa881x: Correct Soundwire ports mask (git-fixes). - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask (git-fixes). - ALSA: usb-audio: Re-add ScratchAmp quirk entries (git-fixes). - commit cdc2939 - kernel-binary.spec.in: Enable klp_symbols on openSUSE Tumbleweed (boo#1229042). After the Jump project the kernel used by SLE and openSUSE Leap are the same. As consequence the klp_symbols variable is set, enabling kernel-default-livepatch-devel on both SLE and openSUSE. The current rules to avoid enabling the package exclude openSUSE Tumbleweed alone, which doesn't makes sense for now. Enabling kernel-default-livepatch-devel on TW makes it easier to test the creation of kernel livepatches of the next SLE versions. - commit fd0b293 - Split kABI workaround of recent hyperv fixes (bsc#1229040, bsc#1225745, CVE-2024-36911, bsc#1225717, CVE-2024-36910, bsc#1225744, CVE-2024-36909) - commit 3639306 - Yet more build fix without patches.kabi (bsc#1226502) - commit 6bc3429 - Fix build errors without patches.kabi (bsc#1226502) Now patches.suse/x86-Stop-using-weak-symbols-for-__iowrite32_copy.patch has a full backport and later partially reverted via patches.kabi/kabi-partial-revert-commit-20516d6e51dd.patch - commit 44c5e90 - landlock: Fix d_parent walk (CVE-2024-40938 bsc#1227840). - commit 36de641 - net: fix sk_memory_allocated_{add|sub} vs softirqs (bsc#1228757). - commit a963c0f - minmax: fix up min3() and max3() too (bsc#1229024). - minmax: improve macro expansion and type checking (bsc#1229024). - minmax: simplify min()/max()/clamp() implementation (bsc#1229024). - minmax: don't use max() in situations that want a C constant expression (bsc#1229024). - minmax: make generic MIN() and MAX() macros available everywhere (bsc#1229024). - minmax: simplify and clarify min_t()/max_t() implementation (bsc#1229024). - minmax: add a few more MIN_T/MAX_T users (bsc#1229024). - minmax: avoid overly complicated constant expressions in VM code (bsc#1229024). - drm/radeon/evergreen_cs: Clean up errors in evergreen_cs.c (bsc#1229024). - commit c64c296 - Update patches.suse/ALSA-emux-improve-patch-ioctl-data-validation.patch (stable-fixes CVE-2024-42097 bsc#1228766). - Update patches.suse/ASoC-SOF-Intel-hda-fix-null-deref-on-system-suspend-.patch (git-fixes CVE-2024-41037 bsc#1228508). - Update patches.suse/ASoC-amd-acp-add-a-null-check-for-chip_pdev-structur.patch (git-fixes CVE-2024-42074 bsc#1228481). - Update patches.suse/ASoC-fsl-asoc-card-set-priv-pdev-before-using-it.patch (git-fixes CVE-2024-42089 bsc#1228450). - Update patches.suse/Bluetooth-ISO-Check-socket-flag-instead-of-hcon.patch (git-fixes CVE-2024-42141 bsc#1228502). - Update patches.suse/Bluetooth-Ignore-too-large-handle-values-in-BIG.patch (git-fixes CVE-2024-42133 bsc#1228511). - Update patches.suse/Bluetooth-hci_core-cancel-all-works-upon-hci_unregis.patch (stable-fixes CVE-2024-41063 bsc#1228580). - Update patches.suse/Bluetooth-qca-Fix-BT-enable-failure-again-for-QCA639.patch (git-fixes CVE-2024-42137 bsc#1228563). - Update patches.suse/PCI-MSI-Fix-UAF-in-msi_capability_init.patch (git-fixes CVE-2024-41096 bsc#1228479). - Update patches.suse/RDMA-restrack-Fix-potential-invalid-address-access.patch (git-fixes CVE-2024-42080 bsc#1228673). - Update patches.suse/USB-core-Fix-duplicate-endpoint-bug-by-clearing-rese.patch (git-fixes CVE-2024-41035 bsc#1228485). - Update patches.suse/USB-serial-mos7840-fix-crash-on-resume.patch (git-fixes CVE-2024-42244 bsc#1228967). - Update patches.suse/ata-libata-core-Fix-null-pointer-dereference-on-erro.patch (git-fixes CVE-2024-41098 bsc#1228467). - Update patches.suse/bluetooth-hci-disallow-setting-handle-bigger-than-HC.patch (git-fixes CVE-2024-42132 bsc#1228492). - Update patches.suse/bpf-Fail-bpf_timer_cancel-when-callback-is-being-can.patch (bsc#1228531 CVE-2024-41045 CVE-2024-42239 bsc#1228979). - Update patches.suse/can-mcp251xfd-fix-infinite-loop-when-xmit-fails.patch (git-fixes CVE-2024-41088 bsc#1228469). - Update patches.suse/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch (stable-fixes CVE-2024-42136 bsc#1228758). - Update patches.suse/crypto-aead-cipher-zeroize-key-buffer-after-use.patch (stable-fixes CVE-2024-42229 bsc#1228708). - Update patches.suse/crypto-ecdh-explicitly-zeroize-private_key.patch (stable-fixes CVE-2024-42098 bsc#1228779). - Update patches.suse/drm-amd-display-ASSERT-when-failing-to-find-index-by.patch (stable-fixes CVE-2024-42117 bsc#1228582). - Update patches.suse/drm-amd-display-Check-index-msg_id-before-read-or-wr.patch (stable-fixes CVE-2024-42121 bsc#1228590). - Update patches.suse/drm-amd-display-Check-pipe-offset-before-setting-vbl.patch (stable-fixes CVE-2024-42120 bsc#1228588). - Update patches.suse/drm-amd-display-Fix-array-index-out-of-bounds-in-dml.patch (stable-fixes CVE-2024-41061 bsc#1228572). - Update patches.suse/drm-amd-display-Fix-overlapping-copy-within-dml_core.patch (stable-fixes CVE-2024-42227 bsc#1228707). - Update patches.suse/drm-amd-display-Skip-finding-free-audio-for-unknown-.patch (stable-fixes CVE-2024-42119 bsc#1228584). - Update patches.suse/drm-amd-display-Skip-pipe-if-the-pipe-idx-not-set-pr.patch (stable-fixes CVE-2024-42064 bsc#1228586). - Update patches.suse/drm-amdgpu-Fix-signedness-bug-in-sdma_v4_0_process_t.patch (git-fixes CVE-2024-41022 bsc#1228429). - Update patches.suse/drm-amdgpu-Using-uninitialized-value-size-when-calli.patch (stable-fixes CVE-2024-42228 bsc#1228667). - Update patches.suse/drm-amdgpu-avoid-using-null-object-of-framebuffer.patch (stable-fixes CVE-2024-41093 bsc#1228660). - Update patches.suse/drm-fbdev-dma-Only-set-smem_start-is-enable-per-modu.patch (git-fixes CVE-2024-41094 bsc#1228458). - Update patches.suse/drm-i915-gt-Fix-potential-UAF-by-revoke-of-fence-reg.patch (git-fixes CVE-2024-41092 bsc#1228483). - Update patches.suse/drm-lima-fix-shared-irq-handling-on-driver-remove.patch (stable-fixes CVE-2024-42127 bsc#1228721). - Update patches.suse/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-66edf3f.patch (stable-fixes CVE-2024-41095 bsc#1228662). - Update patches.suse/drm-nouveau-dispnv04-fix-null-pointer-dereference-in.patch (stable-fixes CVE-2024-41089 bsc#1228658). - Update patches.suse/drm-nouveau-fix-null-pointer-dereference-in-nouveau_.patch (git-fixes CVE-2024-42101 bsc#1228495). - Update patches.suse/drm-panel-ilitek-ili9881c-Fix-warning-with-GPIO-cont.patch (stable-fixes CVE-2024-42087 bsc#1228677). - Update patches.suse/drm-radeon-check-bo_va-bo-is-non-NULL-before-using-i.patch (stable-fixes CVE-2024-41060 bsc#1228567). - Update patches.suse/filelock-fix-potential-use-after-free-in-posix_lock_inode.patch (git-fixes CVE-2024-41049 bsc#1228486). - Update patches.suse/firmware-cs_dsp-Fix-overflow-checking-of-wmfw-header.patch (git-fixes CVE-2024-41039 bsc#1228515). - Update patches.suse/firmware-cs_dsp-Prevent-buffer-overrun-when-processi.patch (git-fixes CVE-2024-41038 bsc#1228509). - Update patches.suse/firmware-cs_dsp-Return-error-if-block-header-overflo.patch (git-fixes CVE-2024-42238 bsc#1228991). - Update patches.suse/firmware-cs_dsp-Use-strnlen-on-name-fields-in-V1-wmf.patch (git-fixes CVE-2024-41056 bsc#1228480). - Update patches.suse/firmware-cs_dsp-Validate-payload-length-before-proce.patch (git-fixes CVE-2024-42237 bsc#1228992). - Update patches.suse/genirq-cpuhotplug-x86-vector-Prevent-vector-leak-dur.patch (git-fixes CVE-2024-31076 bsc#1226765). - Update patches.suse/gpio-davinci-Validate-the-obtained-number-of-IRQs.patch (git-fixes CVE-2024-42092 bsc#1228447). - Update patches.suse/gpio-pca953x-fix-pca953x_irq_bus_sync_unlock-race.patch (stable-fixes CVE-2024-42253 bsc#1229005). - Update patches.suse/i2c-pnx-Fix-potential-deadlock-warning-from-del_time.patch (git-fixes CVE-2024-42153 bsc#1228510). - Update patches.suse/iio-chemical-bme680-Fix-overflows-in-compensate-func.patch (git-fixes CVE-2024-42086 bsc#1228452). - Update patches.suse/jffs2-Fix-potential-illegal-address-access-in-jffs2_free_inode.patch (git-fixes CVE-2024-42115 bsc#1228656). - Update patches.suse/libceph-fix-race-between-delayed_work-and-ceph_monc_s.patch (bsc#1228192 CVE-2024-42232 bsc#1228959). - Update patches.suse/media-dvb-frontends-tda10048-Fix-integer-overflow.patch (stable-fixes CVE-2024-42223 bsc#1228726). - Update patches.suse/misc-fastrpc-Fix-memory-leak-in-audio-daemon-attach-.patch (git-fixes CVE-2024-41025 bsc#1228527). - Update patches.suse/misc-fastrpc-Restrict-untrusted-app-to-attach-to-pri.patch (git-fixes CVE-2024-41024 bsc#1228525). - Update patches.suse/mm-Avoid-overflows-in-dirty-throttling-logic.patch (bsc#1222364 CVE-2024-26720 CVE-2024-42131 bsc#1228650). - Update patches.suse/msft-hv-3022-net-mana-Fix-possible-double-free-in-error-handling-.patch (git-fixes CVE-2024-42069 bsc#1228463). - Update patches.suse/net-can-j1939-Initialize-unused-data-in-j1939_send_o.patch (git-fixes CVE-2024-42076 bsc#1228484). - Update patches.suse/net-can-j1939-enhanced-error-handling-for-tightly-re.patch (git-fixes CVE-2023-52887 bsc#1228426). - Update patches.suse/nfc-nci-Add-the-inconsistency-check-between-the-inpu.patch (stable-fixes CVE-2024-42130 bsc#1228687). - Update patches.suse/nilfs2-add-missing-check-for-inode-numbers-on-direct.patch (stable-fixes CVE-2024-42104 bsc#1228654). - Update patches.suse/nvme-avoid-double-free-special-payload.patch (git-fixes CVE-2024-41073 bsc#1228635). - Update patches.suse/nvmet-always-initialize-cqe.result.patch (git-fixes CVE-2024-41079 bsc#1228615). - Update patches.suse/nvmet-fix-a-possible-leak-when-destroy-a-ctrl-during.patch (git-fixes CVE-2024-42152 bsc#1228724). - Update patches.suse/ocfs2-fix-DIO-failure-due-to-insufficient-transaction-credits.patch (git-fixes CVE-2024-42077 bsc#1228516). - Update patches.suse/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xatt.patch (bsc#1228410 CVE-2024-41016). - Update patches.suse/orangefs-fix-out-of-bounds-fsid-access.patch (git-fixes CVE-2024-42143 bsc#1228748). - Update patches.suse/pinctrl-fix-deadlock-in-create_pinctrl-when-handling.patch (git-fixes CVE-2024-42090 bsc#1228449). - Update patches.suse/platform-x86-toshiba_acpi-Fix-array-out-of-bounds-ac.patch (git-fixes CVE-2024-41028 bsc#1228539). - Update patches.suse/powerpc-Avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch (bsc#1221645 ltc#205739 bsc#1223191 CVE-2024-42126 bsc#1228718). - Update patches.suse/powerpc-pseries-Fix-scv-instruction-crash-with-kexec.patch (bsc#1194869 CVE-2024-42230 bsc#1228489). - Update patches.suse/thermal-drivers-mediatek-lvts_thermal-Check-NULL-ptr.patch (stable-fixes CVE-2024-42144 bsc#1228666). - Update patches.suse/usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch (git-fixes CVE-2024-41097 bsc#1228513). - Update patches.suse/usb-dwc3-core-remove-lock-of-otg-mode-during-gadget-.patch (git-fixes CVE-2024-42085 bsc#1228456). - Update patches.suse/usb-gadget-configfs-Prevent-OOB-read-write-in-usb_st.patch (stable-fixes CVE-2024-42236 bsc#1228964). - Update patches.suse/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch (stable-fixes CVE-2024-42226 bsc#1228709). - Update patches.suse/wifi-cfg80211-restrict-NL80211_ATTR_TXQ_QUANTUM-valu.patch (git-fixes CVE-2024-42114 bsc#1228564). - Update patches.suse/wifi-cfg80211-wext-add-extra-SIOCSIWSCAN-data-check.patch (stable-fixes CVE-2024-41072 bsc#1228626). - Update patches.suse/wifi-mac80211-Avoid-address-calculations-via-out-of-.patch (stable-fixes CVE-2024-41071 bsc#1228625). - Update patches.suse/wifi-mt76-replace-skb_put-with-skb_put_zero.patch (stable-fixes CVE-2024-42225 bsc#1228710). - Update patches.suse/wifi-rtw89-fw-scan-offload-prohibit-all-6-GHz-channe.patch (bsc#1227149 CVE-2024-42125 bsc#1228674). - Update patches.suse/x86-bhi-Avoid-warning-in-DB-handler-due-to-BHI-mitigation (git-fixes CVE-2024-42240 bsc#1228966). Add CVE references. - commit dfa8582 - Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor (git-fixes). - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() (git-fixes). - net: usb: qmi_wwan: fix memory leak for not ip packets (git-fixes). - padata: Fix possible divide-by-0 panic in padata_mt_helper() (git-fixes). - kcov: properly check for softirq context (git-fixes). - commit fc99a65 - wireguard: allowedips: avoid unaligned 64-bit memory accesses (CVE-2024-42247 bsc#1228988). - commit 12abe6d - selftests/bpf: Add netlink helper library (bsc#1228021 CVE-2024-41010). - Fix BPF selftest build failure - commit c3e9de4 - x86/numa: Fix the sort compare func used in numa_fill_memblks() (git-fixes). - x86/numa: Fix the address overlap check in numa_fill_memblks() (git-fixes). - commit b42baa2 - inet_diag: Initialize pad field in struct inet_diag_req_v2 (CVE-2024-42106 bsc#1228493). - commit 87d015b - x86/numa: Fix SRAT lookup of CFMWS ranges with numa_fill_memblks() (git-fixes). - ACPI/NUMA: Apply SRAT proximity domain to entire CFMWS window (git-fixes). - x86/numa: Introduce numa_fill_memblks() (git-fixes). - commit 7f40727 - ACPI: processor_idle: use raw_safe_halt() in acpi_idle_play_dead() (git-fixes). - perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09 (git-fixes). - commit 23f94eb - Update patches.suse/crypto-hisilicon-debugfs-Fix-debugfs-uninit-process-.patch (bsc#1228764 CVE-2024-42147). - commit 9b42aa7 - serial: 8250_omap: Fix Errata i2310 with RX FIFO level check (bsc#1228446 CVE-2024-42095). - commit 6d3406b - serial: 8250_omap: Implementation of Errata i2310 (bsc#1228446 CVE-2024-42095). - commit a3bd324 - net/iucv: fix use after free in iucv_sock_close() (bsc#1228973). - commit c3ed1a0 - s390/sclp: Fix sclp_init() cleanup on failure (bsc#1228579 CVE-2024-41068). - commit a8db9f2 - config.sh: generate and install compile_commands.json (bsc#1228971) This file contains the command line options used to compile every C file. It's useful for the livepatching team. - kernel-binary: generate and install compile_commands.json (bsc#1228971) This file contains the command line options used to compile every C file. It's useful for the livepatching team. - commit 15eff3e - irqdomain: Fixed unbalanced fwnode get and put (git-fixes). - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline (git-fixes). - genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware (git-fixes). - genirq/matrix: Exclude managed interrupts in irq_matrix_allocated() (git-fixes). - commit 592adb3 - selftests/bpf: Test pinning bpf timer to a core (bsc#1228531 CVE-2024-41045). - Refresh patches.suse/selftests-bpf-Test-racing-between-bpf_timer_cancel_a.patch - commit 1026c30 - bpf: Add ability to pin bpf timer to calling CPU (bsc#1228531 CVE-2024-41045). - commit 060adb3 - power: supply: qcom_battmgr: return EAGAIN when firmware service is not up (git-fixes). - power: supply: axp288_charger: Round constant_charge_voltage writes down (git-fixes). - power: supply: axp288_charger: Fix constant_charge_voltage writes (git-fixes). - commit 5ff04d3 - selftests/bpf: Add timer lockup selftest (bsc#1228531 CVE-2024-41045). - bpf: Defer work in bpf_timer_cancel_and_free (bsc#1228531 CVE-2024-41045). - bpf: Fail bpf_timer_cancel when callback is being cancelled (bsc#1228531 CVE-2024-41045). - bpf: replace bpf_timer_cancel_and_free with a generic helper (bsc#1228531 CVE-2024-41045). - bpf: replace bpf_timer_set_callback with a generic helper (bsc#1228531 CVE-2024-41045). - bpf: replace bpf_timer_init with a generic helper (bsc#1228531 CVE-2024-41045). - bpf: make timer data struct more generic (bsc#1228531 CVE-2024-41045). - bpf: Check map-&gt;usercnt after timer-&gt;timer is assigned (bsc#1228531 CVE-2024-41045). - commit a65dc5b - Move upstreamed sound patches into sorted section - commit df9598d - ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx (bsc#1227182). - commit 645364b - tcp: avoid too many retransmit packets (CVE-2024-41007 bsc#1227863). - commit 8f47fe6 - mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file (CVE-2024-42138 bsc#1228500). - ice: Don't process extts if PTP is disabled (CVE-2024-42107 bsc#1228494). - ice: Fix improper extts handling (CVE-2024-42139 bsc#1228503). - net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() (CVE-2024-42110 bsc#1228501). - net: txgbe: initialize num_q_vectors for MSI/INTx interrupts (CVE-2024-42113 bsc#1228568). - bnx2x: Fix multiple UBSAN array-index-out-of-bounds (CVE-2024-42148 bsc#1228487). - net/mlx5: E-switch, Create ingress ACL when needed (CVE-2024-42142 bsc#1228491). - mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems (CVE-2024-42073 bsc#1228457). - gve: Account for stopped queues when reading NIC stats (CVE-2024-42162 bsc#1228706). - commit e94d07a - blacklist.conf: add some IRQ HANDLING ones - commit 404c094 - packaging: Add case-sensitive perl option parsing A recent change in Getopt::Long [1]: Changes in version 2.55 - ---------------------- * Fix long standing bug that duplicate options were not detected when the options differ in case while ignore_case is in effect. This will now yield a warning and become a fatal error in a future release. perl defaults to ignore_case by default, switch it off to avoid accidental misparsing of options. This was suggested after similar change in scripts/. - commit e978477 - xdp: Remove WARN() from __xdp_reg_mem_model() (bsc#1228482 CVE-2024-42082). - commit 73e7677 - arm64: jump_label: Ensure patched jump_labels are visible to all CPUs (git-fixes) - commit 2480247 - KVM: arm64: Fix clobbered ELR in sync abort/SError (git-fixes) - commit 90dba9e - bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG (git-fixes) - commit e10a18b - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process (git-fixes) - commit bae6c4b - nvme-pci: do not directly handle subsys reset fallout (bsc#1220066). - commit 2082e5f - platform/x86/intel/ifs: Initialize union ifs_status to zero (git-fixes). - commit b291cc1 - scsi: qedi: Fix crash while reading debugfs attribute (bsc#1227929 CVE-2024-40978). - block/ioctl: prefer different overflow check (bsc#1227867 CVE-2024-41000). - commit 4cc5e60 - tipc: force a dst refcount before doing decryption (CVE-2024-40983 bsc#1227819). - commit cee1bad - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() (CVE-2024-40995 bsc#1227830). - commit 0580a17 - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN (git-fixes). - RDMA/mana_ib: Use virtual address in dma regions for MRs (git-fixes). - commit 9336dc6 - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD (bsc#1228756 CVE-2024-42161). - commit 64d3ad2 - ASoC: topology: Fix route memory corruption (CVE-2024-41069 bsc#1228644). - ASoC: topology: Clean up route loading (CVE-2024-41069 bsc#1228644). - commit 30d44d4 - md-cluster: keeping kabi compatibility for upstream commit 35a0a409fa26 (bsc#1223395). - md-cluster: fix no recovery job when adding/re-adding a disk (bsc#1223395). - md-cluster: fix hanging issue while a new disk adding (bsc#1223395). - commit dac906f - tools/perf: Fix timing issue with parallel threads in perf bench wake-up-parallel (bsc#1227747). - tools/perf: Fix perf bench epoll to enable the run when some CPU's are offline (bsc#1227747). - tools/perf: Fix perf bench futex to enable the run when some CPU's are offline (bsc#1227747). - commit 7bc1e4f - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap() (bsc#1194869). - KVM: PPC: Book3S HV: Fix the set_one_reg for MMCR3 (bsc#1194869). - commit f36d7ca - KVM: PPC: Book3S HV: Handle pending exceptions on guest entry with MSR_EE (bsc#1215199). - commit 6051d0b - blacklist.conf: KVM PPC APIv2 enablement not included. - commit b36c39a - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet (CVE-2024-39506 bsc#1227729). - commit 6f4e943 - kabi/severity: add nvme common code The nvme common code is also allowed to change the data structures, there are only internal users. - commit 3abdbd5 - apparmor: unpack transition table if dfa is not present (bsc#1226031). - commit 10a598f - scsi: lpfc: Update lpfc version to 14.4.0.3 (bsc#1228857). - scsi: lpfc: Revise lpfc_prep_embed_io routine with proper endian macro usages (bsc#1228857). - scsi: lpfc: Fix incorrect request len mbox field when setting trunking via sysfs (bsc#1228857). - scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info (bsc#1228857). - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (bsc#1228857). - scsi: lpfc: Relax PRLI issue conditions after GID_FT response (bsc#1228857). - scsi: lpfc: Allow DEVICE_RECOVERY mode after RSCN receipt if in PRLI_ISSUE state (bsc#1228857). - scsi: lpfc: Cancel ELS WQE instead of issuing abort when SLI port is inactive (bsc#1228857). - commit c4b9763 - scsi: qla2xxx: Convert comma to semicolon (bsc#1228850). - scsi: qla2xxx: Update version to 10.02.09.300-k (bsc#1228850). - scsi: qla2xxx: Use QP lock to search for bsg (bsc#1228850). - scsi: qla2xxx: Reduce fabric scan duplicate code (bsc#1228850). - scsi: qla2xxx: Fix optrom version displayed in FDMI (bsc#1228850). - scsi: qla2xxx: During vport delete send async logout explicitly (bsc#1228850). - scsi: qla2xxx: Complete command early within lock (bsc#1228850). - scsi: qla2xxx: Fix flash read failure (bsc#1228850). - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds (bsc#1228850). - scsi: qla2xxx: Fix for possible memory corruption (bsc#1228850). - scsi: qla2xxx: validate nvme_local_port correctly (bsc#1228850). - scsi: qla2xxx: Unable to act on RSCN for port online (bsc#1228850). - scsi: qla2xxx: Remove unused struct 'scsi_dif_tuple' (bsc#1228850). - scsi: qla2xxx: Fix debugfs output for fw_resource_count (bsc#1228850). - scsi: qla2xxx: Indent help text (bsc#1228850). - scsi: qla2xxx: Drop driver owner assignment (bsc#1228850). - scsi: qla2xxx: Avoid possible run-time warning with long model_num (bsc#1228850). - string.h: Introduce memtostr() and memtostr_pad() (bsc#1228849). - commit 072d194 - nvme-pci: add missing condition check for existence of mapped data (git-fixes). - nvme-pci: Fix the instructions for disabling power management (git-fixes). - nvmet-auth: fix nvmet_auth hash error handling (git-fixes). - nvmet: make 'tsas' attribute idempotent for RDMA (git-fixes). - nvme: fixup comment for nvme RDMA Provider Type (git-fixes). - nvmet: do not return 'reserved' for empty TSAS values (git-fixes). - nvme: fix NVME_NS_DEAC may incorrectly identifying the disk as EXT_LBA (git-fixes). - nvmet: always initialize cqe.result (git-fixes). - nvme: avoid double free special payload (git-fixes). - nvmet: fix a possible leak when destroy a ctrl during qp establishment (git-fixes). - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset (git-fixes). - nvme-multipath: find NUMA path only for online numa-node (git-fixes). - commit 7935501 - check-for-config-changes: ignore also GCC_ASM_GOTO_OUTPUT_BROKEN Mainline commit f2f6a8e88717 (&quot;init/Kconfig: remove CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND&quot;) replaced GCC_ASM_GOTO_OUTPUT_WORKAROUND with GCC_ASM_GOTO_OUTPUT_BROKEN. Ignore both when checking config changes. - commit b60be3e - RDMA: Fix netdev tracker in ib_device_set_netdev (git-fixes) - commit 3130571 - bnxt_re: Fix imm_data endianness (git-fixes) - commit 49ce7dd - RDMA/hns: Fix mbx timing out before CMD execution is completed (git-fixes) - commit 09de886 - RDMA/hns: Fix insufficient extend DB for VFs. (git-fixes) - commit 9e511e1 - RDMA/hns: Fix undifined behavior caused by invalid max_sge (git-fixes) - commit 75c8a8f - RDMA/hns: Fix shift-out-bounds when max_inline_data is 0 (git-fixes) - commit f76d2ac - RDMA/hns: Fix missing pagesize and alignment check in FRMR (git-fixes) - commit 3200c5d - RDMA/hns: Fix unmatch exception handling when init eq table fails (git-fixes) - commit 1c3f5bc - RDMA/hns: Fix soft lockup under heavy CEQE load (git-fixes) - commit bae3b01 - RDMA/hns: Check atomic wr length (git-fixes) - commit 53b999f - RDMA/device: Return error earlier if port in not valid (git-fixes) - commit 1a6c9cf - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs (git-fixes) - commit ecbc61e - RDMA/mlx4: Fix truncated output warning in alias_GUID.c (git-fixes) - commit 9a0a984 - RDMA/mlx4: Fix truncated output warning in mad.c (git-fixes) - commit e923a91 - RDMA/cache: Release GID table even if leak is detected (git-fixes) - commit e73316e - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE (git-fixes) - commit ee50dd0 - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs (git-fixes) - commit 6b71029 - IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145) - commit 673df57 - xfs: convert comma to semicolon (git-fixes). - commit 8f18daf - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() (git-fixes). - commit 1aa4511 - kABI workaround for sound core UMP conversion (stable-fixes). - commit b9e008a - ALSA: seq: ump: Explicitly reset RPN with Null RPN (stable-fixes). - ALSA: seq: ump: Transmit RPN/NRPN message at each MSB/LSB data reception (stable-fixes). - ALSA: seq: ump: Use the common RPN/bank conversion context (stable-fixes). - ALSA: ump: Explicitly reset RPN with Null RPN (stable-fixes). - ALSA: ump: Transmit RPN/NRPN message at each MSB/LSB data reception (stable-fixes). - commit 508da4c - kabi/severities: ignore kABI for FireWire sound local symbols (bsc#1208783) - commit 041506f - Drop doubly put References tags in sound patches - commit 92b6eba - Revert &quot;ALSA: firewire-lib: operate for period elapse event in process context&quot; (bsc#1208783). - commit 2045d7f - Revert &quot;ALSA: firewire-lib: obsolete workqueue for period update&quot; (bsc#1208783). - commit 09a87ea - spi: microchip-core: switch to use modern name (stable-fixes). - Refresh patches.suse/spi-microchip-core-defer-asserting-chip-select-until.patch. - commit 31d15b3 - spi: microchip-core: fix init function not setting the master and motorola modes (git-fixes). - drm/amdgpu: reset vm state machine after gpu reset(vram lost) (stable-fixes). - drm/amd/display: Check for NULL pointer (stable-fixes). - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell (stable-fixes). - efi/libstub: Zero initialize heap allocated struct screen_info (git-fixes). - PCI: loongson: Enable MSI in LS7A Root Complex (stable-fixes). - dev/parport: fix the array out-of-bounds risk (stable-fixes). - clk: qcom: kpss-xcc: Return of_clk_add_hw_provider to transfer the error (git-fixes). - clk: qcom: Park shared RCGs upon registration (git-fixes). - clk: qcom: gpucc-sa8775p: Update wait_val fields for GPU GDSC's (git-fixes). - clk: qcom: gpucc-sa8775p: Park RCG's clk source at XO during disable (git-fixes). - clk: qcom: gpucc-sa8775p: Remove the CLK_IS_CRITICAL and ALWAYS_ON flags (git-fixes). - clk: qcom: gcc-sa8775p: Update the GDSC wait_val fields and flags (git-fixes). - clk: qcom: gpucc-sm8350: Park RCG's clk source at XO during disable (git-fixes). - clk: qcom: camcc-sc7280: Add parent dependency to all camera GDSCs (git-fixes). - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock (git-fixes). - clk: en7523: fix rate divider for slic and spi clocks (git-fixes). - drm/etnaviv: don't block scheduler when GPU is still active (stable-fixes). - media: uvcvideo: Add quirk for invalid dev_sof in Logitech C920 (git-fixes). - media: uvcvideo: Quirk for invalid dev_sof in Logitech C922 (stable-fixes). - ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error (stable-fixes). - ata: libata-scsi: Do not overwrite valid sense data when CK_COND=1 (stable-fixes). - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591 (stable-fixes). - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables (stable-fixes). - wifi: rtw88: usb: Fix disconnection after beacon loss (stable-fixes). - media: uvcvideo: Disable autosuspend for Insta360 Link (stable-fixes). - sbitmap: use READ_ONCE to access map-&gt;word (stable-fixes). - Bluetooth: Add device 13d3:3572 IMC Networks Bluetooth Radio (stable-fixes). - commit 5fabaee - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G (stable-fixes). - commit ae4c81e - ALSA: hda: Conditionally use snooping for AMD HDMI (git-fixes). - ALSA: usb-audio: Correct surround channels in UAC1 channel map (git-fixes). - ALSA: seq: ump: Optimize conversions from SysEx to UMP (git-fixes). - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode (git-fixes). - drm/vmwgfx: Fix overlay when using Screen Targets (git-fixes). - drm/vmwgfx: Fix a deadlock in dma buf fence polling (git-fixes). - drm/virtio: Fix type of dma-fence context variable (git-fixes). - drm/nouveau: prime: fix refcount underflow (git-fixes). - drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll() (git-fixes). - drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro (git-fixes). - i915/perf: Remove code to update PWR_CLK_STATE for gen12 (git-fixes). - commit 581e0b5 - ptp: fix integer overflow in max_vclocks_store (bsc#1227829 CVE-2024-40994). - commit f2dc01f - Update patches.suse/79b5b4b18bc8-mlxsw-spectrum_acl_tcam-Fix-possible-use-after-free-.patch (CVE-2024-35854 bsc#1224636 CVE-2024-35855 bsc#1224694). - Update patches.suse/ACPICA-Revert-ACPICA-avoid-Info-mapping-multiple-BAR.patch (git-fixes CVE-2024-40984 bsc#1227820). - Update patches.suse/ALSA-hda-cs35l41-Possible-null-pointer-dereference-i.patch (git-fixes CVE-2024-40964 bsc#1227818). - Update patches.suse/ALSA-hda-cs35l56-Fix-lifetime-of-cs_dsp-instance.patch (git-fixes CVE-2024-39491 bsc#1227627). - Update patches.suse/Bluetooth-hci_core-Fix-possible-buffer-overflow.patch (git-fixes CVE-2024-26889 bsc#1228195). - Update patches.suse/HID-core-remove-unnecessary-WARN_ON-in-implement.patch (git-fixes CVE-2024-39509 bsc#1227733). - Update patches.suse/HID-logitech-dj-Fix-memory-leak-in-logi_dj_recv_swit.patch (git-fixes CVE-2024-40934 bsc#1227796). - Update patches.suse/KVM-SVM-WARN-on-vNMI-NMI-window-iff-NMIs-are-outrigh.patch (git-fixes CVE-2024-39483 bsc#1227494). - Update patches.suse/KVM-arm64-Fix-circular-locking-dependency.patch (bsc#1222463 (CVE-2024-26691) CVE-2024-26691). - Update patches.suse/RDMA-mlx5-Add-check-for-srq-max_sge-attribute.patch (git-fixes CVE-2024-40990 bsc#1227824). - Update patches.suse/RDMA-rxe-Fix-responder-length-checking-for-UD-reques.patch (git-fixes CVE-2024-40992 bsc#1227826). - Update patches.suse/SUNRPC-Fix-loop-termination-condition-in-gss_free_in.patch (git-fixes CVE-2024-36288 bsc#1226834). - Update patches.suse/USB-class-cdc-wdm-Fix-CPU-lockup-caused-by-excessive.patch (git-fixes CVE-2024-40904 bsc#1227772). - Update patches.suse/arm64-asm-bug-Add-.align-2-to-the-end-of-__BUG_ENTRY.patch (git-fixes CVE-2024-39488 bsc#1227618). - Update patches.suse/ata-libata-core-Fix-double-free-on-error.patch (git-fixes CVE-2024-41087 bsc#1228740). - Update patches.suse/ax25-Fix-refcount-imbalance-on-inbound-connections.patch (git-fixes CVE-2024-40910 bsc#1227832). - Update patches.suse/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch (stable-fixes CVE-2024-40981 bsc#1227864). - Update patches.suse/btrfs-zoned-allocate-dummy-checksums-for-zoned-NODAT.patch (bsc#1223731 CVE-2024-26944 CVE-2024-40962 bsc#1227815). - Update patches.suse/cachefiles-remove-requests-from-xarray-during-flushin.patch (bsc#1226588 CVE-2024-40900 bsc#1227760). - Update patches.suse/cpufreq-amd-pstate-fix-memory-leak-on-CPU-EPP-exit.patch (stable-fixes CVE-2024-40997 bsc#1227853). - Update patches.suse/crypto-hisilicon-sec-Fix-memory-leak-for-sec-resourc.patch (stable-fixes CVE-2024-41002 bsc#1227870). - Update patches.suse/crypto-qat-Fix-ADF_DEV_RESET_SYNC-memory-leak.patch (git-fixes CVE-2024-39493 bsc#1227620). - Update patches.suse/cxl-region-Fix-memregion-leaks-in-devm_cxl_add_regio.patch (git-fixes CVE-2024-40936 bsc#1227833). - Update patches.suse/drivers-core-synchronize-really_probe-and-dev_uevent.patch (git-fixes CVE-2024-39501 bsc#1227754). - Update patches.suse/drm-amdgpu-fix-UBSAN-warning-in-kv_dpm.c.patch (stable-fixes CVE-2024-40987 bsc#1228235). - Update patches.suse/drm-amdkfd-don-t-allow-mapping-the-MMIO-HDP-page-wit.patch (CVE-2024-41011 bsc#1228115 git-fixes bsc#1228114). - Update patches.suse/drm-bridge-cdns-mhdp8546-Fix-possible-null-pointer-d.patch (git-fixes CVE-2024-38548 bsc#1228202). - Update patches.suse/drm-drm_file-Fix-pid-refcounting-race.patch (git-fixes CVE-2024-39486 bsc#1227492). - Update patches.suse/drm-exynos-hdmi-report-safe-640x480-mode-as-a-fallba.patch (git-fixes CVE-2024-40916 bsc#1227846). - Update patches.suse/drm-exynos-vidi-fix-memory-leak-in-.get_modes.patch (stable-fixes CVE-2024-40932 bsc#1227828). - Update patches.suse/drm-i915-dpt-Make-DPT-object-unshrinkable.patch (git-fixes CVE-2024-40924 bsc#1227787). - Update patches.suse/drm-komeda-check-for-error-valued-pointer.patch (git-fixes CVE-2024-39505 bsc#1227728). - Update patches.suse/drm-lima-mask-irqs-in-timeout-path-before-hard-reset.patch (stable-fixes CVE-2024-40976 bsc#1227893). - Update patches.suse/drm-nouveau-don-t-attempt-to-schedule-hpd_work-on-he.patch (git-fixes CVE-2024-40926 bsc#1227791). - Update patches.suse/drm-radeon-fix-UBSAN-warning-in-kv_dpm.c.patch (stable-fixes CVE-2024-40988 bsc#1227957). - Update patches.suse/drm-shmem-helper-Fix-BUG_ON-on-mmap-PROT_WRITE-MAP_P.patch (git-fixes CVE-2024-39497 bsc#1227722). - Update patches.suse/io_uring-io-wq-Use-set_bit-and-test_bit-at-worker-fl.patch (git-fixes CVE-2024-39508 bsc#1227732). - Update patches.suse/io_uring-rsrc-don-t-lock-while-TASK_RUNNING.patch (git-fixes CVE-2024-40922 bsc#1227785). - Update patches.suse/io_uring-sqpoll-work-around-a-potential-audit-memory.patch (git-fixes CVE-2024-41001 bsc#1227869). - Update patches.suse/iommu-Return-right-value-in-iommu_sva_bind_device.patch (git-fixes CVE-2024-40945 bsc#1227802). - Update patches.suse/jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch (bsc#1227383 CVE-2024-40902 bsc#1227764). - Update patches.suse/mmc-davinci-Don-t-strip-remove-function-when-driver-.patch (git-fixes CVE-2024-39484 bsc#1227493). - Update patches.suse/nfs-Handle-error-of-rpc_proc_register-in-nfs_net_ini.patch (git-fixes CVE-2024-36939 bsc#1225838). - Update patches.suse/ocfs2-fix-races-between-hole-punching-and-AIO-DIO.patch (git-fixes CVE-2024-40943 bsc#1227849). - Update patches.suse/serial-imx-Introduce-timeout-when-waiting-on-transmi.patch (stable-fixes CVE-2024-40967 bsc#1227891). - Update patches.suse/sock_map-avoid-race-between-sock_map_close-and-sk_ps.patch (bsc#1225475 CVE-2023-52735 CVE-2024-39500 bsc#1227724). - Update patches.suse/ssb-Fix-potential-NULL-pointer-dereference-in-ssb_de.patch (stable-fixes CVE-2024-40982 bsc#1227865). - Update patches.suse/tracing-Build-event-generation-tests-only-as-modules.patch (git-fixes CVE-2024-41004 bsc#1227851). - Update patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch (git-fixes CVE-2024-26920 bsc#1228237). - Update patches.suse/usb-typec-tcpm-fix-use-after-free-case-in-tcpm_regis.patch (git-fixes CVE-2024-40903 bsc#1227766). - Update patches.suse/vmci-prevent-speculation-leaks-by-sanitizing-event-i.patch (git-fixes CVE-2024-39499 bsc#1227725). - Update patches.suse/wifi-ath11k-rely-on-mac80211-debugfs-handling-for-vi.patch (bsc#1227149 CVE-2024-26637 bsc#1221652). - Update patches.suse/wifi-cfg80211-Lock-wiphy-in-cfg80211_get_station.patch (git-fixes CVE-2024-40911 bsc#1227792). - Update patches.suse/wifi-cfg80211-detect-stuck-ECSA-element-in-probe-res.patch (bsc#1227149 CVE-2024-26683 bsc#1222434). - Update patches.suse/wifi-cfg80211-validate-HE-operation-element-parsing.patch (bsc#1227149 CVE-2024-40930 bsc#1228236). - Update patches.suse/wifi-iwlwifi-Use-request_module_nowait.patch (bsc#1227149 CVE-2024-36970 bsc#1226127). - Update patches.suse/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch (git-fixes CVE-2024-40929 bsc#1227774). - Update patches.suse/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch (git-fixes CVE-2024-40941 bsc#1227771). - Update patches.suse/wifi-iwlwifi-mvm-pick-the-version-of-SESSION_PROTECT.patch (bsc#1227149 CVE-2024-35913 bsc#1224485). - Update patches.suse/wifi-mac80211-Fix-deadlock-in-ieee80211_sta_ps_deliv.patch (git-fixes CVE-2024-40912 bsc#1227790). - Update patches.suse/wifi-mac80211-improve-CSA-ECSA-connection-refusal.patch (bsc#1227149 CVE-2024-26682 bsc#1222433). - Update patches.suse/wifi-mac80211-mesh-Fix-leak-of-mesh_preq_queue-objec.patch (git-fixes CVE-2024-40942 bsc#1227770). - Update patches.suse/wifi-mt76-connac-check-for-null-before-dereferencing.patch (bsc#1227149 CVE-2024-38609 bsc#1226751). - Update patches.suse/wifi-mt76-mt7921s-fix-potential-hung-tasks-during-ch.patch (stable-fixes CVE-2024-40977 bsc#1227950). - Update patches.suse/wifi-mt76-mt7925e-fix-use-after-free-in-free_irq.patch (bsc#1227149 CVE-2024-27049 bsc#1223763). - Update patches.suse/wifi-mt76-mt7996-fix-potential-memory-leakage-when-r.patch (bsc#1227149 CVE-2024-38563 bsc#1226743). - Update patches.suse/x86-kexec-Fix-bug-with-call-depth-tracking.patch (git-fixes CVE-2024-40944 bsc#1227883). - Update patches.suse/xhci-Handle-TD-clearing-for-multiple-streams-case.patch (git-fixes CVE-2024-40927 bsc#1227816). - commit 2cd72fd - Update patches.suse/SUNRPC-Fix-UAF-in-svc_tcp_listen_data_ready.patch (bsc#1012628 CVE-2023-52885 bsc#1227750). - Update patches.suse/USB-core-Fix-race-by-not-overwriting-udev-descriptor.patch (bsc#1213123 CVE-2023-37453 CVE-2023-52886 bsc#1227981). - Update patches.suse/btrfs-zoned-fix-lock-ordering-in-btrfs_zone_activate.patch (bsc#1223731 CVE-2024-26944 CVE-2023-52668 bsc#1224690). - Update patches.suse/wifi-ath12k-fix-the-error-handler-of-rfkill-config.patch (bsc#1227149 CVE-2023-52688 bsc#1224631). - commit 0637df8 - scsi: qedf: Make qedf_execute_tmf() non-preemptible (CVE-2024-42124 bsc#1228705) - commit a8638c5 - x86: stop playing stack games in profile_pc() (bsc#1228633 CVE-2024-42096). - commit 5c85064 - net: dsa: mv88e6xxx: Correct check for empty list (CVE-2024-42224 bsc#1228723) - commit 48e8710 - skmsg: Skip zero length skb in sk_msg_recvmsg (CVE-2024-41048 bsc#1228565) - commit 1a6942b - netns: Make get_net_ns() handle zero refcount net (CVE-2024-40958 bsc#1227812). - commit f6c7d72 - nvme_core: scan namespaces asynchronously (bsc#1224105). - commit e6f41be - net: wwan: iosm: Fix tainted pointer delete is case of region creation fail (CVE-2024-40939 bsc#1227799). - commit 0b93a9f - nsh: Restore skb-&gt;{protocol,data,mac_header} for outer header in nsh_gso_segment() (CVE-2024-36933 bsc#1225832). - commit 6740d82 - blacklist.conf: Add 943ad0b62e3c kernel: rerun task_work while freezing in get_signal() and related io_uring fix. - commit ead5c32 - net: core: reject skb_copy(_expand) for fraglist GSO skbs (CVE-2024-36929 bsc#1225814). - commit e49ed10 - blacklist.conf: Add 7a4479680d7f cgroup_misc: add kernel-doc comments for enum misc_res_type - commit fe05fa4 - cgroup/cpuset: Prevent UAF in proc_cpuset_show() (bsc#1228801). - commit 8707a09 - Drop MD patches that caused dependency cycles Also the patch was placed in a wrong directory. Deleted: patches.kabi/0002-md-cluster-fix-no-recovery-job-when-adding-re-adding.patch patches.suse/0001-md-cluster-fix-hanging-issue-while-a-new-disk-adding.patch - commit f696a5b - net: phy: micrel: Fix the KSZ9131 MDI-X status issue (git-fixes). - Bluetooth: hci_sync: Fix suspending with wrong filter policy (git-fixes). - Bluetooth: btintel: Fail setup on error (git-fixes). - wifi: ath12k: fix soft lockup on suspend (git-fixes). - wifi: cfg80211: fix reporting failed MLO links status with cfg80211_connect_done (git-fixes). - wifi: mac80211: use monitor sdata with driver only if desired (git-fixes). - net: phy: realtek: add support for RTL8366S Gigabit PHY (git-fixes). - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read (git-fixes). - commit f33a0c2 - ppp: reject claimed-as-LCP but actually malformed packets (CVE-2024-41044 bsc#1228530). - ibmvnic: Add tx check to prevent skb leak (CVE-2024-41066 bsc#1228640). - net/dpaa2: Avoid explicit cpumask var allocation on stack (CVE-2024-42093 bsc#1228680). - commit 960e23f - drm/amd/display: Add NULL pointer check for kzalloc (bsc#1228591 CVE-2024-42122) - commit 22c79c5 - workqueue: Improve scalability of workqueue watchdog touch (bsc#1193454). - commit 3c83768 - workqueue: wq_watchdog_touch is always called with valid CPU (bsc#1193454). - commit 5cd5767 - btrfs: qgroup: fix quota root leak after quota disable failure (bsc#1228655 CVE-2024-41078). - commit d598dd5 - KVM: arm64: Disassociate vcpus from redistributor region on teardown (CVE-2024-40989 bsc#1227823). - commit 8e9651c - powerpc/eeh: avoid possible crash when edev-&gt;pdev changes (CVE-2024-41064 bsc#1228599). - commit 2510511 - net: ks8851: Fix deadlock with the SPI chip variant (CVE-2024-41036 bsc#1228496) - commit 3cf617f - net/sched: Fix UAF when resolving a clash (CVE-2024-41040 bsc#1228518) - commit dea6a81 - btrfs: make sure that WRITTEN is set on all metadata blocks (CVE-2024-35949 bsc#1224700) Changes: adjust returned error codes to -EUCLEAN and drop definition of the enum error. - commit 7880179 - ila: block BH in ila_output() (CVE-2024-41081 bsc#1228617) - commit b832793 - NFSv4: Fix memory leak in nfs4_set_security_label (CVE-2024-41076 bsc#1228649) - commit c2db2a8 - gfs2: Fix NULL pointer dereference in gfs2_log_flush (bsc#1228672 CVE-2024-42079). - commit 61cd0c5 - Update patch reference for ASoC fix (CVE-2024-41069 bsc#1228644) - commit bc5c8af - Update patches.suse/nilfs2-fix-inode-number-range-checks.patch (stable-fixes bsc#1228665 CVE-2024-42105). - commit c8d5b4d - Update patches.suse/hfsplus-fix-uninit-value-in-copy_name.patch (git-fixes bsc#1228561 CVE-2024-41059). - commit f1238d0 - cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() (bsc#1228462 CVE-2024-41057). - cachefiles: fix slab-use-after-free in fscache_withdraw_volume() (bsc#1228459 CVE-2024-41058). - netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume() (bsc#1228459 bsc#1228462). - commit a80ddf3 - platform/chrome: cros_ec_proto: Lock device when updating MKBP version (git-fixes). - commit ab277a6 - ocfs2: add bounds checking to ocfs2_check_dir_entry() (bsc#1228409 CVE-2024-41015). - ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() (bsc#1228410). - ocfs2: add bounds checking to ocfs2_xattr_find_entry() (bsc#1228410 CVE-2024-41016). - commit ec6fa65 - platform/chrome: cros_ec_proto: Lock device when updating MKBP version (git-fixes). - commit d441a76 - Update patch reference of dmaengine fix (CVE-2024-40956 bsc#1227810) - commit d7e764c - vfio/pci: Disable auto-enable of exclusive INTx IRQ (bsc#1222625 CVE-2024-27437). - commit de8901b - mm: vmalloc: check if a hash-index is in cpu_possible_mask (CVE-2024-41032 bsc#1228460) - commit 9b04845 - seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors (CVE-2024-40957 bsc#1227811) - commit a8ab7dd - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port() (CVE-2024-41041 bsc#1228520) - commit 74b98cc - net: do not leave a dangling sk pointer, when socket creation fails (CVE-2024-40954 bsc#1227808) - commit 5ea4aa9 - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (CVE-2024-42070 bsc#1228470) - commit 3ac6386 - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() (bsc#1228581 CVE-2024-41070). - commit 89912c7 - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() (CVE-2024-40959 bsc#1227884). - commit 3a174d1 - Update config files. Disable vdpa drivers for Alibaba ENI and SolidNET (jsc#PED-8954, bsc#1227834) - commit 9287d7f - selftests/bpf: Extend tcx tests to cover late tcx_entry release (bsc#1228021 CVE-2024-41010). - bpf: Fix too early release of tcx_entry (bsc#1228021 CVE-2024-41010). - commit 57180df - selftests/bpf: Add more ring buffer test coverage (bsc#1228020 CVE-2024-41009). - bpf: Fix overrunning reservations in ringbuf (bsc#1228020 CVE-2024-41009). - commit cd82cf6 - md-cluster: fix no recovery job when adding/re-adding a disk (bsc#1223395). - md-cluster: fix hanging issue while a new disk adding (bsc#1223395). - commit d3c6e61 - rpm/guards: fix precedence issue with control flow operator With perl 5.40 it report the following error on rpm/guards script: Possible precedence issue with control flow operator (exit) at scripts/guards line 208. Fix the issue by adding parenthesis around ternary operator. - commit dfba20e - blacklist.conf: Add 9c573cd31343 randomize_kstack: Improve entropy diffusion - commit 095be15 - blacklist.conf: kABI - commit 1dd3f93 - blacklist.conf: spelling fix in comment - commit de0ca0a - blacklist.conf: cleanup, no code change - commit 19384b6 - blacklist.conf: pure cleanup - commit 21ff021 - blacklist.conf: pure cleanup - commit fef6015 Package util-linux was updated: - Skip aarch64 decode path for rest of the architectures (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch). - agetty: Prevent login cursor escape (bsc#1194818, util-linux-agetty-prevent-cursor-escape.patch). - Document unexpected side effects of lazy destruction (bsc#1159034, util-linux-umount-losetup-lazy-destruction.patch, util-linux-umount-losetup-lazy-destruction-generated.patch). - Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them. (bsc#1222285) Package cryptsetup was updated: - cryptsetup-fips140-3.patch: extend the password for PBKDF2 benchmarking to be more than 20 chars to meet FIPS 140-3 requirements (bsc#1229975) Package expat was updated: - Security fix (bsc#1229932, CVE-2024-45492): detect integer overflow in function nextScaffoldPart * Added expat-CVE-2024-45492.patch - Security fix (bsc#1229931, CVE-2024-45491): detect integer overflow in dtdCopy * Added expat-CVE-2024-45491.patch - Security fix (bsc#1229930, CVE-2024-45490): reject negative len for XML_ParseBuffer * Added expat-CVE-2024-45490.patch Package gnutls was updated: - FIPS: Do not allow curve P-192 for signature or keypair verification [bsc#1227669] * Add gnutls-FIPS-p192-disabled.patch - FIPS: Allow to perform the integrity check with the hmac provided by each library [bsc#1226724] * Rebase gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch - FIPS: bsc#1230166 * Mark gnutls_hash_fast operations as approved in SLI. * Add gnutls-FIPS-gnutls_hash_fast-SLI.patch - FIPS: bsc#1226733 * Run pairwise consistency test only in FIPS mode * Backport upstream commit 5c276953c1536375fba96bc769e1cb5d3123b4a7 * Add gnutls-pct-in-FIPS-only.patch - FIPS: bsc#1226733 * Use full hash+sign operations, not low level primitives in PCT test. * Add gnutls-FIPS-full-hash_sign.patch - FIPS: bsc#1227642 * Mark SHA1 as not allowed for signature verification in both RSA and ECDSA sigVer. * Add gnutls-FIPS-no-sha1-verify.patch - FIPS: bsc#1227670 * Allow RSA signature verification with min of 2048 bit modulus. * Add gnutls-FIPS-rsa-min-2048.patch - FIPS: [bsc#1227671, bsc#1226731] * Remove not needed DSA in selfchecks in FIPS mode. * Add gnutls-FIPS-no_dsa_selftest.patch Package ldb was updated: - Update to 2.8.1 * Many qsort() comparison functions are non-transitive, which can lead to out-of-bounds access in some circumstances; (bso#15625). Package ncurses was updated: - Add patch ncurses-6.1-boo1229028.patch (boo#1229028) * Allow that terminal description based on static fallback entries can be freed. Package nfs-utils was updated: - Include source for libnfsidmap 0.26 and build that. This is needed for compatability with SLE15-SP5 and earlier (bsc#1228159) Copied from old nfsidmap package: libnfsidmap-0.26.tar.bz2 idmap-fix-prototype.patch idmap-libnfsidmap-export-symbols.patch idmap-0001-libnfsidmap-add-options-to-aid-id-mapping-in-multi-d.patch idmap-0002-nss_gss_princ_to_ids-and-nss_gss_princ_to_grouplist-.patch idmap-0001-Removed-some-unused-and-set-but-not-used-warnings.patch idmap-0002-Handle-NULL-names-better.patch idmap-0003-Strip-newlines-out-of-IDMAP_LOG-messages.patch idmap-0004-onf_parse_line-Ignore-whitespace-at-the-beginning-of.patch idmap-0005-nss.c-wrong-check-of-return-value.patch idmap-0006-Fixed-a-memory-leak-nss_name_to_gid.patch Package libnvme was updated: - Update to version 1.8+50.g2b587d3: * types: add new fields added in TP4165 (bsc#1231668) * types: Changed the space into tap space (bsc#1231668) * types: add new field added in TP4090 (bsc#1231668) * ioctl: export nvme_submit_passthru{64} as weak symbol (bsc#1231668) * tree: fix segfault in nvme_free_tree() (bsc#1231668) * tree: fix tls key mem leak (bsc#1231668) * tree: fix dhchap_ctrl_key mem leak (bsc#1231668) * tree: fix dhchap_key mem leak (bsc#1231668) - Update to version 1.8+42.gdc0831f: * tree: handle no address phy slot dirs (bsc#1229193) - Update to version 1.8+41.g6e8e2d7: * linux: Correct error handling for derive_psk_digest (bsc#1228376) * tree: Add NVM subsystem controller identifier (bsc#1224024) Package openssl-1_1 was updated: - Security fix: [bsc#1220262, CVE-2023-50782] * Implicit rejection in PKCS#1 v1.5 * Add openssl-CVE-2023-50782.patch - FIPS: AES GCM external IV implementation [bsc#1228618] * Mark the standalone AES-GCM encryption with external IV as non-approved in the SLI. * Add openssl-1_1-ossl-sli-021-AES-GCM-external-IV.patch - FIPS: Mark PBKDF2 and HKDF HMAC input keys with size &gt;= 112 bits as approved in the SLI. [bsc#1228623] * openssl-1_1-ossl-sli-020-PBKDF2-HMAC-size-SLI.patch - FIPS: Enforce KDF in FIPS style [bsc#1224270] * Add openssl-1_1-ossl-sli-019-Enforce-KDF.patch - FIPS: Mark HKDF and TLSv1.3 KDF as approved in the SLI [bsc#1228619] * Add openssl-1_1-ossl-sli-018-TLS13-HKDF.patch - FIPS: The X9.31 scheme is not approved for RSA signature operations in FIPS 186-5. [bsc#1224269] * Add openssl-1_1-ossl-sli-017-X9.31-sign.patch - FIPS: Differentiate the PSS length requirements [bsc#1224275] * Add openssl-1_1-ossl-sli-016-PSS-length.patch - FIPS: Mark sigGen and sigVer primitives as non-approved [bsc#1224272] * Add openssl-1_1-ossl-sli-015-sigver-hashing.patch - FIPS: Disable PKCSv1.5 and shake in FIPS mode [bsc#1224271] * FIPS 186-5 Section 5.4 disallows RSA PKCSv1.5 signature operations with XOF. * Add openssl-1_1-ossl-sli-014-PKCSv1.5-and-shake.patch - FIPS: Mark SHA1 as non-approved in the SLI [bsc#1224266] * Add openssl-1_1-ossl-sli-013-Mark-SHA1-unapproved.patch - FIPS: DH FIPS selftest and safe prime group [bsc#1224264] * Add openssl-1_1-ossl-sli-012-DH-selftest-and-safe-prime-group.patch - Build with no-afalgeng [bsc#1226463] - Security fix: [bsc#1227138, CVE-2024-5535] * SSL_select_next_proto buffer overread * Add openssl-CVE-2024-5535.patch - FIPS: Remove not needed FIPS DRBG files [bsc#1224268] - FIPS: Add Pair-wise Consistency Test when generating DH key [bsc#1224265] * Add PCT in function crypto/dh/dh_key.c:generate_key() to meet assurance 5.6.2.1.4 of SP 800-56Arev3. * Add openssl-fips-DH-Pair-wise-Consistency.patch - FIPS: Disallow non-approved KDF types [bsc#1224267] * Add openssl-1_1-ossl-sli-011-SSHKDF.patch - FIPS: Disallow RSA sigVer with 1024 and ECDSA sigVer/keyVer P-192 [bsc#1224273] * Add openssl-1_1-ossl-sli-009-RSA-sigver.patch * Add openssl-1_1-ossl-sli-010-ECDSA-sigver-keyver.patch - FIPS: DRBG component chaining [bsc#1224258] * Add prediction resistance and oversampling of the noise source. * Allow setting the FIPS error state if jitterentropy fails the health-tests. * Add patches: - openssl-1_1-FIPS-140-3-DRBG-prediction-resistance.patch - openssl-1_1-FIPS-140-3-DRBG-oversampling.patch - openssl-1_1-jitterentropy-error-state.patch - FIPS: Align CRNGT_BUFSIZ with Jitter RNG output size [bsc#1224260] * Add openssl-1_1-FIPS-CRNGT_BUFSIZ.patch - FIPS: Fix build warnings. * Rebase patches: - openssl-1.1.1-fips.patch - openssl-fips_selftest_upstream_drbg.patch - Fixed C99 violations in patches bsc1185319-FIPS-KAT-for-ECDSA.patch (need to for explicity typecast) and openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch (missing include) to allow the package to build with GCC 14. [boo#1225907] Package openssl-3 was updated: - Security fix: [bsc#1220262, CVE-2023-50782] * Implicit rejection in PKCS#1 v1.5 * Add openssl-CVE-2023-50782.patch - Security fix: [bsc#1230698, CVE-2024-41996] * Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used. * Added openssl-3-CVE-2024-41996.patch - Security fix: [bsc#1229465, CVE-2024-6119] * possible denial of service in X.509 name checks * openssl-CVE-2024-6119.patch Package libpcap was updated: - enable rdma support (bsc#1230894) - Security fix: [bsc#1230034, CVE-2024-8006] * libpcap: NULL pointer derefence in pcap_findalldevs_ex() * Add libpcap-CVE-2024-8006.patch - Security fix: [bsc#1230020, CVE-2023-7256] * libpcap: double free via addrinfo in sock_initaddress() * Add libpcap-CVE-2023-7256.patch Package python3 was updated: - Add CVE-2024-9287-venv_path_unquoted.patch to properly quote path names provided when creating a virtual environment (bsc#1232241, CVE-2024-9287) - Drop .pyc files from docdir for reproducible builds (bsc#1230906). - Add CVE-2024-6232-ReDOS-backtrack-tarfile.patch prevent ReDos via excessive backtracking while parsing header values (bsc#1230227, CVE-2024-6232). - Add CVE-2024-5642-switch-off-NPN.patch switching off the NPN support eliminating bsc#1227233 (CVE-2024-5642). - Add CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, CVE-2024-6923). - Add CVE-2024-7592-quad-complex-cookies.patch fixing quadratic complexity in parsing cookies with backslashes (bsc#1229596, CVE-2024-7592) - %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999) - Remove %suse_update_desktop_file macro as it is not useful any more. - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378). Package ruby2.5 was updated: - backport REXML from 3.3 - fix denial of service when parsing a XML that has many deep elements with the same local name attributes (boo#1229673 CVE-2024-43398) - fix denial of service when parsing an XML that contains many specific characters such as whitespaces, &gt;] and ]&gt; (boo#1228794 CVE-2024-41123) - fix denial of service when parsing an XML that has many entity expansions with SAX2 or pull parser API (boo#1228799 CVE-2024-41946) - fix denial of service when parsing an XML that has many left angled brackets in an attribute value (boo#1224390 CVE-2024-35176) - fix ReDoS when parsing an XML that has many specific characters (boo#1228072 CVE-2024-39908) Package libsolv was updated: - removed dependency on external find program in the repo2solv tool- bindings: fix return value of repodata.add_solv() - new SOLVER_FLAG_FOCUS_NEW flag - bump version to 0.7.30 Package suseconnect-ng was updated: - Update version to 1.12: - Set the filesystem root on zypper when given (bsc#1230229,bsc#1229014) Package systemd was updated: - Import commit 44943af96be1422c2d7bdf271e4a77b42f4b41ec (merge of v254.18) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/51fd0b7b9d11bb932370f4bcc3e849f8c0b3bc06...44943af96be1422c2d7bdf271e4a77b42f4b41ec - Add 5003-99-systemd.rules-rework-SYSTEMD_READY-logic-for-devi.patch (bsc#1229518) - Import commit 51fd0b7b9d11bb932370f4bcc3e849f8c0b3bc06 0512d0d1fc cgroup: Rename effective limits internal table (jsc#PED-5659) 765846b70b cgroup: Restrict effective limits with global resource provision (jsc#PED-5659) e29909088b test: Add effective cgroup limits testing (jsc#PED-5659) beacac6df0 test: Convert rlimit test to subtest of generic limit testing (jsc#PED-5659) e3b789e512 cgroup: Add EffectiveMemoryMax=, EffectiveMemoryHigh= and EffectiveTasksMax= properties (jsc#PED-5659) 5aa063ae16 bus-print-properties: prettify more unset properties a53122c9bd bus-print-properties: ignore CGROUP_LIMIT_MAX for Memory*{Current, Peak} 8418791441 cgroup: rename TasksMax structure to CGroupTasksMax - Drop 5003-cgroup-rename-TasksMax-structure-to-CGroupTasksMax.patch 5004-bus-print-properties-ignore-CGROUP_LIMIT_MAX-for-Mem.patch 5005-bus-print-properties-prettify-more-unset-properties.patch 5006-cgroup-Add-EffectiveMemoryMax-EffectiveMemoryHigh-an.patch 5007-test-Convert-rlimit-test-to-subtest-of-generic-limit.patch 5008-test-Add-effective-cgroup-limits-testing.patch 5009-cgroup-Restrict-effective-limits-with-global-resourc.patch 5010-cgroup-Rename-effective-limits-internal-table.patch These patches have been merged in the SUSE/254 branch. - Don't try to restart the udev socket units anymore (bsc#1228809) There's currently no way to restart a socket activable service and its socket units &quot;atomically&quot; and safely. - Make the 32bit version of libudev.so available again (bsc#1228223) The symlink for building 32bit applications was mistakenly dropped when the content of libudev-devel was merged into systemd-devel. Provide the 32bit flavor of systemd-devel again, which should restore the plug and play support in Wine for 32bit windows applications. - Import commit cbad4b6dbbec36616c04f2d26e2e568936c789ab (merge of v254.17) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/2ef89364315e1ca71606768f1bb4d63aaee66209...cbad4b6dbbec36616c04f2d26e2e568936c789ab - Import commit 2ef89364315e1ca71606768f1bb4d63aaee66209 (merge of v254.16) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/957aeb6452837326866e1f89092e6d0e0665fc10...2ef89364315e1ca71606768f1bb4d63aaee66209 - Don't mention any rpm macros inside comments, even if escaped (bsc#1228091) Otherwise pesign-obs-integration ends up re-packaging systemd with all macros inside comments unescaped leading to unpredictable behavior. Now why rpm expands rpm macros inside comments is the question... Package libzypp was updated: - PluginFrame: Send unescaped colons in header values (bsc#1231043) According to the STOMP protocol it would be correct to escape a colon in a header-value, but it breaks plugin receivers which do not expect this. The first colon separates header-name from header-value, so escaping in the header-value is not needed anyway. Escaping in the header-value affects especially the urlresolver plugins. The input URL is passed in a header, but sent back as raw data in the frames body. If the plugin receiver does not correctly unescape the URL we may get back a &quot;https\c//&quot; which is not usable. - Do not ignore return value of std::remove_if in MediaSyncFacade (fixes #579) - Fix hang in curl code with no network connection (bsc#1230912) - version 17.35.12 (35) - Deprecate librpmDb::db_const_iterator default ctor (bsc#1230267) It's preferred to explicitly tell the root directory of the system whose database you want to query. - version 17.35.11 (35) - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - Conflicts: zypper &lt;= 1.14.76 - version 17.35.10 (35) - single_rpmtrans: fix installation of .src.rpms (bsc#1228647) - version 17.35.9 (35) - Make sure not to statically linked installed tools (bsc#1228787) - version 17.35.8 (35) - MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208) - version 17.35.7 (35) - Export CredentialManager for legacy YAST versions (bsc#1228420) - version 17.35.6 (35) - Export asSolvable for YAST (bsc#1228420) - Fix 4 typos in zypp.conf. - version 17.35.5 (35) - Fix typo in the geoip update pipeline (bsc#1228206) - Export RepoVariablesStringReplacer for yast2 (bsc#1228138) - version 17.35.4 (35) - Translation: updated .pot file. - Conflict with python zypp-plugin &lt; 0.6.4 (bsc#1227793) Older zypp-plugins reject stomp headers including a '-'. Like the 'content-length' header we may send. - Fix int overflow in Provider (fixes #559) This patch fixes an issue in safe_strtonum which caused timestamps to overflow in the Provider message parser. - Fix error reporting on repoindex.xml parse error (bsc#1227625) - version 17.35.3 (35) - Keep UrlResolverPlugin API public (fixes #560) - Blacklist /snap executables for 'zypper ps' (bsc#1226014) - Fix handling of buddies when applying locks (bsc#1225267) Buddy pairs (like -release package and product) internally share the same status object. When applying locks from query results the locked bit must be set if either item is locked. - version 17.35.2 (35) - Install zypp/APIConfig.h legacy include (fixes #557) - version 17.35.1 (35) - Update soname due to RepoManager refactoring and cleanup. - version 17.35.0 (35) - Workaround broken libsolv-tools-base requirements (fixes openSUSE/zypper#551) - Strip ssl_clientkey from repo urls (bsc#1226030) - Remove protobuf build dependency. - Lazily attach medium during refresh workflows (bsc#1223094) - Refactor RepoManager and add Service workflows. - version 17.34.2 (34) Package shadow was updated: - bsc#1230972: Add useradd warnings when requested UID is outside the default range - add shadow-bsc1230972-useradd-warning.patch Package logrotate was updated: - Backport 'ignoreduplicates' configuration flag (jsc#PED-10366) * Added patch logrotate-ignore-duplicates.patch * Allows log processing with duplicate logfile matches Package makedumpfile was updated: - don't reserve disk space for flattened format (bsc#1226183) * Add make-reserve_diskspace-do-nothing-for-flattened-form.patch Package mozilla-nss was updated: - Updated nss-fips-approved-crypto-non-ec.patch to enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Package nvme-cli was updated: - Update to version 2.8+65.gae2c271: * nvme-print-json: update JSON verbose output for nvm-id-ctrl (bsc#1231668) * nvme-print-stdout: update changed-ns-list-log output (bsc#1231668) * nvme: fix uninitialized value in error-log (bsc#1231668) * netapp-smdevices: print single device output too (bsc#1231668) * netapp-smdevices: segregate print routines (bsc#1231668) * fabrics: fix incorrect access filename check (bsc#1231668) * fabrics: check if json config is existing (bsc#1231668) * nvme: update nvme_insert_tls_key_versioned() return handling (bsc#1231668) * nvme-print: sanitize error-log output (bsc#1231668) * nvme-print: update subsys verbose outputs (bsc#1231668) * nvme-print: add subsystype to the list-subsys output (bsc#1231668) * nvme-print-stdout: refactor subsys config (bsc#1231668) * netapp: print output for single device too (bsc#1231668) * netapp: segregate the print routines (bsc#1231668) * netapp: fix uninitialized value from heap error (bsc#1231668) * fabrics: avoid potential segfault in nvmf_dim() (bsc#1231668) * nvme: fix verbose logging (bsc#1231668) * logging: Split to output ioctl latency by log info level (bsc#1231668) * logging: output ioctl debugging info (bsc#1231668) * nvme: track verbose level (bsc#1231668) - Update to version 2.8+45.gb66f0b8: * plugins/sed: add sid password change (bsc#1229677) - Update to version 2.8+44.gb56f5d9: * nvme-print: Print cntlid number for controller (bsc#1224024) Package pam-config was updated: - Change check for existence of modules. If we have a biarch architecture, we check that the 64bit PAM module is there and report an error if not. For the 32bit variant, we only issue a warning. [pam-config-change-check-for-existence-of-modules.patch, bsc#1227216] Package pam was updated: - Prevent cursor escape from the login prompt [bsc#1194818] * Added: pam-bsc1194818-cursor-escape.patch Package perl-Bootloader was updated: - merge gh#openSUSE/perl-bootloader#176- handle missing grub_installdevice on powerpc (bsc#1230070) - 1.8.2 Package permissions was updated: - Update to version 20240826: * permissions: remove outdated entries (bsc#1228968) - Update to version 20240826: * cockpit: revert path change (bsc#1229329) Package python3-setuptools was updated: - Add patch CVE-2024-6345-code-execution-via-download-funcs.patch: * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105) Package zypp-plugin was updated: - Fix stomp header regex to include '-' (bsc#1227793)- version 0.6.4 - singlespec in Tumbleweed must support multiple python3 flavors in the future gh#openSUSE/python-rpm-macros#66 - Provide python3-zypp-plugin down to SLE12 (bsc#1081596) - Provide python3-zypp-plugin in SLE12-SP3 (bsc#1081596) Package regionServiceClientConfigGCE was updated: - Version 4.2.0 (jsc#PCT-361) + Add IPv6 certs to supprt access of the update infrastructure via IPv6 on GCE instances. - Update to version 4.1.0 (bsc#1217538) + Replace 162.222.182.90 and 35.187.193.56 (length 4096): rgnsrv-gce-asia-northeast1 -&gt; 162.222.182.90 expires in 9 years rgnsrv-gce-us-central1 -&gt; 35.187.193.56 expires in 10 years Package release-notes-sles was updated: - 15.6.20240926 (tracked in bsc#933411) - Corrected a wrong entry regarding 389 and OpenLDAP * OpenLDAP will be replaced by 389 in future SLE versions * OpenLDAP has been re-added to SLE 15 SP5 and SP6 to prolong the migration time window - 15.6.20240906 (tracked in bsc#933411) - Updated max user space limit (bsc#1227524) - Added note about OpenLDAP deprecation (jsc#PED-8118) - Added Confidential computing info (jsc#PED-8022) - Added note about Python 3 packages in Basesystem (bsc#1224313) Package rsyslog was updated: - restart daemon after update at the end of the transaction (bsc#1230984) - Upgrade to rsyslog 8.2406.0 -patches replaced by upgrade (see details in upgrade logs below) 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch * 2023-11-29: Revert &quot;Update omlibdbi.c&quot; * 2023-11-21: imkmsg: add params &quot;readMode&quot; and &quot;expectedBootCompleteSeconds&quot; * 2023-11-10: testbench: fix &quot;typo&quot; in test case * 2023-11-08: omazureeventhubs: Corrected handling of transport closed failures * 2023-10-31: imkmsg: add module param parseKernelTimestamp * 2023-11-03: imfile: remove state file on file delete fix * 2023-10-30: imklog bugfix: keepKernelTimestamp=off config param did not work * 2023-10-30: Netstreamdriver: deallocate certificate related resources * 2023-10-20: TLS subsystem: add remote hostname to error reporting * 2023-10-21: Fix forking issue do to close_range call * 2023-10-23: replace debian sample systemd service file by readme * 2023-10-20: testbench: bump zookeeper version to match current offering * 2023-10-20: Update rsyslog.service sample unit to the latest version used in Debian Trixie * 2023-10-20: Only keep a single rsyslog.service for Debian * 2023-10-20: Remove no longer used --with-systemdsystemunitdir configure switch * 2023-10-18: use logind instead of utmp for wall messages with systemd * 2023-10-11: Typo fixes * 2023-10-11: Drop CAP_IPC_LOCK capability * 2023-10-04: Add CAP_NET_RAW capability due to the omudpspoof module * 2023-10-03: Add new global config option &quot;libcapng.enable&quot; * 2023-10-02: tcp net subsystem: handle data race gracefully * 2023-08-31: Avoid crash on restart in imrelp SIGTTIN handler - replaces 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch * 2023-09-26: fix startup issue on modern systemd systems * 2023-09-14: Fix misspeling in message. * 2023-09-13: tcpflood bugfix: plain tcp send error not properly reported * 2023-09-12: omprog bugfix: Add CAP_DAC_OVERRIDE to the bounding set * 2023-08-02: testbench: cleanup and improve some more imfile tests * 2023-08-02: lookup tables: fix static analyzer issue * 2023-08-02: lookup tables bugfix: reload on HUP did not work when backgrounded * 2023-07-28: CI: fix and cleaup github workflow * 2023-03-07: imjournal: Support input module * 2023-07-28: testbench: make test more reliable * 2023-07-28: tcpflood: add -A option to NOT abort when sending fails * 2023-07-28: tcpflood: fix today's programming error * 2023-07-28: openssl: Replaced depreceated method SSLv23_method with TLS_method * 2023-07-27: testbench improvement: define state file directories for imfile tests * 2023-07-28: testbench: cleanup a test and some nitfixes to it * 2023-07-27: tcpflood bugfix: TCP sending was not implemented properly * 2023-07-26: testbench: make waiting for HUP processing more reliable * 2023-07-25: build system: make rsyslogd execute when --disable-inet is configured * 2023-07-25: CI: update zookeper download to newer version * 2023-07-10: ossl driver: Using newer INIT API for OpenSSL 1.1+ Versions * 2023-07-11: ossl: Fix CRL File Expire from 1 day to 100 years. * 2023-07-06: PR5175: Add TLS CRL Support for GnuTLS driver and OpenSSL 1.0.2+ * 2022-05-13: omazureeventhubs: Initial implementation of new output module * 2023-07-03: TLS CRL Support Issue 5081 * 2023-06-29: action.resumeintervalmax: the parameter was not respected * 2023-06-28: IMHIREDIS::FIXED:: Restore compatiblity with hiredis &lt; v1.0.0 * 2023-05-15: Add the 'batchsize' parameter to imhiredis * 2023-06-28: Clear undefined behavior in libgcry.c (GH #5167) * 2023-06-22: Do not try to drop capabilities when we don't have any * 2023-06-22: testbench: use newer zookeeper version in tests * 2023-06-22: build system: more precise error message on too-old lib * 2023-05-17: Fix quoting for omprog, improg, mmexternal Package runc was updated: [ This was only ever released for SLES and Leap. ]- Update to runc v1.1.14. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.14&gt;. Includes the patch for CVE-2024-45310. bsc#1230092 - Rebase patches: * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch Package samba was updated: - Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated; (bso#15699); (bsc#1229684). - Update to 4.19.8 * Invalid client warning about command line passwords; (bso#15671); * Version string is truncated in manpages; (bso#15672); * --version-* options are still not ergonomic, and they reject tilde characters; (bso#15673); * cmdline_burn does not always burn secrets; (bso#15674); * Samba doesn't parse SDDL found in defaultSecurityDescriptor in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685); * We have added new options --vendor-name and --vendor-patch- revision arguments to ./configure to allow distributions and packagers to put their name in the Samba version string so that when debugging Samba the source of the binary is obvious; (bso#15654); * When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password; (bso#15655); * Fix clock skew error message and memory cache clock skew recovery; (bso#15676); * CTDB RADOS mutex helper misses namespace support; (bso#15665); * The images don't build after the git security release and CentOS 8 Stream is EOL; (bso#15660); * Fix unnecessary delays in CTDB while processing requests under high load; (bso#15678); * Dynamic DNS updates with the internal DNS are not working; (bso#13019); * s4:nbt_server: does not provide unexpected handling, so winbindd can't use nmb requests instead cldap; (bso#15620); * Panic in vfs_offload_token_db_fetch_fsp(); (bso#15664); * &quot;client use kerberos&quot; and --use-kerberos is ignored for the machine account; (bso#15666); * Regression DFS not working with widelinks = true; (bso#15435); * ntlm_auth make logs more consistent with length check; (bso#15677); - Fix a crash when joining offline and 'kerberos method' includes keytab; (bsc#1228732); - Fix reading the password from STDIN or environment vars if it was already given in the command line; (bsc#1228732); - Update to 4.19.7 * ldb qsort might r/w out of bounds with an intransitive compare function (ldb 2.8.1 is already released); (bso#15569). * Many qsort() comparison functions are non-transitive, which can lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already released); (bso#15625). * Need to change gitlab-ci.yml tags in all branches to avoid CI bill; (bso#15638). * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0; (bso#14981). * Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022); (bso#15412). * Panic in dreplsrv_op_pull_source_apply_changes_trigger; (bso#15573). * winbindd, net ads join and other things don't work on an ipv6 only host; (bso#15642). * Smbcacls incorrectly propagates inheritance with Inherit-Only flag; (bso#15636). * http library doesn't support 'chunked transfer encoding'; (bso#15611). - Update to 4.19.6 * fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close(); (bso#15527). * samba-gpupdate: Correctly implement site support; (bso#15588). * libgpo: Segfault in python bindings; (bso#15599). * Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580). Package strace was updated: - Change the license to the correct LGPL-2.1-or-later (bsc#1228216). Package supportutils was updated: - Changes to version 3.2.8 + Avoid getting duplicate kernel verifications in boot.text (pr#190) + lvm: suppress file descriptor leak warnings from lvm commands (pr#191) + docker_info: Add timestamps to container logs (pr#196) + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198) + Update supportconfig get pam.d sorted (pr#199) + yast_files: Exclude .zcat (pr#201) + Sanitize grub bootloader (bsc#1227127, pr#203) + Sanitize regcodes (pr#204) + Improve product detection (pr#205) + Add read_values for s390x (bsc#1228265, pr#206) + hardware_info: Remove old alsa ver check (pr#209) + drbd_info: Fix incorrect escape of quotes (pr#210) Package suse-build-key was updated: - extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339) - gpg-pubkey-39db7c82-5f68629b.asc + gpg-pubkey-39db7c82-66c5d91a.asc - ensure key2rpmname is called using bash. - make the per-project inclusion optional, default off. - Also include the GPG key from the current build project to allow Staging testing without production keys. (bsc#1231829) Package unzip was updated: - Use %patch -P N instead of deprecated %patchN. - Build unzip-rcc using multibuild and update unzip-rcc.spec file Package wget was updated: - Update 0001-possibly-truncate-pathname-components.patch * Take the patch from savannah repository where the checking of the file length doesn't include path length. * [bsc#1204720, bsc#1231661] Package wicked was updated: - Update to version 0.6.77 - compat-suse: use iftype in sysctl handling (bsc#1230911, gh#openSUSE/wicked#1043) - Always generate the ipv4/ipv6 &lt;enabled&gt;true|false&lt;/enabled&gt; node - Inherit all, default and interface sysctl settings also for loopback, except for use_tempaddr and accept_dad. - Consider only interface specific accept_redirects sysctl settings. - Adopt ifsysctl(5) manual page with wicked specific behavior. - route: fix family and destination processing (bsc#1231060) - man: improve wicked-config(5) file description (gh#openSUSE/wicked#1039) - dhcp4: add ignore-rfc3927-1-6 wicked-config(5) option (jsc#PED-10855, gh#openSUSE/wicked#1038) - team: set arp link watcher interval default to 1s (gh#openSUSE/wicked#1037) - systemd: use `BindsTo=dbus.service` in favor of `Requisite=` (bsc#1229745) - compat-suse: fix use of deprecated `INTERFACETYPE=dummy` (boo#1229555) - arp: don't set target broadcast hardware address (gh#openSUSE/wicked#1036) - dbus: don't memcpy empty/NULL array value (gh#openSUSE/wicked#1035) - ethtool: fix leak and free pause data in ethtool_free (gh#openSUSE/wicked#1030) - Removed patches included in the source archive: [- 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch] - compat-suse: fix dummy interfaces configuration with INTERFACETYPE=dummy (boo#1229555, gh#openSUSE/wicked#1031) [+ 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch] Package xfsprogs was updated: - xfs_repair: allow symlinks with short remote targets (bsc#1229160) - add xfsprogs-xfs_repair-allow-symlinks-with-short-remote-targets.patch Package yast2-bootloader was updated: - Sync warning text from s390 secure boot to be identical in installation proposal and on running system (bsc#1219989) - 4.6.8 Package yast2-country was updated: - Rename Europe/Kiev to Europe/Kyiv as per 2022b release of tz code and data by ICANN (bsc#1224387) - 4.6.7 Package yast2-firewall was updated: - In case of autoinstallation keep the firewall service state in the Installation::SecuritySettings for not conflicting with the proposal (bsc#1216615) - 4.6.1 Package yast2-installation was updated: - Don't block in AutoYaST upgrade (bsc#1181625)- 4.6.13 Package yast2-iscsi-client was updated: - Fixes for bsc#1228084: - Inst client: Read sessions just after auto login in order to enable services at the end of the installation if needed - Finish client: enable iscsiuio.service instead of the socket - Use ip for reading the ip address of a given device instead of the deprecated ifconfig command - 4.6.3 - Don't leak passwords to the log (bsc#1225432) - 4.6.2 Package yast2-kdump was updated: - Don't write empty fadump=&quot;&quot; kernel parameter (bsc#1230359)- 4.6.3 Package yast2-registration was updated: - Disable the SLE_BCI repository after registration (jsc#PED-8817)- 4.6.3 Package yast2-security was updated: - Do not load the security settings from the security policy until needed (bsc#1216615). - 4.6.1 Package yast2-storage-ng was updated: - Use the newer exfatprogs instead of exfat-utils (bsc#1187854)- 4.6.18 Package yast2-users was updated: - Relax check in GECOS field (bsc#1228149): Allow any data except colons - 4.6.6 - Backport changes to avoid namespace collisions (gh#yast/yast-users#396) - 4.6.5 - Branch package for SP6 (bsc#1208913) - 4.6.4 Package zypper was updated: - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - BuildRequires: libzypp-devel &gt;= 17.35.10. - Fix wrong numbers used in CommitSummary skipped/failed messages. - version 1.14.77 - Show rpm install size before installing (bsc#1224771) If filesystem snapshots are taken before the installation (e.g. by snapper) no disk space is freed by removing old packages. In this case the install size of all packages is a hint how much additional disk space is needed by the new packages static content. - version 1.14.76 - Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly (bsc#1227205) - version 1.14.75 - Let_readline_abort_on_Ctrl-C (bsc#1226493) - packages: add '--system' to show @System packages (bsc#222971) - version 1.14.74 - Fixed check for outdated repo metadata as non-root user (bsc#1222086) - BuildRequires: libzypp-devel &gt;= 17.33.0. - Delay zypp lock until command options are parsed (bsc#1223766) - version 1.14.73 - Unify message format(fixes #485) - version 1.14.72 - switch cmake build type to RelWithDebInfo - modernize spec file (remove Authors section, use proper macros, remove redundant clean section, don't mark man pages as doc) - switch to -O2 -fvisibility=hidden -fpie: * PIC is not needed as no shared lib is built * fstack-protector-strong is default on modern dists and would be downgraded by fstack-protector * default visibility hidden allows better optimisation * O2 is reducing inlining bloat - &gt; 18% reduced binary size - remove procps requires (was only for ZMD which is dropped) (jsc#PED-8153) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-v20241113-arm64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-v20241113-arm64 bash-4.4-150400.27.3.2 bash-sh-4.4-150400.27.3.2 binutils-2.43-150100.7.49.1 ca-certificates-mozilla-2.68-150200.33.1 cloud-regionsrv-client-10.3.4-150300.13.9.1 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.9.1 containerd-1.7.21-150000.117.1 curl-8.6.0-150600.4.12.1 cyrus-sasl-2.1.28-150600.7.3.1 cyrus-sasl-digestmd5-2.1.28-150600.7.3.1 cyrus-sasl-gssapi-2.1.28-150600.7.3.1 cyrus-sasl-plain-2.1.28-150600.7.3.1 cyrus-sasl-saslauthd-2.1.28-150600.7.3.1 deltarpm-3.6.5-150000.5.6.3 device-mapper-2.03.22_1.02.196-150600.3.3.2 dmidecode-3.6-150400.16.11.2 docker-25.0.6_ce-150000.207.1 dracut-059+suse.541.g3c2df232-150600.3.11.2 e2fsprogs-1.47.0-150600.4.6.2 glibc-2.38-150600.14.14.2 glibc-i18ndata-2.38-150600.14.14.2 glibc-locale-2.38-150600.14.14.2 glibc-locale-base-2.38-150600.14.14.2 grub2-2.12-150600.8.9.2 grub2-arm64-efi-2.12-150600.8.9.2 kernel-default-6.4.0-150600.23.25.1 libblkid1-2.39.3-150600.4.12.2 libcom_err2-1.47.0-150600.4.6.2 libcryptsetup12-2.7.0-150600.3.3.1 libctf-nobfd0-2.43-150100.7.49.1 libctf0-2.43-150100.7.49.1 libcurl4-8.6.0-150600.4.12.1 libdevmapper-event1_03-2.03.22_1.02.196-150600.3.3.2 libdevmapper1_03-2.03.22_1.02.196-150600.3.3.2 libexpat1-2.4.4-150400.3.22.1 libext2fs2-1.47.0-150600.4.6.2 libfdisk1-2.39.3-150600.4.12.2 libgcc_s1-14.2.0+git10526-150000.1.6.1 libgnutls30-3.8.3-150600.4.3.1 libhogweed6-3.9.1-150600.3.2.1 libldb2-2.8.1-150600.3.3.4 liblvm2cmd2_03-2.03.22-150600.3.3.2 libmount1-2.39.3-150600.4.12.2 libncurses6-6.1-150000.5.27.1 libnettle8-3.9.1-150600.3.2.1 libnfsidmap1-1.0-150600.28.3.2 libnvme-mi1-1.8+50.g2b587d3-150600.3.9.2 libnvme1-1.8+50.g2b587d3-150600.3.9.2 libopenssl1_1-1.1.1w-150600.5.9.1 libopenssl3-3.1.4-150600.5.21.1 libpcap1-1.10.4-150600.3.6.2 libproxy1-0.5.3-150600.4.3.2 libpxbackend-1_0-0.5.3-150600.4.3.2 libpython3_6m1_0-3.6.15-150300.10.75.1 libreadline7-7.0-150400.27.3.2 libruby2_5-2_5-2.5.9-150000.4.32.1 libsasl2-3-2.1.28-150600.7.3.1 libsmartcols1-2.39.3-150600.4.12.2 libsolv-tools-base-0.7.30-150600.8.2.1 libstdc++6-14.2.0+git10526-150000.1.6.1 libsuseconnect-1.12.0-150600.3.8.2 libsystemd0-254.18-150600.4.15.10 libudev1-254.18-150600.4.15.10 libuuid1-2.39.3-150600.4.12.2 libyaml-0-2-0.1.7-150000.3.2.1 libyui-ncurses-pkg16-4.5.3-150600.6.2.1 libyui-ncurses16-4.5.3-150600.6.2.1 libyui16-4.5.3-150600.6.2.1 libzypp-17.35.12-150600.3.27.1 login_defs-4.8.1-150600.17.9.1 logrotate-3.18.1-150400.3.10.1 lvm2-2.03.22-150600.3.3.2 makedumpfile-1.7.4-150600.3.3.2 mozilla-nss-certs-3.101.2-150400.3.51.1 ncurses-utils-6.1-150000.5.27.1 nfs-client-2.6.4-150600.28.3.2 nfs-kernel-server-2.6.4-150600.28.3.2 nscd-2.38-150600.14.14.2 nvme-cli-2.8+65.gae2c271-150600.3.9.2 openssl-3-3.1.4-150600.5.21.1 pam-1.3.0-150000.6.71.2 pam-config-1.1-150600.16.3.1 perl-Bootloader-1.8.2-150600.3.3.1 permissions-20240826-150600.10.9.1 python3-3.6.15-150300.10.75.1 python3-base-3.6.15-150300.10.75.1 python3-curses-3.6.15-150300.10.75.1 python3-setuptools-44.1.1-150400.9.9.1 python3-solv-0.7.30-150600.8.2.1 python3-zypp-plugin-0.6.4-150600.18.2.3 regionServiceClientConfigGCE-4.2.0-150000.4.15.1 release-notes-sles-15.6.20240926-150600.3.6.2 rsyslog-8.2406.0-150600.12.6.2 ruby-solv-0.7.30-150600.8.2.1 ruby2.5-2.5.9-150000.4.32.1 ruby2.5-stdlib-2.5.9-150000.4.32.1 runc-1.1.14-150000.70.1 samba-client-libs-4.19.8+git.368.51d32c069f-150600.3.6.11 shadow-4.8.1-150600.17.9.1 sles-release-15.6-150600.64.3.1 strace-5.14-150400.3.3.2 supportutils-3.2.8-150600.3.3.1 suse-build-key-12.0-150000.8.55.1 suseconnect-ng-1.12.0-150600.3.8.2 suseconnect-ruby-bindings-1.12.0-150600.3.8.2 systemd-254.18-150600.4.15.10 systemd-sysvcompat-254.18-150600.4.15.10 terminfo-6.1-150000.5.27.1 terminfo-base-6.1-150000.5.27.1 udev-254.18-150600.4.15.10 unzip-6.00-150000.4.14.1 util-linux-2.39.3-150600.4.12.2 util-linux-systemd-2.39.3-150600.4.12.2 wget-1.20.3-150600.19.6.2 wicked-0.6.77-150600.11.15.1 wicked-service-0.6.77-150600.11.15.1 xfsprogs-6.7.0-150600.3.6.2 yast2-bootloader-4.6.8-150600.3.3.1 yast2-country-4.6.7-150600.3.3.2 yast2-country-data-4.6.7-150600.3.3.2 yast2-firewall-4.6.1-150600.3.3.2 yast2-installation-4.6.13-150600.3.3.3 yast2-iscsi-client-4.6.3-150600.3.6.2 yast2-kdump-4.6.3-150600.3.3.2 yast2-pkg-bindings-4.6.5-150600.3.6.1 yast2-registration-4.6.3-150600.3.6.2 yast2-security-4.6.1-150600.3.3.2 yast2-storage-ng-4.6.18-150600.3.3.2 yast2-users-4.6.6-150600.3.3.5 zypper-1.14.77-150600.10.11.2 bash-4.4-150400.27.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 bash-sh-4.4-150400.27.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 binutils-2.43-150100.7.49.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 ca-certificates-mozilla-2.68-150200.33.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 cloud-regionsrv-client-10.3.4-150300.13.9.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.9.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 containerd-1.7.21-150000.117.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 curl-8.6.0-150600.4.12.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 cyrus-sasl-2.1.28-150600.7.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 cyrus-sasl-digestmd5-2.1.28-150600.7.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 cyrus-sasl-gssapi-2.1.28-150600.7.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 cyrus-sasl-plain-2.1.28-150600.7.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 cyrus-sasl-saslauthd-2.1.28-150600.7.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 deltarpm-3.6.5-150000.5.6.3 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 device-mapper-2.03.22_1.02.196-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 dmidecode-3.6-150400.16.11.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 docker-25.0.6_ce-150000.207.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 dracut-059+suse.541.g3c2df232-150600.3.11.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 e2fsprogs-1.47.0-150600.4.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 glibc-2.38-150600.14.14.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 glibc-i18ndata-2.38-150600.14.14.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 glibc-locale-2.38-150600.14.14.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 glibc-locale-base-2.38-150600.14.14.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 grub2-2.12-150600.8.9.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 grub2-arm64-efi-2.12-150600.8.9.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 kernel-default-6.4.0-150600.23.25.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libblkid1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libcom_err2-1.47.0-150600.4.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libcryptsetup12-2.7.0-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libctf-nobfd0-2.43-150100.7.49.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libctf0-2.43-150100.7.49.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libcurl4-8.6.0-150600.4.12.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libdevmapper-event1_03-2.03.22_1.02.196-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libdevmapper1_03-2.03.22_1.02.196-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libexpat1-2.4.4-150400.3.22.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libext2fs2-1.47.0-150600.4.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libfdisk1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libgcc_s1-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libgnutls30-3.8.3-150600.4.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libhogweed6-3.9.1-150600.3.2.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libldb2-2.8.1-150600.3.3.4 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 liblvm2cmd2_03-2.03.22-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libmount1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libncurses6-6.1-150000.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libnettle8-3.9.1-150600.3.2.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libnfsidmap1-1.0-150600.28.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libnvme-mi1-1.8+50.g2b587d3-150600.3.9.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libnvme1-1.8+50.g2b587d3-150600.3.9.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libopenssl1_1-1.1.1w-150600.5.9.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libopenssl3-3.1.4-150600.5.21.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libpcap1-1.10.4-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libproxy1-0.5.3-150600.4.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libpxbackend-1_0-0.5.3-150600.4.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libpython3_6m1_0-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libreadline7-7.0-150400.27.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libruby2_5-2_5-2.5.9-150000.4.32.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libsasl2-3-2.1.28-150600.7.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libsmartcols1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libsolv-tools-base-0.7.30-150600.8.2.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libstdc++6-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libsuseconnect-1.12.0-150600.3.8.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libsystemd0-254.18-150600.4.15.10 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libudev1-254.18-150600.4.15.10 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libuuid1-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libyaml-0-2-0.1.7-150000.3.2.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libyui-ncurses-pkg16-4.5.3-150600.6.2.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libyui-ncurses16-4.5.3-150600.6.2.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libyui16-4.5.3-150600.6.2.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 libzypp-17.35.12-150600.3.27.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 login_defs-4.8.1-150600.17.9.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 logrotate-3.18.1-150400.3.10.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 lvm2-2.03.22-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 makedumpfile-1.7.4-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 mozilla-nss-certs-3.101.2-150400.3.51.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 ncurses-utils-6.1-150000.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 nfs-client-2.6.4-150600.28.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 nfs-kernel-server-2.6.4-150600.28.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 nscd-2.38-150600.14.14.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 nvme-cli-2.8+65.gae2c271-150600.3.9.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 openssl-3-3.1.4-150600.5.21.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 pam-1.3.0-150000.6.71.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 pam-config-1.1-150600.16.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 perl-Bootloader-1.8.2-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 permissions-20240826-150600.10.9.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 python3-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 python3-base-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 python3-curses-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 python3-setuptools-44.1.1-150400.9.9.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 python3-solv-0.7.30-150600.8.2.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 python3-zypp-plugin-0.6.4-150600.18.2.3 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 regionServiceClientConfigGCE-4.2.0-150000.4.15.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 release-notes-sles-15.6.20240926-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 rsyslog-8.2406.0-150600.12.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 ruby-solv-0.7.30-150600.8.2.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 ruby2.5-2.5.9-150000.4.32.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 ruby2.5-stdlib-2.5.9-150000.4.32.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 runc-1.1.14-150000.70.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 samba-client-libs-4.19.8+git.368.51d32c069f-150600.3.6.11 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 shadow-4.8.1-150600.17.9.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 sles-release-15.6-150600.64.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 strace-5.14-150400.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 supportutils-3.2.8-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 suse-build-key-12.0-150000.8.55.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 suseconnect-ng-1.12.0-150600.3.8.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 suseconnect-ruby-bindings-1.12.0-150600.3.8.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 systemd-254.18-150600.4.15.10 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 systemd-sysvcompat-254.18-150600.4.15.10 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 terminfo-6.1-150000.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 terminfo-base-6.1-150000.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 udev-254.18-150600.4.15.10 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 unzip-6.00-150000.4.14.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 util-linux-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 util-linux-systemd-2.39.3-150600.4.12.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 wget-1.20.3-150600.19.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 wicked-0.6.77-150600.11.15.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 wicked-service-0.6.77-150600.11.15.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 xfsprogs-6.7.0-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-bootloader-4.6.8-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-country-4.6.7-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-country-data-4.6.7-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-firewall-4.6.1-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-installation-4.6.13-150600.3.3.3 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-iscsi-client-4.6.3-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-kdump-4.6.3-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-pkg-bindings-4.6.5-150600.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-registration-4.6.3-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-security-4.6.1-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-storage-ng-4.6.18-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 yast2-users-4.6.6-150600.3.3.5 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 zypper-1.14.77-150600.10.11.2 as a component of Public Cloud Image google/sles-15-sp6-v20241113-arm64 An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c. CVE-2023-37453 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it. CVE-2023-45142 Public Cloud Image google/sles-15-sp6-v20241113-arm64:containerd-1.7.21-150000.117.1 important OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. CVE-2023-47108 Public Cloud Image google/sles-15-sp6-v20241113-arm64:containerd-1.7.21-150000.117.1 important A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. CVE-2023-50782 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libopenssl1_1-1.1.1w-150600.5.9.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libopenssl3-3.1.4-150600.5.21.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:openssl-3-3.1.4-150600.5.21.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/sparsemem: fix race in accessing memory_section->usage The below race is observed on a PFN which falls into the device memory region with the system memory configuration where PFN's are such that [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end pfn contains the device memory PFN's as well, the compaction triggered will try on the device memory PFN's too though they end up in NOP(because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When from other core, the section mappings are being removed for the ZONE_DEVICE region, that the PFN in question belongs to, on which compaction is currently being operated is resulting into the kernel crash with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1]. compact_zone() memunmap_pages ------------- --------------- __pageblock_pfn_to_page ...... (a)pfn_valid(): valid_section()//return true (b)__remove_pages()-> sparse_remove_section()-> section_deactivate(): [Free the array ms->usage and set ms->usage = NULL] pfn_section_valid() [Access ms->usage which is NULL] NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPASEMEM_VMEMAP enabled. The commit b943f045a9af("mm/sparse: fix kernel crash with pfn_section_valid check") tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns false thus ms->usage is not accessed. Fix this issue by the below steps: a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage. b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage. c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared thus valid_section() return false. Thanks to David/Pavan for their inputs on this patch. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/ On Snapdragon SoC, with the mentioned memory configuration of PFN's as [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of issues daily while testing on a device farm. For this particular issue below is the log. Though the below log is not directly pointing to the pfn_section_valid(){ ms->usage;}, when we loaded this dump on T32 lauterbach tool, it is pointing. [ 540.578056] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 540.578068] Mem abort info: [ 540.578070] ESR = 0x0000000096000005 [ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits [ 540.578077] SET = 0, FnV = 0 [ 540.578080] EA = 0, S1PTW = 0 [ 540.578082] FSC = 0x05: level 1 translation fault [ 540.578085] Data abort info: [ 540.578086] ISV = 0, ISS = 0x00000005 [ 540.578088] CM = 0, WnR = 0 [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--) [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c [ 540.579454] lr : compact_zone+0x994/0x1058 [ 540.579460] sp : ffffffc03579b510 [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640 [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000 [ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140 [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff [ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001 [ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440 [ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4 [ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000 ---truncated--- CVE-2023-52489 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memleak when more than 255 elements expired When more than 255 elements expired we're supposed to switch to a new gc container structure. This never happens: u8 type will wrap before reaching the boundary and nft_trans_gc_space() always returns true. This means we recycle the initial gc container structure and lose track of the elements that came before. While at it, don't deref 'gc' after we've passed it to call_rcu. CVE-2023-52581 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ct: fix skb leak and crash on ooo frags act_ct adds skb->users before defragmentation. If frags arrive in order, the last frag's reference is reset in: inet_frag_reasm_prepare skb_morph which is not straightforward. However when frags arrive out of order, nobody unref the last frag, and all frags are leaked. The situation is even worse, as initiating packet capture can lead to a crash[0] when skb has been cloned and shared at the same time. Fix the issue by removing skb_get() before defragmentation. act_ct returns TC_ACT_CONSUMED when defrag failed or in progress. [0]: [ 843.804823] ------------[ cut here ]------------ [ 843.809659] kernel BUG at net/core/skbuff.c:2091! [ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP [ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2 [ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022 [ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300 [ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89 [ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202 [ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820 [ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00 [ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000 [ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880 [ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900 [ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000 [ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0 [ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 843.894229] PKRU: 55555554 [ 843.898539] Call Trace: [ 843.902772] <IRQ> [ 843.906922] ? __die_body+0x1e/0x60 [ 843.911032] ? die+0x3c/0x60 [ 843.915037] ? do_trap+0xe2/0x110 [ 843.918911] ? pskb_expand_head+0x2ac/0x300 [ 843.922687] ? do_error_trap+0x65/0x80 [ 843.926342] ? pskb_expand_head+0x2ac/0x300 [ 843.929905] ? exc_invalid_op+0x50/0x60 [ 843.933398] ? pskb_expand_head+0x2ac/0x300 [ 843.936835] ? asm_exc_invalid_op+0x1a/0x20 [ 843.940226] ? pskb_expand_head+0x2ac/0x300 [ 843.943580] inet_frag_reasm_prepare+0xd1/0x240 [ 843.946904] ip_defrag+0x5d4/0x870 [ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack] [ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct] [ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred] [ 843.959657] tcf_action_exec+0xa1/0x160 [ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower] [ 843.966010] ? skb_clone+0x53/0xc0 [ 843.969173] tcf_classify+0x24d/0x420 [ 843.972333] tc_run+0x8f/0xf0 [ 843.975465] __netif_receive_skb_core+0x67a/0x1080 [ 843.978634] ? dev_gro_receive+0x249/0x730 [ 843.981759] __netif_receive_skb_list_core+0x12d/0x260 [ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0 [ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core] [ 843.991170] napi_complete_done+0x72/0x1a0 [ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core] [ 843.997501] __napi_poll+0x25/0x1b0 [ 844.000627] net_rx_action+0x256/0x330 [ 844.003705] __do_softirq+0xb3/0x29b [ 844.006718] irq_exit_rcu+0x9e/0xc0 [ 844.009672] common_interrupt+0x86/0xa0 [ 844.012537] </IRQ> [ 844.015285] <TASK> [ 844.017937] asm_common_interrupt+0x26/0x40 [ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20 [ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb ---truncated--- CVE-2023-52610 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix the error handler of rfkill config When the core rfkill config throws error, it should free the allocated resources. Currently it is not freeing the core pdev create resources. Avoid this issue by calling the core pdev destroy in the error handler of core rfkill config. Found this issue in the code review and it is compile tested only. CVE-2023-52688 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself sock_map proto callbacks should never call themselves by design. Protect against bugs like [1] and break out of the recursive loop to avoid a stack overflow in favor of a resource leak. [1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/ CVE-2023-52735 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf: hisi: Fix use-after-free when register pmu fails When we fail to register the uncore pmu, the pmu context may not been allocated. The error handing will call cpuhp_state_remove_instance() to call uncore pmu offline callback, which migrate the pmu context. Since that's liable to lead to some kind of use-after-free. Use cpuhp_state_remove_instance_nocalls() instead of cpuhp_state_remove_instance() so that the notifiers don't execute after the PMU device has been failed to register. CVE-2023-52859 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <IRQ> dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 </IRQ> <TASK> ... </TASK> Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket. CVE-2023-52885 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new This patch enhances error handling in scenarios with RTS (Request to Send) messages arriving closely. It replaces the less informative WARN_ON_ONCE backtraces with a new error handling method. This provides clearer error messages and allows for the early termination of problematic sessions. Previously, sessions were only released at the end of j1939_xtp_rx_rts(). Potentially this could be reproduced with something like: testj1939 -r vcan0:0x80 & while true; do # send first RTS cansend vcan0 18EC8090#1014000303002301; # send second RTS cansend vcan0 18EC8090#1014000303002301; # send abort cansend vcan0 18EC8090#ff00000000002301; done CVE-2023-52887 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix null pointer deref when receiving skb during sock creation The panic below is observed when receiving ICMP packets with secmark set while an ICMP raw socket is being created. SK_CTX(sk)->label is updated in apparmor_socket_post_create(), but the packet is delivered to the socket before that, causing the null pointer dereference. Drop the packet if label context is not set. BUG: kernel NULL pointer dereference, address: 000000000000004c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020 RIP: 0010:aa_label_next_confined+0xb/0x40 Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2 RSP: 0018:ffffa92940003b08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002 R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400 R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000 FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0 PKRU: 55555554 Call Trace: <IRQ> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? exc_page_fault+0x7f/0x180 ? asm_exc_page_fault+0x26/0x30 ? aa_label_next_confined+0xb/0x40 apparmor_secmark_check+0xec/0x330 security_sock_rcv_skb+0x35/0x50 sk_filter_trim_cap+0x47/0x250 sock_queue_rcv_skb_reason+0x20/0x60 raw_rcv+0x13c/0x210 raw_local_deliver+0x1f3/0x250 ip_protocol_deliver_rcu+0x4f/0x2f0 ip_local_deliver_finish+0x76/0xa0 __netif_receive_skb_one_core+0x89/0xa0 netif_receive_skb+0x119/0x170 ? __netdev_alloc_skb+0x3d/0x140 vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] __napi_poll+0x28/0x1b0 net_rx_action+0x2a4/0x380 __do_softirq+0xd1/0x2c8 __irq_exit_rcu+0xbb/0xf0 common_interrupt+0x86/0xa0 </IRQ> <TASK> asm_common_interrupt+0x26/0x40 RIP: 0010:apparmor_socket_post_create+0xb/0x200 Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48 RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286 RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003 R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748 ? __pfx_apparmor_socket_post_create+0x10/0x10 security_socket_post_create+0x4b/0x80 __sock_create+0x176/0x1f0 __sys_socket+0x89/0x100 __x64_sys_socket+0x17/0x20 do_syscall_64+0x5d/0x90 ? do_syscall_64+0x6c/0x90 ? do_syscall_64+0x6c/0x90 ? do_syscall_64+0x6c/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc CVE-2023-52889 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") CVE-2023-52915 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: aspeed: Fix memory overwrite if timing is 1600x900 When capturing 1600x900, system could crash when system memory usage is tight. The way to reproduce this issue: 1. Use 1600x900 to display on host 2. Mount ISO through 'Virtual media' on OpenBMC's web 3. Run script as below on host to do sha continuously #!/bin/bash while [ [1] ]; do find /media -type f -printf '"%h/%f"\n' | xargs sha256sum done 4. Open KVM on OpenBMC's web The size of macro block captured is 8x8. Therefore, we should make sure the height of src-buf is 8 aligned to fix this issue. CVE-2023-52916 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In affected libpcap versions during the setup of a remote packet capture the internal function sock_initaddress() calls getaddrinfo() and possibly freeaddrinfo(), but does not clearly indicate to the caller function whether freeaddrinfo() still remains to be called after the function returns. This makes it possible in some scenarios that both the function and its caller call freeaddrinfo() for the same allocated memory block. A similar problem was reported in Apple libpcap, to which Apple assigned CVE-2023-40400. CVE-2023-7256 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libpcap1-1.10.4-150600.3.6.2 moderate In the Linux kernel, the following vulnerability has been resolved: erofs: fix inconsistent per-file compression format EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built-in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously. CVE-2024-26590 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work idev->mc_ifc_count can be written over without proper locking. Originally found by syzbot [1], fix this issue by encapsulating calls to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with mutex_lock() and mutex_unlock() accordingly as these functions should only be called with mc_lock per their declarations. [1] BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0: mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline] ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725 addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949 addrconf_notify+0x310/0x980 notifier_call_chain kernel/notifier.c:93 [inline] raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461 __dev_notify_flags+0x205/0x3d0 dev_change_flags+0xab/0xd0 net/core/dev.c:8685 do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916 rtnl_group_changelink net/core/rtnetlink.c:3458 [inline] __rtnl_newlink net/core/rtnetlink.c:3717 [inline] rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754 rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910 ... write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1: mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700 worker_thread+0x525/0x730 kernel/workqueue.c:2781 ... CVE-2024-26631 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: rely on mac80211 debugfs handling for vif mac80211 started to delete debugfs entries in certain cases, causing a ath11k to crash when it tried to delete the entries later. Fix this by relying on mac80211 to delete the entries when appropriate and adding them from the vif_add_debugfs handler. CVE-2024-26637 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0) CVE-2024-26640 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rather than having incorrect ratelimit. CVE-2024-26668 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated--- CVE-2024-26669 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference. CVE-2024-26677 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: improve CSA/ECSA connection refusal As mentioned in the previous commit, we pretty quickly found that some APs have ECSA elements stuck in their probe response, so using that to not attempt to connect while CSA is happening we never connect to such an AP. Improve this situation by checking more carefully and ignoring the ECSA if cfg80211 has previously detected the ECSA element being stuck in the probe response. Additionally, allow connecting to an AP that's switching to a channel it's already using, unless it's using quiet mode. In this case, we may just have to adjust bandwidth later. If it's actually switching channels, it's better not to try to connect in the middle of that. CVE-2024-26682 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: detect stuck ECSA element in probe resp We recently added some validation that we don't try to connect to an AP that is currently in a channel switch process, since that might want the channel to be quiet or we might not be able to connect in time to hear the switching in a beacon. This was in commit c09c4f31998b ("wifi: mac80211: don't connect to an AP while it's in a CSA process"). However, we promptly got a report that this caused new connection failures, and it turns out that the AP that we now cannot connect to is permanently advertising an extended channel switch announcement, even with quiet. The AP in question was an Asus RT-AC53, with firmware 3.0.0.4.380_10760-g21a5898. As a first step, attempt to detect that we're dealing with such a situation, so mac80211 can use this later. CVE-2024-26683 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix circular locking dependency The rule inside kvm enforces that the vcpu->mutex is taken *inside* kvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires the kvm->lock while already holding the vcpu->mutex lock from kvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by protecting the hyp vm handle with the config_lock, much like we already do for other forms of VM-scoped data. CVE-2024-26691 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-26720 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix possible use-after-free and null-ptr-deref The pernet operations structure for the subsystem must be registered before registering the generic netlink family. CVE-2024-26735 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/swap: fix race when skipping swapcache When skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads swapin the same entry at the same time, they get different pages (A, B). Before one thread (T0) finishes the swapin and installs page (A) to the PTE, another thread (T1) could finish swapin of page (B), swap_free the entry, then swap out the possibly modified page reusing the same entry. It breaks the pte_same check in (T0) because PTE value is unchanged, causing ABA problem. Thread (T0) will install a stalled page (A) into the PTE and cause data corruption. One possible callstack is like this: CPU0 CPU1 ---- ---- do_swap_page() do_swap_page() with same entry <direct swapin path> <direct swapin path> <alloc page A> <alloc page B> swap_read_folio() <- read to page A swap_read_folio() <- read to page B <slow on later locks or interrupt> <finished swapin first> ... set_pte_at() swap_free() <- entry is free <write to page B, now page A stalled> <swap out page B to same swap entry> pte_same() <- Check pass, PTE seems unchanged, but page A is stalled! swap_free() <- page B content lost! set_pte_at() <- staled page A installed! And besides, for ZRAM, swap_free() allows the swap device to discard the entry content, so even if page (B) is not modified, if swap_read_folio() on CPU0 happens later than swap_free() on CPU1, it may also cause data loss. To fix this, reuse swapcache_prepare which will pin the swap entry using the cache flag, and allow only one thread to swap it in, also prevent any parallel code from putting the entry in the cache. Release the pin after PT unlocked. Racers just loop and wait since it's a rare and very short event. A schedule_timeout_uninterruptible(1) call is added to avoid repeated page faults wasting too much CPU, causing livelock or adding too much noise to perf statistics. A similar livelock issue was described in commit 029c4628b2eb ("mm: swap: get rid of livelock in swapin readahead") Reproducer: This race issue can be triggered easily using a well constructed reproducer and patched brd (with a delay in read path) [1]: With latest 6.8 mainline, race caused data loss can be observed easily: $ gcc -g -lpthread test-thread-swap-race.c && ./a.out Polulating 32MB of memory region... Keep swapping out... Starting round 0... Spawning 65536 workers... 32746 workers spawned, wait for done... Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss! Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss! Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss! Round 0 Failed, 15 data loss! This reproducer spawns multiple threads sharing the same memory region using a small swap device. Every two threads updates mapped pages one by one in opposite direction trying to create a race, with one dedicated thread keep swapping out the data out using madvise. The reproducer created a reproduce rate of about once every 5 minutes, so the race should be totally possible in production. After this patch, I ran the reproducer for over a few hundred rounds and no data loss observed. Performance overhead is minimal, microbenchmark swapin 10G from 32G zram: Before: 10934698 us After: 11157121 us Cached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag) [kasong@tencent.com: v4] CVE-2024-26759 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: prevent perpetual headroom growth syzkaller triggered following kasan splat: BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 [..] kasan_report+0xda/0x110 mm/kasan/report.c:588 __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline] ___skb_get_hash net/core/flow_dissector.c:1791 [inline] __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856 skb_get_hash include/linux/skbuff.h:1556 [inline] ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748 ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592 ... ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 .. iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831 ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 ... The splat occurs because skb->data points past skb->head allocated area. This is because neigh layer does: __skb_pull(skb, skb_network_offset(skb)); ... but skb_network_offset() returns a negative offset and __skb_pull() arg is unsigned. IOW, we skb->data gets "adjusted" by a huge value. The negative value is returned because skb->head and skb->data distance is more than 64k and skb->network_header (u16) has wrapped around. The bug is in the ip_tunnel infrastructure, which can cause dev->needed_headroom to increment ad infinitum. The syzkaller reproducer consists of packets getting routed via a gre tunnel, and route of gre encapsulated packets pointing at another (ipip) tunnel. The ipip encapsulation finds gre0 as next output device. This results in the following pattern: 1). First packet is to be sent out via gre0. Route lookup found an output device, ipip0. 2). ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future output device, rt.dev->needed_headroom (ipip0). 3). ip output / start_xmit moves skb on to ipip0. which runs the same code path again (xmit recursion). 4). Routing step for the post-gre0-encap packet finds gre0 as output device to use for ipip0 encapsulated packet. tunl0->needed_headroom is then incremented based on the (already bumped) gre0 device headroom. This repeats for every future packet: gre0->needed_headroom gets inflated because previous packets' ipip0 step incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0 needed_headroom was increased. For each subsequent packet, gre/ipip0->needed_headroom grows until post-expand-head reallocations result in a skb->head/data distance of more than 64k. Once that happens, skb->network_header (u16) wraps around when pskb_expand_head tries to make sure that skb_network_offset() is unchanged after the headroom expansion/reallocation. After this skb_network_offset(skb) returns a different (and negative) result post headroom expansion. The next trip to neigh layer (or anything else that would __skb_pull the network header) makes skb->data point to a memory location outside skb->head area. v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to prevent perpetual increase instead of dropping the headroom increment completely. CVE-2024-26804 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain Remove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER event is reported, otherwise a stale reference to netdevice remains in the hook list. CVE-2024-26808 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") which came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path"). CVE-2024-26809 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Create persistent INTx handler A vulnerability exists where the eventfd for INTx signaling can be deconfigured, which unregisters the IRQ handler but still allows eventfds to be signaled with a NULL context through the SET_IRQS ioctl or through unmask irqfd if the device interrupt is pending. Ideally this could be solved with some additional locking; the igate mutex serializes the ioctl and config space accesses, and the interrupt handler is unregistered relative to the trigger, but the irqfd path runs asynchronous to those. The igate mutex cannot be acquired from the atomic context of the eventfd wake function. Disabling the irqfd relative to the eventfd registration is potentially incompatible with existing userspace. As a result, the solution implemented here moves configuration of the INTx interrupt handler to track the lifetime of the INTx context object and irq_type configuration, rather than registration of a particular trigger eventfd. Synchronization is added between the ioctl path and eventfd_signal() wrapper such that the eventfd trigger can be dynamically updated relative to in-flight interrupts or irqfd callbacks. CVE-2024-26812 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: set dormant flag on hook register failure We need to set the dormant flag again if we fail to register the hooks. During memory pressure hook registration can fail and we end up with a table marked as active but no registered hooks. On table/base chain deletion, nf_tables will attempt to unregister the hook again which yields a warn splat from the nftables core. CVE-2024-26835 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to replay would race against the creation of new group memberships, either from the IGMP/MLD snooping logic or from user configuration. While new memberships are immediately visible to walkers of br->mdb_list, the notification of their existence to switchdev event subscribers is deferred until a later point in time. So if a replay list was generated during a time that overlapped with such a window, it would also contain a replay of the not-yet-delivered event. The driver would thus receive two copies of what the bridge internally considered to be one single event. On destruction of the bridge, only a single membership deletion event was therefore sent. As a consequence of this, drivers which reference count memberships (at least DSA), would be left with orphan groups in their hardware database when the bridge was destroyed. This is only an issue when replaying additions. While deletion events may still be pending on the deferred queue, they will already have been removed from br->mdb_list, so no duplicates can be generated in that scenario. To a user this meant that old group memberships, from a bridge in which a port was previously attached, could be reanimated (in hardware) when the port joined a new bridge, without the new bridge's knowledge. For example, on an mv88e6xxx system, create a snooping bridge and immediately add a port to it: root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \ > ip link set dev x3 up master br0 And then destroy the bridge: root@infix-06-0b-00:~$ ip link del dev br0 root@infix-06-0b-00:~$ mvls atu ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a DEV:0 Marvell 88E6393X 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a root@infix-06-0b-00:~$ The two IPv6 groups remain in the hardware database because the port (x3) is notified of the host's membership twice: once via the original event and once via a replay. Since only a single delete notification is sent, the count remains at 1 when the bridge is destroyed. Then add the same port (or another port belonging to the same hardware domain) to a new bridge, this time with snooping disabled: root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \ > ip link set dev x3 up master br1 All multicast, including the two IPv6 groups from br0, should now be flooded, according to the policy of br1. But instead the old memberships are still active in the hardware database, causing the switch to only forward traffic to those groups towards the CPU (port 0). Eliminate the race in two steps: 1. Grab the write-side lock of the MDB while generating the replay list. This prevents new memberships from showing up while we are generating the replay list. But it leaves the scenario in which a deferred event was already generated, but not delivered, before we grabbed the lock. Therefore: 2. Make sure that no deferred version of a replay event is already enqueued to the switchdev deferred queue, before adding it to the replay list, when replaying additions. CVE-2024-26837 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: netlink: add nla be16/32 types to minlen array BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline] BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline] BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline] BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631 nla_validate_range_unsigned lib/nlattr.c:222 [inline] nla_validate_int_range lib/nlattr.c:336 [inline] validate_nla lib/nlattr.c:575 [inline] ... The message in question matches this policy: [NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255), but because NLA_BE32 size in minlen array is 0, the validation code will read past the malformed (too small) attribute. Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing: those likely should be added too. CVE-2024-26849 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: Add protection for bmp length out of range UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts that are out of bounds for their data type. vmlinux get_bitmap(b=75) + 712 <net/netfilter/nf_conntrack_h323_asn1.c:0> vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956 <net/netfilter/nf_conntrack_h323_asn1.c:592> vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216 <net/netfilter/nf_conntrack_h323_asn1.c:814> vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812 <net/netfilter/nf_conntrack_h323_asn1.c:576> vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216 <net/netfilter/nf_conntrack_h323_asn1.c:814> vmlinux DecodeRasMessage() + 304 <net/netfilter/nf_conntrack_h323_asn1.c:833> vmlinux ras_help() + 684 <net/netfilter/nf_conntrack_h323_main.c:1728> vmlinux nf_confirm() + 188 <net/netfilter/nf_conntrack_proto.c:137> Due to abnormal data in skb->data, the extension bitmap length exceeds 32 when decoding ras message then uses the length to make a shift operation. It will change into negative after several loop. UBSAN load could detect a negative shift as an undefined behaviour and reports exception. So we add the protection to avoid the length exceeding 32. Or else it will return out of range error and stop decoding. CVE-2024-26851 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy. CVE-2024-26889 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing/trigger: Fix to return error if failed to alloc snapshot Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error. CVE-2024-26920 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free in do_zone_finish() Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070. BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0 ================================================================== BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs] Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007 CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0x200/0x3e0 kasan_report+0xd8/0x110 ? do_zone_finish+0x91a/0xb90 [btrfs] ? do_zone_finish+0x91a/0xb90 [btrfs] do_zone_finish+0x91a/0xb90 [btrfs] btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs] ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs] ? btrfs_put_root+0x2d/0x220 [btrfs] ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs] cleaner_kthread+0x21e/0x380 [btrfs] ? __pfx_cleaner_kthread+0x10/0x10 [btrfs] kthread+0x2e3/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Allocated by task 3493983: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_alloc_device+0xb3/0x4e0 [btrfs] device_list_add.constprop.0+0x993/0x1630 [btrfs] btrfs_scan_one_device+0x219/0x3d0 [btrfs] btrfs_control_ioctl+0x26e/0x310 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 3494056: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3f/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x32/0x70 kfree+0x11b/0x320 btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs] btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs] btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs] btrfs_ioctl+0xb27/0x57d0 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 The buggy address belongs to the object at ffff8881543c8000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 96 bytes inside of freed 1024-byte region [ffff8881543c8000, ffff8881543c8400) The buggy address belongs to the physical page: page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8 head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb This UAF happens because we're accessing stale zone information of a already removed btrfs_device in do_zone_finish(). The sequence of events is as follows: btrfs_dev_replace_start btrfs_scrub_dev btrfs_dev_replace_finishing btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced btrfs_rm_dev_replace_free_srcdev btrfs_free_device <-- device freed cleaner_kthread btrfs_delete_unused_bgs btrfs_zone_finish do_zone_finish <-- refers the freed device The reason for this is that we're using a ---truncated--- CVE-2024-26944 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: Always flush async #PF workqueue when vCPU is being destroyed Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its completion queue, e.g. when a VM and all its vCPUs is being destroyed. KVM must ensure that none of its workqueue callbacks is running when the last reference to the KVM _module_ is put. Gifting a reference to the associated VM prevents the workqueue callback from dereferencing freed vCPU/VM memory, but does not prevent the KVM module from being unloaded before the callback completes. Drop the misguided VM refcount gifting, as calling kvm_put_kvm() from async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will result in deadlock. async_pf_execute() can't return until kvm_put_kvm() finishes, and kvm_put_kvm() can't return until async_pf_execute() finishes: WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm] Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events async_pf_execute [kvm] RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm] Call Trace: <TASK> async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]--- INFO: task kworker/8:1:251 blocked for more than 120 seconds. Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000 Workqueue: events async_pf_execute [kvm] Call Trace: <TASK> __schedule+0x33f/0xa40 schedule+0x53/0xc0 schedule_timeout+0x12a/0x140 __wait_for_common+0x8d/0x1d0 __flush_work.isra.0+0x19f/0x2c0 kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm] kvm_arch_destroy_vm+0x78/0x1b0 [kvm] kvm_put_kvm+0x1c1/0x320 [kvm] async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> If kvm_clear_async_pf_completion_queue() actually flushes the workqueue, then there's no need to gift async_pf_execute() a reference because all invocations of async_pf_execute() will be forced to complete before the vCPU and its VM are destroyed/freed. And that in turn fixes the module unloading bug as __fput() won't do module_put() on the last vCPU reference until the vCPU has been freed, e.g. if closing the vCPU file also puts the last reference to the KVM module. Note that kvm_check_async_pf_completion() may also take the work item off the completion queue and so also needs to flush the work queue, as the work will not be seen by kvm_clear_async_pf_completion_queue(). Waiting on the workqueue could theoretically delay a vCPU due to waiting for the work to complete, but that's a very, very small chance, and likely a very small delay. kvm_arch_async_page_present_queued() unconditionally makes a new request, i.e. will effectively delay entering the guest, so the remaining work is really just: trace_kvm_async_pf_completed(addr, cr2_or_gpa); __kvm_vcpu_wake_up(vcpu); mmput(mm); and mmput() can't drop the last reference to the page tables if the vCPU is still alive, i.e. the vCPU won't get stuck tearing down page tables. Add a helper to do the flushing, specifically to deal with "wakeup all" work items, as they aren't actually work items, i.e. are never placed in a workqueue. Trying to flush a bogus workqueue entry rightly makes __flush_work() complain (kudos to whoever added that sanity check). Note, commit 5f6de5cbebee ("KVM: Prevent module exit until al ---truncated--- CVE-2024-26976 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix mirred deadlock on device recursion When the mirred action is used on a classful egress qdisc and a packet is mirrored or redirected to self we hit a qdisc lock deadlock. See trace below. [..... other info removed for brevity....] [ 82.890906] [ 82.890906] ============================================ [ 82.890906] WARNING: possible recursive locking detected [ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W [ 82.890906] -------------------------------------------- [ 82.890906] ping/418 is trying to acquire lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] but task is already holding lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] other info that might help us debug this: [ 82.890906] Possible unsafe locking scenario: [ 82.890906] [ 82.890906] CPU0 [ 82.890906] ---- [ 82.890906] lock(&sch->q.lock); [ 82.890906] lock(&sch->q.lock); [ 82.890906] [ 82.890906] *** DEADLOCK *** [ 82.890906] [..... other info removed for brevity....] Example setup (eth0->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 Another example(eth0->eth1->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth1 tc qdisc add dev eth1 root handle 1: htb default 30 tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 We fix this by adding an owner field (CPU id) to struct Qdisc set after root qdisc is entered. When the softirq enters it a second time, if the qdisc owner is the same CPU, the packet is dropped to break the loop. CVE-2024-27010 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memleak in map from abort path The delete set command does not rely on the transaction object for element removal, therefore, a combination of delete element + delete set from the abort path could result in restoring twice the refcount of the mapping. Check for inactive element in the next generation for the delete element command in the abort path, skip restoring state if next generation bit has been already cleared. This is similar to the activate logic using the set walk iterator. [ 6170.286929] ------------[ cut here ]------------ [ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.287071] Modules linked in: [...] [ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365 [ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f [ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202 [ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000 [ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750 [ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55 [ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10 [ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100 [ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000 [ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0 [ 6170.287962] Call Trace: [ 6170.287967] <TASK> [ 6170.287973] ? __warn+0x9f/0x1a0 [ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.288092] ? report_bug+0x1b1/0x1e0 [ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.288092] ? report_bug+0x1b1/0x1e0 [ 6170.288104] ? handle_bug+0x3c/0x70 [ 6170.288112] ? exc_invalid_op+0x17/0x40 [ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20 [ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables] [ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables] [ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables] CVE-2024-27011 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925e: fix use-after-free in free_irq() From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore. CVE-2024-27049 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: libbpf: Use OPTS_SET() macro in bpf_xdp_query() When the feature_flags and xdp_zc_max_segs fields were added to the libbpf bpf_xdp_query_opts, the code writing them did not use the OPTS_SET() macro. This causes libbpf to write to those fields unconditionally, which means that programs compiled against an older version of libbpf (with a smaller size of the bpf_xdp_query_opts struct) will have its stack corrupted by libbpf writing out of bounds. The patch adding the feature_flags field has an early bail out if the feature_flags field is not part of the opts struct (via the OPTS_HAS) macro, but the patch adding xdp_zc_max_segs does not. For consistency, this fix just changes the assignments to both fields to use the OPTS_SET() macro. CVE-2024-27050 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix NULL domain on device release In the kdump kernel, the IOMMU operates in deferred_attach mode. In this mode, info->domain may not yet be assigned by the time the release_device function is called. It leads to the following crash in the crash kernel: BUG: kernel NULL pointer dereference, address: 000000000000003c ... RIP: 0010:do_raw_spin_lock+0xa/0xa0 ... _raw_spin_lock_irqsave+0x1b/0x30 intel_iommu_release_device+0x96/0x170 iommu_deinit_device+0x39/0xf0 __iommu_group_remove_device+0xa0/0xd0 iommu_bus_notifier+0x55/0xb0 notifier_call_chain+0x5a/0xd0 blocking_notifier_call_chain+0x41/0x60 bus_notify+0x34/0x50 device_del+0x269/0x3d0 pci_remove_bus_device+0x77/0x100 p2sb_bar+0xae/0x1d0 ... i801_probe+0x423/0x740 Use the release_domain mechanism to fix it. The scalable mode context entry which is not part of release domain should be cleared in release_device(). CVE-2024-27079 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_flow_offload: reset dst in route object after setting up flow dst is transferred to the flow object, route object does not own it anymore. Reset dst in route object, otherwise if flow_offload_add() fails, error path releases dst twice, leading to a refcount underflow. CVE-2024-27403 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe() 'clk_data' is allocated with mtk_devm_alloc_clk_data(). So calling mtk_free_clk_data() explicitly in the remove function would lead to a double-free. Remove the redundant call. CVE-2024-27433 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Disable auto-enable of exclusive INTx IRQ Currently for devices requiring masking at the irqchip for INTx, ie. devices without DisINTx support, the IRQ is enabled in request_irq() and subsequently disabled as necessary to align with the masked status flag. This presents a window where the interrupt could fire between these events, resulting in the IRQ incrementing the disable depth twice. This would be unrecoverable for a user since the masked flag prevents nested enables through vfio. Instead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx is never auto-enabled, then unmask as required. CVE-2024-27437 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline The absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of interrupt affinity reconfiguration via procfs. Instead, the change is deferred until the next instance of the interrupt being triggered on the original CPU. When the interrupt next triggers on the original CPU, the new affinity is enforced within __irq_move_irq(). A vector is allocated from the new CPU, but the old vector on the original CPU remains and is not immediately reclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming process is delayed until the next trigger of the interrupt on the new CPU. Upon the subsequent triggering of the interrupt on the new CPU, irq_complete_move() adds a task to the old CPU's vector_cleanup list if it remains online. Subsequently, the timer on the old CPU iterates over its vector_cleanup list, reclaiming old vectors. However, a rare scenario arises if the old CPU is outgoing before the interrupt triggers again on the new CPU. In that case irq_force_complete_move() is not invoked on the outgoing CPU to reclaim the old apicd->prev_vector because the interrupt isn't currently affine to the outgoing CPU, and irq_needs_fixup() returns false. Even though __vector_schedule_cleanup() is later called on the new CPU, it doesn't reclaim apicd->prev_vector; instead, it simply resets both apicd->move_in_progress and apicd->prev_vector to 0. As a result, the vector remains unreclaimed in vector_matrix, leading to a CPU vector leak. To address this issue, move the invocation of irq_force_complete_move() before the irq_needs_fixup() call to reclaim apicd->prev_vector, if the interrupt is currently or used to be affine to the outgoing CPU. Additionally, reclaim the vector in __vector_schedule_cleanup() as well, following a warning message, although theoretically it should never see apicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU. CVE-2024-31076 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs. CVE-2024-35176 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libruby2_5-2_5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-stdlib-2.5.9-150000.4.32.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash The rehash delayed work migrates filters from one region to another according to the number of available credits. The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration. The destruction of a region that still has filters referencing it can result in a use-after-free [1]. Fix by not destroying the region if migration failed. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858 CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70 mlxsw_sp_acl_atcam_entry_del+0x81/0x210 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 174: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 7: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 CVE-2024-35854 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: discard table flag update with pending basechain deletion Hook unregistration is deferred to the commit phase, same occurs with hook updates triggered by the table dormant flag. When both commands are combined, this results in deleting a basechain while leaving its hook still registered in the core. CVE-2024-35897 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/rds: fix possible cp null dereference cp might be null, calling cp->cp_conn would produce null dereference [Simon Horman adds:] Analysis: * cp is a parameter of __rds_rdma_map and is not reassigned. * The following call-sites pass a NULL cp argument to __rds_rdma_map() - rds_get_mr() - rds_get_mr_for_dest * Prior to the code above, the following assumes that cp may be NULL (which is indicative, but could itself be unnecessary) trans_private = rs->rs_transport->get_mr( sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, args->vec.addr, args->vec.bytes, need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED); * The code modified by this patch is guarded by IS_ERR(trans_private), where trans_private is assigned as per the previous point in this analysis. The only implementation of get_mr that I could locate is rds_ib_get_mr() which can return an ERR_PTR if the conn (4th) argument is NULL. * ret is set to PTR_ERR(trans_private). rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL. Thus ret may be -ENODEV in which case the code in question will execute. Conclusion: * cp may be NULL at the point where this patch adds a check; this patch does seem to address a possible bug CVE-2024-35902 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF When we want to know whether we should look for the mac_id or the link_id in struct iwl_mvm_session_prot_notif, we should look at the version of SESSION_PROTECTION_NOTIF. This causes WARNINGs: WARNING: CPU: 0 PID: 11403 at drivers/net/wireless/intel/iwlwifi/mvm/time-event.c:959 iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm] RIP: 0010:iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm] Code: 00 49 c7 84 24 48 07 00 00 00 00 00 00 41 c6 84 24 78 07 00 00 ff 4c 89 f7 e8 e9 71 54 d9 e9 7d fd ff ff 0f 0b e9 23 fe ff ff <0f> 0b e9 1c fe ff ff 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffb4bb00003d40 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff9ae63a361000 RCX: ffff9ae4a98b60d4 RDX: ffff9ae4588499c0 RSI: 0000000000000305 RDI: ffff9ae4a98b6358 RBP: ffffb4bb00003d68 R08: 0000000000000003 R09: 0000000000000010 R10: ffffb4bb00003d00 R11: 000000000000000f R12: ffff9ae441399050 R13: ffff9ae4761329e8 R14: 0000000000000001 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff9ae7af400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055fb75680018 CR3: 00000003dae32006 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <IRQ> ? show_regs+0x69/0x80 ? __warn+0x8d/0x150 ? iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm] ? report_bug+0x196/0x1c0 ? handle_bug+0x45/0x80 ? exc_invalid_op+0x1c/0xb0 ? asm_exc_invalid_op+0x1f/0x30 ? iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm] iwl_mvm_rx_common+0x115/0x340 [iwlmvm] iwl_mvm_rx_mq+0xa6/0x100 [iwlmvm] iwl_pcie_rx_handle+0x263/0xa10 [iwlwifi] iwl_pcie_napi_poll_msix+0x32/0xd0 [iwlwifi] CVE-2024-35913 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma-direct: Leak pages on dma_set_decrypted() failure On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. DMA could free decrypted/shared pages if dma_set_decrypted() fails. This should be a rare case. Just leak the pages in this case instead of freeing them. CVE-2024-35939 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: make sure that WRITTEN is set on all metadata blocks We previously would call btrfs_check_leaf() if we had the check integrity code enabled, which meant that we could only run the extended leaf checks if we had WRITTEN set on the header flags. This leaves a gap in our checking, because we could end up with corruption on disk where WRITTEN isn't set on the leaf, and then the extended leaf checks don't get run which we rely on to validate all of the item pointers to make sure we don't access memory outside of the extent buffer. However, since 732fab95abe2 ("btrfs: check-integrity: remove CONFIG_BTRFS_FS_CHECK_INTEGRITY option") we no longer call btrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only ever call it on blocks that are being written out, and thus have WRITTEN set, or that are being read in, which should have WRITTEN set. Add checks to make sure we have WRITTEN set appropriately, and then make sure __btrfs_check_leaf() always does the item checking. This will protect us from file systems that have been corrupted and no longer have WRITTEN set on some of the blocks. This was hit on a crafted image tweaking the WRITTEN bit and reported by KASAN as out-of-bound access in the eb accessors. The example is a dir item at the end of an eb. [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2 [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f] [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1 [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0 [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206 [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0 [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748 [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9 [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8 [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000 [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0 [2.621] Call Trace: [2.621] <TASK> [2.621] ? show_regs+0x74/0x80 [2.621] ? die_addr+0x46/0xc0 [2.621] ? exc_general_protection+0x161/0x2a0 [2.621] ? asm_exc_general_protection+0x26/0x30 [2.621] ? btrfs_get_16+0x33a/0x6d0 [2.621] ? btrfs_get_16+0x34b/0x6d0 [2.621] ? btrfs_get_16+0x33a/0x6d0 [2.621] ? __pfx_btrfs_get_16+0x10/0x10 [2.621] ? __pfx_mutex_unlock+0x10/0x10 [2.621] btrfs_match_dir_item_name+0x101/0x1a0 [2.621] btrfs_lookup_dir_item+0x1f3/0x280 [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10 [2.621] btrfs_get_tree+0xd25/0x1910 [ copy more details from report ] CVE-2024-35949 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: tproxy: bail out if IP has been disabled on the device syzbot reports: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] [..] RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62 Call Trace: nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline] nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168 __in_dev_get_rcu() can return NULL, so check for this. CVE-2024-36270 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() syzbot reported that nf_reinject() could be called without rcu_read_lock() : WARNING: suspicious RCU usage 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by syz-executor.4/13427: #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471 #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172 stack backtrace: CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline] nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397 nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline] instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172 rcu_do_batch kernel/rcu/tree.c:2196 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> CVE-2024-36286 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix loop termination condition in gss_free_in_token_pages() The in_token->pages[] array is not NULL terminated. This results in the following KASAN splat: KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f] CVE-2024-36288 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix missing memory barrier in tls_init In tls_init(), a write memory barrier is missing, and store-store reordering may cause NULL dereference in tls_{setsockopt,getsockopt}. CPU0 CPU1 ----- ----- // In tls_init() // In tls_ctx_create() ctx = kzalloc() ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1) // In update_sk_prot() WRITE_ONCE(sk->sk_prot, tls_prots) -(2) // In sock_common_setsockopt() READ_ONCE(sk->sk_prot)->setsockopt() // In tls_{setsockopt,getsockopt}() ctx->sk_proto->setsockopt() -(3) In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing NULL dereference. To fix it, we rely on rcu_assign_pointer() which implies the release barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is initialized, we can ensure that ctx->sk_proto are visible when changing sk->sk_prot. CVE-2024-36489 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: reset ptes when close() for wr-protected ones Userfaultfd unregister includes a step to remove wr-protect bits from all the relevant pgtable entries, but that only covered an explicit UFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself. Cover that too. This fixes a WARN trace. The only user visible side effect is the user can observe leftover wr-protect bits even if the user close()ed on an userfaultfd when releasing the last reference of it. However hopefully that should be harmless, and nothing bad should happen even if so. This change is now more important after the recent page-table-check patch we merged in mm-unstable (446dd9ad37d0 ("mm/page_table_check: support userfault wr-protect entries")), as we'll do sanity check on uffd-wp bits without vma context. So it's better if we can 100% guarantee no uffd-wp bit leftovers, to make sure each report will be valid. CVE-2024-36881 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-36907 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The netvsc driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory. CVE-2024-36911 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: core: reject skb_copy(_expand) for fraglist GSO skbs SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become invalid. Return NULL if such an skb is passed to skb_copy or skb_copy_expand, in order to prevent a crash on a potential later call to skb_gso_segment. CVE-2024-36929 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). syzbot triggered various splats (see [0] and links) by a crafted GSO packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols: ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls skb_mac_gso_segment() to invoke inner protocol GSO handlers. nsh_gso_segment() does the following for the original skb before calling skb_mac_gso_segment() 1. reset skb->network_header 2. save the original skb->{mac_heaeder,mac_len} in a local variable 3. pull the NSH header 4. resets skb->mac_header 5. set up skb->mac_len and skb->protocol for the inner protocol. and does the following for the segmented skb 6. set ntohs(ETH_P_NSH) to skb->protocol 7. push the NSH header 8. restore skb->mac_header 9. set skb->mac_header + mac_len to skb->network_header 10. restore skb->mac_len There are two problems in 6-7 and 8-9. (a) After 6 & 7, skb->data points to the NSH header, so the outer header (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev. Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH), skb_pull() in the first nsh_gso_segment() will make skb->data point to the middle of the outer NSH or Ethernet header because the Ethernet header is not pulled by the second nsh_gso_segment(). (b) While restoring skb->{mac_header,network_header} in 8 & 9, nsh_gso_segment() does not assume that the data in the linear buffer is shifted. However, udp6_ufo_fragment() could shift the data and change skb->mac_header accordingly as demonstrated by syzbot. If this happens, even the restored skb->mac_header points to the middle of the outer header. It seems nsh_gso_segment() has never worked with outer headers so far. At the end of nsh_gso_segment(), the outer header must be restored for the segmented skb, instead of the NSH header. To do that, let's calculate the outer header position relatively from the inner header and set skb->{data,mac_header,protocol} properly. [0]: BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline] BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668 ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668 ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222 __netdev_start_xmit include/linux/netdevice.h:4989 [inline] netdev_start_xmit include/linux/netdevice.h:5003 [inline] xmit_one net/core/dev.c:3547 [inline] dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563 __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351 dev_queue_xmit include/linux/netdevice.h:3171 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook mm/slub.c:3819 [inline] slab_alloc_node mm/slub.c:3860 [inline] __do_kmalloc_node mm/slub.c:3980 [inline] __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 __ ---truncated--- CVE-2024-36933 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfs: Handle error of rpc_proc_register() in nfs_net_init(). syzkaller reported a warning [0] triggered while destroying immature netns. rpc_proc_register() was called in init_nfs_fs(), but its error has been ignored since at least the initial commit 1da177e4c3f4 ("Linux-2.6.12-rc2"). Recently, commit d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces") converted the procfs to per-netns and made the problem more visible. Even when rpc_proc_register() fails, nfs_net_init() could succeed, and thus nfs_net_exit() will be called while destroying the netns. Then, remove_proc_entry() will be called for non-existing proc directory and trigger the warning below. Let's handle the error of rpc_proc_register() properly in nfs_net_init(). [0]: name 'nfs' WARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711 Modules linked in: CPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711 Code: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb RSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c RDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc R13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8 FS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310 nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438 ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170 setup_net+0x46c/0x660 net/core/net_namespace.c:372 copy_net_ns+0x244/0x590 net/core/net_namespace.c:505 create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228 ksys_unshare+0x342/0x760 kernel/fork.c:3322 __do_sys_unshare kernel/fork.c:3393 [inline] __se_sys_unshare kernel/fork.c:3391 [inline] __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x7f30d0febe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 R13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000 </TASK> CVE-2024-36939 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr() vgic_v2_parse_attr() is responsible for finding the vCPU that matches the user-provided CPUID, which (of course) may not be valid. If the ID is invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled gracefully. Similar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id() actually returns something and fail the ioctl if not. CVE-2024-36953 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: Use request_module_nowait This appears to work around a deadlock regression that came in with the LED merge in 6.9. The deadlock happens on my system with 24 iwlwifi radios, so maybe it something like all worker threads are busy and some work that needs to complete cannot complete. [also remove unnecessary "load_module" var and now-wrong comment] CVE-2024-36970 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: mst: fix vlan use-after-free syzbot reported a suspicious rcu usage[1] in bridge's mst code. While fixing it I noticed that nothing prevents a vlan to be freed while walking the list from the same path (br forward delay timer). Fix the rcu usage and also make sure we are not accessing freed memory by making br_mst_vlan_set_state use rcu read lock. [1] WARNING: suspicious RCU usage 6.9.0-rc6-syzkaller #0 Not tainted ----------------------------- net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage! ... stack backtrace: CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nbp_vlan_group net/bridge/br_private.h:1599 [inline] br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105 br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47 br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429 run_timer_base kernel/time/timer.c:2438 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448 __do_softirq+0x2c6/0x980 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758 Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25 RSP: 0018:ffffc90013657100 EFLAGS: 00000206 RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001 RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60 RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0 R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28 R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246 CVE-2024-36979 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-38538 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is assigned to mhdp_state->current_mode, and there is a dereference of it in drm_mode_set_name(), which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Fix this bug add a check of mhdp_state->current_mode. CVE-2024-38548 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix potential memory leakage when reading chip temperature Without this commit, reading chip temperature will cause memory leakage. CVE-2024-38563 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg A data-race condition has been identified in af_unix. In one data path, the write function unix_release_sock() atomically writes to sk->sk_shutdown using WRITE_ONCE. However, on the reader side, unix_stream_sendmsg() does not read it atomically. Consequently, this issue is causing the following KCSAN splat to occur: BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28: unix_release_sock (net/unix/af_unix.c:640) unix_release (net/unix/af_unix.c:1050) sock_close (net/socket.c:659 net/socket.c:1421) __fput (fs/file_table.c:422) __fput_sync (fs/file_table.c:508) __se_sys_close (fs/open.c:1559 fs/open.c:1541) __x64_sys_close (fs/open.c:1541) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14: unix_stream_sendmsg (net/unix/af_unix.c:2273) __sock_sendmsg (net/socket.c:730 net/socket.c:745) ____sys_sendmsg (net/socket.c:2584) __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x01 -> 0x03 The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7"). Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.") addressed a comparable issue in the past regarding sk->sk_shutdown. However, it overlooked resolving this particular data path. This patch only offending unix_stream_sendmsg() function, since the other reads seem to be protected by unix_state_lock() as discussed in CVE-2024-38596 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: connac: check for null before dereferencing The wcid can be NULL. It should be checked for validity before dereferencing it to avoid crash. CVE-2024-38609 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/pci: fix potential memory leak in vfio_intx_enable() If vfio_irq_ctx_alloc() failed will lead to 'name' memory leak. CVE-2024-38632 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Allow delete from sockmap/sockhash only if update is allowed We have seen an influx of syzkaller reports where a BPF program attached to a tracepoint triggers a locking rule violation by performing a map_delete on a sockmap/sockhash. We don't intend to support this artificial use scenario. Extend the existing verifier allowed-program-type check for updating sockmap/sockhash to also cover deleting from a map. From now on only BPF programs which were previously allowed to update sockmap/sockhash can delete from these map types. CVE-2024-38662 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING Xiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with small possibility, the root cause is exactly the same as commit bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"") However, Dan reported another hang after that, and junxiao investigated the problem and found out that this is caused by plugged bio can't issue from raid5d(). Current implementation in raid5d() has a weird dependence: 1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear MD_SB_CHANGE_PENDING; 2) raid5d() handles IO in a deadloop, until all IO are issued; 3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared; This behaviour is introduce before v2.6, and for consequence, if other context hold 'reconfig_mutex', and md_check_recovery() can't update super_block, then raid5d() will waste one cpu 100% by the deadloop, until 'reconfig_mutex' is released. Refer to the implementation from raid1 and raid10, fix this problem by skipping issue IO if MD_SB_CHANGE_PENDING is still set after md_check_recovery(), daemon thread will be woken up when 'reconfig_mutex' is released. Meanwhile, the hang problem will be fixed as well. CVE-2024-39476 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked When requesting an NMI window, WARN on vNMI support being enabled if and only if NMIs are actually masked, i.e. if the vCPU is already handling an NMI. KVM's ABI for NMIs that arrive simultanesouly (from KVM's point of view) is to inject one NMI and pend the other. When using vNMI, KVM pends the second NMI simply by setting V_NMI_PENDING, and lets the CPU do the rest (hardware automatically sets V_NMI_BLOCKING when an NMI is injected). However, if KVM can't immediately inject an NMI, e.g. because the vCPU is in an STI shadow or is running with GIF=0, then KVM will request an NMI window and trigger the WARN (but still function correctly). Whether or not the GIF=0 case makes sense is debatable, as the intent of KVM's behavior is to provide functionality that is as close to real hardware as possible. E.g. if two NMIs are sent in quick succession, the probability of both NMIs arriving in an STI shadow is infinitesimally low on real hardware, but significantly larger in a virtual environment, e.g. if the vCPU is preempted in the STI shadow. For GIF=0, the argument isn't as clear cut, because the window where two NMIs can collide is much larger in bare metal (though still small). That said, KVM should not have divergent behavior for the GIF=0 case based on whether or not vNMI support is enabled. And KVM has allowed simultaneous NMIs with GIF=0 for over a decade, since commit 7460fb4a3400 ("KVM: Fix simultaneous NMIs"). I.e. KVM's GIF=0 handling shouldn't be modified without a *really* good reason to do so, and if KVM's behavior were to be modified, it should be done irrespective of vNMI support. CVE-2024-39483 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text) CVE-2024-39484 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/drm_file: Fix pid refcounting race <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de> filp->pid is supposed to be a refcounted pointer; however, before this patch, drm_file_update_pid() only increments the refcount of a struct pid after storing a pointer to it in filp->pid and dropping the dev->filelist_mutex, making the following race possible: process A process B ========= ========= begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid B>, 1) mutex_unlock(&dev->filelist_mutex) begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid A>, 1) mutex_unlock(&dev->filelist_mutex) get_pid(<pid A>) synchronize_rcu() put_pid(<pid B>) *** pid B reaches refcount 0 and is freed here *** get_pid(<pid B>) *** UAF *** synchronize_rcu() put_pid(<pid A>) As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y because it requires RCU to detect a quiescent state in code that is not explicitly calling into the scheduler. This race leads to use-after-free of a "struct pid". It is probably somewhat hard to hit because process A has to pass through a synchronize_rcu() operation while process B is between mutex_unlock() and get_pid(). Fix it by ensuring that by the time a pointer to the current task's pid is stored in the file, an extra reference to the pid has been taken. This fix also removes the condition for synchronize_rcu(); I think that optimization is unnecessary complexity, since in that case we would usually have bailed out on the lockless check above. CVE-2024-39486 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY When CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes to bug_table entries, and as a result the last entry in a bug table will be ignored, potentially leading to an unexpected panic(). All prior entries in the table will be handled correctly. The arm64 ABI requires that struct fields of up to 8 bytes are naturally-aligned, with padding added within a struct such that struct are suitably aligned within arrays. When CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is: struct bug_entry { signed int bug_addr_disp; // 4 bytes signed int file_disp; // 4 bytes unsigned short line; // 2 bytes unsigned short flags; // 2 bytes } ... with 12 bytes total, requiring 4-byte alignment. When CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is: struct bug_entry { signed int bug_addr_disp; // 4 bytes unsigned short flags; // 2 bytes < implicit padding > // 2 bytes } ... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing padding, requiring 4-byte alginment. When we create a bug_entry in assembly, we align the start of the entry to 4 bytes, which implicitly handles padding for any prior entries. However, we do not align the end of the entry, and so when CONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding bytes. For the main kernel image this is not a problem as find_bug() doesn't depend on the trailing padding bytes when searching for entries: for (bug = __start___bug_table; bug < __stop___bug_table; ++bug) if (bugaddr == bug_addr(bug)) return bug; However for modules, module_bug_finalize() depends on the trailing bytes when calculating the number of entries: mod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry); ... and as the last bug_entry lacks the necessary padding bytes, this entry will not be counted, e.g. in the case of a single entry: sechdrs[i].sh_size == 6 sizeof(struct bug_entry) == 8; sechdrs[i].sh_size / sizeof(struct bug_entry) == 0; Consequently module_find_bug() will miss the last bug_entry when it does: for (i = 0; i < mod->num_bugs; ++i, ++bug) if (bugaddr == bug_addr(bug)) goto out; ... which can lead to a kenrel panic due to an unhandled bug. This can be demonstrated with the following module: static int __init buginit(void) { WARN(1, "hello\n"); return 0; } static void __exit bugexit(void) { } module_init(buginit); module_exit(bugexit); MODULE_LICENSE("GPL"); ... which will trigger a kernel panic when loaded: ------------[ cut here ]------------ hello Unexpected kernel BRK exception at EL1 Internal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: hello(O+) CPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8 Hardware name: linux,dummy-virt (DT) pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : buginit+0x18/0x1000 [hello] lr : buginit+0x18/0x1000 [hello] sp : ffff800080533ae0 x29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000 x26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58 x23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0 x20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006 x17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720 x14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312 x11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8 x8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000 x5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0 Call trace: buginit+0x18/0x1000 [hello] do_one_initcall+0x80/0x1c8 do_init_module+0x60/0x218 load_module+0x1ba4/0x1d70 __do_sys_init_module+0x198/0x1d0 __arm64_sys_init_module+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc ---truncated--- CVE-2024-39488 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix memleak in seg6_hmac_init_algo seg6_hmac_init_algo returns without cleaning up the previous allocations if one fails, so it's going to leak all that memory and the crypto tfms. Update seg6_hmac_exit to only free the memory when allocated, so we can reuse the code directly. CVE-2024-39489 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance The cs_dsp instance is initialized in the driver probe() so it should be freed in the driver remove(). Also fix a missing call to cs_dsp_remove() in the error path of cs35l56_hda_common_probe(). The call to cs_dsp_remove() was being done in the component unbind callback cs35l56_hda_unbind(). This meant that if the driver was unbound and then re-bound it would be using an uninitialized cs_dsp instance. It is best to initialize the cs_dsp instance in probe() so that it can return an error if it fails. The component binding API doesn't have any error handling so there's no way to handle a failure if cs_dsp was initialized in the bind. CVE-2024-39491 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak Using completion_done to determine whether the caller has gone away only works after a complete call. Furthermore it's still possible that the caller has not yet called wait_for_completion, resulting in another potential UAF. Fix this by making the caller use cancel_work_sync and then freeing the memory safely. CVE-2024-39493 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot: BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags)); Return -EINVAL early if COW mapping is detected. This bug affects all drm drivers using default shmem helpers. It can be reproduced by this simple example: void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset); ptr[0] = 0; CVE-2024-39497 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: vmci: prevent speculation leaks by sanitizing event in event_deliver() Coverity spotted that event_msg is controlled by user-space, event_msg->event_data.event is passed to event_deliver() and used as an index without sanitization. This change ensures that the event index is sanitized to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Only compile tested, no access to HW. CVE-2024-39499 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-39501 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/komeda: check for error-valued pointer komeda_pipeline_get_state() may return an error-valued pointer, thus check the pointer for negative or null value before dereferencing. CVE-2024-39505 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference. lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info ...search in the dispatch_list... ->disp_fn(rdisp->rinfo, ...) lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...) In this path there is no code which sets pg_info->page to NULL. So this check looks unneeded and doesn't solve potential problem. But I guess the author had reason to add a check and I have no such card and can't do real test. In addition, the code in the function liquidio_push_packet() in liquidio/lio_core.c does exactly the same. Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skb_add_rx_frag() into conditional scope. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-39506 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq to address potential data races. The structure io_worker->flags may be accessed through various data paths, leading to concurrency issues. When KCSAN is enabled, it reveals data races occurring in io_worker_handle_work and io_wq_activate_free_worker functions. BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28: io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569) io_wq_worker (io_uring/io-wq.c:?) <snip> read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5: io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285) io_wq_enqueue (io_uring/io-wq.c:947) io_queue_iowq (io_uring/io_uring.c:524) io_req_task_submit (io_uring/io_uring.c:1511) io_handle_tw_list (io_uring/io_uring.c:1198) <snip> Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm"). These races involve writes and reads to the same memory location by different tasks running on different CPUs. To mitigate this, refactor the code to use atomic operations such as set_bit(), test_bit(), and clear_bit() instead of basic "and" and "or" operations. This ensures thread-safe manipulation of worker flags. Also, move `create_index` to avoid holes in the structure. CVE-2024-39508 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: core: remove unnecessary WARN_ON() in implement() Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... CVE-2024-39509 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60 Read of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963 CPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564 Call Trace: kasan_report+0x93/0xc0 cachefiles_ondemand_daemon_read+0xb41/0xb60 vfs_read+0x169/0xb50 ksys_read+0xf5/0x1e0 Allocated by task 116: kmem_cache_alloc+0x140/0x3a0 cachefiles_lookup_cookie+0x140/0xcd0 fscache_cookie_state_machine+0x43c/0x1230 [...] Freed by task 792: kmem_cache_free+0xfe/0x390 cachefiles_put_object+0x241/0x480 fscache_cookie_state_machine+0x5c8/0x1230 [...] ================================================================== Following is the process that triggers the issue: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_withdraw_cookie cachefiles_ondemand_clean_object(object) cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req msg->object_id = req->object->ondemand->ondemand_id ------ restore ------ cachefiles_ondemand_restore xas_for_each(&xas, req, ULONG_MAX) xas_set_mark(&xas, CACHEFILES_REQ_NEW) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req copy_to_user(_buffer, msg, n) xa_erase(&cache->reqs, id) complete(&REQ_A->done) ------ close(fd) ------ cachefiles_ondemand_fd_release cachefiles_put_object cachefiles_put_object kmem_cache_free(cachefiles_object_jar, object) REQ_A->object->ondemand->ondemand_id // object UAF !!! When we see the request within xa_lock, req->object must not have been freed yet, so grab the reference count of object before xa_unlock to avoid the above issue. CVE-2024-39510 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings. CVE-2024-39908 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libruby2_5-2_5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-stdlib-2.5.9-150000.4.32.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0 Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962 CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542 Call Trace: kasan_report+0x94/0xc0 cachefiles_ondemand_daemon_read+0x609/0xab0 vfs_read+0x169/0xb50 ksys_read+0xf5/0x1e0 Allocated by task 626: __kmalloc+0x1df/0x4b0 cachefiles_ondemand_send_req+0x24d/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] Freed by task 626: kfree+0xf1/0x2c0 cachefiles_ondemand_send_req+0x568/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] ================================================================== Following is the process that triggers the issue: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req cachefiles_ondemand_get_fd copy_to_user(_buffer, msg, n) process_open_req(REQ_A) ------ restore ------ cachefiles_ondemand_restore xas_for_each(&xas, req, ULONG_MAX) xas_set_mark(&xas, CACHEFILES_REQ_NEW); cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req write(devfd, ("copen %u,%llu", msg->msg_id, size)); cachefiles_ondemand_copen xa_erase(&cache->reqs, id) complete(&REQ_A->done) kfree(REQ_A) cachefiles_ondemand_get_fd(REQ_A) fd = get_unused_fd_flags file = anon_inode_getfile fd_install(fd, file) load = (void *)REQ_A->msg.data; load->fd = fd; // load UAF !!! This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefiles_req, which is held while waiting and reading, and then released when the waiting and reading is over. Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray. CVE-2024-40899 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: remove requests from xarray during flushing requests Even with CACHEFILES_DEAD set, we can still read the requests, so in the following concurrency the request may be used after it has been freed: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read // close dev fd cachefiles_flush_reqs complete(&REQ_A->done) kfree(REQ_A) xa_lock(&cache->reqs); cachefiles_ondemand_select_req req->msg.opcode != CACHEFILES_OP_READ // req use-after-free !!! xa_unlock(&cache->reqs); xa_destroy(&cache->reqs) Hence remove requests from cache->reqs when flushing them to avoid accessing freed requests. CVE-2024-40900 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log. CVE-2024-40902 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps There could be a potential use-after-free case in tcpm_register_source_caps(). This could happen when: * new (say invalid) source caps are advertised * the existing source caps are unregistered * tcpm_register_source_caps() returns with an error as usb_power_delivery_register_capabilities() fails This causes port->partner_source_caps to hold on to the now freed source caps. Reset port->partner_source_caps value to NULL after unregistering existing source caps. CVE-2024-40903 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup: cdc_wdm 1-1:1.0: nonzero urb status received: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625] CPU#0 Utilization every 4s during lockup: #1: 98% system, 0% softirq, 3% hardirq, 0% idle #2: 98% system, 0% softirq, 3% hardirq, 0% idle #3: 98% system, 0% softirq, 3% hardirq, 0% idle #4: 98% system, 0% softirq, 3% hardirq, 0% idle #5: 98% system, 1% softirq, 3% hardirq, 0% idle Modules linked in: irq event stamp: 73096 hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline] hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994 hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline] softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582 softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588 CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Testing showed that the problem did not occur if the two error messages -- the first two lines above -- were removed; apparently adding material to the kernel log takes a surprisingly large amount of time. In any case, the best approach for preventing these lockups and to avoid spamming the log with thousands of error messages per second is to ratelimit the two dev_err() calls. Therefore we replace them with dev_err_ratelimited(). CVE-2024-40904 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible race in __fib6_drop_pcpu_from() syzbot found a race in __fib6_drop_pcpu_from() [1] If compiler reads more than once (*ppcpu_rt), second read could read NULL, if another cpu clears the value in rt6_get_pcpu_route(). Add a READ_ONCE() to prevent this race. Also add rcu_read_lock()/rcu_read_unlock() because we rely on RCU protection while dereferencing pcpu_rt. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097] CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Workqueue: netns cleanup_net RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984 Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48 RSP: 0018:ffffc900040df070 EFLAGS: 00010206 RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16 RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091 RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8 R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline] fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline] fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038 fib6_del_route net/ipv6/ip6_fib.c:1998 [inline] fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043 fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205 fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127 fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175 fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255 __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271 rt6_sync_down_dev net/ipv6/route.c:4906 [inline] rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911 addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855 addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992 call_netdevice_notifiers_extack net/core/dev.c:2030 [inline] call_netdevice_notifiers net/core/dev.c:2044 [inline] dev_close_many+0x333/0x6a0 net/core/dev.c:1585 unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193 unregister_netdevice_many net/core/dev.c:11276 [inline] default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CVE-2024-40905 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release(). CVE-2024-40910 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Lock wiphy in cfg80211_get_station Wiphy should be locked before calling rdev_get_station() (see lockdep assert in ieee80211_get_station()). This fixes the following kernel NULL dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000 [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] SMP Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705 Hardware name: RPT (r1) (DT) Workqueue: bat_events batadv_v_elp_throughput_metric_update pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core] lr : sta_set_sinfo+0xcc/0xbd4 sp : ffff000007b43ad0 x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98 x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000 x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000 x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000 x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000 x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90 x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000 Call trace: ath10k_sta_statistics+0x10/0x2dc [ath10k_core] sta_set_sinfo+0xcc/0xbd4 ieee80211_get_station+0x2c/0x44 cfg80211_get_station+0x80/0x154 batadv_v_elp_get_throughput+0x138/0x1fc batadv_v_elp_throughput_metric_update+0x1c/0xa4 process_one_work+0x1ec/0x414 worker_thread+0x70/0x46c kthread+0xdc/0xe0 ret_from_fork+0x10/0x20 Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814) This happens because STA has time to disconnect and reconnect before batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In this situation, ath10k_sta_state() can be in the middle of resetting arsta data when the work queue get chance to be scheduled and ends up accessing it. Locking wiphy prevents that. CVE-2024-40911 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from softirq context. However using only spin_lock() to get sta->ps_lock in ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to take this same lock ending in deadlock. Below is an example of rcu stall that arises in such situation. rcu: INFO: rcu_sched self-detected stall on CPU rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996 rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4) CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742 Hardware name: RPT (r1) (DT) pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : queued_spin_lock_slowpath+0x58/0x2d0 lr : invoke_tx_handlers_early+0x5b4/0x5c0 sp : ffff00001ef64660 x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8 x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80 x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440 x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880 x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 Call trace: queued_spin_lock_slowpath+0x58/0x2d0 ieee80211_tx+0x80/0x12c ieee80211_tx_pending+0x110/0x278 tasklet_action_common.constprop.0+0x10c/0x144 tasklet_action+0x20/0x28 _stext+0x11c/0x284 ____do_softirq+0xc/0x14 call_on_irq_stack+0x24/0x34 do_softirq_own_stack+0x18/0x20 do_softirq+0x74/0x7c __local_bh_enable_ip+0xa0/0xa4 _ieee80211_wake_txqs+0x3b0/0x4b8 __ieee80211_wake_queue+0x12c/0x168 ieee80211_add_pending_skbs+0xec/0x138 ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480 ieee80211_mps_sta_status_update.part.0+0xd8/0x11c ieee80211_mps_sta_status_update+0x18/0x24 sta_apply_parameters+0x3bc/0x4c0 ieee80211_change_station+0x1b8/0x2dc nl80211_set_station+0x444/0x49c genl_family_rcv_msg_doit.isra.0+0xa4/0xfc genl_rcv_msg+0x1b0/0x244 netlink_rcv_skb+0x38/0x10c genl_rcv+0x34/0x48 netlink_unicast+0x254/0x2bc netlink_sendmsg+0x190/0x3b4 ____sys_sendmsg+0x1e8/0x218 ___sys_sendmsg+0x68/0x8c __sys_sendmsg+0x44/0x84 __arm64_sys_sendmsg+0x20/0x28 do_el0_svc+0x6c/0xe8 el0_svc+0x14/0x48 el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x14c/0x150 Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise on the same CPU that is holding the lock. CVE-2024-40912 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: defer exposing anon_fd until after copy_to_user() succeeds After installing the anonymous fd, we can now see it in userland and close it. However, at this point we may not have gotten the reference count of the cache, but we will put it during colse fd, so this may cause a cache UAF. So grab the cache reference count before fd_install(). In addition, by kernel convention, fd is taken over by the user land after fd_install(), and the kernel should not call close_fd() after that, i.e., it should call fd_install() after everything is ready, thus fd_install() is called after copy_to_user() succeeds. CVE-2024-40913 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found When reading EDID fails and driver reports no modes available, the DRM core adds an artificial 1024x786 mode to the connector. Unfortunately some variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not able to drive such mode, so report a safe 640x480 mode instead of nothing in case of the EDID reading failure. This fixes the following issue observed on Trats2 board since commit 13d5b040363c ("drm/exynos: do not return negative values from .get_modes()"): [drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations exynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops) exynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops) exynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b) exynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops) exynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops) [drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1 exynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state panel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c exynos-mixer 12c10000.mixer: timeout waiting for VSYNC ------------[ cut here ]------------ WARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8 [CRTC:70:crtc-1] vblank wait timed out Modules linked in: CPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events_unbound deferred_probe_work_func Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x68/0x88 dump_stack_lvl from __warn+0x7c/0x1c4 __warn from warn_slowpath_fmt+0x11c/0x1a8 warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8 drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184 commit_tail from drm_atomic_helper_commit+0x168/0x190 drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0 drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40 drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4 __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c drm_fb_helper_set_par from fbcon_init+0x3d8/0x550 fbcon_init from visual_init+0xc0/0x108 visual_init from do_bind_con_driver+0x1b8/0x3a4 do_bind_con_driver from do_take_over_console+0x140/0x1ec do_take_over_console from do_fbcon_takeover+0x70/0xd0 do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac fbcon_fb_registered from register_framebuffer+0x190/0x21c register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574 __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0 exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94 drm_client_register from exynos_drm_bind+0x160/0x190 exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8 try_to_bring_up_aggregate_device from __component_add+0xb0/0x170 __component_add from mixer_probe+0x74/0xcc mixer_probe from platform_probe+0x5c/0xb8 platform_probe from really_probe+0xe0/0x3d8 really_probe from __driver_probe_device+0x9c/0x1e4 __driver_probe_device from driver_probe_device+0x30/0xc0 driver_probe_device from __device_attach_driver+0xa8/0x120 __device_attach_driver from bus_for_each_drv+0x80/0xcc bus_for_each_drv from __device_attach+0xac/0x1fc __device_attach from bus_probe_device+0x8c/0x90 bus_probe_device from deferred_probe_work_func+0 ---truncated--- CVE-2024-40916 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: mst: fix suspicious rcu usage in br_mst_set_state I converted br_mst_set_state to RCU to avoid a vlan use-after-free but forgot to change the vlan group dereference helper. Switch to vlan group RCU deref helper to fix the suspicious rcu usage warning. CVE-2024-40920 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state Pass the already obtained vlan group pointer to br_mst_vlan_set_state() instead of dereferencing it again. Each caller has already correctly dereferenced it for their context. This change is required for the following suspicious RCU dereference fix. No functional changes intended. CVE-2024-40921 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: don't lock while !TASK_RUNNING There is a report of io_rsrc_ref_quiesce() locking a mutex while not TASK_RUNNING, which is due to forgetting restoring the state back after io_run_task_work_sig() and attempts to break out of the waiting loop. do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff815d2494>] prepare_to_wait+0xa4/0x380 kernel/sched/wait.c:237 WARNING: CPU: 2 PID: 397056 at kernel/sched/core.c:10099 __might_sleep+0x114/0x160 kernel/sched/core.c:10099 RIP: 0010:__might_sleep+0x114/0x160 kernel/sched/core.c:10099 Call Trace: <TASK> __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0xb4/0x940 kernel/locking/mutex.c:752 io_rsrc_ref_quiesce+0x590/0x940 io_uring/rsrc.c:253 io_sqe_buffers_unregister+0xa2/0x340 io_uring/rsrc.c:799 __io_uring_register io_uring/register.c:424 [inline] __do_sys_io_uring_register+0x5b9/0x2400 io_uring/register.c:613 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6f/0x77 CVE-2024-40922 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: drm/i915/dpt: Make DPT object unshrinkable In some scenarios, the DPT object gets shrunk but the actual framebuffer did not and thus its still there on the DPT's vm->bound_list. Then it tries to rewrite the PTEs via a stale CPU mapping. This causes panic. [vsyrjala: Add TODO comment] (cherry picked from commit 51064d471c53dcc8eddd2333c3f1c1d9131ba36c) CVE-2024-40924 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: don't attempt to schedule hpd_work on headless cards If the card doesn't have display hardware, hpd_work and hpd_lock are left uninitialized which causes BUG when attempting to schedule hpd_work on runtime PM resume. Fix it by adding headless flag to DRM and skip any hpd if it's set. CVE-2024-40926 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: xhci: Handle TD clearing for multiple streams case When multiple streams are in use, multiple TDs might be in flight when an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for each, to ensure everything is reset properly and the caches cleared. Change the logic so that any N>1 TDs found active for different streams are deferred until after the first one is processed, calling xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to queue another command until we are done with all of them. Also change the error/"should never happen" paths to ensure we at least clear any affected TDs, even if we can't issue a command to clear the hardware cache, and complain loudly with an xhci_warn() if this ever happens. This problem case dates back to commit e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.") early on in the XHCI driver's life, when stream support was first added. It was then identified but not fixed nor made into a warning in commit 674f8438c121 ("xhci: split handling halted endpoints into two steps"), which added a FIXME comment for the problem case (without materially changing the behavior as far as I can tell, though the new logic made the problem more obvious). Then later, in commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs."), it was acknowledged again. [Mathias: commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.") was a targeted regression fix to the previously mentioned patch. Users reported issues with usb stuck after unmounting/disconnecting UAS devices. This rolled back the TD clearing of multiple streams to its original state.] Apparently the commit author was aware of the problem (yet still chose to submit it): It was still mentioned as a FIXME, an xhci_dbg() was added to log the problem condition, and the remaining issue was mentioned in the commit description. The choice of making the log type xhci_dbg() for what is, at this point, a completely unhandled and known broken condition is puzzling and unfortunate, as it guarantees that no actual users would see the log in production, thereby making it nigh undebuggable (indeed, even if you turn on DEBUG, the message doesn't really hint at there being a problem at all). It took me *months* of random xHC crashes to finally find a reliable repro and be able to do a deep dive debug session, which could all have been avoided had this unhandled, broken condition been actually reported with a warning, as it should have been as a bug intentionally left in unfixed (never mind that it shouldn't have been left in at all). > Another fix to solve clearing the caches of all stream rings with > cancelled TDs is needed, but not as urgent. 3 years after that statement and 14 years after the original bug was introduced, I think it's finally time to fix it. And maybe next time let's not leave bugs unfixed (that are actually worse than the original bug), and let's actually get people to review kernel commits please. Fixes xHC crashes and IOMMU faults with UAS devices when handling errors/faults. Easiest repro is to use `hdparm` to mark an early sector (e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop. At least in the case of JMicron controllers, the read errors end up having to cancel two TDs (for two queued requests to different streams) and the one that didn't get cleared properly ends up faulting the xHC entirely when it tries to access DMA pages that have since been unmapped, referred to by the stale TDs. This normally happens quickly (after two or three loops). After this fix, I left the `cat` in a loop running overnight and experienced no xHC failures, with all read errors recovered properly. Repro'd and tested on an Apple M1 Mac Mini (dwc3 host). On systems without an IOMMU, this bug would instead silently corrupt freed memory, making this a ---truncated--- CVE-2024-40927 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first. CVE-2024-40929 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: validate HE operation element parsing Validate that the HE operation element has the correct length before parsing it. CVE-2024-40930 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/exynos/vidi: fix memory leak in .get_modes() The duplicated EDID is never freed. Fix it. CVE-2024-40932 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Fix a memory leak on logi_dj_recv_send_report() error path. CVE-2024-40934 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cxl/region: Fix memregion leaks in devm_cxl_add_region() Move the mode verification to __create_region() before allocating the memregion to avoid the memregion leaks. CVE-2024-40936 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: landlock: Fix d_parent walk The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when trying to link a root mount point. This cannot work in practice because this directory is mounted, but the VFS check is done after the call to security_path_link(). Do not use source directory's d_parent when the source directory is the mount point. [mic: Fix commit message] CVE-2024-40938 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: wwan: iosm: Fix tainted pointer delete is case of region creation fail In case of region creation fail in ipc_devlink_create_region(), previously created regions delete process starts from tainted pointer which actually holds error code value. Fix this bug by decreasing region index before delete. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-40939 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't read past the mfuart notifcation In case the firmware sends a notification that claims it has more data than it has, we will read past that was allocated for the notification. Remove the print of the buffer, we won't see it by default. If needed, we can see the content with tracing. This was reported by KFENCE. CVE-2024-40941 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects The hwmp code use objects of type mesh_preq_queue, added to a list in ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath gets deleted, ex mesh interface is removed, the entries in that list will never get cleaned. Fix this by flushing all corresponding items of the preq_queue in mesh_path_flush_pending(). This should take care of KASAN reports like this: unreferenced object 0xffff00000668d800 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s) hex dump (first 32 bytes): 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>........... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 unreferenced object 0xffff000009051f00 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s) hex dump (first 32 bytes): 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy..... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 CVE-2024-40942 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix races between hole punching and AIO+DIO After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block", fstests/generic/300 become from always failed to sometimes failed: ======================================================================== [ 473.293420 ] run fstests generic/300 [ 475.296983 ] JBD2: Ignoring recovery information on journal [ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode. [ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found [ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted. [ 494.292018 ] OCFS2: File system is now read-only. [ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30 [ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3 fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072 ========================================================================= In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten extents to a list. extents are also inserted into extent tree in ocfs2_write_begin_nolock. Then another thread call fallocate to puch a hole at one of the unwritten extent. The extent at cpos was removed by ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list found there is no such extent at the cpos. T1 T2 T3 inode lock ... insert extents ... inode unlock ocfs2_fallocate __ocfs2_change_file_space inode lock lock ip_alloc_sem ocfs2_remove_inode_range inode ocfs2_remove_btree_range ocfs2_remove_extent ^---remove the extent at cpos 78723 ... unlock ip_alloc_sem inode unlock ocfs2_dio_end_io ocfs2_dio_end_io_write lock ip_alloc_sem ocfs2_mark_extent_written ocfs2_change_extent_flag ocfs2_search_extent_list ^---failed to find extent ... unlock ip_alloc_sem In most filesystems, fallocate is not compatible with racing with AIO+DIO, so fix it by adding to wait for all dio before fallocate/punch_hole like ext4. CVE-2024-40943 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Fix bug with call depth tracking The call to cc_platform_has() triggers a fault and system crash if call depth tracking is active because the GS segment has been reset by load_segments() and GS_BASE is now 0 but call depth tracking uses per-CPU variables to operate. Call cc_platform_has() earlier in the function when GS is still valid. [ bp: Massage. ] CVE-2024-40944 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu: Return right value in iommu_sva_bind_device() iommu_sva_bind_device() should return either a sva bond handle or an ERR_PTR value in error cases. Existing drivers (idxd and uacce) only check the return value with IS_ERR(). This could potentially lead to a kernel NULL pointer dereference issue if the function returns NULL instead of an error pointer. In reality, this doesn't cause any problems because iommu_sva_bind_device() only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA. In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will return an error, and the device drivers won't call iommu_sva_bind_device() at all. CVE-2024-40945 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: do not leave a dangling sk pointer, when socket creation fails It is possible to trigger a use-after-free by: * attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper * running traceroute -I 1.1.1.1 on a freshly booted VM A KASAN enabled kernel will log something like below (decoded and stripped): ================================================================== BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) Read of size 8 at addr ffff888007110dd8 by task traceroute/299 CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_report (mm/kasan/report.c:603) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092) bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e bpf_trampoline_6442506592+0x47/0xaf __sock_release (net/socket.c:652) __sock_create (net/socket.c:1601) ... Allocated by task 299 on cpu 2 at 78.328492s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007) sk_prot_alloc (net/core/sock.c:2075) sk_alloc (net/core/sock.c:2134) inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Freed by task 299 on cpu 2 at 78.328502s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) kasan_save_free_info (mm/kasan/generic.c:582) poison_slab_object (mm/kasan/common.c:242) __kasan_slab_free (mm/kasan/common.c:256) kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511) __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208) inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by clearing the struct socket reference in sk_common_release() to cover all protocol families create functions, which may already attached the reference to the sk object with sock_init_data(). CVE-2024-40954 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance may cause issue for the list iterator when the descriptor is reused by another thread without it being deleted from the list. CVE-2024-40956 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for PREROUTING hook, in PREROUTING hook, we should passing a valid indev, and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer dereference, as below: [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090 [74830.655633] #PF: supervisor read access in kernel mode [74830.657888] #PF: error_code(0x0000) - not-present page [74830.659500] PGD 0 P4D 0 [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI ... [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter] ... [74830.689725] Call Trace: [74830.690402] <IRQ> [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables] [74830.694275] ? __die_body.cold+0x8/0xd [74830.695205] ? page_fault_oops+0xac/0x140 [74830.696244] ? exc_page_fault+0x62/0x150 [74830.697225] ? asm_exc_page_fault+0x22/0x30 [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter] [74830.699540] ipt_do_table+0x286/0x710 [ip_tables] [74830.700758] ? ip6_route_input+0x19d/0x240 [74830.701752] nf_hook_slow+0x3f/0xb0 [74830.702678] input_action_end_dx4+0x19b/0x1e0 [74830.703735] ? input_action_end_t+0xe0/0xe0 [74830.704734] seg6_local_input_core+0x2d/0x60 [74830.705782] lwtunnel_input+0x5b/0xb0 [74830.706690] __netif_receive_skb_one_core+0x63/0xa0 [74830.707825] process_backlog+0x99/0x140 [74830.709538] __napi_poll+0x2c/0x160 [74830.710673] net_rx_action+0x296/0x350 [74830.711860] __do_softirq+0xcb/0x2ac [74830.713049] do_softirq+0x63/0x90 input_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally trigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback(): static bool rpfilter_is_loopback(const struct sk_buff *skb, const struct net_device *in) { // in is NULL return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK; } CVE-2024-40957 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netns: Make get_net_ns() handle zero refcount net Syzkaller hit a warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0 Modules linked in: CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0xdf/0x1d0 Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1 RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001 RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139 R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4 R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040 FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0xa3/0xc0 ? __warn+0xa5/0x1c0 ? refcount_warn_saturate+0xdf/0x1d0 ? report_bug+0x1fc/0x2d0 ? refcount_warn_saturate+0xdf/0x1d0 ? handle_bug+0xa1/0x110 ? exc_invalid_op+0x3c/0xb0 ? asm_exc_invalid_op+0x1f/0x30 ? __warn_printk+0xcc/0x140 ? __warn_printk+0xd5/0x140 ? refcount_warn_saturate+0xdf/0x1d0 get_net_ns+0xa4/0xc0 ? __pfx_get_net_ns+0x10/0x10 open_related_ns+0x5a/0x130 __tun_chr_ioctl+0x1616/0x2370 ? __sanitizer_cov_trace_switch+0x58/0xa0 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30 ? __pfx_tun_chr_ioctl+0x10/0x10 tun_chr_ioctl+0x2f/0x40 __x64_sys_ioctl+0x11b/0x160 x64_sys_call+0x1211/0x20d0 do_syscall_64+0x9e/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5b28f165d7 Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8 RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7 RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003 RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0 R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730 R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... This is trigger as below: ns0 ns1 tun_set_iff() //dev is tun0 tun->dev = dev //ip link set tun0 netns ns1 put_net() //ref is 0 __tun_chr_ioctl() //TUNGETDEVNETNS net = dev_net(tun->dev); open_related_ns(&net->ns, get_net_ns); //ns1 get_net_ns() get_net() //addition on 0 Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this CVE-2024-40958 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64 Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00 RSP: 0018:ffffc90000117378 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7 RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98 RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000 R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline] xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline] xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541 xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline] xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201 xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline] xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309 ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256 send6+0x611/0xd20 drivers/net/wireguard/socket.c:139 wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178 wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200 wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40 wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CVE-2024-40959 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind() The cs35l41_hda_unbind() function clears the hda_component entry matching it's index and then dereferences the codec pointer held in the first element of the hda_component array, this is an issue when the device index was 0. Instead use the codec pointer stashed in the cs35l41_hda structure as it will still be valid. CVE-2024-40964 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: lpi2c: Avoid calling clk_get_rate during transfer Instead of repeatedly calling clk_get_rate for each transfer, lock the clock rate and cache the value. A deadlock has been observed while adding tlv320aic32x4 audio codec to the system. When this clock provider adds its clock, the clk mutex is locked already, it needs to access i2c, which in return needs the mutex for clk_get_rate as well. CVE-2024-40965 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: imx: Introduce timeout when waiting on transmitter empty By waiting at most 1 second for USR2_TXDC to be set, we avoid a potential deadlock. In case of the timeout, there is not much we can do, so we simply ignore the transmitter state and optimistically try to continue. CVE-2024-40967 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: mtk-vcodec: potential null pointer deference in SCP The return value of devm_kzalloc() needs to be checked to avoid NULL pointer deference. This is similar to CVE-2022-3113. CVE-2024-40973 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/lima: mask irqs in timeout path before hard reset There is a race condition in which a rendering job might take just long enough to trigger the drm sched job timeout handler but also still complete before the hard reset is done by the timeout handler. This runs into race conditions not expected by the timeout handler. In some very specific cases it currently may result in a refcount imbalance on lima_pm_idle, with a stack dump such as: [10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0 ... [10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0 ... [10136.669628] Call trace: [10136.669634] lima_devfreq_record_idle+0xa0/0xb0 [10136.669646] lima_sched_pipe_task_done+0x5c/0xb0 [10136.669656] lima_gp_irq_handler+0xa8/0x120 [10136.669666] __handle_irq_event_percpu+0x48/0x160 [10136.669679] handle_irq_event+0x4c/0xc0 We can prevent that race condition entirely by masking the irqs at the beginning of the timeout handler, at which point we give up on waiting for that job entirely. The irqs will be enabled again at the next hard reset which is already done as a recovery by the timeout handler. CVE-2024-40976 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921s: fix potential hung tasks during chip recovery During chip recovery (e.g. chip reset), there is a possible situation that kernel worker reset_work is holding the lock and waiting for kernel thread stat_worker to be parked, while stat_worker is waiting for the release of the same lock. It causes a deadlock resulting in the dumping of hung tasks messages and possible rebooting of the device. This patch prevents the execution of stat_worker during the chip recovery. CVE-2024-40977 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix crash while reading debugfs attribute The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly on a __user pointer, which results into the crash. To fix this issue, use a small local stack buffer for sprintf() and then call simple_read_from_buffer(), which in turns make the copy_to_user() call. BUG: unable to handle page fault for address: 00007f4801111000 PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0 Oops: 0002 [#1] PREEMPT SMP PTI Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023 RIP: 0010:memcpy_orig+0xcd/0x130 RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202 RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000 RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572 R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af FS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? page_fault_oops+0x183/0x510 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x22/0x30 ? memcpy_orig+0xcd/0x130 vsnprintf+0x102/0x4c0 sprintf+0x51/0x80 qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324] full_proxy_read+0x50/0x80 vfs_read+0xa5/0x2e0 ? folio_add_new_anon_rmap+0x44/0xa0 ? set_pte_at+0x15/0x30 ? do_pte_missing+0x426/0x7f0 ksys_read+0xa5/0xe0 do_syscall_64+0x58/0x80 ? __count_memcg_events+0x46/0x90 ? count_memcg_event_mm+0x3d/0x60 ? handle_mm_fault+0x196/0x2f0 ? do_user_addr_fault+0x267/0x890 ? exc_page_fault+0x69/0x150 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f4800f20b4d CVE-2024-40978 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: batman-adv: bypass empty buckets in batadv_purge_orig_ref() Many syzbot reports are pointing to soft lockups in batadv_purge_orig_ref() [1] Root cause is unknown, but we can avoid spending too much time there and perhaps get more interesting reports. [1] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621] Modules linked in: irq event stamp: 6182794 hardirqs last enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline] softirqs last enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline] softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271 CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_purge_orig pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline] pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388 lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 sp : ffff800099007970 x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000 x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001 x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4 x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0 x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001 x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003 x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000 Call trace: __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline] __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51 lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103 sp : ffff800093a17d30 x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4 x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002 x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000 x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396 x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001 ---truncated--- CVE-2024-40981 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-40982 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tipc: force a dst refcount before doing decryption As it says in commit 3bc07321ccc2 ("xfrm: Force a dst refcount before entering the xfrm type handlers"): "Crypto requests might return asynchronous. In this case we leave the rcu protected region, so force a refcount on the skb's destination entry before we enter the xfrm type input/output handlers." On TIPC decryption path it has the same problem, and skb_dst_force() should be called before doing decryption to avoid a possible crash. Shuang reported this issue when this warning is triggered: [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc] [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug [] Workqueue: crypto cryptd_queue_worker [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc] [] Call Trace: [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc] [] tipc_rcv+0xcf5/0x1060 [tipc] [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc] [] cryptd_aead_crypt+0xdb/0x190 [] cryptd_queue_worker+0xed/0x190 [] process_one_work+0x93d/0x17e0 CVE-2024-40983 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Undo the modifications made in commit d410ee5109a1 ("ACPICA: avoid "Info: mapping multiple BARs. Your kernel is fine.""). The initial purpose of this commit was to stop memory mappings for operation regions from overlapping page boundaries, as it can trigger warnings if different page attributes are present. However, it was found that when this situation arises, mapping continues until the boundary's end, but there is still an attempt to read/write the entire length of the map, leading to a NULL pointer deference. For example, if a four-byte mapping request is made but only one byte is mapped because it hits the current page boundary's end, a four-byte read/write attempt is still made, resulting in a NULL pointer deference. Instead, map the entire length, as the ACPI specification does not mandate that it must be within the same page boundary. It is permissible for it to be mapped across different regions. CVE-2024-40984 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix UBSAN warning in kv_dpm.c Adds bounds check for sumo_vid_mapping_entry. CVE-2024-40987 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix UBSAN warning in kv_dpm.c Adds bounds check for sumo_vid_mapping_entry. CVE-2024-40988 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Disassociate vcpus from redistributor region on teardown When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu. CVE-2024-40989 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Add check for srq max_sge attribute max_sge attribute is passed by the user, and is inserted and used unchecked, so verify that the value doesn't exceed maximum allowed value before using it. CVE-2024-40990 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix responder length checking for UD request packets According to the IBA specification: If a UD request packet is detected with an invalid length, the request shall be an invalid request and it shall be silently dropped by the responder. The responder then waits for a new request packet. commit 689c5421bfe0 ("RDMA/rxe: Fix incorrect responder length checking") defers responder length check for UD QPs in function `copy_data`. But it introduces a regression issue for UD QPs. When the packet size is too large to fit in the receive buffer. `copy_data` will return error code -EINVAL. Then `send_data_in` will return RESPST_ERR_MALFORMED_WQE. UD QP will transfer into ERROR state. CVE-2024-40992 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ptp: fix integer overflow in max_vclocks_store On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc() to do the allocation to prevent this. CVE-2024-40994 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() syzbot found hanging tasks waiting on rtnl_lock [1] A reproducer is available in the syzbot bug. When a request to add multiple actions with the same index is sent, the second request will block forever on the first request. This holds rtnl_lock, and causes tasks to hang. Return -EAGAIN to prevent infinite looping, while keeping documented behavior. [1] INFO: task kworker/1:0:5088 blocked for more than 143 seconds. Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000 Workqueue: events_power_efficient reg_check_chans_work Call Trace: <TASK> context_switch kernel/sched/core.c:5409 [inline] __schedule+0xf15/0x5d00 kernel/sched/core.c:6746 __schedule_loop kernel/sched/core.c:6823 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6838 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 wiphy_lock include/net/cfg80211.h:5953 [inline] reg_leave_invalid_chans net/wireless/reg.c:2466 [inline] reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481 CVE-2024-40995 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cpufreq: amd-pstate: fix memory leak on CPU EPP exit The cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is not freed in the analogous exit function, so fix that. [ rjw: Subject and changelog edits ] CVE-2024-40997 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: block/ioctl: prefer different overflow check Running syzkaller with the newly reintroduced signed integer overflow sanitizer shows this report: [ 62.982337] ------------[ cut here ]------------ [ 62.985692] cgroup: Invalid name [ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46 [ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1 [ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long' [ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1 [ 62.999369] random: crng reseeded on system resumption [ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000) [ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 [ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 63.000682] Call Trace: [ 63.000686] <TASK> [ 63.000731] dump_stack_lvl+0x93/0xd0 [ 63.000919] __get_user_pages+0x903/0xd30 [ 63.001030] __gup_longterm_locked+0x153e/0x1ba0 [ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50 [ 63.001072] ? try_get_folio+0x29c/0x2d0 [ 63.001083] internal_get_user_pages_fast+0x1119/0x1530 [ 63.001109] iov_iter_extract_pages+0x23b/0x580 [ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220 [ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410 [ 63.001297] __iomap_dio_rw+0xab4/0x1810 [ 63.001316] iomap_dio_rw+0x45/0xa0 [ 63.001328] ext4_file_write_iter+0xdde/0x1390 [ 63.001372] vfs_write+0x599/0xbd0 [ 63.001394] ksys_write+0xc8/0x190 [ 63.001403] do_syscall_64+0xd4/0x1b0 [ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60 [ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 63.001535] RIP: 0033:0x7f7fd3ebf539 [ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539 [ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004 [ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000 [ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8 ... [ 63.018142] ---[ end trace ]--- Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang; It was re-enabled in the kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow sanitizer"). Let's rework this overflow checking logic to not actually perform an overflow during the check itself, thus avoiding the UBSAN splat. [1]: https://github.com/llvm/llvm-project/pull/82432 CVE-2024-41000 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/sqpoll: work around a potential audit memory leak kmemleak complains that there's a memory leak related to connect handling: unreferenced object 0xffff0001093bdf00 (size 128): comm "iou-sqp-455", pid 457, jiffies 4294894164 hex dump (first 32 bytes): 02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 2e481b1a): [<00000000c0a26af4>] kmemleak_alloc+0x30/0x38 [<000000009c30bb45>] kmalloc_trace+0x228/0x358 [<000000009da9d39f>] __audit_sockaddr+0xd0/0x138 [<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8 [<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4 [<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48 [<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4 [<00000000d999b491>] ret_from_fork+0x10/0x20 which can can happen if: 1) The command type does something on the prep side that triggers an audit call. 2) The thread hasn't done any operations before this that triggered an audit call inside ->issue(), where we have audit_uring_entry() and audit_uring_exit(). Work around this by issuing a blanket NOP operation before the SQPOLL does anything. CVE-2024-41001 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/sec - Fix memory leak for sec resource release The AIV is one of the SEC resources. When releasing resources, it need to release the AIV resources at the same time. Otherwise, memory leakage occurs. The aiv resource release is added to the sec resource release function. CVE-2024-41002 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Build event generation tests only as modules The kprobes and synth event generation test modules add events and lock (get a reference) those event file reference in module init function, and unlock and delete it in module exit function. This is because those are designed for playing as modules. If we make those modules as built-in, those events are left locked in the kernel, and never be removed. This causes kprobe event self-test failure as below. [ 97.349708] ------------[ cut here ]------------ [ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.357106] Modules linked in: [ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14 [ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90 [ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286 [ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000 [ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68 [ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 [ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000 [ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000 [ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000 [ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0 [ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 97.391196] Call Trace: [ 97.391967] <TASK> [ 97.392647] ? __warn+0xcc/0x180 [ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.395181] ? report_bug+0xbd/0x150 [ 97.396234] ? handle_bug+0x3e/0x60 [ 97.397311] ? exc_invalid_op+0x1a/0x50 [ 97.398434] ? asm_exc_invalid_op+0x1a/0x20 [ 97.399652] ? trace_kprobe_is_busy+0x20/0x20 [ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90 [ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.403773] ? init_kprobe_trace+0x50/0x50 [ 97.404972] do_one_initcall+0x112/0x240 [ 97.406113] do_initcall_level+0x95/0xb0 [ 97.407286] ? kernel_init+0x1a/0x1a0 [ 97.408401] do_initcalls+0x3f/0x70 [ 97.409452] kernel_init_freeable+0x16f/0x1e0 [ 97.410662] ? rest_init+0x1f0/0x1f0 [ 97.411738] kernel_init+0x1a/0x1a0 [ 97.412788] ret_from_fork+0x39/0x50 [ 97.413817] ? rest_init+0x1f0/0x1f0 [ 97.414844] ret_from_fork_asm+0x11/0x20 [ 97.416285] </TASK> [ 97.417134] irq event stamp: 13437323 [ 97.418376] hardirqs last enabled at (13437337): [<ffffffff8110bc0c>] console_unlock+0x11c/0x150 [ 97.421285] hardirqs last disabled at (13437370): [<ffffffff8110bbf1>] console_unlock+0x101/0x150 [ 97.423838] softirqs last enabled at (13437366): [<ffffffff8108e17f>] handle_softirqs+0x23f/0x2a0 [ 97.426450] softirqs last disabled at (13437393): [<ffffffff8108e346>] __irq_exit_rcu+0x66/0xd0 [ 97.428850] ---[ end trace 0000000000000000 ]--- And also, since we can not cleanup dynamic_event file, ftracetest are failed too. To avoid these issues, build these tests only as modules. CVE-2024-41004 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: tcp: avoid too many retransmit packets If a TCP socket is using TCP_USER_TIMEOUT, and the other peer retracted its window to zero, tcp_retransmit_timer() can retransmit a packet every two jiffies (2 ms for HZ=1000), for about 4 minutes after TCP_USER_TIMEOUT has 'expired'. The fix is to make sure tcp_rtx_probe0_timed_out() takes icsk->icsk_user_timeout into account. Before blamed commit, the socket would not timeout after icsk->icsk_user_timeout, but would use standard exponential backoff for the retransmits. Also worth noting that before commit e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0"), the issue would last 2 minutes instead of 4. CVE-2024-41007 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that "owns" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter. CVE-2024-41009 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: bpf: Fix too early release of tcx_entry Pedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported an issue that the tcx_entry can be released too early leading to a use after free (UAF) when an active old-style ingress or clsact qdisc with a shared tc block is later replaced by another ingress or clsact instance. Essentially, the sequence to trigger the UAF (one example) can be as follows: 1. A network namespace is created 2. An ingress qdisc is created. This allocates a tcx_entry, and &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the same time, a tcf block with index 1 is created. 3. chain0 is attached to the tcf block. chain0 must be connected to the block linked to the ingress qdisc to later reach the function tcf_chain0_head_change_cb_del() which triggers the UAF. 4. Create and graft a clsact qdisc. This causes the ingress qdisc created in step 1 to be removed, thus freeing the previously linked tcx_entry: rtnetlink_rcv_msg() => tc_modify_qdisc() => qdisc_create() => clsact_init() [a] => qdisc_graft() => qdisc_destroy() => __qdisc_destroy() => ingress_destroy() [b] => tcx_entry_free() => kfree_rcu() // tcx_entry freed 5. Finally, the network namespace is closed. This registers the cleanup_net worker, and during the process of releasing the remaining clsact qdisc, it accesses the tcx_entry that was already freed in step 4, causing the UAF to occur: cleanup_net() => ops_exit_list() => default_device_exit_batch() => unregister_netdevice_many() => unregister_netdevice_many_notify() => dev_shutdown() => qdisc_put() => clsact_destroy() [c] => tcf_block_put_ext() => tcf_chain0_head_change_cb_del() => tcf_chain_head_change_item() => clsact_chain_head_change() => mini_qdisc_pair_swap() // UAF There are also other variants, the gist is to add an ingress (or clsact) qdisc with a specific shared block, then to replace that qdisc, waiting for the tcx_entry kfree_rcu() to be executed and subsequently accessing the current active qdisc's miniq one way or another. The correct fix is to turn the miniq_active boolean into a counter. What can be observed, at step 2 above, the counter transitions from 0->1, at step [a] from 1->2 (in order for the miniq object to remain active during the replacement), then in [b] from 2->1 and finally [c] 1->0 with the eventual release. The reference counter in general ranges from [0,2] and it does not need to be atomic since all access to the counter is protected by the rtnl mutex. With this in place, there is no longer a UAF happening and the tcx_entry is freed at the correct time. CVE-2024-41010 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space. CVE-2024-41011 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush(). CVE-2024-41012 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: add bounds checking to ocfs2_check_dir_entry() This adds sanity checks for ocfs2_dir_entry to make sure all members of ocfs2_dir_entry don't stray beyond valid memory region. CVE-2024-41015 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() xattr in ocfs2 maybe 'non-indexed', which saved with additional space requested. It's better to check if the memory is out of bound before memcmp, although this possibility mainly comes from crafted poisonous images. CVE-2024-41016 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: filelock: Fix fcntl/close race recovery compat path When I wrote commit 3cad1bc01041 ("filelock: Remove locks reliably when fcntl/close race is detected"), I missed that there are two copies of the code I was patching: The normal version, and the version for 64-bit offsets on 32-bit kernels. Thanks to Greg KH for stumbling over this while doing the stable backport... Apply exactly the same fix to the compat path for 32-bit kernels. CVE-2024-41020 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The "instance" variable needs to be signed for the error handling to work. CVE-2024-41022 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-41024 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix memory leak in audio daemon attach operation Audio PD daemon send the name as part of the init IOCTL call. This name needs to be copied to kernel for which memory is allocated. This memory is never freed which might result in memory leak. Free the memory when it is not needed. CVE-2024-41025 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_acpi: Fix array out-of-bounds access In order to use toshiba_dmi_quirks[] together with the standard DMI matching functions, it must be terminated by a empty entry. Since this entry is missing, an array out-of-bounds access occurs every time the quirk list is processed. Fix this by adding the terminating empty entry. CVE-2024-41028 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: check if a hash-index is in cpu_possible_mask The problem is that there are systems where cpu_possible_mask has gaps between set CPUs, for example SPARC. In this scenario addr_to_vb_xa() hash function can return an index which accesses to not-possible and not setup CPU area using per_cpu() macro. This results in an oops on SPARC. A per-cpu vmap_block_queue is also used as hash table, incorrectly assuming the cpu_possible_mask has no gaps. Fix it by adjusting an index to a next possible CPU. CVE-2024-41032 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor Syzbot has identified a bug in usbcore (see the Closes: tag below) caused by our assumption that the reserved bits in an endpoint descriptor's bEndpointAddress field will always be 0. As a result of the bug, the endpoint_is_duplicate() routine in config.c (and possibly other routines as well) may believe that two descriptors are for distinct endpoints, even though they have the same direction and endpoint number. This can lead to confusion, including the bug identified by syzbot (two descriptors with matching endpoint numbers and directions, where one was interrupt and the other was bulk). To fix the bug, we will clear the reserved bits in bEndpointAddress when we parse the descriptor. (Note that both the USB-2.0 and USB-3.1 specs say these bits are "Reserved, reset to zero".) This requires us to make a copy of the descriptor earlier in usb_parse_endpoint() and use the copy instead of the original when checking for duplicates. CVE-2024-41035 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Fix deadlock with the SPI chip variant When SMP is enabled and spinlocks are actually functional then there is a deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi and ks8851_irq: watchdog: BUG: soft lockup - CPU#0 stuck for 27s! call trace: queued_spin_lock_slowpath+0x100/0x284 do_raw_spin_lock+0x34/0x44 ks8851_start_xmit_spi+0x30/0xb8 ks8851_start_xmit+0x14/0x20 netdev_start_xmit+0x40/0x6c dev_hard_start_xmit+0x6c/0xbc sch_direct_xmit+0xa4/0x22c __qdisc_run+0x138/0x3fc qdisc_run+0x24/0x3c net_tx_action+0xf8/0x130 handle_softirqs+0x1ac/0x1f0 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x3c/0x58 do_softirq_own_stack+0x1c/0x28 __irq_exit_rcu+0x54/0x9c irq_exit_rcu+0x10/0x1c el1_interrupt+0x38/0x50 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x64/0x68 __netif_schedule+0x6c/0x80 netif_tx_wake_queue+0x38/0x48 ks8851_irq+0xb8/0x2c8 irq_thread_fn+0x2c/0x74 irq_thread+0x10c/0x1b0 kthread+0xc8/0xd8 ret_from_fork+0x10/0x20 This issue has not been identified earlier because tests were done on a device with SMP disabled and so spinlocks were actually NOPs. Now use spin_(un)lock_bh for TX queue related locking to avoid execution of softirq work synchronously that would lead to a deadlock. CVE-2024-41036 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: fix null deref on system suspend entry When system enters suspend with an active stream, SOF core calls hw_params_upon_resume(). On Intel platforms with HDA DMA used to manage the link DMA, this leads to call chain of hda_dsp_set_hw_params_upon_resume() -> hda_dsp_dais_suspend() -> hda_dai_suspend() -> hda_ipc4_post_trigger() A bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first, which clears hext_stream->link_substream, and then hda_ipc4_post_trigger() is called with a NULL snd_pcm_substream pointer. CVE-2024-41037 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers Check that all fields of a V2 algorithm header fit into the available firmware data buffer. The wmfw V2 format introduced variable-length strings in the algorithm block header. This means the overall header length is variable, and the position of most fields varies depending on the length of the string fields. Each field must be checked to ensure that it does not overflow the firmware data buffer. As this ia bugfix patch, the fixes avoid making any significant change to the existing code. This makes it easier to review and less likely to introduce new bugs. CVE-2024-41038 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix overflow checking of wmfw header Fix the checking that firmware file buffer is large enough for the wmfw header, to prevent overrunning the buffer. The original code tested that the firmware data buffer contained enough bytes for the sums of the size of the structs wmfw_header + wmfw_adsp1_sizes + wmfw_footer But wmfw_adsp1_sizes is only used on ADSP1 firmware. For ADSP2 and Halo Core the equivalent struct is wmfw_adsp2_sizes, which is 4 bytes longer. So the length check didn't guarantee that there are enough bytes in the firmware buffer for a header with wmfw_adsp2_sizes. This patch splits the length check into three separate parts. Each of the wmfw_header, wmfw_adsp?_sizes and wmfw_footer are checked separately before they are used. CVE-2024-41039 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix UAF when resolving a clash KASAN reports the following UAF: BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] Read of size 1 at addr ffff888c07603600 by task handler130/6469 Call Trace: <IRQ> dump_stack_lvl+0x48/0x70 print_address_description.constprop.0+0x33/0x3d0 print_report+0xc0/0x2b0 kasan_report+0xd0/0x120 __asan_load1+0x6c/0x80 tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] tcf_ct_act+0x886/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 __irq_exit_rcu+0x82/0xc0 irq_exit_rcu+0xe/0x20 common_interrupt+0xa1/0xb0 </IRQ> <TASK> asm_common_interrupt+0x27/0x40 Allocated by task 6469: kasan_save_stack+0x38/0x70 kasan_set_track+0x25/0x40 kasan_save_alloc_info+0x1e/0x40 __kasan_krealloc+0x133/0x190 krealloc+0xaa/0x130 nf_ct_ext_add+0xed/0x230 [nf_conntrack] tcf_ct_act+0x1095/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 Freed by task 6469: kasan_save_stack+0x38/0x70 kasan_set_track+0x25/0x40 kasan_save_free_info+0x2b/0x60 ____kasan_slab_free+0x180/0x1f0 __kasan_slab_free+0x12/0x30 slab_free_freelist_hook+0xd2/0x1a0 __kmem_cache_free+0x1a2/0x2f0 kfree+0x78/0x120 nf_conntrack_free+0x74/0x130 [nf_conntrack] nf_ct_destroy+0xb2/0x140 [nf_conntrack] __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack] nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack] __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack] tcf_ct_act+0x12ad/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 The ct may be dropped if a clash has been resolved but is still passed to the tcf_ct_flow_table_process_conn function for further usage. This issue can be fixed by retrieving ct from skb again after confirming conntrack. CVE-2024-41040 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). syzkaller triggered the warning [0] in udp_v4_early_demux(). In udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount of the looked-up sk and use sock_pfree() as skb->destructor, so we check SOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace period. Currently, SOCK_RCU_FREE is flagged for a bound socket after being put into the hash table. Moreover, the SOCK_RCU_FREE check is done too early in udp_v[46]_early_demux() and sk_lookup(), so there could be a small race window: CPU1 CPU2 ---- ---- udp_v4_early_demux() udp_lib_get_port() | |- hlist_add_head_rcu() |- sk = __udp4_lib_demux_lookup() | |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk)); `- sock_set_flag(sk, SOCK_RCU_FREE) We had the same bug in TCP and fixed it in commit 871019b22d1b ("net: set SOCK_RCU_FREE before inserting socket into hashtable"). Let's apply the same fix for UDP. [0]: WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599 Modules linked in: CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599 Code: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52 RSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c RDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001 RBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680 R13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e FS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Call Trace: <TASK> ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349 ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624 __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738 netif_receive_skb_internal net/core/dev.c:5824 [inline] netif_receive_skb+0x271/0x300 net/core/dev.c:5884 tun_rx_batched drivers/net/tun.c:1549 [inline] tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002 tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048 new_sync_write fs/read_write.c:497 [inline] vfs_write+0x76f/0x8d0 fs/read_write.c:590 ksys_write+0xbf/0x190 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x41/0x50 fs/read_write.c:652 x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fc44a68bc1f Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48 RSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f R ---truncated--- CVE-2024-41041 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: ppp: reject claimed-as-LCP but actually malformed packets Since 'ppp_async_encode()' assumes valid LCP packets (with code from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that LCP packet has an actual body beyond PPP_LCP header bytes, and reject claimed-as-LCP but actually malformed data otherwise. CVE-2024-41044 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Defer work in bpf_timer_cancel_and_free Currently, the same case as previous patch (two timer callbacks trying to cancel each other) can be invoked through bpf_map_update_elem as well, or more precisely, freeing map elements containing timers. Since this relies on hrtimer_cancel as well, it is prone to the same deadlock situation as the previous patch. It would be sufficient to use hrtimer_try_to_cancel to fix this problem, as the timer cannot be enqueued after async_cancel_and_free. Once async_cancel_and_free has been done, the timer must be reinitialized before it can be armed again. The callback running in parallel trying to arm the timer will fail, and freeing bpf_hrtimer without waiting is sufficient (given kfree_rcu), and bpf_timer_cb will return HRTIMER_NORESTART, preventing the timer from being rearmed again. However, there exists a UAF scenario where the callback arms the timer before entering this function, such that if cancellation fails (due to timer callback invoking this routine, or the target timer callback running concurrently). In such a case, if the timer expiration is significantly far in the future, the RCU grace period expiration happening before it will free the bpf_hrtimer state and along with it the struct hrtimer, that is enqueued. Hence, it is clear cancellation needs to occur after async_cancel_and_free, and yet it cannot be done inline due to deadlock issues. We thus modify bpf_timer_cancel_and_free to defer work to the global workqueue, adding a work_struct alongside rcu_head (both used at _different_ points of time, so can share space). Update existing code comments to reflect the new state of affairs. CVE-2024-41045 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip zero length skb in sk_msg_recvmsg When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch platform, the following kernel panic occurs: [...] Oops[#1]: CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 ... ... ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560 ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 0000000c (PPLV0 +PIE +PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) BADV: 0000000000000040 PRID: 0014c011 (Loongson-64bit, Loongson-3C5000) Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...) Stack : ... Call Trace: [<9000000004162774>] copy_page_to_iter+0x74/0x1c0 [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560 [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0 [<90000000049aae34>] inet_recvmsg+0x54/0x100 [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0 [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0 [<900000000481e27c>] sys_recvfrom+0x1c/0x40 [<9000000004c076ec>] do_syscall+0x8c/0xc0 [<9000000003731da4>] handle_syscall+0xc4/0x160 Code: ... ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception Kernel relocated by 0x3510000 .text @ 0x9000000003710000 .data @ 0x9000000004d70000 .bss @ 0x9000000006469400 ---[ end Kernel panic - not syncing: Fatal exception ]--- [...] This crash happens every time when running sockmap_skb_verdict_shutdown subtest in sockmap_basic. This crash is because a NULL pointer is passed to page_address() in the sk_msg_recvmsg(). Due to the different implementations depending on the architecture, page_address(NULL) will trigger a panic on Loongarch platform but not on x86 platform. So this bug was hidden on x86 platform for a while, but now it is exposed on Loongarch platform. The root cause is that a zero length skb (skb->len == 0) was put on the queue. This zero length skb is a TCP FIN packet, which was sent by shutdown(), invoked in test_sockmap_skb_verdict_shutdown(): shutdown(p1, SHUT_WR); In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no page is put to this sge (see sg_set_page in sg_set_page), but this empty sge is queued into ingress_msg list. And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by sg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it to kmap_local_page() and to page_address(), then kernel panics. To solve this, we should skip this zero length skb. So in sk_msg_recvmsg(), if copy is zero, that means it's a zero length skb, skip invoking copy_page_to_iter(). We are using the EFAULT return triggered by copy_page_to_iter to check for is_fin in tcp_bpf.c. CVE-2024-41048 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen. CVE-2024-41049 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: cyclic allocation of msg_id to avoid reuse Reusing the msg_id after a maliciously completed reopen request may cause a read request to remain unprocessed and result in a hung, as shown below: t1 | t2 | t3 ------------------------------------------------- cachefiles_ondemand_select_req cachefiles_ondemand_object_is_close(A) cachefiles_ondemand_set_object_reopening(A) queue_work(fscache_object_wq, &info->work) ondemand_object_worker cachefiles_ondemand_init_object(A) cachefiles_ondemand_send_req(OPEN) // get msg_id 6 wait_for_completion(&req_A->done) cachefiles_ondemand_daemon_read // read msg_id 6 req_A cachefiles_ondemand_get_fd copy_to_user // Malicious completion msg_id 6 copen 6,-1 cachefiles_ondemand_copen complete(&req_A->done) // will not set the object to close // because ondemand_id && fd is valid. // ondemand_object_worker() is done // but the object is still reopening. // new open req_B cachefiles_ondemand_init_object(B) cachefiles_ondemand_send_req(OPEN) // reuse msg_id 6 process_open_req copen 6,A.size // The expected failed copen was executed successfully Expect copen to fail, and when it does, it closes fd, which sets the object to close, and then close triggers reopen again. However, due to msg_id reuse resulting in a successful copen, the anonymous fd is not closed until the daemon exits. Therefore read requests waiting for reopen to complete may trigger hung task. To avoid this issue, allocate the msg_id cyclically to avoid reusing the msg_id for a very short duration of time. CVE-2024-41050 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: wait for ondemand_object_worker to finish when dropping object When queuing ondemand_object_worker() to re-open the object, cachefiles_object is not pinned. The cachefiles_object may be freed when the pending read request is completed intentionally and the related erofs is umounted. If ondemand_object_worker() runs after the object is freed, it will incur use-after-free problem as shown below. process A processs B process C process D cachefiles_ondemand_send_req() // send a read req X // wait for its completion // close ondemand fd cachefiles_ondemand_fd_release() // set object as CLOSE cachefiles_ondemand_daemon_read() // set object as REOPENING queue_work(fscache_wq, &info->ondemand_work) // close /dev/cachefiles cachefiles_daemon_release cachefiles_flush_reqs complete(&req->done) // read req X is completed // umount the erofs fs cachefiles_put_object() // object will be freed cachefiles_ondemand_deinit_obj_info() kmem_cache_free(object) // both info and object are freed ondemand_object_worker() When dropping an object, it is no longer necessary to reopen the object, so use cancel_work_sync() to cancel or wait for ondemand_object_worker() to finish. CVE-2024-41051 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files Use strnlen() instead of strlen() on the algorithm and coefficient name string arrays in V1 wmfw files. In V1 wmfw files the name is a NUL-terminated string in a fixed-size array. cs_dsp should protect against overrunning the array if the NUL terminator is missing. CVE-2024-41056 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600 Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109 CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566 Call Trace: <TASK> kasan_report+0x93/0xc0 cachefiles_withdraw_cookie+0x4d9/0x600 fscache_cookie_state_machine+0x5c8/0x1230 fscache_cookie_worker+0x91/0x1c0 process_one_work+0x7fa/0x1800 [...] Allocated by task 117: kmalloc_trace+0x1b3/0x3c0 cachefiles_acquire_volume+0xf3/0x9c0 fscache_create_volume_work+0x97/0x150 process_one_work+0x7fa/0x1800 [...] Freed by task 120301: kfree+0xf1/0x2c0 cachefiles_withdraw_cache+0x3fa/0x920 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 do_exit+0x87a/0x29b0 [...] ================================================================== Following is the process that triggers the issue: p1 | p2 ------------------------------------------------------------ fscache_begin_lookup fscache_begin_volume_access fscache_cache_is_live(fscache_cache) cachefiles_daemon_release cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache fscache_withdraw_cache fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN); cachefiles_withdraw_objects(cache) fscache_wait_for_objects(fscache) atomic_read(&fscache_cache->object_count) == 0 fscache_perform_lookup cachefiles_lookup_cookie cachefiles_alloc_object refcount_set(&object->ref, 1); object->volume = volume fscache_count_object(vcookie->cache); atomic_inc(&fscache_cache->object_count) cachefiles_withdraw_volumes cachefiles_withdraw_volume fscache_withdraw_volume __cachefiles_free_volume kfree(cachefiles_volume) fscache_cookie_state_machine cachefiles_withdraw_cookie cache = object->volume->cache; // cachefiles_volume UAF !!! After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups to complete first, and then wait for fscache_cache->object_count == 0 to avoid the cookie exiting after the volume has been freed and triggering the above issue. Therefore call fscache_withdraw_volume() before calling cachefiles_withdraw_objects(). This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two cases will occur: 1) fscache_begin_lookup fails in fscache_begin_volume_access(). 2) fscache_withdraw_volume() will ensure that fscache_count_object() has been executed before calling fscache_wait_for_objects(). CVE-2024-41057 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in fscache_withdraw_volume() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370 Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798 CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565 Call Trace: kasan_check_range+0xf6/0x1b0 fscache_withdraw_volume+0x2e1/0x370 cachefiles_withdraw_volume+0x31/0x50 cachefiles_withdraw_cache+0x3ad/0x900 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 Allocated by task 5820: __kmalloc+0x1df/0x4b0 fscache_alloc_volume+0x70/0x600 __fscache_acquire_volume+0x1c/0x610 erofs_fscache_register_volume+0x96/0x1a0 erofs_fscache_register_fs+0x49a/0x690 erofs_fc_fill_super+0x6c0/0xcc0 vfs_get_super+0xa9/0x140 vfs_get_tree+0x8e/0x300 do_new_mount+0x28c/0x580 [...] Freed by task 5820: kfree+0xf1/0x2c0 fscache_put_volume.part.0+0x5cb/0x9e0 erofs_fscache_unregister_fs+0x157/0x1b0 erofs_kill_sb+0xd9/0x1c0 deactivate_locked_super+0xa3/0x100 vfs_get_super+0x105/0x140 vfs_get_tree+0x8e/0x300 do_new_mount+0x28c/0x580 [...] ================================================================== Following is the process that triggers the issue: mount failed | daemon exit ------------------------------------------------------------ deactivate_locked_super cachefiles_daemon_release erofs_kill_sb erofs_fscache_unregister_fs fscache_relinquish_volume __fscache_relinquish_volume fscache_put_volume(fscache_volume, fscache_volume_put_relinquish) zero = __refcount_dec_and_test(&fscache_volume->ref, &ref); cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache cachefiles_withdraw_volumes list_del_init(&volume->cache_link) fscache_free_volume(fscache_volume) cache->ops->free_volume cachefiles_free_volume list_del_init(&cachefiles_volume->cache_link); kfree(fscache_volume) cachefiles_withdraw_volume fscache_withdraw_volume fscache_volume->n_accesses // fscache_volume UAF !!! The fscache_volume in cache->volumes must not have been freed yet, but its reference count may be 0. So use the new fscache_try_get_volume() helper function try to get its reference count. If the reference count of fscache_volume is 0, fscache_put_volume() is freeing it, so wait for it to be removed from cache->volumes. If its reference count is not 0, call cachefiles_withdraw_volume() with reference count protection to avoid the above issue. CVE-2024-41058 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value in copy_name [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. CVE-2024-41059 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: drm/radeon: check bo_va->bo is non-NULL before using it The call to radeon_vm_clear_freed might clear bo_va->bo, so we have to check it before dereferencing it. CVE-2024-41060 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport [Why] Potential out of bounds access in dml2_calculate_rq_and_dlg_params() because the value of out_lowest_state_idx used as an index for FCLKChangeSupport array can be greater than 1. [How] Currently dml2 core specifies identical values for all FCLKChangeSupport elements. Always use index 0 in the condition to avoid out of bounds access. CVE-2024-41061 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: bluetooth/l2cap: sync sock recv cb and release The problem occurs between the system call to close the sock and hci_rx_work, where the former releases the sock and the latter accesses it without lock protection. CPU0 CPU1 ---- ---- sock_close hci_rx_work l2cap_sock_release hci_acldata_packet l2cap_sock_kill l2cap_recv_frame sk_free l2cap_conless_channel l2cap_sock_recv_cb If hci_rx_work processes the data that needs to be received before the sock is closed, then everything is normal; Otherwise, the work thread may access the released sock when receiving data. Add a chan mutex in the rx callback of the sock to achieve synchronization between the sock release and recv cb. Sock is dead, so set chan data to NULL, avoid others use invalid sock pointer. CVE-2024-41062 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: cancel all works upon hci_unregister_dev() syzbot is reporting that calling hci_release_dev() from hci_error_reset() due to hci_dev_put() from hci_error_reset() can cause deadlock at destroy_workqueue(), for hci_error_reset() is called from hdev->req_workqueue which destroy_workqueue() needs to flush. We need to make sure that hdev->{rx_work,cmd_work,tx_work} which are queued into hdev->workqueue and hdev->{power_on,error_reset} which are queued into hdev->req_workqueue are no longer running by the moment destroy_workqueue(hdev->workqueue); destroy_workqueue(hdev->req_workqueue); are called from hci_release_dev(). Call cancel_work_sync() on these work items from hci_unregister_dev() as soon as hdev->list is removed from hci_dev_list. CVE-2024-41063 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: avoid possible crash when edev->pdev changes If a PCI device is removed during eeh_pe_report_edev(), edev->pdev will change and can cause a crash, hold the PCI rescan/remove lock while taking a copy of edev->pdev->bus. CVE-2024-41064 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Whitelist dtl slub object for copying to userspace Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-* results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as shown below. kernel BUG at mm/usercopy.c:102! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85 Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8 REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3) MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 2828220f XER: 0000000e CFAR: c0000000001fdc80 IRQMASK: 0 [ ... GPRs omitted ... ] NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0 LR [c0000000005d23d0] usercopy_abort+0x74/0xb0 Call Trace: usercopy_abort+0x74/0xb0 (unreliable) __check_heap_object+0xf8/0x120 check_heap_object+0x218/0x240 __check_object_size+0x84/0x1a4 dtl_file_read+0x17c/0x2c4 full_proxy_read+0x8c/0x110 vfs_read+0xdc/0x3a0 ksys_read+0x84/0x144 system_call_exception+0x124/0x330 system_call_vectored_common+0x15c/0x2ec --- interrupt: 3000 at 0x7fff81f3ab34 Commit 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") requires that only whitelisted areas in slab/slub objects can be copied to userspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY. Dtl contains hypervisor dispatch events which are expected to be read by privileged users. Hence mark this safe for user access. Specify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the entire object. CVE-2024-41065 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Add tx check to prevent skb leak Below is a summary of how the driver stores a reference to an skb during transmit: tx_buff[free_map[consumer_index]]->skb = new_skb; free_map[consumer_index] = IBMVNIC_INVALID_MAP; consumer_index ++; Where variable data looks like this: free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3] consumer_index^ tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null] The driver has checks to ensure that free_map[consumer_index] pointed to a valid index but there was no check to ensure that this index pointed to an unused/null skb address. So, if, by some chance, our free_map and tx_buff lists become out of sync then we were previously risking an skb memory leak. This could then cause tcp congestion control to stop sending packets, eventually leading to ETIMEDOUT. Therefore, add a conditional to ensure that the skb address is null. If not then warn the user (because this is still a bug that should be patched) and free the old pointer to prevent memleak/tcp problems. CVE-2024-41066 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix sclp_init() cleanup on failure If sclp_init() fails it only partially cleans up: if there are multiple failing calls to sclp_init() sclp_state_change_event will be added several times to sclp_reg_list, which results in the following warning: ------------[ cut here ]------------ list_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10. WARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3 Krnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 ... Call Trace: [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8 ([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8) [<000003ffe0a8d37e>] sclp_init+0x40e/0x450 [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0 [<000003ffe15b77a6>] do_initcalls+0x126/0x150 [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8 [<000003ffe0d6650e>] kernel_init+0x2e/0x180 [<000003ffe000301c>] __ret_from_fork+0x3c/0x60 [<000003ffe0d759ca>] ret_from_fork+0xa/0x30 Fix this by removing sclp_state_change_event from sclp_reg_list when sclp_init() fails. CVE-2024-41068 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: ASoC: topology: Fix references to freed memory Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed. CVE-2024-41069 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group(). It looks up `stt` from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees `stt`. Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because `stt` is used outside the locked regions. With an artifcial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF: BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505 CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1 Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV Call Trace: dump_stack_lvl+0xb4/0x108 (unreliable) print_report+0x2b4/0x6ec kasan_report+0x118/0x2b0 __asan_load4+0xb8/0xd0 kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] kvm_vfio_set_attr+0x524/0xac0 [kvm] kvm_device_ioctl+0x144/0x240 [kvm] sys_ioctl+0x62c/0x1810 system_call_exception+0x190/0x440 system_call_vectored_common+0x15c/0x2ec ... Freed by task 0: ... kfree+0xec/0x3e0 release_spapr_tce_table+0xd4/0x11c [kvm] rcu_core+0x568/0x16a0 handle_softirqs+0x23c/0x920 do_softirq_own_stack+0x6c/0x90 do_softirq_own_stack+0x58/0x90 __irq_exit_rcu+0x218/0x2d0 irq_exit+0x30/0x80 arch_local_irq_restore+0x128/0x230 arch_local_irq_enable+0x1c/0x30 cpuidle_enter_state+0x134/0x5cc cpuidle_enter+0x6c/0xb0 call_cpuidle+0x7c/0x100 do_idle+0x394/0x410 cpu_startup_entry+0x60/0x70 start_secondary+0x3fc/0x410 start_secondary_prolog+0x10/0x14 Fix it by delaying the fdput() until `stt` is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or __cleanup style cleanup. With the fix in place the test case no longer triggers the UAF. CVE-2024-41070 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-41071 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: wext: add extra SIOCSIWSCAN data check In 'cfg80211_wext_siwscan()', add extra check whether number of channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise. CVE-2024-41072 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned. CVE-2024-41073 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: Set object to close if ondemand_id < 0 in copen If copen is maliciously called in the user mode, it may delete the request corresponding to the random id. And the request may have not been read yet. Note that when the object is set to reopen, the open request will be done with the still reopen state in above case. As a result, the request corresponding to this object is always skipped in select_req function, so the read request is never completed and blocks other process. Fix this issue by simply set object to close if its id < 0 in copen. CVE-2024-41074 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: add consistency check for copen/cread This prevents malicious processes from completing random copen/cread requests and crashing the system. Added checks are listed below: * Generic, copen can only complete open requests, and cread can only complete read requests. * For copen, ondemand_id must not be 0, because this indicates that the request has not been read by the daemon. * For cread, the object corresponding to fd and req should be the same. CVE-2024-41075 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFSv4: Fix memory leak in nfs4_set_security_label We leak nfs_fattr and nfs4_label every time we set a security xattr. CVE-2024-41076 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix quota root leak after quota disable failure If during the quota disable we fail when cleaning the quota tree or when deleting the root from the root tree, we jump to the 'out' label without ever dropping the reference on the quota root, resulting in a leak of the root since fs_info->quota_root is no longer pointing to the root (we have set it to NULL just before those steps). Fix this by always doing a btrfs_put_root() call under the 'out' label. This is a problem that exists since qgroups were first added in 2012 by commit bed92eae26cc ("Btrfs: qgroup implementation and prototypes"), but back then we missed a kfree on the quota root and free_extent_buffer() calls on its root and commit root nodes, since back then roots were not yet reference counted. CVE-2024-41078 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: nvmet: always initialize cqe.result The spec doesn't mandate that the first two double words (aka results) for the command queue entry need to be set to 0 when they are not used (not specified). Though, the target implemention returns 0 for TCP and FC but not for RDMA. Let's make RDMA behave the same and thus explicitly initializing the result field. This prevents leaking any data from the stack. CVE-2024-41079 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring: fix possible deadlock in io_register_iowq_max_workers() The io_register_iowq_max_workers() function calls io_put_sq_data(), which acquires the sqd->lock without releasing the uring_lock. Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock before acquiring sqd->lock"), this can lead to a potential deadlock situation. To resolve this issue, the uring_lock is released before calling io_put_sq_data(), and then it is re-acquired after the function call. This change ensures that the locks are acquired in the correct order, preventing the possibility of a deadlock. CVE-2024-41080 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ila: block BH in ila_output() As explained in commit 1378817486d6 ("tipc: block BH before using dst_cache"), net/core/dst_cache.c helpers need to be called with BH disabled. ila_output() is called from lwtunnel_output() possibly from process context, and under rcu_read_lock(). We might be interrupted by a softirq, re-enter ila_output() and corrupt dst_cache data structures. Fix the race by using local_bh_disable(). CVE-2024-41081 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cxl/region: Avoid null pointer dereference in region lookup cxl_dpa_to_region() looks up a region based on a memdev and DPA. It wrongly assumes an endpoint found mapping the DPA is also of a fully assembled region. When not true it leads to a null pointer dereference looking up the region name. This appears during testing of region lookup after a failure to assemble a BIOS defined region or if the lookup raced with the assembly of the BIOS defined region. Failure to clean up BIOS defined regions that fail assembly is an issue in itself and a fix to that problem will alleviate some of the impact. It will not alleviate the race condition so let's harden this path. The behavior change is that the kernel oops due to a null pointer dereference is replaced with a dev_dbg() message noting that an endpoint was mapped. Additional comments are added so that future users of this function can more clearly understand what it provides. CVE-2024-41084 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780 R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006 FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x6a/0x90 ? kfree+0x2cf/0x2f0 ? exc_invalid_op+0x50/0x70 ? kfree+0x2cf/0x2f0 ? asm_exc_invalid_op+0x1a/0x20 ? ata_host_alloc+0xf5/0x120 [libata] ? ata_host_alloc+0xf5/0x120 [libata] ? kfree+0x2cf/0x2f0 ata_host_alloc+0xf5/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Ensure that we will not call kfree(host) twice, by performing the kfree() only if the devres_open_group() call failed. CVE-2024-41087 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: mcp251xfd: fix infinite loop when xmit fails When the mcp251xfd_start_xmit() function fails, the driver stops processing messages, and the interrupt routine does not return, running indefinitely even after killing the running application. Error messages: [ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16 [ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3). ... and repeat forever. The issue can be triggered when multiple devices share the same SPI interface. And there is concurrent access to the bus. The problem occurs because tx_ring->head increments even if mcp251xfd_start_xmit() fails. Consequently, the driver skips one TX package while still expecting a response in mcp251xfd_handle_tefif_one(). Resolve the issue by starting a workqueue to write the tx obj synchronously if err = -EBUSY. In case of another error, decrement tx_ring->head, remove skb from the echo stack, and drop the message. [mkl: use more imperative wording in patch description] CVE-2024-41088 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode(). Add a check to avoid null pointer dereference. CVE-2024-41089 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix potential UAF by revoke of fence registers CI has been sporadically reporting the following issue triggered by igt@i915_selftest@live@hangcheck on ADL-P and similar machines: <6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence ... <6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled <6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled <3> [414.070354] Unable to pin Y-tiled fence; err:-4 <3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active)) ... <4>[ 609.603992] ------------[ cut here ]------------ <2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301! <4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1 <4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 <4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915] <4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915] ... <4>[ 609.604271] Call Trace: <4>[ 609.604273] <TASK> ... <4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915] <4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915] <4>[ 609.604977] force_unbind+0x24/0xa0 [i915] <4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915] <4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915] <4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915] <4>[ 609.605440] process_scheduled_works+0x351/0x690 ... In the past, there were similar failures reported by CI from other IGT tests, observed on other platforms. Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for idleness of vma->active via fence_update(). That commit introduced vma->fence->active in order for the fence_update() to be able to wait selectively on that one instead of vma->active since only idleness of fence registers was needed. But then, another commit 0d86ee35097a ("drm/i915/gt: Make fence revocation unequivocal") replaced the call to fence_update() in i915_vma_revoke_fence() with only fence_write(), and also added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front. No justification was provided on why we might then expect idleness of vma->fence->active without first waiting on it. The issue can be potentially caused by a race among revocation of fence registers on one side and sequential execution of signal callbacks invoked on completion of a request that was using them on the other, still processed in parallel to revocation of those fence registers. Fix it by waiting for idleness of vma->fence->active in i915_vma_revoke_fence(). (cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1) CVE-2024-41092 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid using null object of framebuffer Instead of using state->fb->obj[0] directly, get object from framebuffer by calling drm_gem_fb_get_obj() and return error code when object is null to avoid using null object of framebuffer. CVE-2024-41093 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/fbdev-dma: Only set smem_start is enable per module option Only export struct fb_info.fix.smem_start if that is required by the user and the memory does not come from vmalloc(). Setting struct fb_info.fix.smem_start breaks systems where DMA memory is backed by vmalloc address space. An example error is shown below. [ 3.536043] ------------[ cut here ]------------ [ 3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000) [ 3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98 [ 3.565455] Modules linked in: [ 3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250 [ 3.577310] Hardware name: NXP i.MX95 19X19 board (DT) [ 3.582452] Workqueue: events_unbound deferred_probe_work_func [ 3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 3.595233] pc : __virt_to_phys+0x68/0x98 [ 3.599246] lr : __virt_to_phys+0x68/0x98 [ 3.603276] sp : ffff800083603990 [ 3.677939] Call trace: [ 3.680393] __virt_to_phys+0x68/0x98 [ 3.684067] drm_fbdev_dma_helper_fb_probe+0x138/0x238 [ 3.689214] __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0 [ 3.695385] drm_fb_helper_initial_config+0x4c/0x68 [ 3.700264] drm_fbdev_dma_client_hotplug+0x8c/0xe0 [ 3.705161] drm_client_register+0x60/0xb0 [ 3.709269] drm_fbdev_dma_setup+0x94/0x148 Additionally, DMA memory is assumed to by contiguous in physical address space, which is not guaranteed by vmalloc(). Resolve this by checking the module flag drm_leak_fbdev_smem when DRM allocated the instance of struct fb_info. Fbdev-dma then only sets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also guarantee that the framebuffer is not located in vmalloc address space. CVE-2024-41094 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes In nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-41095 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI/MSI: Fix UAF in msi_capability_init KFENCE reports the following UAF: BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488 Use-after-free read at 0x0000000024629571 (in kfence-#12): __pci_enable_msi_range+0x2c0/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128 allocated by task 81 on cpu 7 at 10.808142s: __kmem_cache_alloc_node+0x1f0/0x2bc kmalloc_trace+0x44/0x138 msi_alloc_desc+0x3c/0x9c msi_domain_insert_msi_desc+0x30/0x78 msi_setup_msi_desc+0x13c/0x184 __pci_enable_msi_range+0x258/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 freed by task 81 on cpu 7 at 10.811436s: msi_domain_free_descs+0xd4/0x10c msi_domain_free_locked.part.0+0xc0/0x1d8 msi_domain_alloc_irqs_all_locked+0xb4/0xbc pci_msi_setup_msi_irqs+0x30/0x4c __pci_enable_msi_range+0x2a8/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 Descriptor allocation done in: __pci_enable_msi_range msi_capability_init msi_setup_msi_desc msi_insert_msi_desc msi_domain_insert_msi_desc msi_alloc_desc ... Freed in case of failure in __msi_domain_alloc_locked() __pci_enable_msi_range msi_capability_init pci_msi_setup_msi_irqs msi_domain_alloc_irqs_all_locked msi_domain_alloc_locked __msi_domain_alloc_locked => fails msi_domain_free_locked ... That failure propagates back to pci_msi_setup_msi_irqs() in msi_capability_init() which accesses the descriptor for unmasking in the error exit path. Cure it by copying the descriptor and using the copy for the error exit path unmask operation. [ tglx: Massaged change log ] CVE-2024-41096 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: atm: cxacru: fix endpoint checking in cxacru_bind() Syzbot is still reporting quite an old issue [1] that occurs due to incomplete checking of present usb endpoints. As such, wrong endpoints types may be used at urb sumbitting stage which in turn triggers a warning in usb_submit_urb(). Fix the issue by verifying that required endpoint types are present for both in and out endpoints, taking into account cmd endpoint type. Unfortunately, this patch has not been tested on real hardware. [1] Syzbot report: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 ... Call Trace: cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649 cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760 cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209 usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055 cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3354 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293 CVE-2024-41097 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix null pointer dereference on error If the ata_port_alloc() call in ata_host_alloc() fails, ata_host_release() will get called. However, the code in ata_host_release() tries to free ata_port struct members unconditionally, which can lead to the following: BUG: unable to handle page fault for address: 0000000000003990 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? ata_host_release.cold+0x2f/0x6e [libata] ? ata_host_release.cold+0x2f/0x6e [libata] release_nodes+0x35/0xb0 devres_release_group+0x113/0x140 ata_host_alloc+0xed/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Do not access ata_port struct members unconditionally. CVE-2024-41098 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. CVE-2024-41123 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libruby2_5-2_5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-stdlib-2.5.9-150000.4.32.1 moderate REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability. CVE-2024-41946 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libruby2_5-2_5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-stdlib-2.5.9-150000.4.32.1 moderate Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key. CVE-2024-41996 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libopenssl3-3.1.4-150600.5.21.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:openssl-3-3.1.4-150600.5.21.1 important In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip pipe if the pipe idx not set properly [why] Driver crashes when pipe idx not set properly [how] Add code to skip the pipe that idx not set properly CVE-2024-42064 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix possible double free in error handling path When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), callback function adev_release calls kfree(madev). We shouldn't call kfree(madev) again in the error handling path. Set 'madev' to NULL. CVE-2024-42069 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers register store validation for NFT_DATA_VALUE is conditional, however, the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This only requires a new helper function to infer the register type from the set datatype so this conditional check can be removed. Otherwise, pointer to chain object can be leaked through the registers. CVE-2024-42070 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems The following two shared buffer operations make use of the Shared Buffer Status Register (SBSR): # devlink sb occupancy snapshot pci/0000:01:00.0 # devlink sb occupancy clearmax pci/0000:01:00.0 The register has two masks of 256 bits to denote on which ingress / egress ports the register should operate on. Spectrum-4 has more than 256 ports, so the register was extended by cited commit with a new 'port_page' field. However, when filling the register's payload, the driver specifies the ports as absolute numbers and not relative to the first port of the port page, resulting in memory corruptions [1]. Fix by specifying the ports relative to the first port of the port page. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 Read of size 1 at addr ffff8881068cb00f by task devlink/1566 [...] Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 mlxsw_devlink_sb_occ_snapshot+0x75/0xb0 devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0 genl_family_rcv_msg_doit+0x20c/0x300 genl_rcv_msg+0x567/0x800 netlink_rcv_skb+0x170/0x450 genl_rcv+0x2d/0x40 netlink_unicast+0x547/0x830 netlink_sendmsg+0x8d4/0xdb0 __sys_sendto+0x49b/0x510 __x64_sys_sendto+0xe5/0x1c0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f [...] Allocated by task 1: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 copy_verifier_state+0xbc2/0xfb0 do_check_common+0x2c51/0xc7e0 bpf_check+0x5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+0x7d/0xc0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 1: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x109/0x170 __kasan_slab_free+0x14/0x30 kfree+0xca/0x2b0 free_verifier_state+0xce/0x270 do_check_common+0x4828/0xc7e0 bpf_check+0x5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+0x7d/0xc0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-42073 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp: add a null check for chip_pdev structure When acp platform device creation is skipped, chip->chip_pdev value will remain NULL. Add NULL check for chip->chip_pdev structure in snd_acp_resume() function to avoid null pointer dereference. CVE-2024-42074 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: Initialize unused data in j1939_send_one() syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one() creates full frame including unused data, but it doesn't initialize it. This causes the kernel-infoleak issue. Fix this by initializing unused data. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] memcpy_to_msg include/linux/skbuff.h:4113 [inline] raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 ____sys_recvmsg+0x18a/0x620 net/socket.c:2803 ___sys_recvmsg+0x223/0x840 net/socket.c:2845 do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939 __sys_recvmmsg net/socket.c:3018 [inline] __do_sys_recvmmsg net/socket.c:3041 [inline] __se_sys_recvmmsg net/socket.c:3034 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034 x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1313 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 sock_alloc_send_skb include/net/sock.h:1842 [inline] j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline] j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline] j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 12-15 of 16 are uninitialized Memory access of size 16 starts at ffff888120969690 Data copied to user address 00000000200017c0 CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 CVE-2024-42076 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix DIO failure due to insufficient transaction credits The code in ocfs2_dio_end_io_write() estimates number of necessary transaction credits using ocfs2_calc_extend_credits(). This however does not take into account that the IO could be arbitrarily large and can contain arbitrary number of extents. Extent tree manipulations do often extend the current transaction but not in all of the cases. For example if we have only single block extents in the tree, ocfs2_mark_extent_written() will end up calling ocfs2_replace_extent_rec() all the time and we will never extend the current transaction and eventually exhaust all the transaction credits if the IO contains many single block extents. Once that happens a WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to this error. This was actually triggered by one of our customers on a heavily fragmented OCFS2 filesystem. To fix the issue make sure the transaction always has enough credits for one extent insert before each call of ocfs2_mark_extent_written(). Heming Zhao said: ------ PANIC: "Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error" PID: xxx TASK: xxxx CPU: 5 COMMAND: "SubmitThread-CA" #0 machine_kexec at ffffffff8c069932 #1 __crash_kexec at ffffffff8c1338fa #2 panic at ffffffff8c1d69b9 #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2] #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2] #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2] #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2] #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2] #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2] #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2] #10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2] #11 dio_complete at ffffffff8c2b9fa7 #12 do_blockdev_direct_IO at ffffffff8c2bc09f #13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2] #14 generic_file_direct_write at ffffffff8c1dcf14 #15 __generic_file_write_iter at ffffffff8c1dd07b #16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2] #17 aio_write at ffffffff8c2cc72e #18 kmem_cache_alloc at ffffffff8c248dde #19 do_io_submit at ffffffff8c2ccada #20 do_syscall_64 at ffffffff8c004984 #21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba CVE-2024-42077 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush). CVE-2024-42079 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/restrack: Fix potential invalid address access struct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME in ib_create_cq(), while if the module exited but forgot del this rdma_restrack_entry, it would cause a invalid address access in rdma_restrack_clean() when print the owner of this rdma_restrack_entry. These code is used to help find one forgotten PD release in one of the ULPs. But it is not needed anymore, so delete them. CVE-2024-42080 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: xdp: Remove WARN() from __xdp_reg_mem_model() syzkaller reports a warning in __xdp_reg_mem_model(). The warning occurs only if __mem_id_init_hash_table() returns an error. It returns the error in two cases: 1. memory allocation fails; 2. rhashtable_init() fails when some fields of rhashtable_params struct are not initialized properly. The second case cannot happen since there is a static const rhashtable_params struct with valid fields. So, warning is only triggered when there is a problem with memory allocation. Thus, there is no sense in using WARN() to handle this error and it can be safely removed. WARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299 CPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299 Call Trace: xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344 xdp_test_run_setup net/bpf/test_run.c:188 [inline] bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377 bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267 bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649 __do_sys_bpf kernel/bpf/syscall.c:5738 [inline] __se_sys_bpf kernel/bpf/syscall.c:5736 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Found by Linux Verification Center (linuxtesting.org) with syzkaller. CVE-2024-42082 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock When config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system to enter suspend status with below command: echo mem > /sys/power/state There will be a deadlock issue occurring. Detailed invoking path as below: dwc3_suspend_common() spin_lock_irqsave(&dwc->lock, flags); <-- 1st dwc3_gadget_suspend(dwc); dwc3_gadget_soft_disconnect(dwc); spin_lock_irqsave(&dwc->lock, flags); <-- 2nd This issue is exposed by commit c7ebd8149ee5 ("usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend") that removes the code of checking whether dwc->gadget_driver is NULL or not. It causes the following code is executed and deadlock occurs when trying to get the spinlock. In fact, the root cause is the commit 5265397f9442("usb: dwc3: Remove DWC3 locking during gadget suspend/resume") that forgot to remove the lock of otg mode. So, remove the redundant lock of otg mode during gadget suspend/resume. CVE-2024-42085 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: chemical: bme680: Fix overflows in compensate() functions There are cases in the compensate functions of the driver that there could be overflows of variables due to bit shifting ops. These implications were initially discussed here [1] and they were mentioned in log message of Commit 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor"). [1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/ CVE-2024-42086 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep The ilitek-ili9881c controls the reset GPIO using the non-sleeping gpiod_set_value() function. This complains loudly when the GPIO controller needs to sleep. As the caller can sleep, use gpiod_set_value_cansleep() to fix the issue. CVE-2024-42087 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: ASoC: fsl-asoc-card: set priv->pdev before using it priv->pdev pointer was set after being used in fsl_asoc_card_audmux_init(). Move this assignment at the start of the probe function, so sub-functions can correctly use pdev through priv. fsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the dev struct, used with dev_err macros. As priv is zero-initialised, there would be a NULL pointer dereference. Note that if priv->dev is dereferenced before assignment but never used, for example if there is no error to be printed, the driver won't crash probably due to compiler optimisations. CVE-2024-42089 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER In create_pinctrl(), pinctrl_maps_mutex is acquired before calling add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl() calls pinctrl_free(). However, pinctrl_free() attempts to acquire pinctrl_maps_mutex, which is already held by create_pinctrl(), leading to a potential deadlock. This patch resolves the issue by releasing pinctrl_maps_mutex before calling pinctrl_free(), preventing the deadlock. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. CVE-2024-42090 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: davinci: Validate the obtained number of IRQs Value of pdata->gpio_unbanked is taken from Device Tree. In case of broken DT due to any error this value can be any. Without this value validation there can be out of chips->irqs array boundaries access in davinci_gpio_probe(). Validate the obtained nirq value so that it won't exceed the maximum number of IRQs per bank. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-42092 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/dpaa2: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it. CVE-2024-42093 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: 8250_omap: Implementation of Errata i2310 As per Errata i2310[0], Erroneous timeout can be triggered, if this Erroneous interrupt is not cleared then it may leads to storm of interrupts, therefore apply Errata i2310 solution. [0] https://www.ti.com/lit/pdf/sprz536 page 23 CVE-2024-42095 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86: stop playing stack games in profile_pc() The 'profile_pc()' function is used for timer-based profiling, which isn't really all that relevant any more to begin with, but it also ends up making assumptions based on the stack layout that aren't necessarily valid. Basically, the code tries to account the time spent in spinlocks to the caller rather than the spinlock, and while I support that as a concept, it's not worth the code complexity or the KASAN warnings when no serious profiling is done using timers anyway these days. And the code really does depend on stack layout that is only true in the simplest of cases. We've lost the comment at some point (I think when the 32-bit and 64-bit code was unified), but it used to say: Assume the lock function has either no stack frame or a copy of eflags from PUSHF. which explains why it just blindly loads a word or two straight off the stack pointer and then takes a minimal look at the values to just check if they might be eflags or the return pc: Eflags always has bits 22 and up cleared unlike kernel addresses but that basic stack layout assumption assumes that there isn't any lock debugging etc going on that would complicate the code and cause a stack frame. It causes KASAN unhappiness reported for years by syzkaller [1] and others [2]. With no real practical reason for this any more, just remove the code. Just for historical interest, here's some background commits relating to this code from 2006: 0cb91a229364 ("i386: Account spinlocks to the caller during profiling for !FP kernels") 31679f38d886 ("Simplify profile_pc on x86-64") and a code unification from 2009: ef4512882dbe ("x86: time_32/64.c unify profile_pc") but the basics of this thing actually goes back to before the git tree. CVE-2024-42096 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: emux: improve patch ioctl data validation In load_data(), make the validation of and skipping over the main info block match that in load_guspatch(). In load_guspatch(), add checking that the specified patch length matches the actually supplied data, like load_data() already did. CVE-2024-42097 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh - explicitly zeroize private_key private_key is overwritten with the key parameter passed in by the caller (if present), or alternatively a newly generated private key. However, it is possible that the caller provides a key (or the newly generated key) which is shorter than the previous key. In that scenario, some key material from the previous key would not be overwritten. The easiest solution is to explicitly zeroize the entire private_key array first. Note that this patch slightly changes the behavior of this function: previously, if the ecc_gen_privkey failed, the old private_key would remain. Now, the private_key is always zeroized. This behavior is consistent with the case where params.key is set and ecc_is_key_valid fails. CVE-2024-42098 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes In nouveau_connector_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-42101 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: add missing check for inode numbers on directory entries Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis. CVE-2024-42104 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix inode number range checks Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time. CVE-2024-42105 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: inet_diag: Initialize pad field in struct inet_diag_req_v2 KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw sockets uses the pad field in struct inet_diag_req_v2 for the underlying protocol. This field corresponds to the sdiag_raw_protocol field in struct inet_diag_req_raw. inet_diag_get_exact_compat() converts inet_diag_req to inet_diag_req_v2, but leaves the pad field uninitialized. So the issue occurs when raw_lookup() accesses the sdiag_raw_protocol field. Fix this by initializing the pad field in inet_diag_get_exact_compat(). Also, do the same fix in inet_diag_dump_compat() to avoid the similar issue in the future. [1] BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline] BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 raw_lookup net/ipv4/raw_diag.c:49 [inline] raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 inet_diag_cmd_exact+0x7d9/0x980 inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x332/0x3d0 net/socket.c:745 ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 __sys_sendmsg net/socket.c:2668 [inline] __do_sys_sendmsg net/socket.c:2677 [inline] __se_sys_sendmsg net/socket.c:2675 [inline] __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71 raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 inet_diag_cmd_exact+0x7d9/0x980 inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x332/0x3d0 net/socket.c:745 ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 __sys_sendmsg net/socket.c:2668 [inline] __do_sys_sendmsg net/socket.c:2677 [inline] __se_sys_sendmsg net/socket.c:2675 [inline] __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable req.i created at: inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline] inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426 sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 CVE-2024-42106 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Don't process extts if PTP is disabled The ice_ptp_extts_event() function can race with ice_ptp_release() and result in a NULL pointer dereference which leads to a kernel panic. Panic occurs because the ice_ptp_extts_event() function calls ptp_clock_event() with a NULL pointer. The ice driver has already released the PTP clock by the time the interrupt for the next external timestamp event occurs. To fix this, modify the ice_ptp_extts_event() function to check the PTP state and bail early if PTP is not ready. CVE-2024-42107 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally flush pending work before notifier syzbot reports: KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831 KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530 KASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597 Read of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45 [..] Workqueue: events nf_tables_trans_destroy_work Call Trace: nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline] nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline] nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597 Problem is that the notifier does a conditional flush, but its possible that the table-to-be-removed is still referenced by transactions being processed by the worker, so we need to flush unconditionally. We could make the flush_work depend on whether we found a table to delete in nf-next to avoid the flush for most cases. AFAICS this problem is only exposed in nf-next, with commit e169285f8c56 ("netfilter: nf_tables: do not store nft_ctx in transaction objects"), with this commit applied there is an unconditional fetch of table->family which is whats triggering the above splat. CVE-2024-42109 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() The following is emitted when using idxd (DSA) dmanegine as the data mover for ntb_transport that ntb_netdev uses. [74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526 [74412.556784] caller is netif_rx_internal+0x42/0x130 [74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5 [74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024 [74412.581699] Call Trace: [74412.584514] <TASK> [74412.586933] dump_stack_lvl+0x55/0x70 [74412.591129] check_preemption_disabled+0xc8/0xf0 [74412.596374] netif_rx_internal+0x42/0x130 [74412.600957] __netif_rx+0x20/0xd0 [74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev] [74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport] [74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport] [74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd] [74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd] [74412.634046] irq_thread_fn+0x21/0x60 [74412.638134] ? irq_thread+0xa8/0x290 [74412.642218] irq_thread+0x1a0/0x290 [74412.646212] ? __pfx_irq_thread_fn+0x10/0x10 [74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10 [74412.656117] ? __pfx_irq_thread+0x10/0x10 [74412.660686] kthread+0x100/0x130 [74412.664384] ? __pfx_kthread+0x10/0x10 [74412.668639] ret_from_fork+0x31/0x50 [74412.672716] ? __pfx_kthread+0x10/0x10 [74412.676978] ret_from_fork_asm+0x1a/0x30 [74412.681457] </TASK> The cause is due to the idxd driver interrupt completion handler uses threaded interrupt and the threaded handler is not hard or soft interrupt context. However __netif_rx() can only be called from interrupt context. Change the call to netif_rx() in order to allow completion via normal context for dmaengine drivers that utilize threaded irq handling. While the following commit changed from netif_rx() to __netif_rx(), baebdf48c360 ("net: dev: Makes sure netif_rx() can be invoked in any context."), the change should've been a noop instead. However, the code precedes this fix should've been using netif_rx_ni() or netif_rx_any_context(). CVE-2024-42110 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: txgbe: initialize num_q_vectors for MSI/INTx interrupts When using MSI/INTx interrupts, wx->num_q_vectors is uninitialized. Thus there will be kernel panic in wx_alloc_q_vectors() to allocate queue vectors. CVE-2024-42113 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM to 2^31. We had a similar issue in sch_fq, fixed with commit d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM") watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24] Modules linked in: irq event stamp: 131135 hardirqs last enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline] hardirqs last enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95 hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline] softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553 softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19 CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Workqueue: mld mld_ifc_work pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __list_del include/linux/list.h:195 [inline] pc : __list_del_entry include/linux/list.h:218 [inline] pc : list_move_tail include/linux/list.h:310 [inline] pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline] pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854 lr : __list_del_entry include/linux/list.h:218 [inline] lr : list_move_tail include/linux/list.h:310 [inline] lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline] lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854 sp : ffff800093d36700 x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000 x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0 x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0 x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0 x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8 x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470 Call trace: __list_del include/linux/list.h:195 [inline] __list_del_entry include/linux/list.h:218 [inline] list_move_tail include/linux/list.h:310 [inline] fq_tin_dequeue include/net/fq_impl.h:112 [inline] ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854 wake_tx_push_queue net/mac80211/util.c:294 [inline] ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315 drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline] schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline] ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664 ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966 ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062 __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338 ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547 __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563 neigh_output include/net/neighbour.h:542 [inline] ip6_fini ---truncated--- CVE-2024-42114 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: jffs2: Fix potential illegal address access in jffs2_free_inode During the stress testing of the jffs2 file system,the following abnormal printouts were found: [ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 [ 2430.649622] Mem abort info: [ 2430.649829] ESR = 0x96000004 [ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits [ 2430.650564] SET = 0, FnV = 0 [ 2430.650795] EA = 0, S1PTW = 0 [ 2430.651032] FSC = 0x04: level 0 translation fault [ 2430.651446] Data abort info: [ 2430.651683] ISV = 0, ISS = 0x00000004 [ 2430.652001] CM = 0, WnR = 0 [ 2430.652558] [0069696969696948] address between user and kernel address ranges [ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 [ 2430.655008] Hardware name: linux,dummy-virt (DT) [ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2430.656142] pc : kfree+0x78/0x348 [ 2430.656630] lr : jffs2_free_inode+0x24/0x48 [ 2430.657051] sp : ffff800009eebd10 [ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 [ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 [ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 [ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 [ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 [ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 [ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 [ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 [ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 [ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 [ 2430.664217] Call trace: [ 2430.664528] kfree+0x78/0x348 [ 2430.664855] jffs2_free_inode+0x24/0x48 [ 2430.665233] i_callback+0x24/0x50 [ 2430.665528] rcu_do_batch+0x1ac/0x448 [ 2430.665892] rcu_core+0x28c/0x3c8 [ 2430.666151] rcu_core_si+0x18/0x28 [ 2430.666473] __do_softirq+0x138/0x3cc [ 2430.666781] irq_exit+0xf0/0x110 [ 2430.667065] handle_domain_irq+0x6c/0x98 [ 2430.667447] gic_handle_irq+0xac/0xe8 [ 2430.667739] call_on_irq_stack+0x28/0x54 The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of the jffs_inode_info structure. It was found that all variables in the jffs_inode_info structure were 5a5a5a5a, except for the first member sem. It is suspected that these variables are not initialized because they were set to 5a5a5a5a during memory testing, which is meant to detect uninitialized memory.The sem variable is initialized in the function jffs2_i_init_once, while other members are initialized in the function jffs2_init_inode_info. The function jffs2_init_inode_info is called after iget_locked, but in the iget_locked function, the destroy_inode process is triggered, which releases the inode and consequently, the target member of the inode is not initialized.In concurrent high pressure scenarios, iget_locked may enter the destroy_inode branch as described in the code. Since the destroy_inode functionality of jffs2 only releases the target, the fix method is to set target to NULL in jffs2_i_init_once. CVE-2024-42115 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: ASSERT when failing to find index by plane/stream id [WHY] find_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns an array index and they return -1 when not found; however, -1 is not a valid index number. [HOW] When this happens, call ASSERT(), and return a positive number (which is fewer than callers' array size) instead. This fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity. CVE-2024-42117 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip finding free audio for unknown engine_id [WHY] ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it also means it is uninitialized and does not need free audio. [HOW] Skip and return NULL. This fixes 2 OVERRUN issues reported by Coverity. CVE-2024-42119 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check pipe offset before setting vblank pipe_ctx has a size of MAX_PIPES so checking its index before accessing the array. This fixes an OVERRUN issue reported by Coverity. CVE-2024-42120 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check index msg_id before read or write [WHAT] msg_id is used as an array index and it cannot be a negative value, and therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1). [HOW] Check whether msg_id is valid before reading and setting. This fixes 4 OVERRUN issues reported by Coverity. CVE-2024-42121 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer check for kzalloc [Why & How] Check return pointer of kzalloc before using it. CVE-2024-42122 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Make qedf_execute_tmf() non-preemptible Stop calling smp_processor_id() from preemptible code in qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel. [ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646 [ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf] CVE-2024-42124 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband We have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz sband will be NULL even if it is WiFi 7 chip. So, add NULL handling here to avoid crash. CVE-2024-42125 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel crash when invoked during real mode interrupt handling (e.g. early HMI/MCE interrupt handler) if percpu allocation comes from vmalloc area. Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI() wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when percpu allocation is from the embedded first chunk. However with CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu allocation can come from the vmalloc area. With kernel command line "percpu_alloc=page" we can force percpu allocation to come from vmalloc area and can see kernel crash in machine_check_early: [ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110 [ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0 [ 1.215719] --- interrupt: 200 [ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable) [ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0 [ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8 Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu first chunk is not embedded. CVE-2024-42126 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/lima: fix shared irq handling on driver remove lima uses a shared interrupt, so the interrupt handlers must be prepared to be called at any time. At driver removal time, the clocks are disabled early and the interrupts stay registered until the very end of the remove process due to the devm usage. This is potentially a bug as the interrupts access device registers which assumes clocks are enabled. A crash can be triggered by removing the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled. This patch frees the interrupts at each lima device finishing callback so that the handlers are already unregistered by the time we fully disable clocks. CVE-2024-42127 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfc/nci: Add the inconsistency check between the input data length and count write$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB="610501"], 0xf) Syzbot constructed a write() call with a data length of 3 bytes but a count value of 15, which passed too little data to meet the basic requirements of the function nci_rf_intf_activated_ntf_packet(). Therefore, increasing the comparison between data length and count value to avoid problems caused by inconsistent data length and count. CVE-2024-42130 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX Syzbot hit warning in hci_conn_del() caused by freeing handle that was not allocated using ida allocator. This is caused by handle bigger than HCI_CONN_HANDLE_MAX passed by hci_le_big_sync_established_evt(), which makes code think it's unset connection. Add same check for handle upper bound as in hci_conn_set_handle() to prevent warning. CVE-2024-42132 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Ignore too large handle values in BIG hci_le_big_sync_established_evt is necessary to filter out cases where the handle value is belonging to ida id range, otherwise ida will be erroneously released in hci_conn_cleanup. CVE-2024-42133 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: cdrom: rearrange last_media_change check to avoid unintentional overflow When running syzkaller with the newly reintroduced signed integer wrap sanitizer we encounter this splat: [ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33 [ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long') [ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO [ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 [ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 366.027518] Call Trace: [ 366.027523] <TASK> [ 366.027533] dump_stack_lvl+0x93/0xd0 [ 366.027899] handle_overflow+0x171/0x1b0 [ 366.038787] ata1.00: invalid multi_count 32 ignored [ 366.043924] cdrom_ioctl+0x2c3f/0x2d10 [ 366.063932] ? __pm_runtime_resume+0xe6/0x130 [ 366.071923] sr_block_ioctl+0x15d/0x1d0 [ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10 [ 366.077642] blkdev_ioctl+0x419/0x500 [ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10 ... Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang. It was re-enabled in the kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow sanitizer"). Let's rearrange the check to not perform any arithmetic, thus not tripping the sanitizer. CVE-2024-42136 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot Commit 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed serdev") will cause below regression issue: BT can't be enabled after below steps: cold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure if property enable-gpios is not configured within DT|ACPI for QCA6390. The commit is to fix a use-after-free issue within qca_serdev_shutdown() by adding condition to avoid the serdev is flushed or wrote after closed but also introduces this regression issue regarding above steps since the VSC is not sent to reset controller during warm reboot. Fixed by sending the VSC to reset controller within qca_serdev_shutdown() once BT was ever enabled, and the use-after-free issue is also fixed by this change since the serdev is still opened before it is flushed or wrote. Verified by the reported machine Dell XPS 13 9310 laptop over below two kernel commits: commit e00fc2700a3f ("Bluetooth: btusb: Fix triggering coredump implementation for QCA") of bluetooth-next tree. commit b23d98d46d28 ("Bluetooth: btusb: Fix triggering coredump implementation for QCA") of linus mainline tree. CVE-2024-42137 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file In case of invalid INI file mlxsw_linecard_types_init() deallocates memory but doesn't reset pointer to NULL and returns 0. In case of any error occurred after mlxsw_linecard_types_init() call, mlxsw_linecards_init() calls mlxsw_linecard_types_fini() which performs memory deallocation again. Add pointer reset to NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-42138 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Fix improper extts handling Extts events are disabled and enabled by the application ts2phc. However, in case where the driver is removed when the application is running, a specific extts event remains enabled and can cause a kernel crash. As a side effect, when the driver is reloaded and application is started again, remaining extts event for the channel from a previous run will keep firing and the message "extts on unexpected channel" might be printed to the user. To avoid that, extts events shall be disabled when PTP is released. CVE-2024-42139 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Check socket flag instead of hcon This fixes the following Smatch static checker warning: net/bluetooth/iso.c:1364 iso_sock_recvmsg() error: we previously assumed 'pi->conn->hcon' could be null (line 1359) net/bluetooth/iso.c 1347 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1348 size_t len, int flags) 1349 { 1350 struct sock *sk = sock->sk; 1351 struct iso_pinfo *pi = iso_pi(sk); 1352 1353 BT_DBG("sk %p", sk); 1354 1355 if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 1356 lock_sock(sk); 1357 switch (sk->sk_state) { 1358 case BT_CONNECT2: 1359 if (pi->conn->hcon && ^^^^^^^^^^^^^^ If ->hcon is NULL 1360 test_bit(HCI_CONN_PA_SYNC, &pi->conn->hcon->flags)) { 1361 iso_conn_big_sync(sk); 1362 sk->sk_state = BT_LISTEN; 1363 } else { --> 1364 iso_conn_defer_accept(pi->conn->hcon); ^^^^^^^^^^^^^^ then we're toast 1365 sk->sk_state = BT_CONFIG; 1366 } 1367 release_sock(sk); 1368 return 0; 1369 case BT_CONNECTED: 1370 if (test_bit(BT_SK_PA_SYNC, CVE-2024-42141 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: E-switch, Create ingress ACL when needed Currently, ingress acl is used for three features. It is created only when vport metadata match and prio tag are enabled. But active-backup lag mode also uses it. It is independent of vport metadata match and prio tag. And vport metadata match can be disabled using the following devlink command: # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \ value false cmode runtime If ingress acl is not created, will hit panic when creating drop rule for active-backup lag mode. If always create it, there will be about 5% performance degradation. Fix it by creating ingress acl when needed. If esw_port_metadata is true, ingress acl exists, then create drop rule using existing ingress acl. If esw_port_metadata is false, create ingress acl and then create drop rule. CVE-2024-42142 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-42143 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data Verify that lvts_data is not NULL before using it. CVE-2024-42144 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/core: Implement a limit on UMAD receive List The existing behavior of ib_umad, which maintains received MAD packets in an unbounded list, poses a risk of uncontrolled growth. As user-space applications extract packets from this list, the rate of extraction may not match the rate of incoming packets, leading to potential list overflow. To address this, we introduce a limit to the size of the list. After considering typical scenarios, such as OpenSM processing, which can handle approximately 100k packets per second, and the 1-second retry timeout for most packets, we set the list size limit to 200k. Packets received beyond this limit are dropped, assuming they are likely timed out by the time they are handled by user-space. Notably, packets queued on the receive list due to reasons like timed-out sends are preserved even when the list is full. CVE-2024-42145 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/debugfs - Fix debugfs uninit process issue During the zip probe process, the debugfs failure does not stop the probe. When debugfs initialization fails, jumping to the error branch will also release regs, in addition to its own rollback operation. As a result, it may be released repeatedly during the regs uninit process. Therefore, the null check needs to be added to the regs uninit process. CVE-2024-42147 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnx2x: Fix multiple UBSAN array-index-out-of-bounds Fix UBSAN warnings that occur when using a system with 32 physical cpu cores or more, or when the user defines a number of Ethernet queues greater than or equal to FP_SB_MAX_E1x using the num_queues module parameter. Currently there is a read/write out of bounds that occurs on the array "struct stats_query_entry query" present inside the "bnx2x_fw_stats_req" struct in "drivers/net/ethernet/broadcom/bnx2x/bnx2x.h". Looking at the definition of the "struct stats_query_entry query" array: struct stats_query_entry query[FP_SB_MAX_E1x+ BNX2X_FIRST_QUEUE_QUERY_IDX]; FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3 meaning the array has a total size of 19. Since accesses to "struct stats_query_entry query" are offset-ted by BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet queues should not exceed FP_SB_MAX_E1x (16). However one of these queues is reserved for FCOE and thus the number of Ethernet queues should be set to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if it is not. This is also described in a comment in the source code in drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition of FP_SB_MAX_E1x. Below is the part of this explanation that it important for this patch /* * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is * control by the number of fast-path status blocks supported by the * device (HW/FW). Each fast-path status block (FP-SB) aka non-default * status block represents an independent interrupts context that can * serve a regular L2 networking queue. However special L2 queues such * as the FCoE queue do not require a FP-SB and other components like * the CNIC may consume FP-SB reducing the number of possible L2 queues * * If the maximum number of FP-SB available is X then: * a. If CNIC is supported it consumes 1 FP-SB thus the max number of * regular L2 queues is Y=X-1 * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor) * c. If the FCoE L2 queue is supported the actual number of L2 queues * is Y+1 * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for * slow-path interrupts) or Y+2 if CNIC is supported (one additional * FP interrupt context for the CNIC). * e. The number of HW context (CID count) is always X or X+1 if FCoE * L2 queue is supported. The cid for the FCoE L2 queue is always X. */ However this driver also supports NICs that use the E2 controller which can handle more queues due to having more FP-SB represented by FP_SB_MAX_E2. Looking at the commits when the E2 support was added, it was originally using the E1x parameters: commit f2e0899f0f27 ("bnx2x: Add 57712 support"). Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver was later updated to take full advantage of the E2 instead of having it be limited to the capabilities of the E1x. But as far as we can tell, the array "stats_query_entry query" was still limited to using the FP-SB available to the E1x cards as part of an oversignt when the driver was updated to take full advantage of the E2, and now with the driver being aware of the greater queue size supported by E2 NICs, it causes the UBSAN warnings seen in the stack traces below. This patch increases the size of the "stats_query_entry query" array by replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle both types of NICs. Stack traces: UBSAN: array-index-out-of-bounds in drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11 index 20 is out of range for type 'stats_query_entry [19]' CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133 Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 ---truncated--- CVE-2024-42148 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvmet: fix a possible leak when destroy a ctrl during qp establishment In nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we know that a ctrl was allocated (in the admin connect request handler) and we need to release pending AERs, clear ctrl->sqs and sq->ctrl (for nvme-loop primarily), and drop the final reference on the ctrl. However, a small window is possible where nvmet_sq_destroy starts (as a result of the client giving up and disconnecting) concurrently with the nvme admin connect cmd (which may be in an early stage). But *before* kill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq live reference). In this case, sq->ctrl was allocated however after it was captured in a local variable in nvmet_sq_destroy. This prevented the final reference drop on the ctrl. Solve this by re-capturing the sq->ctrl after all inflight request has completed, where for sure sq->ctrl reference is final, and move forward based on that. This issue was observed in an environment with many hosts connecting multiple ctrls simoutanuosly, creating a delay in allocating a ctrl leading up to this race window. CVE-2024-42152 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr When del_timer_sync() is called in an interrupt context it throws a warning because of potential deadlock. The timer is used only to exit from wait_for_completion() after a timeout so replacing the call with wait_for_completion_timeout() allows to remove the problematic timer and its related functions altogether. CVE-2024-42153 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated). CVE-2024-42154 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of protected- and secure-keys Although the clear-key of neither protected- nor secure-keys is accessible, this key material should only be visible to the calling process. So wipe all copies of protected- or secure-keys from stack, even in case of an error. CVE-2024-42155 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of clear-key structures on failure Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key. CVE-2024-42156 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe sensitive data on failure Wipe sensitive data from stack also if the copy_to_user() fails. CVE-2024-42157 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Replace memzero_explicit() and kfree() with kfree_sensitive() to fix warnings reported by Coccinelle: WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643) WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770) CVE-2024-42158 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger then size of this field shouldn't be allowed. CVE-2024-42159 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD [Changes from V1: - Use a default branch in the switch statement to initialize `val'.] GCC warns that `val' may be used uninitialized in the BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as: [...] unsigned long long val; \ [...] \ switch (__CORE_RELO(s, field, BYTE_SIZE)) { \ case 1: val = *(const unsigned char *)p; break; \ case 2: val = *(const unsigned short *)p; break; \ case 4: val = *(const unsigned int *)p; break; \ case 8: val = *(const unsigned long long *)p; break; \ } \ [...] val; \ } \ This patch adds a default entry in the switch statement that sets `val' to zero in order to avoid the warning, and random values to be used in case __builtin_preserve_field_info returns unexpected values for BPF_FIELD_BYTE_SIZE. Tested in bpf-next master. No regressions. CVE-2024-42161 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: gve: Account for stopped queues when reading NIC stats We now account for the fact that the NIC might send us stats for a subset of queues. Without this change, gve_get_ethtool_stats might make an invalid access on the priv->stats_report->stats array. CVE-2024-42162 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: tda10048: Fix integer overflow state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer when multiplied by pll_mfactor. Create a new 64 bit variable to hold the calculations. CVE-2024-42223 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO busses") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. Compile tested only. CVE-2024-42224 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: replace skb_put with skb_put_zero Avoid potentially reusing uninitialized data CVE-2024-42225 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-42226 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix overlapping copy within dml_core_mode_programming [WHY] &mode_lib->mp.Watermark and &locals->Watermark are the same address. memcpy may lead to unexpected behavior. [HOW] memmove should be used. CVE-2024-42227 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian) CVE-2024-42228 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: aead,cipher - zeroize key buffer after use I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key. CVE-2024-42229 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Fix scv instruction crash with kexec kexec on pseries disables AIL (reloc_on_exc), required for scv instruction support, before other CPUs have been shut down. This means they can execute scv instructions after AIL is disabled, which causes an interrupt at an unexpected entry location that crashes the kernel. Change the kexec sequence to disable AIL after other CPUs have been brought down. As a refresher, the real-mode scv interrupt vector is 0x17000, and the fixed-location head code probably couldn't easily deal with implementing such high addresses so it was just decided not to support that interrupt at all. CVE-2024-42230 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: libceph: fix race between delayed_work() and ceph_monc_stop() The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused. To fix this: - clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop() - bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting) - call cancel_delayed_work_sync() after the session is closed CVE-2024-42232 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() Userspace provided string 's' could trivially have the length zero. Left unchecked this will firstly result in an OOB read in the form `if (str[0 - 1] == '\n') followed closely by an OOB write in the form `str[0 - 1] = '\0'`. There is already a validating check to catch strings that are too long. Let's supply an additional check for invalid strings that are too short. CVE-2024-42236 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Validate payload length before processing block Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load() to be done before the block is processed. The check that the length of a block payload does not exceed the number of remaining bytes in the firwmware file buffer was being done near the end of the loop iteration. However, some code before that check used the length field without validating it. CVE-2024-42237 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Return error if block header overflows file Return an error from cs_dsp_power_up() if a block header is longer than the amount of data left in the file. The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop while there was enough data left in the file for a valid region. This protected against overrunning the end of the file data, but it didn't abort the file processing with an error. CVE-2024-42238 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/bhi: Avoid warning in #DB handler due to BHI mitigation When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler (exc_debug_kernel()) to issue a warning because single-step is used outside the entry_SYSENTER_compat() function. To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY after making sure the TF flag is cleared. The problem can be reproduced with the following sequence: $ cat sysenter_step.c int main() { asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); } $ gcc -o sysenter_step sysenter_step.c $ ./sysenter_step Segmentation fault (core dumped) The program is expected to crash, and the #DB handler will issue a warning. Kernel log: WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160 ... RIP: 0010:exc_debug_kernel+0xd2/0x160 ... Call Trace: <#DB> ? show_regs+0x68/0x80 ? __warn+0x8c/0x140 ? exc_debug_kernel+0xd2/0x160 ? report_bug+0x175/0x1a0 ? handle_bug+0x44/0x90 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? exc_debug_kernel+0xd2/0x160 exc_debug+0x43/0x50 asm_exc_debug+0x1e/0x40 RIP: 0010:clear_bhb_loop+0x0/0xb0 ... </#DB> <TASK> ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d </TASK> [ bp: Massage commit message. ] CVE-2024-42240 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/shmem: disable PMD-sized page cache if needed For shmem files, it's possible that PMD-sized page cache can't be supported by xarray. For example, 512MB page cache on ARM64 when the base page size is 64KB can't be supported by xarray. It leads to errors as the following messages indicate when this sort of xarray entry is split. WARNING: CPU: 34 PID: 7578 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 \ nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject \ nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse xfs \ libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_net \ net_failover virtio_console virtio_blk failover dimlib virtio_mmio CPU: 34 PID: 7578 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : xas_split_alloc+0xf8/0x128 lr : split_huge_page_to_list_to_order+0x1c4/0x720 sp : ffff8000882af5f0 x29: ffff8000882af5f0 x28: ffff8000882af650 x27: ffff8000882af768 x26: 0000000000000cc0 x25: 000000000000000d x24: ffff00010625b858 x23: ffff8000882af650 x22: ffffffdfc0900000 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0900000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000018000000000 x15: 52f8004000000000 x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020 x11: 52f8000000000000 x10: 52f8e1c0ffff6000 x9 : ffffbeb9619a681c x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff00010b02ddb0 x5 : ffffbeb96395e378 x4 : 0000000000000000 x3 : 0000000000000cc0 x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000 Call trace: xas_split_alloc+0xf8/0x128 split_huge_page_to_list_to_order+0x1c4/0x720 truncate_inode_partial_folio+0xdc/0x160 shmem_undo_range+0x2bc/0x6a8 shmem_fallocate+0x134/0x430 vfs_fallocate+0x124/0x2e8 ksys_fallocate+0x4c/0xa0 __arm64_sys_fallocate+0x24/0x38 invoke_syscall.constprop.0+0x7c/0xd8 do_el0_svc+0xb4/0xd0 el0_svc+0x44/0x1d8 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x17c/0x180 Fix it by disabling PMD-sized page cache when HPAGE_PMD_ORDER is larger than MAX_PAGECACHE_ORDER. As Matthew Wilcox pointed, the page cache in a shmem file isn't represented by a multi-index entry and doesn't have this limitation when the xarry entry is split until commit 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache"). CVE-2024-42241 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray Patch series "mm/filemap: Limit page cache size to that supported by xarray", v2. Currently, xarray can't support arbitrary page cache size. More details can be found from the WARN_ON() statement in xas_split_alloc(). In our test whose code is attached below, we hit the WARN_ON() on ARM64 system where the base page size is 64KB and huge page size is 512MB. The issue was reported long time ago and some discussions on it can be found here [1]. [1] https://www.spinics.net/lists/linux-xfs/msg75404.html In order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one supported by xarray and avoid PMD-sized page cache if needed. The code changes are suggested by David Hildenbrand. PATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray PATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path PATCH[4] avoids PMD-sized page cache for shmem files if needed Test program ============ # cat test.c #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <fcntl.h> #include <errno.h> #include <sys/syscall.h> #include <sys/mman.h> #define TEST_XFS_FILENAME "/tmp/data" #define TEST_SHMEM_FILENAME "/dev/shm/data" #define TEST_MEM_SIZE 0x20000000 int main(int argc, char **argv) { const char *filename; int fd = 0; void *buf = (void *)-1, *p; int pgsize = getpagesize(); int ret; if (pgsize != 0x10000) { fprintf(stderr, "64KB base page size is required\n"); return -EPERM; } system("echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled"); system("rm -fr /tmp/data"); system("rm -fr /dev/shm/data"); system("echo 1 > /proc/sys/vm/drop_caches"); /* Open xfs or shmem file */ filename = TEST_XFS_FILENAME; if (argc > 1 && !strcmp(argv[1], "shmem")) filename = TEST_SHMEM_FILENAME; fd = open(filename, O_CREAT | O_RDWR | O_TRUNC); if (fd < 0) { fprintf(stderr, "Unable to open <%s>\n", filename); return -EIO; } /* Extend file size */ ret = ftruncate(fd, TEST_MEM_SIZE); if (ret) { fprintf(stderr, "Error %d to ftruncate()\n", ret); goto cleanup; } /* Create VMA */ buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); if (buf == (void *)-1) { fprintf(stderr, "Unable to mmap <%s>\n", filename); goto cleanup; } fprintf(stdout, "mapped buffer at 0x%p\n", buf); ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE); if (ret) { fprintf(stderr, "Unable to madvise(MADV_HUGEPAGE)\n"); goto cleanup; } /* Populate VMA */ ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE); if (ret) { fprintf(stderr, "Error %d to madvise(MADV_POPULATE_WRITE)\n", ret); goto cleanup; } /* Punch the file to enforce xarray split */ ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, TEST_MEM_SIZE - pgsize, pgsize); if (ret) fprintf(stderr, "Error %d to fallocate()\n", ret); cleanup: if (buf != (void *)-1) munmap(buf, TEST_MEM_SIZE); if (fd > 0) close(fd); return 0; } # gcc test.c -o test # cat /proc/1/smaps | grep KernelPageSize | head -n 1 KernelPageSize: 64 kB # ./test shmem : ------------[ cut here ]------------ WARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \ nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \ nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \ drm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \ virtio_net sha1_ce net_failover failover virtio_console virtio_blk \ dimlib virtio_mmio CPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TC ---truncated--- CVE-2024-42243 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 ("USB: serial: use generic method if no alternative is provided in usb serial layer"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ] CVE-2024-42244 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Revert "sched/fair: Make sure to try to detach at least one movable task" This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06. b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if all tasks examined to that point were pinned. The goal of the patch was to make it more likely to be able to detach a task buried in a long list of pinned tasks. However, this has the unfortunate side effect of creating an O(n) iteration in detach_tasks(), as we now must fully iterate every task on a cpu if all or most are pinned. Since this load balance code is done with rq lock held, and often in softirq context, it is very easy to trigger hard lockups. We observed such hard lockups with a user who affined O(10k) threads to a single cpu. When I discussed this with Vincent he initially suggested that we keep the limit on the number of tasks to detach, but increase the number of tasks we can search. However, after some back and forth on the mailing list, he recommended we instead revert the original patch, as it seems likely no one was actually getting hit by the original issue. CVE-2024-42245 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket When using a BPF program on kernel_connect(), the call can return -EPERM. This causes xs_tcp_setup_socket() to loop forever, filling up the syslog and causing the kernel to potentially freeze up. Neil suggested: This will propagate -EPERM up into other layers which might not be ready to handle it. It might be safer to map EPERM to an error we would be more likely to expect from the network system - such as ECONNREFUSED or ENETDOWN. ECONNREFUSED as error seems reasonable. For programs setting a different error can be out of reach (see handling in 4fbac77d2d09) in particular on kernels which do not have f10d05966196 ("bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean"), thus given that it is better to simply remap for consistent behavior. UDP does handle EPERM in xs_udp_send_request(). CVE-2024-42246 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wireguard: allowedips: avoid unaligned 64-bit memory accesses On the parisc platform, the kernel issues kernel warnings because swap_endian() tries to load a 128-bit IPv6 address from an unaligned memory location: Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df) Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc) Avoid such unaligned memory accesses by instead using the get_unaligned_be64() helper macro. [Jason: replace src[8] in original patch with src+8] CVE-2024-42247 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: add missing lock protection when polling Add missing lock protection in poll routine when iterating xarray, otherwise: Even with RCU read lock held, only the slot of the radix tree is ensured to be pinned there, while the data structure (e.g. struct cachefiles_req) stored in the slot has no such guarantee. The poll routine will iterate the radix tree and dereference cachefiles_req accordingly. Thus RCU read lock is not adequate in this case and spinlock is needed here. CVE-2024-42250 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: closures: Change BUG_ON() to WARN_ON() If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON() For reference, this has popped up once in the CI, and we'll need more info to debug it: 03240 ------------[ cut here ]------------ 03240 kernel BUG at lib/closure.c:21! 03240 kernel BUG at lib/closure.c:21! 03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP 03240 Modules linked in: 03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570 03240 Hardware name: linux,dummy-virt (DT) 03240 Workqueue: btree_update btree_interior_update_work 03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) 03240 pc : closure_put+0x224/0x2a0 03240 lr : closure_put+0x24/0x2a0 03240 sp : ffff0000d12071c0 03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360 03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040 03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168 03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001 03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974 03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d 03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e 03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b 03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954 03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000 03240 Call trace: 03240 closure_put+0x224/0x2a0 03240 bch2_check_for_deadlock+0x910/0x1028 03240 bch2_six_check_for_deadlock+0x1c/0x30 03240 six_lock_slowpath.isra.0+0x29c/0xed0 03240 six_lock_ip_waiter+0xa8/0xf8 03240 __bch2_btree_node_lock_write+0x14c/0x298 03240 bch2_trans_lock_write+0x6d4/0xb10 03240 __bch2_trans_commit+0x135c/0x5520 03240 btree_interior_update_work+0x1248/0x1c10 03240 process_scheduled_works+0x53c/0xd90 03240 worker_thread+0x370/0x8c8 03240 kthread+0x258/0x2e8 03240 ret_from_fork+0x10/0x20 03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000) 03240 ---[ end trace 0000000000000000 ]--- 03240 Kernel panic - not syncing: Oops - BUG: Fatal exception 03240 SMP: stopping secondary CPUs 03241 SMP: failed to stop secondary CPUs 13,15 03241 Kernel Offset: disabled 03241 CPU features: 0x00,00000003,80000008,4240500b 03241 Memory Limit: none 03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]--- 03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s CVE-2024-42252 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: pca953x: fix pca953x_irq_bus_sync_unlock race Ensure that `i2c_lock' is held when setting interrupt latch and mask in pca953x_irq_bus_sync_unlock() in order to avoid races. The other (non-probe) call site pca953x_gpio_set_multiple() ensures the lock is held before calling pca953x_write_regs(). The problem occurred when a request raced against irq_bus_sync_unlock() approximately once per thousand reboots on an i.MX8MP based system. * Normal case 0-0022: write register AI|3a {03,02,00,00,01} Input latch P0 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0 0-0022: write register AI|08 {ff,00,00,00,00} Output P3 0-0022: write register AI|12 {fc,00,00,00,00} Config P3 * Race case 0-0022: write register AI|08 {ff,00,00,00,00} Output P3 0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register *** 0-0022: write register AI|12 {fc,00,00,00,00} Config P3 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0 CVE-2024-42253 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Fix Virtual Memory mapping boundaries calculation Calculating the size of the mapped area as the lesser value between the requested size and the actual size does not consider the partial mapping offset. This can cause page fault access. Fix the calculation of the starting and ending addresses, the total size is now deduced from the difference between the end and start addresses. Additionally, the calculations have been rewritten in a clearer and more understandable form. [Joonas: Add Requires: tag] Requires: 60a2066c5005 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset") (cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417) CVE-2024-42259 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: protect the fetch of ->fd[fd] in do_dup2() from mispredictions both callers have verified that fd is not greater than ->max_fds; however, misprediction might end up with tofree = fdt->fd[fd]; being speculatively executed. That's wrong for the same reasons why it's wrong in close_fd()/file_close_fd_locked(); the same solution applies - array_index_nospec(fd, fdt->max_fds) could differ from fd only in case of speculative execution on mispredicted path. CVE-2024-42265 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix missing lock on sync reset reload On sync reset reload work, when remote host updates devlink on reload actions performed on that host, it misses taking devlink lock before calling devlink_remote_reload_actions_performed() which results in triggering lock assert like the following: WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50 … CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S W 6.10.0-rc2+ #116 Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0 12/18/2015 Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core] RIP: 0010:devl_assert_locked+0x3e/0x50 … Call Trace: <TASK> ? __warn+0xa4/0x210 ? devl_assert_locked+0x3e/0x50 ? report_bug+0x160/0x280 ? handle_bug+0x3f/0x80 ? exc_invalid_op+0x17/0x40 ? asm_exc_invalid_op+0x1a/0x20 ? devl_assert_locked+0x3e/0x50 devlink_notify+0x88/0x2b0 ? mlx5_attach_device+0x20c/0x230 [mlx5_core] ? __pfx_devlink_notify+0x10/0x10 ? process_one_work+0x4b6/0xbb0 process_one_work+0x4b6/0xbb0 […] CVE-2024-42268 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init(). ip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id], but the function is exposed to user space before the entry is allocated via register_pernet_subsys(). Let's call register_pernet_subsys() before xt_register_template(). CVE-2024-42269 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). We had a report that iptables-restore sometimes triggered null-ptr-deref at boot time. [0] The problem is that iptable_nat_table_init() is exposed to user space before the kernel fully initialises netns. In the small race window, a user could call iptable_nat_table_init() that accesses net_generic(net, iptable_nat_net_id), which is available only after registering iptable_nat_net_ops. Let's call register_pernet_subsys() before xt_register_template(). [0]: bpfilter: Loaded bpfilter_umh pid 11702 Started bpfilter BUG: kernel NULL pointer dereference, address: 0000000000000013 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page PGD 0 P4D 0 PREEMPT SMP NOPTI CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1 Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017 RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246 RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80 RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0 RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240 R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000 R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004 FS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? xt_find_table_lock (net/netfilter/x_tables.c:1259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? page_fault_oops (arch/x86/mm/fault.c:727) ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518) ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570) ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat xt_find_table_lock (net/netfilter/x_tables.c:1259) xt_request_find_table_lock (net/netfilter/x_tables.c:1287) get_info (net/ipv4/netfilter/ip_tables.c:965) ? security_capable (security/security.c:809 (discriminator 13)) ? ns_capable (kernel/capability.c:376 kernel/capability.c:397) ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656) ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter nf_getsockopt (net/netfilter/nf_sockopt.c:116) ip_getsockopt (net/ipv4/ip_sockglue.c:1827) __sys_getsockopt (net/socket.c:2327) __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121) RIP: 0033:0x7f62844685ee Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09 RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0 R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2 R13: 00007f6284 ---truncated--- CVE-2024-42270 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv. CVE-2024-42271 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Revert "ALSA: firewire-lib: operate for period elapse event in process context" Commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event in process context") removed the process context workqueue from amdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove its overhead. With RME Fireface 800, this lead to a regression since Kernels 5.14.0, causing an AB/BA deadlock competition for the substream lock with eventual system freeze under ALSA operation: thread 0: * (lock A) acquire substream lock by snd_pcm_stream_lock_irq() in snd_pcm_status64() * (lock B) wait for tasklet to finish by calling tasklet_unlock_spin_wait() in tasklet_disable_in_atomic() in ohci_flush_iso_completions() of ohci.c thread 1: * (lock B) enter tasklet * (lock A) attempt to acquire substream lock, waiting for it to be released: snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed() in update_pcm_pointers() in process_ctx_payloads() in process_rx_packets() of amdtp-stream.c ? tasklet_unlock_spin_wait </NMI> <TASK> ohci_flush_iso_completions firewire_ohci amdtp_domain_stream_pcm_pointer snd_firewire_lib snd_pcm_update_hw_ptr0 snd_pcm snd_pcm_status64 snd_pcm ? native_queued_spin_lock_slowpath </NMI> <IRQ> _raw_spin_lock_irqsave snd_pcm_period_elapsed snd_pcm process_rx_packets snd_firewire_lib irq_target_callback snd_firewire_lib handle_it_packet firewire_ohci context_tasklet firewire_ohci Restore the process context work queue to prevent deadlock AB/BA deadlock competition for ALSA substream lock of snd_pcm_stream_lock_irq() in snd_pcm_status64() and snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed(). revert commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event in process context") Replace inline description to prevent future deadlock. CVE-2024-42274 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-pci: add missing condition check for existence of mapped data nvme_map_data() is called when request has physical segments, hence the nvme_unmap_data() should have same condition to avoid dereference. CVE-2024-42276 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en In sprd_iommu_cleanup() before calling function sprd_iommu_hw_en() dom->sdev is equal to NULL, which leads to null dereference. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-42277 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: TAS2781: Fix tasdev_load_calibrated_data() This function has a reversed if statement so it's either a no-op or it leads to a NULL dereference. CVE-2024-42278 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer While transmitting with rx_len == 0, the RX FIFO is not going to be emptied in the interrupt handler. A subsequent transfer could then read crap from the previous transfer out of the RX FIFO into the start RX buffer. The core provides a register that will empty the RX and TX FIFOs, so do that before each transfer. CVE-2024-42279 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp). CVE-2024-42280 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a segment issue when downgrading gso_size Linearize the skb when downgrading gso_size because it may trigger a BUG_ON() later when the skb is segmented as described in [1,2]. CVE-2024-42281 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: nexthop: Initialize all fields in dumped nexthops struct nexthop_grp contains two reserved fields that are not initialized by nla_put_nh_group(), and carry garbage. This can be observed e.g. with strace (edited for clarity): # ip nexthop add id 1 dev lo # ip nexthop add id 101 group 1 # strace -e recvmsg ip nexthop get id 101 ... recvmsg(... [{nla_len=12, nla_type=NHA_GROUP}, [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52 The fields are reserved and therefore not currently used. But as they are, they leak kernel memory, and the fact they are not just zero complicates repurposing of the fields for new ends. Initialize the full structure. CVE-2024-42283 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address. CVE-2024-42284 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix a use-after-free related to destroying CM IDs iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows: conn_id->cm_id.iw = cm_id; cm_id->context = conn_id; cm_id->cm_handler = cma_iw_handler; rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make sure that cm_work_handler() does not trigger a use-after-free by only freeing of the struct rdma_id_private after all pending work has finished. CVE-2024-42285 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: validate nvme_local_port correctly The driver load failed with error message, qla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef and with a kernel crash, BUG: unable to handle kernel NULL pointer dereference at 0000000000000070 Workqueue: events_unbound qla_register_fcport_fn [qla2xxx] RIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc] RSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000 RDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000 RBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030 R10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4 R13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8 FS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0 Call Trace: qla_nvme_register_remote+0xeb/0x1f0 [qla2xxx] ? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx] qla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx] qla_register_fcport_fn+0x54/0xc0 [qla2xxx] Exit the qla_nvme_register_remote() function when qla_nvme_register_hba() fails and correctly validate nvme_local_port. CVE-2024-42286 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Complete command early within lock A crash was observed while performing NPIV and FW reset, BUG: kernel NULL pointer dereference, address: 000000000000001c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 1 PREEMPT_RT SMP NOPTI RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0 RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0 RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034 R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000 R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000 FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? page_fault_oops+0x16f/0x4a0 ? do_user_addr_fault+0x174/0x7f0 ? exc_page_fault+0x69/0x1a0 ? asm_exc_page_fault+0x22/0x30 ? dma_direct_unmap_sg+0x51/0x1e0 ? preempt_count_sub+0x96/0xe0 qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx] qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx] __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx] The command completion was done early while aborting the commands in driver unload path but outside lock to avoid the WARN_ON condition of performing dma_free_attr within the lock. However this caused race condition while command completion via multiple paths causing system crash. Hence complete the command early in unload path but within the lock to avoid race condition. CVE-2024-42287 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix for possible memory corruption Init Control Block is dereferenced incorrectly. Correctly dereference ICB CVE-2024-42288 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: During vport delete send async logout explicitly During vport delete, it is observed that during unload we hit a crash because of stale entries in outstanding command array. For all these stale I/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but I/Os could not complete while vport delete is in process of deleting. BUG: kernel NULL pointer dereference, address: 000000000000001c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI Workqueue: qla2xxx_wq qla_do_work [qla2xxx] RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0 RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0 RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8 R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000 R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0 Call Trace: <TASK> qla2xxx_qpair_sp_free_dma+0x417/0x4e0 ? qla2xxx_qpair_sp_compl+0x10d/0x1a0 ? qla2x00_status_entry+0x768/0x2830 ? newidle_balance+0x2f0/0x430 ? dequeue_entity+0x100/0x3c0 ? qla24xx_process_response_queue+0x6a1/0x19e0 ? __schedule+0x2d5/0x1140 ? qla_do_work+0x47/0x60 ? process_one_work+0x267/0x440 ? process_one_work+0x440/0x440 ? worker_thread+0x2d/0x3d0 ? process_one_work+0x440/0x440 ? kthread+0x156/0x180 ? set_kthread_struct+0x50/0x50 ? ret_from_fork+0x22/0x30 </TASK> Send out async logout explicitly for all the ports during vport delete. CVE-2024-42289 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: irqchip/imx-irqsteer: Handle runtime power management correctly The power domain is automatically activated from clk_prepare(). However, on certain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes sleeping functions, which triggers the 'scheduling while atomic' bug in the context switch path during device probing: BUG: scheduling while atomic: kworker/u13:1/48/0x00000002 Call trace: __schedule_bug+0x54/0x6c __schedule+0x7f0/0xa94 schedule+0x5c/0xc4 schedule_preempt_disabled+0x24/0x40 __mutex_lock.constprop.0+0x2c0/0x540 __mutex_lock_slowpath+0x14/0x20 mutex_lock+0x48/0x54 clk_prepare_lock+0x44/0xa0 clk_prepare+0x20/0x44 imx_irqsteer_resume+0x28/0xe0 pm_generic_runtime_resume+0x2c/0x44 __genpd_runtime_resume+0x30/0x80 genpd_runtime_resume+0xc8/0x2c0 __rpm_callback+0x48/0x1d8 rpm_callback+0x6c/0x78 rpm_resume+0x490/0x6b4 __pm_runtime_resume+0x50/0x94 irq_chip_pm_get+0x2c/0xa0 __irq_do_set_handler+0x178/0x24c irq_set_chained_handler_and_data+0x60/0xa4 mxc_gpio_probe+0x160/0x4b0 Cure this by implementing the irq_bus_lock/sync_unlock() interrupt chip callbacks and handle power management in them as they are invoked from non-atomic context. [ tglx: Rewrote change log, added Fixes tag ] CVE-2024-42290 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Add a per-VF limit on number of FDIR filters While the iavf driver adds a s/w limit (128) on the number of FDIR filters that the VF can request, a malicious VF driver can request more than that and exhaust the resources for other VFs. Add a similar limit in ice. CVE-2024-42291 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: kobject_uevent: Fix OOB access within zap_modalias_env() zap_modalias_env() wrongly calculates size of memory block to move, so will cause OOB memory access issue if variable MODALIAS is not the last one within its @env parameter, fixed by correcting size to memmove. CVE-2024-42292 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: block: fix deadlock between sd_remove & sd_release Our test report the following hung task: [ 2538.459400] INFO: task "kworker/0:0":7 blocked for more than 188 seconds. [ 2538.459427] Call trace: [ 2538.459430] __switch_to+0x174/0x338 [ 2538.459436] __schedule+0x628/0x9c4 [ 2538.459442] schedule+0x7c/0xe8 [ 2538.459447] schedule_preempt_disabled+0x24/0x40 [ 2538.459453] __mutex_lock+0x3ec/0xf04 [ 2538.459456] __mutex_lock_slowpath+0x14/0x24 [ 2538.459459] mutex_lock+0x30/0xd8 [ 2538.459462] del_gendisk+0xdc/0x350 [ 2538.459466] sd_remove+0x30/0x60 [ 2538.459470] device_release_driver_internal+0x1c4/0x2c4 [ 2538.459474] device_release_driver+0x18/0x28 [ 2538.459478] bus_remove_device+0x15c/0x174 [ 2538.459483] device_del+0x1d0/0x358 [ 2538.459488] __scsi_remove_device+0xa8/0x198 [ 2538.459493] scsi_forget_host+0x50/0x70 [ 2538.459497] scsi_remove_host+0x80/0x180 [ 2538.459502] usb_stor_disconnect+0x68/0xf4 [ 2538.459506] usb_unbind_interface+0xd4/0x280 [ 2538.459510] device_release_driver_internal+0x1c4/0x2c4 [ 2538.459514] device_release_driver+0x18/0x28 [ 2538.459518] bus_remove_device+0x15c/0x174 [ 2538.459523] device_del+0x1d0/0x358 [ 2538.459528] usb_disable_device+0x84/0x194 [ 2538.459532] usb_disconnect+0xec/0x300 [ 2538.459537] hub_event+0xb80/0x1870 [ 2538.459541] process_scheduled_works+0x248/0x4dc [ 2538.459545] worker_thread+0x244/0x334 [ 2538.459549] kthread+0x114/0x1bc [ 2538.461001] INFO: task "fsck.":15415 blocked for more than 188 seconds. [ 2538.461014] Call trace: [ 2538.461016] __switch_to+0x174/0x338 [ 2538.461021] __schedule+0x628/0x9c4 [ 2538.461025] schedule+0x7c/0xe8 [ 2538.461030] blk_queue_enter+0xc4/0x160 [ 2538.461034] blk_mq_alloc_request+0x120/0x1d4 [ 2538.461037] scsi_execute_cmd+0x7c/0x23c [ 2538.461040] ioctl_internal_command+0x5c/0x164 [ 2538.461046] scsi_set_medium_removal+0x5c/0xb0 [ 2538.461051] sd_release+0x50/0x94 [ 2538.461054] blkdev_put+0x190/0x28c [ 2538.461058] blkdev_release+0x28/0x40 [ 2538.461063] __fput+0xf8/0x2a8 [ 2538.461066] __fput_sync+0x28/0x5c [ 2538.461070] __arm64_sys_close+0x84/0xe8 [ 2538.461073] invoke_syscall+0x58/0x114 [ 2538.461078] el0_svc_common+0xac/0xe0 [ 2538.461082] do_el0_svc+0x1c/0x28 [ 2538.461087] el0_svc+0x38/0x68 [ 2538.461090] el0t_64_sync_handler+0x68/0xbc [ 2538.461093] el0t_64_sync+0x1a8/0x1ac T1: T2: sd_remove del_gendisk __blk_mark_disk_dead blk_freeze_queue_start ++q->mq_freeze_depth bdev_release mutex_lock(&disk->open_mutex) sd_release scsi_execute_cmd blk_queue_enter wait_event(!q->mq_freeze_depth) mutex_lock(&disk->open_mutex) SCSI does not set GD_OWNS_QUEUE, so QUEUE_FLAG_DYING is not set in this scenario. This is a classic ABBA deadlock. To fix the deadlock, make sure we don't try to acquire disk->open_mutex after freezing the queue. CVE-2024-42294 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: handle inconsistent state in nilfs_btnode_create_block() Syzbot reported that a buffer state inconsistency was detected in nilfs_btnode_create_block(), triggering a kernel bug. It is not appropriate to treat this inconsistency as a bug; it can occur if the argument block address (the buffer index of the newly created block) is a virtual block number and has been reallocated due to corruption of the bitmap used to manage its allocation state. So, modify nilfs_btnode_create_block() and its callers to treat it as a possible filesystem error, rather than triggering a kernel bug. CVE-2024-42295 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. CVE-2024-42298 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport] CVE-2024-42301 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy: The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do so, it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops. That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device. Before v6.3, the function was only called on resume from system sleep or on runtime resume. Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently. (On resume from system sleep, IRQs are not enabled until after the resume_noirq phase. And runtime resume is always awaited before a PCI device is removed.) However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently. The commit was backported to v5.10+ stable kernels, so that's the oldest one affected. Add the missing reference acquisition. Abridged stack trace: BUG: unable to handle page fault for address: 00000000091400c0 CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0 RIP: pci_bus_read_config_dword+0x17/0x50 pci_dev_wait() pci_bridge_wait_for_secondary_bus() dpc_reset_link() pcie_do_recovery() dpc_handler() CVE-2024-42302 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: imx-pxp: Fix ERR_PTR dereference in pxp_probe() devm_regmap_init_mmio() can fail, add a check and bail out in case of error. CVE-2024-42303 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: make sure the first directory block is not a hole The syzbot constructs a directory that has no dirblock but is non-inline, i.e. the first directory block is a hole. And no errors are reported when creating files in this directory in the following flow. ext4_mknod ... ext4_add_entry // Read block 0 ext4_read_dirblock(dir, block, DIRENT) bh = ext4_bread(NULL, inode, block, 0) if (!bh && (type == INDEX || type == DIRENT_HTREE)) // The first directory block is a hole // But type == DIRENT, so no error is reported. After that, we get a directory block without '.' and '..' but with a valid dentry. This may cause some code that relies on dot or dotdot (such as make_indexed_dir()) to crash. Therefore when ext4_read_dirblock() finds that the first directory block is a hole report that the filesystem is corrupted and return an error to avoid loading corrupted data from disk causing something bad. CVE-2024-42304 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: check dot and dotdot of dx_root before making dir indexed Syzbot reports a issue as follows: ============================================ BUG: unable to handle page fault for address: ffffed11022e24fe PGD 23ffee067 P4D 23ffee067 PUD 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0 Call Trace: <TASK> make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451 ext4_rename fs/ext4/namei.c:3936 [inline] ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214 [...] ============================================ The immediate cause of this problem is that there is only one valid dentry for the block to be split during do_split, so split==0 results in out of bounds accesses to the map triggering the issue. do_split unsigned split dx_make_map count = 1 split = count/2 = 0; continued = hash2 == map[split - 1].hash; ---> map[4294967295] The maximum length of a filename is 255 and the minimum block size is 1024, so it is always guaranteed that the number of entries is greater than or equal to 2 when do_split() is called. But syzbot's crafted image has no dot and dotdot in dir, and the dentry distribution in dirblock is as follows: bus dentry1 hole dentry2 free |xx--|xx-------------|...............|xx-------------|...............| 0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024 So when renaming dentry1 increases its name_len length by 1, neither hole nor free is sufficient to hold the new dentry, and make_indexed_dir() is called. In make_indexed_dir() it is assumed that the first two entries of the dirblock must be dot and dotdot, so bus and dentry1 are left in dx_root because they are treated as dot and dotdot, and only dentry2 is moved to the new leaf block. That's why count is equal to 1. Therefore add the ext4_check_dx_root() helper function to add more sanity checks to dot and dotdot before starting the conversion to avoid the above issue. CVE-2024-42305 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: udf: Avoid using corrupted block bitmap buffer When the filesystem block bitmap is corrupted, we detect the corruption while loading the bitmap and fail the allocation with error. However the next allocation from the same bitmap will notice the bitmap buffer is already loaded and tries to allocate from the bitmap with mixed results (depending on the exact nature of the bitmap corruption). Fix the problem by using BH_verified bit to indicate whether the bitmap is valid or not. CVE-2024-42306 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-42308 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-42309 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-42310 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() Syzbot reports uninitialized value access issue as below: loop0: detected capacity change from 0 to 64 ===================================================== BUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 d_revalidate fs/namei.c:862 [inline] lookup_fast+0x89e/0x8e0 fs/namei.c:1649 walk_component fs/namei.c:2001 [inline] link_path_walk+0x817/0x1480 fs/namei.c:2332 path_lookupat+0xd9/0x6f0 fs/namei.c:2485 filename_lookup+0x22e/0x740 fs/namei.c:2515 user_path_at_empty+0x8b/0x390 fs/namei.c:2924 user_path_at include/linux/namei.h:57 [inline] do_mount fs/namespace.c:3689 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x66b/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b BUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline] BUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 hfs_ext_read_extent fs/hfs/extent.c:196 [inline] hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271 hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39 filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426 do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553 do_read_cache_page mm/filemap.c:3595 [inline] read_cache_page+0xfb/0x2f0 mm/filemap.c:3604 read_mapping_page include/linux/pagemap.h:755 [inline] hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78 hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204 hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406 mount_bdev+0x628/0x920 fs/super.c:1359 hfs_mount+0xcd/0xe0 fs/hfs/super.c:456 legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610 vfs_get_tree+0xdc/0x5d0 fs/super.c:1489 do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145 path_mount+0xf98/0x26a0 fs/namespace.c:3475 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674 __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Uninit was created at: __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2190 [inline] allocate_slab mm/slub.c:2354 [inline] new_slab+0x2d7/0x1400 mm/slub.c:2407 ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540 __slab_alloc mm/slub.c:3625 [inline] __slab_alloc_node mm/slub.c:3678 [inline] slab_alloc_node mm/slub.c:3850 [inline] kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3018 [inline] hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165 alloc_inode+0x83/0x440 fs/inode.c:260 new_inode_pseudo fs/inode.c:1005 [inline] new_inode+0x38/0x4f0 fs/inode.c:1031 hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186 hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228 vfs_mkdir+0x49a/0x700 fs/namei.c:4126 do_mkdirat+0x529/0x810 fs/namei.c:4149 __do_sys_mkdirat fs/namei.c:4164 [inline] __se_sys_mkdirat fs/namei.c:4162 [inline] __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b It missed to initialize .tz_secondswest, .cached_start and .cached_blocks fields in struct hfs_inode_info after hfs_alloc_inode(), fix it. CVE-2024-42311 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: sysctl: always initialize i_uid/i_gid Always initialize i_uid/i_gid inside the sysfs core so set_ownership() can safely skip setting them. Commit 5ec27ec735ba ("fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.") added defaults for i_uid/i_gid when set_ownership() was not implemented. It also missed adjusting net_ctl_set_ownership() to use the same default values in case the computation of a better value failed. CVE-2024-42312 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: venus: fix use after free in vdec_close There appears to be a possible use after free with vdec_close(). The firmware will add buffer release work to the work queue through HFI callbacks as a normal part of decoding. Randomly closing the decoder device from userspace during normal decoding can incur a read after free for inst. Fix it by cancelling the work in vdec_close. CVE-2024-42313 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix extent map use-after-free when adding pages to compressed bio At add_ra_bio_pages() we are accessing the extent map to calculate 'add_size' after we dropped our reference on the extent map, resulting in a use-after-free. Fix this by computing 'add_size' before dropping our extent map reference. CVE-2024-42314 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: exfat: fix potential deadlock on __exfat_get_dentry_set When accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array is allocated in __exfat_get_entry_set. The problem is that the bh-array is allocated with GFP_KERNEL. It does not make sense. In the following cases, a deadlock for sbi->s_lock between the two processes may occur. CPU0 CPU1 ---- ---- kswapd balance_pgdat lock(fs_reclaim) exfat_iterate lock(&sbi->s_lock) exfat_readdir exfat_get_uniname_from_ext_entry exfat_get_dentry_set __exfat_get_dentry_set kmalloc_array ... lock(fs_reclaim) ... evict exfat_evict_inode lock(&sbi->s_lock) To fix this, let's allocate bh-array with GFP_NOFS. CVE-2024-42315 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/mglru: fix div-by-zero in vmpressure_calc_level() evict_folios() uses a second pass to reclaim folios that have gone through page writeback and become clean before it finishes the first pass, since folio_rotate_reclaimable() cannot handle those folios due to the isolation. The second pass tries to avoid potential double counting by deducting scan_control->nr_scanned. However, this can result in underflow of nr_scanned, under a condition where shrink_folio_list() does not increment nr_scanned, i.e., when folio_trylock() fails. The underflow can cause the divisor, i.e., scale=scanned+reclaimed in vmpressure_calc_level(), to become zero, resulting in the following crash: [exception RIP: vmpressure_work_fn+101] process_one_work at ffffffffa3313f2b Since scan_control->nr_scanned has no established semantics, the potential double counting has minimal risks. Therefore, fix the problem by not deducting scan_control->nr_scanned in evict_folios(). CVE-2024-42316 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: landlock: Don't lose track of restrictions on cred_transfer When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost. This basically means that a process with the ability to use the fork() and keyctl() syscalls can get rid of all Landlock restrictions on itself. Fix it by adding a cred_transfer hook that does the same thing as the existing cred_prepare hook. (Implemented by having hook_cred_prepare() call hook_cred_transfer() so that the two functions are less likely to accidentally diverge in the future.) CVE-2024-42318 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable() When mtk-cmdq unbinds, a WARN_ON message with condition pm_runtime_get_sync() < 0 occurs. According to the call tracei below: cmdq_mbox_shutdown mbox_free_channel mbox_controller_unregister __devm_mbox_controller_unregister ... The root cause can be deduced to be calling pm_runtime_get_sync() after calling pm_runtime_disable() as observed below: 1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe() to bind the cmdq device to the mbox_controller, so devm_mbox_controller_unregister() will automatically unregister the device bound to the mailbox controller when the device-managed resource is removed. That means devm_mbox_controller_unregister() and cmdq_mbox_shoutdown() will be called after cmdq_remove(). 2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after devm_mbox_controller_register(), so that devm_pm_runtime_disable() will be called after cmdq_remove(), but before devm_mbox_controller_unregister(). To fix this problem, cmdq_probe() needs to move devm_mbox_controller_register() after devm_pm_runtime_enable() to make devm_pm_runtime_disable() be called after devm_mbox_controller_unregister(). CVE-2024-42319 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix error checks in dasd_copy_pair_store() dasd_add_busid() can return an error via ERR_PTR() if an allocation fails. However, two callsites in dasd_copy_pair_store() do not check the result, potentially resulting in a NULL pointer dereference. Fix this by checking the result with IS_ERR() and returning the error up the stack. CVE-2024-42320 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipvs: properly dereference pe in ip_vs_add_service Use pe directly to resolve sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression CVE-2024-42322 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability. CVE-2024-43398 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libruby2_5-2_5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-2.5.9-150000.4.32.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:ruby2.5-stdlib-2.5.9-150000.4.32.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Revise lpfc_prep_embed_io routine with proper endian macro usages On big endian architectures, it is possible to run into a memory out of bounds pointer dereference when FCP targets are zoned. In lpfc_prep_embed_io, the memcpy(ptr, fcp_cmnd, sgl->sge_len) is referencing a little endian formatted sgl->sge_len value. So, the memcpy can cause big endian systems to crash. Redefine the *sgl ptr as a struct sli4_sge_le to make it clear that we are referring to a little endian formatted data structure. And, update the routine with proper le32_to_cpu macro usages. CVE-2024-43816 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: missing check virtio Two missing check in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again 1. After the skb_segment function the buffer may become non-linear (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere the __skb_linearize function will not be executed, then the buffer will remain non-linear. Then the condition (offset >= skb_headlen(skb)) becomes true, which causes WARN_ON_ONCE in skb_checksum_help. 2. The struct sk_buff and struct virtio_net_hdr members must be mathematically related. (gso_size) must be greater than (needed) otherwise WARN_ON_ONCE. (remainder) must be greater than (needed) otherwise WARN_ON_ONCE. (remainder) may be 0 if division is without remainder. offset+2 (4191) > skb_headlen() (1116) WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303 Modules linked in: CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303 Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209 RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001 RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d FS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777 ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584 ip_finish_output_gso net/ipv4/ip_output.c:286 [inline] __ip_finish_output net/ipv4/ip_output.c:308 [inline] __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433 dst_output include/net/dst.h:451 [inline] ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129 iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline] sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3545 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 __sys_sendto+0x255/0x340 net/socket.c:2190 __do_sys_sendto net/socket.c:2202 [inline] __se_sys_sendto net/socket.c:2198 [inline] __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Found by Linux Verification Center (linuxtesting.org) with Syzkaller CVE-2024-43817 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: Adjust error handling in case of absent codec device acpi_get_first_physical_node() can return NULL in several cases (no such device, ACPI table error, reference count drop to 0, etc). Existing check just emit error message, but doesn't perform return. Then this NULL pointer is passed to devm_acpi_dev_add_driver_gpios() where it is dereferenced. Adjust this error handling by adding error code return. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-43818 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: kvm: s390: Reject memory region operations for ucontrol VMs This change rejects the KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM. This is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and would thus result in a null pointer dereference further in. Memory management needs to be performed in userspace and using the ioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP. Also improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2. [frankja@linux.ibm.com: commit message spelling fix, subject prefix fix] CVE-2024-43819 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix a possible null pointer dereference In function lpfc_xcvr_data_show, the memory allocation with kmalloc might fail, thereby making rdp_context a null pointer. In the following context and functions that use this pointer, there are dereferencing operations, leading to null pointer dereference. To fix this issue, a null pointer check should be added. If it is null, use scnprintf to notify the user and return len. CVE-2024-43821 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs() If IORESOURCE_MEM is not provided in Device Tree due to any error, resource_list_first_type() will return NULL and pci_parse_request_of_pci_ranges() will just emit a warning. This will cause a NULL pointer dereference. Fix this bug by adding NULL return check. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-43823 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init() Instead of getting the epc_features from pci_epc_get_features() API, use the cached pci_epf_test::epc_features value to avoid the NULL check. Since the NULL check is already performed in pci_epf_test_bind(), having one more check in pci_epf_test_core_init() is redundant and it is not possible to hit the NULL pointer dereference. Also with commit a01e7214bef9 ("PCI: endpoint: Remove "core_init_notifier" flag"), 'epc_features' got dereferenced without the NULL check, leading to the following false positive Smatch warning: drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747) Thus, remove the redundant NULL check and also use the epc_features:: {msix_capable/msi_capable} flags directly to avoid local variables. [kwilczynski: commit log] CVE-2024-43824 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: Fix the sorting functionality in iio_gts_build_avail_time_table The sorting in iio_gts_build_avail_time_table is not working as intended. It could result in an out-of-bounds access when the time is zero. Here are more details: 1. When the gts->itime_table[i].time_us is zero, e.g., the time sequence is `3, 0, 1`, the inner for-loop will not terminate and do out-of-bound writes. This is because once `times[j] > new`, the value `new` will be added in the current position and the `times[j]` will be moved to `j+1` position, which makes the if-condition always hold. Meanwhile, idx will be added one, making the loop keep running without termination and out-of-bound write. 2. If none of the gts->itime_table[i].time_us is zero, the elements will just be copied without being sorted as described in the comment "Sort times from all tables to one and remove duplicates". For more details, please refer to https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com. CVE-2024-43825 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfs: pass explicit offset/count to trace events nfs_folio_length is unsafe to use without having the folio locked and a check for a NULL ->f_mapping that protects against truncations and can lead to kernel crashes. E.g. when running xfstests generic/065 with all nfs trace points enabled. Follow the model of the XFS trace points and pass in an explіcit offset and length. This has the additional benefit that these values can be more accurate as some of the users touch partial folio ranges. CVE-2024-43826 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix infinite loop when replaying fast_commit When doing fast_commit replay an infinite loop may occur due to an uninitialized extent_status struct. ext4_ext_determine_insert_hole() does not detect the replay and calls ext4_es_find_extent_range(), which will return immediately without initializing the 'es' variable. Because 'es' contains garbage, an integer overflow may happen causing an infinite loop in this function, easily reproducible using fstest generic/039. This commit fixes this issue by unconditionally initializing the structure in function ext4_es_find_extent_range(). Thanks to Zhang Yi, for figuring out the real problem! CVE-2024-43828 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/qxl: Add check for drm_cvt_mode Add check for the return value of drm_cvt_mode() and return the error if it fails in order to avoid NULL pointer dereference. CVE-2024-43829 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: leds: trigger: Unregister sysfs attributes before calling deactivate() Triggers which have trigger specific sysfs attributes typically store related data in trigger-data allocated by the activate() callback and freed by the deactivate() callback. Calling device_remove_groups() after calling deactivate() leaves a window where the sysfs attributes show/store functions could be called after deactivation and then operate on the just freed trigger-data. Move the device_remove_groups() call to before deactivate() to close this race window. This also makes the deactivation path properly do things in reverse order of the activation path which calls the activate() callback before calling device_add_groups(). CVE-2024-43830 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Handle invalid decoder vsi Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi is valid for future use. CVE-2024-43831 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/uv: Don't call folio_wait_writeback() without a folio reference folio_wait_writeback() requires that no spinlocks are held and that a folio reference is held, as documented. After we dropped the PTL, the folio could get freed concurrently. So grab a temporary reference. CVE-2024-43832 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Fix NULL pointer dereference in adding ancillary links In v4l2_async_create_ancillary_links(), ancillary links are created for lens and flash sub-devices. These are sub-device to sub-device links and if the async notifier is related to a V4L2 device, the source sub-device of the ancillary link is NULL, leading to a NULL pointer dereference. Check the notifier's sd field is non-NULL in v4l2_async_create_ancillary_links(). [Sakari Ailus: Reword the subject and commit messages slightly.] CVE-2024-43833 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: xdp: fix invalid wait context of page_pool_destroy() If the driver uses a page pool, it creates a page pool with page_pool_create(). The reference count of page pool is 1 as default. A page pool will be destroyed only when a reference count reaches 0. page_pool_destroy() is used to destroy page pool, it decreases a reference count. When a page pool is destroyed, ->disconnect() is called, which is mem_allocator_disconnect(). This function internally acquires mutex_lock(). If the driver uses XDP, it registers a memory model with xdp_rxq_info_reg_mem_model(). The xdp_rxq_info_reg_mem_model() internally increases a page pool reference count if a memory model is a page pool. Now the reference count is 2. To destroy a page pool, the driver should call both page_pool_destroy() and xdp_unreg_mem_model(). The xdp_unreg_mem_model() internally calls page_pool_destroy(). Only page_pool_destroy() decreases a reference count. If a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we will face an invalid wait context warning. Because xdp_unreg_mem_model() calls page_pool_destroy() with rcu_read_lock(). The page_pool_destroy() internally acquires mutex_lock(). Splat looks like: ============================= [ BUG: Invalid wait context ] 6.10.0-rc6+ #4 Tainted: G W ----------------------------- ethtool/1806 is trying to lock: ffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150 other info that might help us debug this: context-{5:5} 3 locks held by ethtool/1806: stack backtrace: CPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 Call Trace: <TASK> dump_stack_lvl+0x7e/0xc0 __lock_acquire+0x1681/0x4de0 ? _printk+0x64/0xe0 ? __pfx_mark_lock.part.0+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 lock_acquire+0x1b3/0x580 ? mem_allocator_disconnect+0x73/0x150 ? __wake_up_klogd.part.0+0x16/0xc0 ? __pfx_lock_acquire+0x10/0x10 ? dump_stack_lvl+0x91/0xc0 __mutex_lock+0x15c/0x1690 ? mem_allocator_disconnect+0x73/0x150 ? __pfx_prb_read_valid+0x10/0x10 ? mem_allocator_disconnect+0x73/0x150 ? __pfx_llist_add_batch+0x10/0x10 ? console_unlock+0x193/0x1b0 ? lockdep_hardirqs_on+0xbe/0x140 ? __pfx___mutex_lock+0x10/0x10 ? tick_nohz_tick_stopped+0x16/0x90 ? __irq_work_queue_local+0x1e5/0x330 ? irq_work_queue+0x39/0x50 ? __wake_up_klogd.part.0+0x79/0xc0 ? mem_allocator_disconnect+0x73/0x150 mem_allocator_disconnect+0x73/0x150 ? __pfx_mem_allocator_disconnect+0x10/0x10 ? mark_held_locks+0xa5/0xf0 ? rcu_is_watching+0x11/0xb0 page_pool_release+0x36e/0x6d0 page_pool_destroy+0xd7/0x440 xdp_unreg_mem_model+0x1a7/0x2a0 ? __pfx_xdp_unreg_mem_model+0x10/0x10 ? kfree+0x125/0x370 ? bnxt_free_ring.isra.0+0x2eb/0x500 ? bnxt_free_mem+0x5ac/0x2500 xdp_rxq_info_unreg+0x4a/0xd0 bnxt_free_mem+0x1356/0x2500 bnxt_close_nic+0xf0/0x3b0 ? __pfx_bnxt_close_nic+0x10/0x10 ? ethnl_parse_bit+0x2c6/0x6d0 ? __pfx___nla_validate_parse+0x10/0x10 ? __pfx_ethnl_parse_bit+0x10/0x10 bnxt_set_features+0x2a8/0x3e0 __netdev_update_features+0x4dc/0x1370 ? ethnl_parse_bitset+0x4ff/0x750 ? __pfx_ethnl_parse_bitset+0x10/0x10 ? __pfx___netdev_update_features+0x10/0x10 ? mark_held_locks+0xa5/0xf0 ? _raw_spin_unlock_irqrestore+0x42/0x70 ? __pm_runtime_resume+0x7d/0x110 ethnl_set_features+0x32d/0xa20 To fix this problem, it uses rhashtable_lookup_fast() instead of rhashtable_lookup() with rcu_read_lock(). Using xa without rcu_read_lock() here is safe. xa is freed by __xdp_mem_allocator_rcu_free() and this is called by call_rcu() of mem_xa_remove(). The mem_xa_remove() is called by page_pool_destroy() if a reference count reaches 0. The xa is already protected by the reference count mechanism well in the control plane. So removing rcu_read_lock() for page_pool_destroy() is safe. CVE-2024-43834 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix napi_skb_cache_put warning After the commit bdacf3e34945 ("net: Use nested-BH locking for napi_alloc_cache.") was merged, the following warning began to appear: WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0 __warn+0x12f/0x340 napi_skb_cache_put+0x82/0x4b0 napi_skb_cache_put+0x82/0x4b0 report_bug+0x165/0x370 handle_bug+0x3d/0x80 exc_invalid_op+0x1a/0x50 asm_exc_invalid_op+0x1a/0x20 __free_old_xmit+0x1c8/0x510 napi_skb_cache_put+0x82/0x4b0 __free_old_xmit+0x1c8/0x510 __free_old_xmit+0x1c8/0x510 __pfx___free_old_xmit+0x10/0x10 The issue arises because virtio is assuming it's running in NAPI context even when it's not, such as in the netpoll case. To resolve this, modify virtnet_poll_tx() to only set NAPI when budget is available. Same for virtnet_poll_cleantx(), which always assumed that it was in a NAPI context. CVE-2024-43835 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT When loading a EXT program without specifying `attr->attach_prog_fd`, the `prog->aux->dst_prog` will be null. At this time, calling resolve_prog_type() anywhere will result in a null pointer dereference. Example stack trace: [ 8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 [ 8.108262] Mem abort info: [ 8.108384] ESR = 0x0000000096000004 [ 8.108547] EC = 0x25: DABT (current EL), IL = 32 bits [ 8.108722] SET = 0, FnV = 0 [ 8.108827] EA = 0, S1PTW = 0 [ 8.108939] FSC = 0x04: level 0 translation fault [ 8.109102] Data abort info: [ 8.109203] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 8.109399] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 8.109614] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000 [ 8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000 [ 8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 8.112783] Modules linked in: [ 8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1 [ 8.113230] Hardware name: linux,dummy-virt (DT) [ 8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 8.113429] pc : may_access_direct_pkt_data+0x24/0xa0 [ 8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8 [ 8.113798] sp : ffff80008283b9f0 [ 8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001 [ 8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000 [ 8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000 [ 8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff [ 8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720 [ 8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 [ 8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4 [ 8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f [ 8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c [ 8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000 [ 8.114126] Call trace: [ 8.114159] may_access_direct_pkt_data+0x24/0xa0 [ 8.114202] bpf_check+0x3bc/0x28c0 [ 8.114214] bpf_prog_load+0x658/0xa58 [ 8.114227] __sys_bpf+0xc50/0x2250 [ 8.114240] __arm64_sys_bpf+0x28/0x40 [ 8.114254] invoke_syscall.constprop.0+0x54/0xf0 [ 8.114273] do_el0_svc+0x4c/0xd8 [ 8.114289] el0_svc+0x3c/0x140 [ 8.114305] el0t_64_sync_handler+0x134/0x150 [ 8.114331] el0t_64_sync+0x168/0x170 [ 8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403) [ 8.118672] ---[ end trace 0000000000000000 ]--- One way to fix it is by forcing `attach_prog_fd` non-empty when bpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type` API broken which use verifier log to probe prog type and will log nothing if we reject invalid EXT prog before bpf_check(). Another way is by adding null check in resolve_prog_type(). The issue was introduced by commit 4a9c7bbe2ed4 ("bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT") which wanted to correct type resolution for BPF_PROG_TYPE_TRACING programs. Before that, the type resolution of BPF_PROG_TYPE_EXT prog actually follows the logic below: prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type; It implies that when EXT program is not yet attached to `dst_prog`, the prog type should be EXT itself. This code worked fine in the past. So just keep using it. Fix this by returning `prog->type` for BPF_PROG_TYPE_EXT if `dst_prog` is not present in resolve_prog_type(). CVE-2024-43837 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bna: adjust 'name' buf size of bna_tcb and bna_ccb structures To have enough space to write all possible sprintf() args. Currently 'name' size is 16, but the first '%s' specifier may already need at least 16 characters, since 'bnad->netdev->name' is used there. For '%d' specifiers, assume that they require: * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8 * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX is 16 And replace sprintf with snprintf. Detected using the static analysis tool - Svace. CVE-2024-43839 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the struct bpf_tramp_image *im pointer as an argument in R0. The trampoline generation code uses emit_addr_mov_i64() to emit instructions for moving the bpf_tramp_image address into R0, but emit_addr_mov_i64() assumes the address to be in the vmalloc() space and uses only 48 bits. Because bpf_tramp_image is allocated using kzalloc(), its address can use more than 48-bits, in this case the trampoline will pass an invalid address to __bpf_tramp_enter/exit() causing a kernel crash. Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64() as it can work with addresses that are greater than 48-bits. CVE-2024-43840 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: virt_wifi: avoid reporting connection success with wrong SSID When user issues a connection with a different SSID than the one virt_wifi has advertised, the __cfg80211_connect_result() will trigger the warning: WARN_ON(bss_not_found). The issue is because the connection code in virt_wifi does not check the SSID from user space (it only checks the BSSID), and virt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS even if the SSID is different from the one virt_wifi has advertised. Eventually cfg80211 won't be able to find the cfg80211_bss and generate the warning. Fixed it by checking the SSID (from user space) in the connection code. CVE-2024-43841 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size. But then 'rate->he_gi' is used as array index instead of 'status->he_gi'. This can lead to go beyond array boundaries in case of 'rate->he_gi' is not equal to 'status->he_gi' and is bigger than array size. Looks like "copy-paste" mistake. Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-43842 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: udf: Fix bogus checksum computation in udf_rename() Syzbot reports uninitialized memory access in udf_rename() when updating checksum of '..' directory entry of a moved directory. This is indeed true as we pass on-stack diriter.fi to the udf_update_tag() and because that has only struct fileIdentDesc included in it and not the impUse or name fields, the checksumming function is going to checksum random stack contents beyond the end of the structure. This is actually harmless because the following udf_fiiter_write_fi() will recompute the checksum from on-disk buffers where everything is properly included. So all that is needed is just removing the bogus calculation. CVE-2024-43845 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: lib: objagg: Fix general protection fault The library supports aggregation of objects into other objects only if the parent object does not have a parent itself. That is, nesting is not supported. Aggregation happens in two cases: Without and with hints, where hints are a pre-computed recommendation on how to aggregate the provided objects. Nesting is not possible in the first case due to a check that prevents it, but in the second case there is no check because the assumption is that nesting cannot happen when creating objects based on hints. The violation of this assumption leads to various warnings and eventually to a general protection fault [1]. Before fixing the root cause, error out when nesting happens and warn. [1] general protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G W 6.9.0-rc6-custom-gd9b4f1cca7fb #7 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80 [...] Call Trace: <TASK> mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0 mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270 mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> CVE-2024-43846 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid memory access while processing fragmented packets The monitor ring and the reo reinject ring share the same ring mask index. When the driver receives an interrupt for the reo reinject ring, the monitor ring is also processed, leading to invalid memory access. Since monitor support is not yet enabled in ath12k, the ring mask for the monitor ring should be removed. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1 CVE-2024-43847 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: protect locator_addr with the main mutex If the service locator server is restarted fast enough, the PDR can rewrite locator_addr fields concurrently. Protect them by placing modification of those fields under the main pdr->lock. CVE-2024-43849 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove The following warning is seen during bwmon_remove due to refcount imbalance, fix this by releasing the OPPs after use. Logs: WARNING: at drivers/opp/core.c:1640 _opp_table_kref_release+0x150/0x158 Hardware name: Qualcomm Technologies, Inc. X1E80100 CRD (DT) ... Call trace: _opp_table_kref_release+0x150/0x158 dev_pm_opp_remove_table+0x100/0x1b4 devm_pm_opp_of_table_release+0x10/0x1c devm_action_release+0x14/0x20 devres_release_all+0xa4/0x104 device_unbind_cleanup+0x18/0x60 device_release_driver_internal+0x1ec/0x228 driver_detach+0x50/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 bwmon_driver_exit+0x18/0x524 [icc_bwmon] __arm64_sys_delete_module+0x184/0x264 invoke_syscall+0x48/0x118 el0_svc_common.constprop.0+0xc8/0xe8 do_el0_svc+0x20/0x2c el0_svc+0x34/0xdc el0t_64_sync_handler+0x13c/0x158 el0t_64_sync+0x190/0x194 --[ end trace 0000000000000000 ]--- CVE-2024-43850 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: xilinx: rename cpu_number1 to dummy_cpu_number The per cpu variable cpu_number1 is passed to xlnx_event_handler as argument "dev_id", but it is not used in this function. So drop the initialization of this variable and rename it to dummy_cpu_number. This patch is to fix the following call trace when the kernel option CONFIG_DEBUG_ATOMIC_SLEEP is enabled: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0 preempt_count: 1, expected: 0 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0 #53 Hardware name: Xilinx Versal vmk180 Eval board rev1.1 (QSPI) (DT) Call trace: dump_backtrace+0xd0/0xe0 show_stack+0x18/0x40 dump_stack_lvl+0x7c/0xa0 dump_stack+0x18/0x34 __might_resched+0x10c/0x140 __might_sleep+0x4c/0xa0 __kmem_cache_alloc_node+0xf4/0x168 kmalloc_trace+0x28/0x38 __request_percpu_irq+0x74/0x138 xlnx_event_manager_probe+0xf8/0x298 platform_probe+0x68/0xd8 CVE-2024-43851 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: Prevent UAF in proc_cpuset_show() An UAF can happen when /proc/cpuset is read as reported in [1]. This can be reproduced by the following methods: 1.add an mdelay(1000) before acquiring the cgroup_lock In the cgroup_path_ns function. 2.$cat /proc/<pid>/cpuset repeatly. 3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ $umount /sys/fs/cgroup/cpuset/ repeatly. The race that cause this bug can be shown as below: (umount) | (cat /proc/<pid>/cpuset) css_release | proc_cpuset_show css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); cgroup_destroy_root | mutex_lock(&cgroup_mutex); rebind_subsystems | cgroup_free_root | | // cgrp was freed, UAF | cgroup_path_ns_locked(cgrp,..); When the cpuset is initialized, the root node top_cpuset.css.cgrp will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated &cgroup_root.cgrp. When the umount operation is executed, top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp. The problem is that when rebinding to cgrp_dfl_root, there are cases where the cgroup_root allocated by setting up the root for cgroup v1 is cached. This could lead to a Use-After-Free (UAF) if it is subsequently freed. The descendant cgroups of cgroup v1 can only be freed after the css is released. However, the css of the root will never be released, yet the cgroup_root should be freed when it is unmounted. This means that obtaining a reference to the css of the root does not guarantee that css.cgrp->root will not be freed. Fix this problem by using rcu_read_lock in proc_cpuset_show(). As cgroup_root is kfree_rcu after commit d23b5c577715 ("cgroup: Make operations on the cgroup root_list RCU safe"), css->cgroup won't be freed during the critical section. To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to replace task_get_css with task_css. [1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd CVE-2024-43853 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes. CVE-2024-43854 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: md: fix deadlock between mddev_suspend and flush bio Deadlock occurs when mddev is being suspended while some flush bio is in progress. It is a complex issue. T1. the first flush is at the ending stage, it clears 'mddev->flush_bio' and tries to submit data, but is blocked because mddev is suspended by T4. T2. the second flush sets 'mddev->flush_bio', and attempts to queue md_submit_flush_data(), which is already running (T1) and won't execute again if on the same CPU as T1. T3. the third flush inc active_io and tries to flush, but is blocked because 'mddev->flush_bio' is not NULL (set by T2). T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc by T3. T1 T2 T3 T4 (flush 1) (flush 2) (third 3) (suspend) md_submit_flush_data mddev->flush_bio = NULL; . . md_flush_request . mddev->flush_bio = bio . queue submit_flushes . . . . md_handle_request . . active_io + 1 . . md_flush_request . . wait !mddev->flush_bio . . . . mddev_suspend . . wait !active_io . . . submit_flushes . queue_work md_submit_flush_data . //md_submit_flush_data is already running (T1) . md_handle_request wait resume The root issue is non-atomic inc/dec of active_io during flush process. active_io is dec before md_submit_flush_data is queued, and inc soon after md_submit_flush_data() run. md_flush_request active_io + 1 submit_flushes active_io - 1 md_submit_flush_data md_handle_request active_io + 1 make_request active_io - 1 If active_io is dec after md_handle_request() instead of within submit_flushes(), make_request() can be called directly intead of md_handle_request() in md_submit_flush_data(), and active_io will only inc and dec once in the whole flush process. Deadlock will be fixed. Additionally, the only difference between fixing the issue and before is that there is no return error handling of make_request(). But after previous patch cleaned md_write_start(), make_requst() only return error in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape)". Since dm always splits data and flush operation into two separate io, io size of flush submitted by dm always is 0, make_request() will not be called in md_submit_flush_data(). To prevent future modifications from introducing issues, add WARN_ON to ensure make_request() no error is returned in this context. CVE-2024-43855 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma: fix call order in dmam_free_coherent dmam_free_coherent() frees a DMA allocation, which makes the freed vaddr available for reuse, then calls devres_destroy() to remove and free the data structure used to track the DMA allocation. Between the two calls, it is possible for a concurrent task to make an allocation with the same vaddr and add it to the devres list. If this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match. Fix by destroying the devres entry before freeing the DMA allocation. kokonut //net/encryption http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03 CVE-2024-43856 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree CVE-2024-43858 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: remoteproc: imx_rproc: Skip over memory region when node value is NULL In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts number of phandles. But phandles may be empty. So of_parse_phandle() in the parsing loop (0 < a < nph) may return NULL which is later dereferenced. Adjust this issue by adding NULL-return check. Found by Linux Verification Center (linuxtesting.org) with SVACE. [Fixed title to fit within the prescribed 70-75 charcters] CVE-2024-43860 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: fix memory leak for not ip packets Free the unused skb when not ip packets arrive. CVE-2024-43861 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a deadlock in dma buf fence polling Introduce a version of the fence ops that on release doesn't remove the fence from the pending list, and thus doesn't require a lock to fix poll->fence wait->fence unref deadlocks. vmwgfx overwrites the wait callback to iterate over the list of all fences and update their status, to do that it holds a lock to prevent the list modifcations from other threads. The fence destroy callback both deletes the fence and removes it from the list of pending fences, for which it holds a lock. dma buf polling cb unrefs a fence after it's been signaled: so the poll calls the wait, which signals the fences, which are being destroyed. The destruction tries to acquire the lock on the pending fences list which it can never get because it's held by the wait from which it was called. Old bug, but not a lot of userspace apps were using dma-buf polling interfaces. Fix those, in particular this fixes KDE stalls/deadlock. CVE-2024-43863 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix CT entry update leaks of modify header context The cited commit allocates a new modify header to replace the old one when updating CT entry. But if failed to allocate a new one, eg. exceed the max number firmware can support, modify header will be an error pointer that will trigger a panic when deallocating it. And the old modify header point is copied to old attr. When the old attr is freed, the old modify header is lost. Fix it by restoring the old attr to attr when failed to allocate a new modify header context. So when the CT entry is freed, the right modify header context will be freed. And the panic of accessing error pointer is also fixed. CVE-2024-43864 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always drain health in shutdown callback There is no point in recovery during device shutdown. if health work started need to wait for it to avoid races and NULL pointer access. Hence, drain health WQ on shutdown callback. CVE-2024-43866 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix refcount underflow Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and hence the backing ttm_bo) leads to a refcount underflow. Instead of calling nouveau_bo_ref() in the unwind path of drm_gem_object_init(), clean things up manually. (cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5) CVE-2024-43867 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf: Fix event leak upon exit When a task is scheduled out, pending sigtrap deliveries are deferred to the target task upon resume to userspace via task_work. However failures while adding an event's callback to the task_work engine are ignored. And since the last call for events exit happen after task work is eventually closed, there is a small window during which pending sigtrap can be queued though ignored, leaking the event refcount addition such as in the following scenario: TASK A ----- do_exit() exit_task_work(tsk); <IRQ> perf_event_overflow() event->pending_sigtrap = pending_id; irq_work_queue(&event->pending_irq); </IRQ> =========> PREEMPTION: TASK A -> TASK B event_sched_out() event->pending_sigtrap = 0; atomic_long_inc_not_zero(&event->refcount) // FAILS: task work has exited task_work_add(&event->pending_task) [...] <IRQ WORK> perf_pending_irq() // early return: event->oncpu = -1 </IRQ WORK> [...] =========> TASK B -> TASK A perf_event_exit_task(tsk) perf_event_exit_event() free_event() WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1) // leak event due to unexpected refcount == 2 As a result the event is never released while the task exits. Fix this with appropriate task_work_add()'s error handling. CVE-2024-43870 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: devres: Fix memory leakage caused by driver API devm_free_percpu() It will cause memory leakage when use driver API devm_free_percpu() to free memory allocated by devm_alloc_percpu(), fixed by using devres_release() instead of devres_destroy() within devm_free_percpu(). CVE-2024-43871 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup under heavy CEQE load CEQEs are handled in interrupt handler currently. This may cause the CPU core staying in interrupt context too long and lead to soft lockup under heavy load. Handle CEQEs in BH workqueue and set an upper limit for the number of CEQE handled by a single call of work handler. CVE-2024-43872 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: vhost/vsock: always initialize seqpacket_allow There are two issues around seqpacket_allow: 1. seqpacket_allow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, then seqpacket_allow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this). To fix: - initialize seqpacket_allow after allocation - set it unconditionally in set_features CVE-2024-43873 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked Fix a null pointer dereference induced by DEBUG_TEST_DRIVER_REMOVE. Return from __sev_snp_shutdown_locked() if the psp_device or the sev_device structs are not initialized. Without the fix, the driver will produce the following splat: ccp 0000:55:00.5: enabling device (0000 -> 0002) ccp 0000:55:00.5: sev enabled ccp 0000:55:00.5: psp enabled BUG: kernel NULL pointer dereference, address: 00000000000000f0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI CPU: 262 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1+ #29 RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150 Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83 RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb2ea4014b808 RBP: ffffb2ea4014b7e8 R08: 0000000000000106 R09: 000000000003d9c0 R10: 0000000000000001 R11: ffffffffa39ff070 R12: ffff9e49d40590c8 R13: 0000000000000000 R14: ffffb2ea4014b808 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff9e58b1e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000f0 CR3: 0000000418a3e001 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x6f/0xb0 ? __die+0xcc/0xf0 ? page_fault_oops+0x330/0x3a0 ? save_trace+0x2a5/0x360 ? do_user_addr_fault+0x583/0x630 ? exc_page_fault+0x81/0x120 ? asm_exc_page_fault+0x2b/0x30 ? __sev_snp_shutdown_locked+0x2e/0x150 __sev_firmware_shutdown+0x349/0x5b0 ? pm_runtime_barrier+0x66/0xe0 sev_dev_destroy+0x34/0xb0 psp_dev_destroy+0x27/0x60 sp_destroy+0x39/0x90 sp_pci_remove+0x22/0x60 pci_device_remove+0x4e/0x110 really_probe+0x271/0x4e0 __driver_probe_device+0x8f/0x160 driver_probe_device+0x24/0x120 __driver_attach+0xc7/0x280 ? driver_attach+0x30/0x30 bus_for_each_dev+0x10d/0x130 driver_attach+0x22/0x30 bus_add_driver+0x171/0x2b0 ? unaccepted_memory_init_kdump+0x20/0x20 driver_register+0x67/0x100 __pci_register_driver+0x83/0x90 sp_pci_init+0x22/0x30 sp_mod_init+0x13/0x30 do_one_initcall+0xb8/0x290 ? sched_clock_noinstr+0xd/0x10 ? local_clock_noinstr+0x3e/0x100 ? stack_depot_save_flags+0x21e/0x6a0 ? local_clock+0x1c/0x60 ? stack_depot_save_flags+0x21e/0x6a0 ? sched_clock_noinstr+0xd/0x10 ? local_clock_noinstr+0x3e/0x100 ? __lock_acquire+0xd90/0xe30 ? sched_clock_noinstr+0xd/0x10 ? local_clock_noinstr+0x3e/0x100 ? __create_object+0x66/0x100 ? local_clock+0x1c/0x60 ? __create_object+0x66/0x100 ? parameq+0x1b/0x90 ? parse_one+0x6d/0x1d0 ? parse_args+0xd7/0x1f0 ? do_initcall_level+0x180/0x180 do_initcall_level+0xb0/0x180 do_initcalls+0x60/0xa0 ? kernel_init+0x1f/0x1d0 do_basic_setup+0x41/0x50 kernel_init_freeable+0x1ac/0x230 ? rest_init+0x1f0/0x1f0 kernel_init+0x1f/0x1d0 ? rest_init+0x1f0/0x1f0 ret_from_fork+0x3d/0x50 ? rest_init+0x1f0/0x1f0 ret_from_fork_asm+0x11/0x20 </TASK> Modules linked in: CR2: 00000000000000f0 ---[ end trace 0000000000000000 ]--- RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150 Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83 RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000 RDX: 0000000 ---truncated--- CVE-2024-43874 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Clean up error handling in vpci_scan_bus() Smatch complains about inconsistent NULL checking in vpci_scan_bus(): drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021) Instead of printing an error message and then crashing we should return an error code and clean up. Also the NULL check is reversed so it prints an error for success instead of failure. CVE-2024-43875 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup() Avoid large backtrace, it is sufficient to warn the user that there has been a link problem. Either the link has failed and the system is in need of maintenance, or the link continues to work and user has been informed. The message from the warning can be looked up in the sources. This makes an actual link issue less verbose. First of all, this controller has a limitation in that the controller driver has to assist the hardware with transition to L1 link state by writing L1IATN to PMCTRL register, the L1 and L0 link state switching is not fully automatic on this controller. In case of an ASMedia ASM1062 PCIe SATA controller which does not support ASPM, on entry to suspend or during platform pm_test, the SATA controller enters D3hot state and the link enters L1 state. If the SATA controller wakes up before rcar_pcie_wakeup() was called and returns to D0, the link returns to L0 before the controller driver even started its transition to L1 link state. At this point, the SATA controller did send an PM_ENTER_L1 DLLP to the PCIe controller and the PCIe controller received it, and the PCIe controller did set PMSR PMEL1RX bit. Once rcar_pcie_wakeup() is called, if the link is already back in L0 state and PMEL1RX bit is set, the controller driver has no way to determine if it should perform the link transition to L1 state, or treat the link as if it is in L0 state. Currently the driver attempts to perform the transition to L1 link state unconditionally, which in this specific case fails with a PMSR L1FAEG poll timeout, however the link still works as it is already back in L0 state. Reduce this warning verbosity. In case the link is really broken, the rcar_pcie_config_access() would fail, otherwise it will succeed and any system with this controller and ASM1062 can suspend without generating a backtrace. CVE-2024-43876 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: pci: ivtv: Add check for DMA map result In case DMA fails, 'dma->SG_length' is 0. This value is later used to access 'dma->SGarray[dma->SG_length - 1]', which will cause out of bounds access. Add check to return early on invalid value. Adjust warnings accordingly. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-43877 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() Currently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in cfg80211_calculate_bitrate_he(), leading to below warning: kernel: invalid HE MCS: bw:6, ru:6 kernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211] Fix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth. CVE-2024-43879 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_erp: Fix object nesting warning ACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM (A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can contain more ACLs (i.e., tc filters), but the number of masks in each region (i.e., tc chain) is limited. In order to mitigate the effects of the above limitation, the device allows filters to share a single mask if their masks only differ in up to 8 consecutive bits. For example, dst_ip/25 can be represented using dst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the number of masks being used (and therefore does not support mask aggregation), but can contain a limited number of filters. The driver uses the "objagg" library to perform the mask aggregation by passing it objects that consist of the filter's mask and whether the filter is to be inserted into the A-TCAM or the C-TCAM since filters in different TCAMs cannot share a mask. The set of created objects is dependent on the insertion order of the filters and is not necessarily optimal. Therefore, the driver will periodically ask the library to compute a more optimal set ("hints") by looking at all the existing objects. When the library asks the driver whether two objects can be aggregated the driver only compares the provided masks and ignores the A-TCAM / C-TCAM indication. This is the right thing to do since the goal is to move as many filters as possible to the A-TCAM. The driver also forbids two identical masks from being aggregated since this can only happen if one was intentionally put in the C-TCAM to avoid a conflict in the A-TCAM. The above can result in the following set of hints: H1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta H3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta After getting the hints from the library the driver will start migrating filters from one region to another while consulting the computed hints and instructing the device to perform a lookup in both regions during the transition. Assuming a filter with mask X is being migrated into the A-TCAM in the new region, the hints lookup will return H1. Since H2 is the parent of H1, the library will try to find the object associated with it and create it if necessary in which case another hints lookup (recursive) will be performed. This hints lookup for {mask Y, A-TCAM} will either return H2 or H3 since the driver passes the library an object comparison function that ignores the A-TCAM / C-TCAM indication. This can eventually lead to nested objects which are not supported by the library [1]. Fix by removing the object comparison function from both the driver and the library as the driver was the only user. That way the lookup will only return exact matches. I do not have a reliable reproducer that can reproduce the issue in a timely manner, but before the fix the issue would reproduce in several minutes and with the fix it does not reproduce in over an hour. Note that the current usefulness of the hints is limited because they include the C-TCAM indication and represent aggregation that cannot actually happen. This will be addressed in net-next. [1] WARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0 Modules linked in: CPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42 Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:objagg_obj_parent_assign+0xb5/0xd0 [...] Call Trace: <TASK> __objagg_obj_get+0x2bb/0x580 objagg_obj_get+0xe/0x80 mlxsw_sp_acl_erp_mask_get+0xb5/0xf0 mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0 mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270 mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510 process_one_work+0x151/0x370 CVE-2024-43880 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: change DMA direction while mapping reinjected packets For fragmented packets, ath12k reassembles each fragment as a normal packet and then reinjects it into HW ring. In this case, the DMA direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE. Otherwise, an invalid payload may be reinjected into the HW and subsequently delivered to the host. Given that arbitrary memory can be allocated to the skb buffer, knowledge about the data contained in the reinjected buffer is lacking. Consequently, there's a risk of private information being leaked. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1 CVE-2024-43881 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal. CVE-2024-43882 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: vhci-hcd: Do not drop references before new references are gained At a few places the driver carries stale pointers to references that can still be used. Make sure that does not happen. This strictly speaking closes ZDI-CAN-22273, though there may be similar races in the driver. CVE-2024-43883 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Add error handling to pair_device() hci_conn_params_add() never checks for a NULL value and could lead to a NULL pointer dereference causing a crash. Fixed by adding error handling in the function. CVE-2024-43884 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-43885 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check in resource_log_pipe_topology_update [WHY] When switching from "Extend" to "Second Display Only" we sometimes call resource_get_otg_master_for_stream on a stream for the eDP, which is disconnected. This leads to a null pointer dereference. [HOW] Added a null check in dc_resource.c/resource_log_pipe_topology_update. CVE-2024-43886 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: padata: Fix possible divide-by-0 panic in padata_mt_helper() We are hit with a not easily reproducible divide-by-0 panic in padata.c at bootup time. [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1 [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021 [ 10.017908] Workqueue: events_unbound padata_mt_helper [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0 : [ 10.017963] Call Trace: [ 10.017968] <TASK> [ 10.018004] ? padata_mt_helper+0x39/0xb0 [ 10.018084] process_one_work+0x174/0x330 [ 10.018093] worker_thread+0x266/0x3a0 [ 10.018111] kthread+0xcf/0x100 [ 10.018124] ret_from_fork+0x31/0x50 [ 10.018138] ret_from_fork_asm+0x1a/0x30 [ 10.018147] </TASK> Looking at the padata_mt_helper() function, the only way a divide-by-0 panic can happen is when ps->chunk_size is 0. The way that chunk_size is initialized in padata_do_multithreaded(), chunk_size can be 0 when the min_chunk in the passed-in padata_mt_job structure is 0. Fix this divide-by-0 panic by making sure that chunk_size will be at least 1 no matter what the input parameters are. CVE-2024-43889 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix overflow in get_free_elt() "tracing_map->next_elt" in get_free_elt() is at risk of overflowing. Once it overflows, new elements can still be inserted into the tracing_map even though the maximum number of elements (`max_elts`) has been reached. Continuing to insert elements after the overflow could result in the tracing_map containing "tracing_map->max_size" elements, leaving no empty entries. If any attempt is made to insert an element into a full tracing_map using `__tracing_map_insert()`, it will cause an infinite loop with preemption disabled, leading to a CPU hang problem. Fix this by preventing any further increments to "tracing_map->next_elt" once it reaches "tracing_map->max_elt". CVE-2024-43890 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: memcg: protect concurrent access to mem_cgroup_idr Commit 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs") decoupled the memcg IDs from the CSS ID space to fix the cgroup creation failures. It introduced IDR to maintain the memcg ID space. The IDR depends on external synchronization mechanisms for modifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace() happen within css callback and thus are protected through cgroup_mutex from concurrent modifications. However idr_remove() for mem_cgroup_idr was not protected against concurrency and can be run concurrently for different memcgs when they hit their refcnt to zero. Fix that. We have been seeing list_lru based kernel crashes at a low frequency in our fleet for a long time. These crashes were in different part of list_lru code including list_lru_add(), list_lru_del() and reparenting code. Upon further inspection, it looked like for a given object (dentry and inode), the super_block's list_lru didn't have list_lru_one for the memcg of that object. The initial suspicions were either the object is not allocated through kmem_cache_alloc_lru() or somehow memcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but returned success. No evidence were found for these cases. Looking more deeply, we started seeing situations where valid memcg's id is not present in mem_cgroup_idr and in some cases multiple valid memcgs have same id and mem_cgroup_idr is pointing to one of them. So, the most reasonable explanation is that these situations can happen due to race between multiple idr_remove() calls or race between idr_alloc()/idr_replace() and idr_remove(). These races are causing multiple memcgs to acquire the same ID and then offlining of one of them would cleanup list_lrus on the system for all of them. Later access from other memcgs to the list_lru cause crashes due to missing list_lru_one. CVE-2024-43892 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: core: check uartclk for zero to avoid divide by zero Calling ioctl TIOCSSERIAL with an invalid baud_base can result in uartclk being zero, which will result in a divide by zero error in uart_get_divisor(). The check for uartclk being zero in uart_set_info() needs to be done before other settings are made as subsequent calls to ioctl TIOCSSERIAL for the same port would be impacted if the uartclk check was done where uartclk gets set. Oops: divide error: 0000 PREEMPT SMP KASAN PTI RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580) Call Trace: <TASK> serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576 drivers/tty/serial/8250/8250_port.c:2589) serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502 drivers/tty/serial/8250/8250_port.c:2741) serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862) uart_change_line_settings (./include/linux/spinlock.h:376 ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222) uart_port_startup (drivers/tty/serial/serial_core.c:342) uart_startup (drivers/tty/serial/serial_core.c:368) uart_set_info (drivers/tty/serial/serial_core.c:1034) uart_set_info_user (drivers/tty/serial/serial_core.c:1059) tty_set_serial (drivers/tty/tty_io.c:2637) tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791) __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893 fs/ioctl.c:893) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Rule: add CVE-2024-43893 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/client: fix null pointer dereference in drm_client_modeset_probe In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is assigned to modeset->mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2024-43894 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip Recompute DSC Params if no Stream on Link [why] Encounter NULL pointer dereference uner mst + dsc setup. BUG: kernel NULL pointer dereference, address: 0000000000000008 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2 Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022 RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper] Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8> RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224 RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280 RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850 R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000 R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224 FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? plist_add+0xbe/0x100 ? exc_page_fault+0x7c/0x180 ? asm_exc_page_fault+0x26/0x30 ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026] ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026] compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] drm_atomic_check_only+0x5c5/0xa40 drm_mode_atomic_ioctl+0x76e/0xbc0 [how] dsc recompute should be skipped if no mode change detected on the new request. If detected, keep checking whether the stream is already on current state or not. (cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef) CVE-2024-43895 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: drop bad gso csum_start and offset in virtio_net_hdr Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets. The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation. Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb))) By injecting a TSO packet: WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline] The geometry of the bad input packet at tcp_gso_segment: [ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0 [ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244 [ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0)) [ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0) Mitigate with stricter input validation. csum_offset: for GSO packets, deduce the correct value from gso_type. This is already done for USO. Extend it to TSO. Let UFO be: udp[46]_ufo_fragment ignores these fields and always computes the checksum in software. csum_start: finding the real offset requires parsing to the transport header. Do not add a parser, use existing segmentation parsing. Thanks to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. Again test both TSO and USO. Do not test UFO for the above reason, and do not test UDP tunnel offload. GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit from devices with no checksum offload"), but then still these fields are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no need to test for ip_summed == CHECKSUM_PARTIAL first. This revises an existing fix mentioned in the Fixes tag, which broke small packets with GSO offload, as detected by kselftests. CVE-2024-43897 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-43898 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null pointer deref in dcn20_resource.c Fixes a hang thats triggered when MPV is run on a DCN401 dGPU: mpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all and then enabling fullscreen playback (double click on the video) The following calltrace will be seen: [ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 181.843997] #PF: supervisor instruction fetch in kernel mode [ 181.844003] #PF: error_code(0x0010) - not-present page [ 181.844009] PGD 0 P4D 0 [ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI [ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu [ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018 [ 181.844044] RIP: 0010:0x0 [ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6. [ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246 [ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004 [ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400 [ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c [ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8 [ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005 [ 181.844121] FS: 00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000 [ 181.844128] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0 [ 181.844141] Call Trace: [ 181.844146] <TASK> [ 181.844153] ? show_regs+0x6d/0x80 [ 181.844167] ? __die+0x24/0x80 [ 181.844179] ? page_fault_oops+0x99/0x1b0 [ 181.844192] ? do_user_addr_fault+0x31d/0x6b0 [ 181.844204] ? exc_page_fault+0x83/0x1b0 [ 181.844216] ? asm_exc_page_fault+0x27/0x30 [ 181.844237] dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu] [ 181.845115] amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu] [ 181.845985] amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu] [ 181.846848] fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu] [ 181.847734] fill_dc_plane_attributes+0x162/0x350 [amdgpu] [ 181.848748] dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu] [ 181.849791] ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu] [ 181.850840] amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu] CVE-2024-43899 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: xc2028: avoid use-after-free in load_firmware_cb() syzkaller reported use-after-free in load_firmware_cb() [1]. The reason is because the module allocated a struct tuner in tuner_probe(), and then the module initialization failed, the struct tuner was released. A worker which created during module initialization accesses this struct tuner later, it caused use-after-free. The process is as follows: task-6504 worker_thread tuner_probe <= alloc dvb_frontend [2] ... request_firmware_nowait <= create a worker ... tuner_remove <= free dvb_frontend ... request_firmware_work_func <= the firmware is ready load_firmware_cb <= but now the dvb_frontend has been freed To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is null, report a warning and just return. [1]: ================================================================== BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0 Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504 Call trace: load_firmware_cb+0x1310/0x17a0 request_firmware_work_func+0x128/0x220 process_one_work+0x770/0x1824 worker_thread+0x488/0xea0 kthread+0x300/0x430 ret_from_fork+0x10/0x20 Allocated by task 6504: kzalloc tuner_probe+0xb0/0x1430 i2c_device_probe+0x92c/0xaf0 really_probe+0x678/0xcd0 driver_probe_device+0x280/0x370 __device_attach_driver+0x220/0x330 bus_for_each_drv+0x134/0x1c0 __device_attach+0x1f4/0x410 device_initial_probe+0x20/0x30 bus_probe_device+0x184/0x200 device_add+0x924/0x12c0 device_register+0x24/0x30 i2c_new_device+0x4e0/0xc44 v4l2_i2c_new_subdev_board+0xbc/0x290 v4l2_i2c_new_subdev+0xc8/0x104 em28xx_v4l2_init+0x1dd0/0x3770 Freed by task 6504: kfree+0x238/0x4e4 tuner_remove+0x144/0x1c0 i2c_device_remove+0xc8/0x290 __device_release_driver+0x314/0x5fc device_release_driver+0x30/0x44 bus_remove_device+0x244/0x490 device_del+0x350/0x900 device_unregister+0x28/0xd0 i2c_unregister_device+0x174/0x1d0 v4l2_device_unregister+0x224/0x380 em28xx_v4l2_init+0x1d90/0x3770 The buggy address belongs to the object at ffff8000d7ca2000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 776 bytes inside of 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800) The buggy address belongs to the page: page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0 flags: 0x7ff800000000100(slab) raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== [2] Actually, it is allocated for struct tuner, and dvb_frontend is inside. CVE-2024-43900 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null checker before passing variables Checks null pointer before passing variables to functions. This fixes 3 NULL_RETURNS issues reported by Coverity. CVE-2024-43902 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-43903 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing This commit adds null checks for the 'stream' and 'plane' variables in the dcn30_apply_idle_power_optimizations function. These variables were previously assumed to be null at line 922, but they were used later in the code without checking if they were null. This could potentially lead to a null pointer dereference, which would cause a crash. The null checks ensure that 'stream' and 'plane' are not null before they are used, preventing potential crashes. Fixes the below static smatch checker: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922) CVE-2024-43904 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr Check return value and conduct null pointer handling to avoid null pointer dereference. CVE-2024-43905 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/admgpu: fix dereferencing null pointer context When user space sets an invalid ta type, the pointer context will be empty. So it need to check the pointer context before using it CVE-2024-43906 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules Check the pointer value to fix potential null pointer dereference CVE-2024-43907 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix the null pointer dereference to ras_manager Check ras_manager before using it CVE-2024-43908 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/pm: Fix the null pointer dereference for smu7 optimize the code to avoid pass a null pointer (hwmgr->backend) to function smu7_update_edc_leakage_table. CVE-2024-43909 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL dereference at band check in starting tx ba session In MLD connection, link_data/link_conf are dynamically allocated. They don't point to vif->bss_conf. So, there will be no chanreq assigned to vif->bss_conf and then the chan will be NULL. Tweak the code to check ht_supported/vht_supported/has_he/has_eht on sta deflink. Crash log (with rtw89 version under MLO development): [ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 9890.526102] #PF: supervisor read access in kernel mode [ 9890.526105] #PF: error_code(0x0000) - not-present page [ 9890.526109] PGD 0 P4D 0 [ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI [ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1 [ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018 [ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core] [ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211 [ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3 All code ======== 0: f7 e8 imul %eax 2: d5 (bad) 3: 93 xchg %eax,%ebx 4: 3e ea ds (bad) 6: 48 83 c4 28 add $0x28,%rsp a: 89 d8 mov %ebx,%eax c: 5b pop %rbx d: 41 5c pop %r12 f: 41 5d pop %r13 11: 41 5e pop %r14 13: 41 5f pop %r15 15: 5d pop %rbp 16: c3 retq 17: cc int3 18: cc int3 19: cc int3 1a: cc int3 1b: 49 8b 84 24 e0 f1 ff mov -0xe20(%r12),%rax 22: ff 23: 48 8b 80 90 1b 00 00 mov 0x1b90(%rax),%rax 2a:* 83 38 03 cmpl $0x3,(%rax) <-- trapping instruction 2d: 0f 84 37 fe ff ff je 0xfffffffffffffe6a 33: bb ea ff ff ff mov $0xffffffea,%ebx 38: eb cc jmp 0x6 3a: 49 rex.WB 3b: 8b .byte 0x8b 3c: 84 24 10 test %ah,(%rax,%rdx,1) 3f: f3 repz Code starting with the faulting instruction =========================================== 0: 83 38 03 cmpl $0x3,(%rax) 3: 0f 84 37 fe ff ff je 0xfffffffffffffe40 9: bb ea ff ff ff mov $0xffffffea,%ebx e: eb cc jmp 0xffffffffffffffdc 10: 49 rex.WB 11: 8b .byte 0x8b 12: 84 24 10 test %ah,(%rax,%rdx,1) 15: f3 repz [ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246 [ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8 [ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685 [ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873 [ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70 [ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000 [ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000 [ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0 [ 9890.526321] Call Trace: [ 9890.526324] <TASK> [ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479) [ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713) [ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator ---truncated--- CVE-2024-43911 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: disallow setting special AP channel widths Setting the AP channel width is meant for use with the normal 20/40/... MHz channel width progression, and switching around in S1G or narrow channels isn't supported. Disallow that. CVE-2024-43912 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: md/raid5: avoid BUG_ON() while continue reshape after reassembling Currently, mdadm support --revert-reshape to abort the reshape while reassembling, as the test 07revert-grow. However, following BUG_ON() can be triggerred by the test: kernel BUG at drivers/md/raid5.c:6278! invalid opcode: 0000 [#1] PREEMPT SMP PTI irq event stamp: 158985 CPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94 RIP: 0010:reshape_request+0x3f1/0xe60 Call Trace: <TASK> raid5_sync_request+0x43d/0x550 md_do_sync+0xb7a/0x2110 md_thread+0x294/0x2b0 kthread+0x147/0x1c0 ret_from_fork+0x59/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> Root cause is that --revert-reshape update the raid_disks from 5 to 4, while reshape position is still set, and after reassembling the array, reshape position will be read from super block, then during reshape the checking of 'writepos' that is caculated by old reshape position will fail. Fix this panic the easy way first, by converting the BUG_ON() to WARN_ON(), and stop the reshape if checkings fail. Noted that mdadm must fix --revert-shape as well, and probably md/raid should enhance metadata validation as well, however this means reassemble will fail and there must be user tools to fix the wrong metadata. CVE-2024-43914 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: prevent potential speculation leaks in gpio_device_get_desc() Userspace may trigger a speculative read of an address outside the gpio descriptor array. Users can do that by calling gpio_ioctl() with an offset out of range. Offset is copied from user and then used as an array index to get the gpio descriptor without sanitization in gpio_device_get_desc(). This change ensures that the offset is sanitized by using array_index_nospec() to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. CVE-2024-44931 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: Fix null-ptr-deref in reuseport_add_sock(). syzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in reuseport_add_sock(). [0] The repro first creates a listener with SO_REUSEPORT. Then, it creates another listener on the same port and concurrently closes the first listener. The second listen() calls reuseport_add_sock() with the first listener as sk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently, but the close() does clear it by reuseport_detach_sock(). The problem is SCTP does not properly synchronise reuseport_alloc(), reuseport_add_sock(), and reuseport_detach_sock(). The caller of reuseport_alloc() and reuseport_{add,detach}_sock() must provide synchronisation for sockets that are classified into the same reuseport group. Otherwise, such sockets form multiple identical reuseport groups, and all groups except one would be silently dead. 1. Two sockets call listen() concurrently 2. No socket in the same group found in sctp_ep_hashtable[] 3. Two sockets call reuseport_alloc() and form two reuseport groups 4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives incoming packets Also, the reported null-ptr-deref could occur. TCP/UDP guarantees that would not happen by holding the hash bucket lock. Let's apply the locking strategy to __sctp_hash_endpoint() and __sctp_unhash_endpoint(). [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 RIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350 Code: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14 RSP: 0018:ffffc9000b947c98 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012 RBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385 R10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0 R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __sctp_hash_endpoint net/sctp/input.c:762 [inline] sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790 sctp_listen_start net/sctp/socket.c:8570 [inline] sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625 __sys_listen_socket net/socket.c:1883 [inline] __sys_listen+0x1b7/0x230 net/socket.c:1894 __do_sys_listen net/socket.c:1902 [inline] __se_sys_listen net/socket.c:1900 [inline] __x64_sys_listen+0x5a/0x70 net/socket.c:1900 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f24e46039b9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032 RAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9 RDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004 RBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0 R10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c R13: ---truncated--- CVE-2024-44935 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: Fix shift-out-of-bounds in dbDiscardAG When searching for the next smaller log2 block, BLKSTOL2() returned 0, causing shift exponent -1 to be negative. This patch fixes the issue by exiting the loop directly when negative shift is found. CVE-2024-44938 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment "p->header.flag & BT-LEAF" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL. CVE-2024-44939 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use helper function to calculate expect ID Delete expectation path is missing a call to the nf_expect_get_id() helper function to calculate the expectation ID, otherwise LSB of the expectation object address is leaked to userspace. CVE-2024-44944 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: kcm: Serialise kcm_sendmsg() for the same socket. syzkaller reported UAF in kcm_release(). [0] The scenario is 1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb. 2. Thread A resumes building skb from kcm->seq_skb but is blocked by sk_stream_wait_memory() 3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb and puts the skb to the write queue 4. Thread A faces an error and finally frees skb that is already in the write queue 5. kcm_release() does double-free the skb in the write queue When a thread is building a MSG_MORE skb, another thread must not touch it. Let's add a per-sk mutex and serialise kcm_sendmsg(). [0]: BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167 CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x178/0x518 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __skb_unlink include/linux/skbuff.h:2366 [inline] __skb_dequeue include/linux/skbuff.h:2385 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] __skb_queue_purge include/linux/skbuff.h:3181 [inline] kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 __sock_release net/socket.c:659 [inline] sock_close+0xa4/0x1e8 net/socket.c:1421 __fput+0x30c/0x738 fs/file_table.c:376 ____fput+0x20/0x30 fs/file_table.c:404 task_work_run+0x230/0x2e0 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x618/0x1f64 kernel/exit.c:871 do_group_exit+0x194/0x22c kernel/exit.c:1020 get_signal+0x1500/0x15ec kernel/signal.c:2893 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Allocated by task 6166: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1296 [inline] kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x220/0x2c0 net/socket.c:768 splice_to_socket+0x7cc/0xd58 fs/splice.c:889 do_splice_from fs/splice.c:941 [inline] direct_splice_actor+0xec/0x1d8 fs/splice.c:1164 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108 do_splice_direct_actor ---truncated--- CVE-2024-44946 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: fuse: Initialize beyond-EOF page contents before setting uptodate fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter). CVE-2024-44947 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/mtrr: Check if fixed MTRRs exist before saving them MTRRs have an obsolete fixed variant for fine grained caching control of the 640K-1MB region that uses separate MSRs. This fixed variant has a separate capability bit in the MTRR capability MSR. So far all x86 CPUs which support MTRR have this separate bit set, so it went unnoticed that mtrr_save_state() does not check the capability bit before accessing the fixed MTRR MSRs. Though on a CPU that does not support the fixed MTRR capability this results in a #GP. The #GP itself is harmless because the RDMSR fault is handled gracefully, but results in a WARN_ON(). Add the missing capability check to prevent this. CVE-2024-44948 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: fix invalid FIFO access with special register set When enabling access to the special register set, Receiver time-out and RHR interrupts can happen. In this case, the IRQ handler will try to read from the FIFO thru the RHR register at address 0x00, but address 0x00 is mapped to DLL register, resulting in erroneous FIFO reading. Call graph example: sc16is7xx_startup(): entry sc16is7xx_ms_proc(): entry sc16is7xx_set_termios(): entry sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set sc16is7xx_port_irq() entry --> IIR is 0x0C sc16is7xx_handle_rx() entry sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is mapped to DLL (LCR=LCR_CONF_MODE_A) sc16is7xx_set_baud(): exit --> Restore access to general register set Fix the problem by claiming the efr_lock mutex when accessing the Special register set. CVE-2024-44950 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: fix TX fifo corruption Sometimes, when a packet is received on channel A at almost the same time as a packet is about to be transmitted on channel B, we observe with a logic analyzer that the received packet on channel A is transmitted on channel B. In other words, the Tx buffer data on channel B is corrupted with data from channel A. The problem appeared since commit 4409df5866b7 ("serial: sc16is7xx: change EFR lock to operate on each channels"), which changed the EFR locking to operate on each channel instead of chip-wise. This commit has introduced a regression, because the EFR lock is used not only to protect the EFR registers access, but also, in a very obscure and undocumented way, to protect access to the data buffer, which is shared by the Tx and Rx handlers, but also by each channel of the IC. Fix this regression first by switching to kfifo_out_linear_ptr() in sc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer. Secondly, replace the chip-wise Rx buffer with a separate Rx buffer for each channel. CVE-2024-44951 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-44952 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: line6: Fix racy access to midibuf There can be concurrent accesses to line6 midibuf from both the URB completion callback and the rawmidi API access. This could be a cause of KMSAN warning triggered by syzkaller below (so put as reported-by here). This patch protects the midibuf call of the former code path with a spinlock for avoiding the possible races. CVE-2024-44954 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: Check for unset descriptor Make sure the descriptor has been set before looking at maxpacket. This fixes a null pointer panic in this case. This may happen if the gadget doesn't properly set up the endpoint for the current speed, or the gadget descriptors are malformed and the descriptor for the speed/endpoint are not found. No current gadget driver is known to have this problem, but this may cause a hard-to-find bug during development of new gadgets. CVE-2024-44960 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Forward soft recovery errors to userspace As we discussed before[1], soft recovery should be forwarded to userspace, or we can get into a really bad state where apps will keep submitting hanging command buffers cascading us to a hard reset. 1: https://lore.kernel.org/all/bf23d5ed-9a6b-43e7-84ee-8cbfd0d60f18@froggi.es/ (cherry picked from commit 434967aadbbbe3ad9103cc29e9a327de20fdba01) CVE-2024-44961 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading When unload the btnxpuart driver, its associated timer will be deleted. If the timer happens to be modified at this moment, it leads to the kernel call this timer even after the driver unloaded, resulting in kernel panic. Use timer_shutdown_sync() instead of del_timer_sync() to prevent rearming. panic log: Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP Modules linked in: algif_hash algif_skcipher af_alg moal(O) mlan(O) crct10dif_ce polyval_ce polyval_generic snd_soc_imx_card snd_soc_fsl_asoc_card snd_soc_imx_audmux mxc_jpeg_encdec v4l2_jpeg snd_soc_wm8962 snd_soc_fsl_micfil snd_soc_fsl_sai flexcan snd_soc_fsl_utils ap130x rpmsg_ctrl imx_pcm_dma can_dev rpmsg_char pwm_fan fuse [last unloaded: btnxpuart] CPU: 5 PID: 723 Comm: memtester Tainted: G O 6.6.23-lts-next-06207-g4aef2658ac28 #1 Hardware name: NXP i.MX95 19X19 board (DT) pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0xffff80007a2cf464 lr : call_timer_fn.isra.0+0x24/0x80 ... Call trace: 0xffff80007a2cf464 __run_timers+0x234/0x280 run_timer_softirq+0x20/0x40 __do_softirq+0x100/0x26c ____do_softirq+0x10/0x1c call_on_irq_stack+0x24/0x4c do_softirq_own_stack+0x1c/0x2c irq_exit_rcu+0xc0/0xdc el0_interrupt+0x54/0xd8 __el0_irq_handler_common+0x18/0x24 el0t_64_irq_handler+0x10/0x1c el0t_64_irq+0x190/0x194 Code: ???????? ???????? ???????? ???????? (????????) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt SMP: stopping secondary CPUs Kernel Offset: disabled CPU features: 0x0,c0000000,40028143,1000721b Memory Limit: none ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- CVE-2024-44962 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix pti_clone_pgtable() alignment assumption Guenter reported dodgy crashes on an i386-nosmp build using GCC-11 that had the form of endless traps until entry stack exhaust and then #DF from the stack guard. It turned out that pti_clone_pgtable() had alignment assumptions on the start address, notably it hard assumes start is PMD aligned. This is true on x86_64, but very much not true on i386. These assumptions can cause the end condition to malfunction, leading to a 'short' clone. Guess what happens when the user mapping has a short copy of the entry text? Use the correct increment form for addr to avoid alignment assumptions. CVE-2024-44965 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/mgag200: Bind I2C lifetime to DRM device Managed cleanup with devm_add_action_or_reset() will release the I2C adapter when the underlying Linux device goes away. But the connector still refers to it, so this cleanup leaves behind a stale pointer in struct drm_connector.ddc. Bind the lifetime of the I2C adapter to the connector's lifetime by using DRM's managed release. When the DRM device goes away (after the Linux device) DRM will first clean up the connector and then clean up the I2C adapter. CVE-2024-44967 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Prevent release of buffer in I/O When a task waiting for completion of a Store Data operation is interrupted, an attempt is made to halt this operation. If this attempt fails due to a hardware or firmware problem, there is a chance that the SCLP facility might store data into buffers referenced by the original operation at a later time. Handle this situation by not releasing the referenced data buffers if the halt attempt fails. For current use cases, this might result in a leak of few pages of memory in case of a rare hardware/firmware malfunction. CVE-2024-44969 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink When all the strides in a WQE have been consumed, the WQE is unlinked from the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible to receive CQEs with 0 consumed strides for the same WQE even after the WQE is fully consumed and unlinked. This triggers an additional unlink for the same wqe which corrupts the linked list. Fix this scenario by accepting 0 sized consumed strides without unlinking the WQE again. CVE-2024-44970 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register() bcm_sf2_mdio_register() calls of_phy_find_device() and then phy_device_remove() in a loop to remove existing PHY devices. of_phy_find_device() eventually calls bus_find_device(), which calls get_device() on the returned struct device * to increment the refcount. The current implementation does not decrement the refcount, which causes memory leak. This commit adds the missing phy_device_free() call to decrement the refcount via put_device() to balance the refcount. CVE-2024-44971 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: do not clear page dirty inside extent_write_locked_range() [BUG] For subpage + zoned case, the following workload can lead to rsv data leak at unmount time: # mkfs.btrfs -f -s 4k $dev # mount $dev $mnt # fsstress -w -n 8 -d $mnt -s 1709539240 0/0: fiemap - no filename 0/1: copyrange read - no filename 0/2: write - no filename 0/3: rename - no source filename 0/4: creat f0 x:0 0 0 0/4: creat add id=0,parent=-1 0/5: writev f0[259 1 0 0 0 0] [778052,113,965] 0 0/6: ioctl(FIEMAP) f0[259 1 0 0 224 887097] [1294220,2291618343991484791,0x10000] -1 0/7: dwrite - xfsctl(XFS_IOC_DIOINFO) f0[259 1 0 0 224 887097] return 25, fallback to stat() 0/7: dwrite f0[259 1 0 0 224 887097] [696320,102400] 0 # umount $mnt The dmesg includes the following rsv leak detection warning (all call trace skipped): ------------[ cut here ]------------ WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8653 btrfs_destroy_inode+0x1e0/0x200 [btrfs] ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8654 btrfs_destroy_inode+0x1a8/0x200 [btrfs] ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8660 btrfs_destroy_inode+0x1a0/0x200 [btrfs] ---[ end trace 0000000000000000 ]--- BTRFS info (device sda): last unmount of filesystem 1b4abba9-de34-4f07-9e7f-157cf12a18d6 ------------[ cut here ]------------ WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs] ---[ end trace 0000000000000000 ]--- BTRFS info (device sda): space_info DATA has 268218368 free, is not full BTRFS info (device sda): space_info total=268435456, used=204800, pinned=0, reserved=0, may_use=12288, readonly=0 zone_unusable=0 BTRFS info (device sda): global_block_rsv: size 0 reserved 0 BTRFS info (device sda): trans_block_rsv: size 0 reserved 0 BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0 ------------[ cut here ]------------ WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs] ---[ end trace 0000000000000000 ]--- BTRFS info (device sda): space_info METADATA has 267796480 free, is not full BTRFS info (device sda): space_info total=268435456, used=131072, pinned=0, reserved=0, may_use=262144, readonly=0 zone_unusable=245760 BTRFS info (device sda): global_block_rsv: size 0 reserved 0 BTRFS info (device sda): trans_block_rsv: size 0 reserved 0 BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0 Above $dev is a tcmu-runner emulated zoned HDD, which has a max zone append size of 64K, and the system has 64K page size. [CAUSE] I have added several trace_printk() to show the events (header skipped): > btrfs_dirty_pages: r/i=5/259 dirty start=774144 len=114688 > btrfs_dirty_pages: r/i=5/259 dirty part of page=720896 off_in_page=53248 len_in_page=12288 > btrfs_dirty_pages: r/i=5/259 dirty part of page=786432 off_in_page=0 len_in_page=65536 > btrfs_dirty_pages: r/i=5/259 dirty part of page=851968 off_in_page=0 len_in_page=36864 The above lines show our buffered write has dirtied 3 pages of inode 259 of root 5: 704K 768K 832K 896K I |////I/////////////////I///////////| I 756K 868K |///| is the dirtied range using subpage bitmaps. and 'I' is the page boundary. Meanwhile all three pages (704K, 768K, 832K) have their PageDirty flag set. > btrfs_direct_write: r/i=5/259 start dio filepos=696320 len=102400 Then direct IO writ ---truncated--- CVE-2024-44972 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Validate TA binary size Add TA binary size validation to avoid OOB write. (cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442) CVE-2024-44977 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails If the dpu_format_populate_layout() fails, then FB is prepared, but not cleaned up. This ends up leaking the pin_count on the GEM object and causes a splat during DRM file closure: msm_obj->pin_count WARNING: CPU: 2 PID: 569 at drivers/gpu/drm/msm/msm_gem.c:121 update_lru_locked+0xc4/0xcc [...] Call trace: update_lru_locked+0xc4/0xcc put_pages+0xac/0x100 msm_gem_free_object+0x138/0x180 drm_gem_object_free+0x1c/0x30 drm_gem_object_handle_put_unlocked+0x108/0x10c drm_gem_object_release_handle+0x58/0x70 idr_for_each+0x68/0xec drm_gem_release+0x28/0x40 drm_file_free+0x174/0x234 drm_release+0xb0/0x160 __fput+0xc0/0x2c8 __fput_sync+0x50/0x5c __arm64_sys_close+0x38/0x7c invoke_syscall+0x48/0x118 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x4c/0x120 el0t_64_sync_handler+0x100/0x12c el0t_64_sync+0x190/0x194 irq event stamp: 129818 hardirqs last enabled at (129817): [<ffffa5f6d953fcc0>] console_unlock+0x118/0x124 hardirqs last disabled at (129818): [<ffffa5f6da7dcf04>] el1_dbg+0x24/0x8c softirqs last enabled at (129808): [<ffffa5f6d94afc18>] handle_softirqs+0x4c8/0x4e8 softirqs last disabled at (129785): [<ffffa5f6d94105e4>] __do_softirq+0x14/0x20 Patchwork: https://patchwork.freedesktop.org/patch/600714/ CVE-2024-44982 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix double DMA unmapping for XDP_REDIRECT Remove the dma_unmap_page_attrs() call in the driver's XDP_REDIRECT code path. This should have been removed when we let the page pool handle the DMA mapping. This bug causes the warning: WARNING: CPU: 7 PID: 59 at drivers/iommu/dma-iommu.c:1198 iommu_dma_unmap_page+0xd5/0x100 CPU: 7 PID: 59 Comm: ksoftirqd/7 Tainted: G W 6.8.0-1010-gcp #11-Ubuntu Hardware name: Dell Inc. PowerEdge R7525/0PYVT1, BIOS 2.15.2 04/02/2024 RIP: 0010:iommu_dma_unmap_page+0xd5/0x100 Code: 89 ee 48 89 df e8 cb f2 69 ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 31 f6 31 ff 45 31 c0 e9 ab 17 71 00 <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 RSP: 0018:ffffab1fc0597a48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff99ff838280c8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffab1fc0597a78 R08: 0000000000000002 R09: ffffab1fc0597c1c R10: ffffab1fc0597cd3 R11: ffff99ffe375acd8 R12: 00000000e65b9000 R13: 0000000000000050 R14: 0000000000001000 R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffff9a06efb80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000565c34c37210 CR3: 00000005c7e3e000 CR4: 0000000000350ef0 ? show_regs+0x6d/0x80 ? __warn+0x89/0x150 ? iommu_dma_unmap_page+0xd5/0x100 ? report_bug+0x16a/0x190 ? handle_bug+0x51/0xa0 ? exc_invalid_op+0x18/0x80 ? iommu_dma_unmap_page+0xd5/0x100 ? iommu_dma_unmap_page+0x35/0x100 dma_unmap_page_attrs+0x55/0x220 ? bpf_prog_4d7e87c0d30db711_xdp_dispatcher+0x64/0x9f bnxt_rx_xdp+0x237/0x520 [bnxt_en] bnxt_rx_pkt+0x640/0xdd0 [bnxt_en] __bnxt_poll_work+0x1a1/0x3d0 [bnxt_en] bnxt_poll+0xaa/0x1e0 [bnxt_en] __napi_poll+0x33/0x1e0 net_rx_action+0x18a/0x2f0 CVE-2024-44984 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UAF in ip6_xmit() If skb_expand_head() returns NULL, skb has been freed and the associated dst/idev could also have been freed. We must use rcu_read_lock() to prevent a possible UAF. CVE-2024-44985 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in ip6_finish_output2() If skb_expand_head() returns NULL, skb has been freed and associated dst/idev could also have been freed. We need to hold rcu_read_lock() to make sure the dst and associated idev are alive. CVE-2024-44986 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). A similar issue has been fixed in commit a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 </TASK> Allocated by task 6530: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. ---truncated--- CVE-2024-44987 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Fix out-of-bound access If an ATU violation was caused by a CPU Load operation, the SPID could be larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array). CVE-2024-44988 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bonding: fix xfrm real_dev null pointer dereference We shouldn't set real_dev to NULL because packets can be in transit and xfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume real_dev is set. Example trace: kernel: BUG: unable to handle page fault for address: 0000000000001030 kernel: bond0: (slave eni0np1): making interface the new active one kernel: #PF: supervisor write access in kernel mode kernel: #PF: error_code(0x0002) - not-present page kernel: PGD 0 P4D 0 kernel: Oops: 0002 [#1] PREEMPT SMP kernel: CPU: 4 PID: 2237 Comm: ping Not tainted 6.7.7+ #12 kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 kernel: RIP: 0010:nsim_ipsec_offload_ok+0xc/0x20 [netdevsim] kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: Code: e0 0f 0b 48 83 7f 38 00 74 de 0f 0b 48 8b 47 08 48 8b 37 48 8b 78 40 e9 b2 e5 9a d7 66 90 0f 1f 44 00 00 48 8b 86 80 02 00 00 <83> 80 30 10 00 00 01 b8 01 00 00 00 c3 0f 1f 80 00 00 00 00 0f 1f kernel: bond0: (slave eni0np1): making interface the new active one kernel: RSP: 0018:ffffabde81553b98 EFLAGS: 00010246 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: kernel: RAX: 0000000000000000 RBX: ffff9eb404e74900 RCX: ffff9eb403d97c60 kernel: RDX: ffffffffc090de10 RSI: ffff9eb404e74900 RDI: ffff9eb3c5de9e00 kernel: RBP: ffff9eb3c0a42000 R08: 0000000000000010 R09: 0000000000000014 kernel: R10: 7974203030303030 R11: 3030303030303030 R12: 0000000000000000 kernel: R13: ffff9eb3c5de9e00 R14: ffffabde81553cc8 R15: ffff9eb404c53000 kernel: FS: 00007f2a77a3ad00(0000) GS:ffff9eb43bd00000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000001030 CR3: 00000001122ab000 CR4: 0000000000350ef0 kernel: bond0: (slave eni0np1): making interface the new active one kernel: Call Trace: kernel: <TASK> kernel: ? __die+0x1f/0x60 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ? page_fault_oops+0x142/0x4c0 kernel: ? do_user_addr_fault+0x65/0x670 kernel: ? kvm_read_and_reset_apf_flags+0x3b/0x50 kernel: bond0: (slave eni0np1): making interface the new active one kernel: ? exc_page_fault+0x7b/0x180 kernel: ? asm_exc_page_fault+0x22/0x30 kernel: ? nsim_bpf_uninit+0x50/0x50 [netdevsim] kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ? nsim_ipsec_offload_ok+0xc/0x20 [netdevsim] kernel: bond0: (slave eni0np1): making interface the new active one kernel: bond_ipsec_offload_ok+0x7b/0x90 [bonding] kernel: xfrm_output+0x61/0x3b0 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ip_push_pending_frames+0x56/0x80 CVE-2024-44989 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bonding: fix null pointer deref in bond_ipsec_offload_ok We must check if there is an active slave before dereferencing the pointer. CVE-2024-44990 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once from a task that failed to clone a new netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected 1 -> 0 transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost and I don't see a use-after-free) but as erroneous trigger of debug check. Add a mutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns. CVE-2024-44991 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() When there are multiple ap interfaces on one band and with WED on, turning the interface down will cause a kernel panic on MT798X. Previously, cb_priv was freed in mtk_wed_setup_tc_block() without marking NULL,and mtk_wed_setup_tc_block_cb() didn't check the value, too. Assign NULL after free cb_priv in mtk_wed_setup_tc_block() and check NULL in mtk_wed_setup_tc_block_cb(). ---------- Unable to handle kernel paging request at virtual address 0072460bca32b4f5 Call trace: mtk_wed_setup_tc_block_cb+0x4/0x38 0xffffffc0794084bc tcf_block_playback_offloads+0x70/0x1e8 tcf_block_unbind+0x6c/0xc8 ... --------- CVE-2024-44997 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference "skb" after calling vcc->push() because the skb is released. CVE-2024-44998 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: gtp: pull network headers in gtp_dev_xmit() syzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1] We must make sure the IPv4 or Ipv6 header is pulled in skb->head before accessing fields in them. Use pskb_inet_may_pull() to fix this issue. [1] BUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline] BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline] BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281 ipv6_pdp_find drivers/net/gtp.c:220 [inline] gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline] gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281 __netdev_start_xmit include/linux/netdevice.h:4913 [inline] netdev_start_xmit include/linux/netdevice.h:4922 [inline] xmit_one net/core/dev.c:3580 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596 __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423 dev_queue_xmit include/linux/netdevice.h:3105 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3145 [inline] packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2204 __do_sys_sendto net/socket.c:2216 [inline] __se_sys_sendto net/socket.c:2212 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212 x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3994 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674 alloc_skb include/linux/skbuff.h:1320 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815 packet_alloc_skb net/packet/af_packet.c:2994 [inline] packet_snd net/packet/af_packet.c:3088 [inline] packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2204 __do_sys_sendto net/socket.c:2216 [inline] __se_sys_sendto net/socket.c:2212 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212 x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 CVE-2024-44999 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs/netfs/fscache_cookie: add missing "n_accesses" check This fixes a NULL pointer dereference bug due to a data race which looks like this: BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43 Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018 Workqueue: events_unbound netfs_rreq_write_to_cache_work RIP: 0010:cachefiles_prepare_write+0x30/0xa0 Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 <48> 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10 RSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286 RAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000 RDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438 RBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001 R10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68 R13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00 FS: 0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0 Call Trace: <TASK> ? __die+0x1f/0x70 ? page_fault_oops+0x15d/0x440 ? search_module_extables+0xe/0x40 ? fixup_exception+0x22/0x2f0 ? exc_page_fault+0x5f/0x100 ? asm_exc_page_fault+0x22/0x30 ? cachefiles_prepare_write+0x30/0xa0 netfs_rreq_write_to_cache_work+0x135/0x2e0 process_one_work+0x137/0x2c0 worker_thread+0x2e9/0x400 ? __pfx_worker_thread+0x10/0x10 kthread+0xcc/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Modules linked in: CR2: 0000000000000008 ---[ end trace 0000000000000000 ]--- This happened because fscache_cookie_state_machine() was slow and was still running while another process invoked fscache_unuse_cookie(); this led to a fscache_cookie_lru_do_one() call, setting the FSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by fscache_cookie_state_machine(), withdrawing the cookie via cachefiles_withdraw_cookie(), clearing cookie->cache_priv. At the same time, yet another process invoked cachefiles_prepare_write(), which found a NULL pointer in this code line: struct cachefiles_object *object = cachefiles_cres_object(cres); The next line crashes, obviously: struct cachefiles_cache *cache = object->volume->cache; During cachefiles_prepare_write(), the "n_accesses" counter is non-zero (via fscache_begin_operation()). The cookie must not be withdrawn until it drops to zero. The counter is checked by fscache_cookie_state_machine() before switching to FSCACHE_COOKIE_STATE_RELINQUISHING and FSCACHE_COOKIE_STATE_WITHDRAWING (in "case FSCACHE_COOKIE_STATE_FAILED"), but not for FSCACHE_COOKIE_STATE_LRU_DISCARDING ("case FSCACHE_COOKIE_STATE_ACTIVE"). This patch adds the missing check. With a non-zero access counter, the function returns and the next fscache_end_cookie_access() call will queue another fscache_cookie_state_machine() call to handle the still-pending FSCACHE_COOKIE_DO_LRU_DISCARD. CVE-2024-45000 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix RX buf alloc_size alignment and atomic op panic The MANA driver's RX buffer alloc_size is passed into napi_build_skb() to create SKB. skb_shinfo(skb) is located at the end of skb, and its alignment is affected by the alloc_size passed into napi_build_skb(). The size needs to be aligned properly for better performance and atomic operations. Otherwise, on ARM64 CPU, for certain MTU settings like 4000, atomic operations may panic on the skb_shinfo(skb)->dataref due to alignment fault. To fix this bug, add proper alignment to the alloc_size calculation. Sample panic info: [ 253.298819] Unable to handle kernel paging request at virtual address ffff000129ba5cce [ 253.300900] Mem abort info: [ 253.301760] ESR = 0x0000000096000021 [ 253.302825] EC = 0x25: DABT (current EL), IL = 32 bits [ 253.304268] SET = 0, FnV = 0 [ 253.305172] EA = 0, S1PTW = 0 [ 253.306103] FSC = 0x21: alignment fault Call trace: __skb_clone+0xfc/0x198 skb_clone+0x78/0xe0 raw6_local_deliver+0xfc/0x228 ip6_protocol_deliver_rcu+0x80/0x500 ip6_input_finish+0x48/0x80 ip6_input+0x48/0xc0 ip6_sublist_rcv_finish+0x50/0x78 ip6_sublist_rcv+0x1cc/0x2b8 ipv6_list_rcv+0x100/0x150 __netif_receive_skb_list_core+0x180/0x220 netif_receive_skb_list_internal+0x198/0x2a8 __napi_poll+0x138/0x250 net_rx_action+0x148/0x330 handle_softirqs+0x12c/0x3a0 CVE-2024-45001 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: rtla/osnoise: Prevent NULL dereference in error handling If the "tool->data" allocation fails then there is no need to call osnoise_free_top() and, in fact, doing so will lead to a NULL dereference. CVE-2024-45002 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: vfs: Don't evict inode under the inode lru traversing context The inode reclaiming process(See function prune_icache_sb) collects all reclaimable inodes and mark them with I_FREEING flag at first, at that time, other processes will be stuck if they try getting these inodes (See function find_inode_fast), then the reclaiming process destroy the inodes by function dispose_list(). Some filesystems(eg. ext4 with ea_inode feature, ubifs with xattr) may do inode lookup in the inode evicting callback function, if the inode lookup is operated under the inode lru traversing context, deadlock problems may happen. Case 1: In function ext4_evict_inode(), the ea inode lookup could happen if ea_inode feature is enabled, the lookup process will be stuck under the evicting context like this: 1. File A has inode i_reg and an ea inode i_ea 2. getfattr(A, xattr_buf) // i_ea is added into lru // lru->i_ea 3. Then, following three processes running like this: PA PB echo 2 > /proc/sys/vm/drop_caches shrink_slab prune_dcache_sb // i_reg is added into lru, lru->i_ea->i_reg prune_icache_sb list_lru_walk_one inode_lru_isolate i_ea->i_state |= I_FREEING // set inode state inode_lru_isolate __iget(i_reg) spin_unlock(&i_reg->i_lock) spin_unlock(lru_lock) rm file A i_reg->nlink = 0 iput(i_reg) // i_reg->nlink is 0, do evict ext4_evict_inode ext4_xattr_delete_inode ext4_xattr_inode_dec_ref_all ext4_xattr_inode_iget ext4_iget(i_ea->i_ino) iget_locked find_inode_fast __wait_on_freeing_inode(i_ea) ----→ AA deadlock dispose_list // cannot be executed by prune_icache_sb wake_up_bit(&i_ea->i_state) Case 2: In deleted inode writing function ubifs_jnl_write_inode(), file deleting process holds BASEHD's wbuf->io_mutex while getting the xattr inode, which could race with inode reclaiming process(The reclaiming process could try locking BASEHD's wbuf->io_mutex in inode evicting function), then an ABBA deadlock problem would happen as following: 1. File A has inode ia and a xattr(with inode ixa), regular file B has inode ib and a xattr. 2. getfattr(A, xattr_buf) // ixa is added into lru // lru->ixa 3. Then, following three processes running like this: PA PB PC echo 2 > /proc/sys/vm/drop_caches shrink_slab prune_dcache_sb // ib and ia are added into lru, lru->ixa->ib->ia prune_icache_sb list_lru_walk_one inode_lru_isolate ixa->i_state |= I_FREEING // set inode state inode_lru_isolate __iget(ib) spin_unlock(&ib->i_lock) spin_unlock(lru_lock) rm file B ib->nlink = 0 rm file A iput(ia) ubifs_evict_inode(ia) ubifs_jnl_delete_inode(ia) ubifs_jnl_write_inode(ia) make_reservation(BASEHD) // Lock wbuf->io_mutex ubifs_iget(ixa->i_ino) iget_locked find_inode_fast __wait_on_freeing_inode(ixa) | iput(ib) // ib->nlink is 0, do evict | ubifs_evict_inode | ubifs_jnl_delete_inode(ib) ↓ ubifs_jnl_write_inode ABBA deadlock ←-----make_reservation(BASEHD) dispose_list // cannot be executed by prune_icache_sb wake_up_bit(&ixa->i_state) Fix the possible deadlock by using new inode state flag I_LRU_ISOLATING to pin the inode in memory while inode_lru_isolate( ---truncated--- CVE-2024-45003 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: s390: fix validity interception issue when gisa is switched off We might run into a SIE validity if gisa has been disabled either via using kernel parameter "kvm.use_gisa=0" or by setting the related sysfs attribute to N (echo N >/sys/module/kvm/parameters/use_gisa). The validity is caused by an invalid value in the SIE control block's gisa designation. That happens because we pass the uninitialized gisa origin to virt_to_phys() before writing it to the gisa designation. To fix this we return 0 in kvm_s390_get_gisa_desc() if the origin is 0. kvm_s390_get_gisa_desc() is used to determine which gisa designation to set in the SIE control block. A value of 0 in the gisa designation disables gisa usage. The issue surfaces in the host kernel with the following kernel message as soon a new kvm guest start is attemted. kvm: unhandled validity intercept 0x1011 WARNING: CPU: 0 PID: 781237 at arch/s390/kvm/intercept.c:101 kvm_handle_sie_intercept+0x42e/0x4d0 [kvm] Modules linked in: vhost_net tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT xt_tcpudp nft_compat x_tables nf_nat_tftp nf_conntrack_tftp vfio_pci_core irqbypass vhost_vsock vmw_vsock_virtio_transport_common vsock vhost vhost_iotlb kvm nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables sunrpc mlx5_ib ib_uverbs ib_core mlx5_core uvdevice s390_trng eadm_sch vfio_ccw zcrypt_cex4 mdev vfio_iommu_type1 vfio sch_fq_codel drm i2c_core loop drm_panel_orientation_quirks configfs nfnetlink lcs ctcm fsm dm_service_time ghash_s390 prng chacha_s390 libchacha aes_s390 des_s390 libdes sha3_512_s390 sha3_256_s390 sha512_s390 sha256_s390 sha1_s390 sha_common dm_mirror dm_region_hash dm_log zfcp scsi_transport_fc scsi_dh_rdac scsi_dh_emc scsi_dh_alua pkey zcrypt dm_multipath rng_core autofs4 [last unloaded: vfio_pci] CPU: 0 PID: 781237 Comm: CPU 0/KVM Not tainted 6.10.0-08682-gcad9f11498ea #6 Hardware name: IBM 3931 A01 701 (LPAR) Krnl PSW : 0704c00180000000 000003d93deb0122 (kvm_handle_sie_intercept+0x432/0x4d0 [kvm]) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 Krnl GPRS: 000003d900000027 000003d900000023 0000000000000028 000002cd00000000 000002d063a00900 00000359c6daf708 00000000000bebb5 0000000000001eff 000002cfd82e9000 000002cfd80bc000 0000000000001011 000003d93deda412 000003ff8962df98 000003d93de77ce0 000003d93deb011e 00000359c6daf960 Krnl Code: 000003d93deb0112: c020fffe7259 larl %r2,000003d93de7e5c4 000003d93deb0118: c0e53fa8beac brasl %r14,000003d9bd3c7e70 #000003d93deb011e: af000000 mc 0,0 >000003d93deb0122: a728ffea lhi %r2,-22 000003d93deb0126: a7f4fe24 brc 15,000003d93deafd6e 000003d93deb012a: 9101f0b0 tm 176(%r15),1 000003d93deb012e: a774fe48 brc 7,000003d93deafdbe 000003d93deb0132: 40a0f0ae sth %r10,174(%r15) Call Trace: [<000003d93deb0122>] kvm_handle_sie_intercept+0x432/0x4d0 [kvm] ([<000003d93deb011e>] kvm_handle_sie_intercept+0x42e/0x4d0 [kvm]) [<000003d93deacc10>] vcpu_post_run+0x1d0/0x3b0 [kvm] [<000003d93deaceda>] __vcpu_run+0xea/0x2d0 [kvm] [<000003d93dead9da>] kvm_arch_vcpu_ioctl_run+0x16a/0x430 [kvm] [<000003d93de93ee0>] kvm_vcpu_ioctl+0x190/0x7c0 [kvm] [<000003d9bd728b4e>] vfs_ioctl+0x2e/0x70 [<000003d9bd72a092>] __s390x_sys_ioctl+0xc2/0xd0 [<000003d9be0e9222>] __do_syscall+0x1f2/0x2e0 [<000003d9be0f9a90>] system_call+0x70/0x98 Last Breaking-Event-Address: [<000003d9bd3c7f58>] __warn_printk+0xe8/0xf0 CVE-2024-45005 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration re-enumerating full-speed devices after a failed address device command can trigger a NULL pointer dereference. Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size value during enumeration. Usb core calls usb_ep0_reinit() in this case, which ends up calling xhci_configure_endpoint(). On Panther point xHC the xhci_configure_endpoint() function will additionally check and reserve bandwidth in software. Other hosts do this in hardware If xHC address device command fails then a new xhci_virt_device structure is allocated as part of re-enabling the slot, but the bandwidth table pointers are not set up properly here. This triggers the NULL pointer dereference the next time usb_ep0_reinit() is called and xhci_configure_endpoint() tries to check and reserve bandwidth [46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd [46710.713699] usb 3-1: Device not responding to setup address. [46710.917684] usb 3-1: Device not responding to setup address. [46711.125536] usb 3-1: device not accepting address 5, error -71 [46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008 [46711.125600] #PF: supervisor read access in kernel mode [46711.125603] #PF: error_code(0x0000) - not-present page [46711.125606] PGD 0 P4D 0 [46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI [46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1 [46711.125620] Hardware name: Gigabyte Technology Co., Ltd. [46711.125623] Workqueue: usb_hub_wq hub_event [usbcore] [46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c Fix this by making sure bandwidth table pointers are set up correctly after a failed address device command, and additionally by avoiding checking for bandwidth in cases like this where no actual endpoints are added or removed, i.e. only context for default control endpoint 0 is evaluated. CVE-2024-45006 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: char: xillybus: Don't destroy workqueue from work item running on it Triggered by a kref decrement, destroy_workqueue() may be called from within a work item for destroying its own workqueue. This illegal situation is averted by adding a module-global workqueue for exclusive use of the offending work item. Other work items continue to be queued on per-device workqueues to ensure performance. CVE-2024-45007 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: MT - limit max slots syzbot is reporting too large allocation at input_mt_init_slots(), for num_slots is supplied from userspace using ioctl(UI_DEV_CREATE). Since nobody knows possible max slots, this patch chose 1024. CVE-2024-45008 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: char: xillybus: Check USB endpoints when probing device Ensure, as the driver probes the device, that all endpoints that the driver may attempt to access exist and are of the correct type. All XillyUSB devices must have a Bulk IN and Bulk OUT endpoint at address 1. This is verified in xillyusb_setup_base_eps(). On top of that, a XillyUSB device may have additional Bulk OUT endpoints. The information about these endpoints' addresses is deduced from a data structure (the IDT) that the driver fetches from the device while probing it. These endpoints are checked in setup_channels(). A XillyUSB device never has more than one IN endpoint, as all data towards the host is multiplexed in this single Bulk IN endpoint. This is why setup_channels() only checks OUT endpoints. CVE-2024-45011 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: use dma non-coherent allocator Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a BUG() on startup, when the iommu is enabled: kernel BUG at include/linux/scatterlist.h:187! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30 Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019 RIP: 0010:sg_init_one+0x85/0xa0 Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54 24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b 0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00 RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000 RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508 R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018 FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0 Call Trace: <TASK> ? die+0x36/0x90 ? do_trap+0xdd/0x100 ? sg_init_one+0x85/0xa0 ? do_error_trap+0x65/0x80 ? sg_init_one+0x85/0xa0 ? exc_invalid_op+0x50/0x70 ? sg_init_one+0x85/0xa0 ? asm_exc_invalid_op+0x1a/0x20 ? sg_init_one+0x85/0xa0 nvkm_firmware_ctor+0x14a/0x250 [nouveau] nvkm_falcon_fw_ctor+0x42/0x70 [nouveau] ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau] r535_gsp_oneinit+0xb3/0x15f0 [nouveau] ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? nvkm_udevice_new+0x95/0x140 [nouveau] ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? ktime_get+0x47/0xb0 Fix this by using the non-coherent allocator instead, I think there might be a better answer to this, but it involve ripping up some of APIs using sg lists. CVE-2024-45012 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: nvme: move stopping keep-alive into nvme_uninit_ctrl() Commit 4733b65d82bd ("nvme: start keep-alive after admin queue setup") moves starting keep-alive from nvme_start_ctrl() into nvme_init_ctrl_finish(), but don't move stopping keep-alive into nvme_uninit_ctrl(), so keep-alive work can be started and keep pending after failing to start controller, finally use-after-free is triggered if nvme host driver is unloaded. This patch fixes kernel panic when running nvme/004 in case that connection failure is triggered, by moving stopping keep-alive into nvme_uninit_ctrl(). This way is reasonable because keep-alive is now started in nvme_init_ctrl_finish(). CVE-2024-45013 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() For cases where the crtc's connectors_changed was set without enable/active getting toggled , there is an atomic_enable() call followed by an atomic_disable() but without an atomic_mode_set(). This results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in the atomic_enable() as the dpu_encoder's connector was cleared in the atomic_disable() but not re-assigned as there was no atomic_mode_set() call. Fix the NULL ptr access by moving the assignment for atomic_enable() and also use drm_atomic_get_new_connector_for_encoder() to get the connector from the atomic_state. Patchwork: https://patchwork.freedesktop.org/patch/606729/ CVE-2024-45015 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix IPsec RoCE MPV trace call Prevent the call trace below from happening, by not allowing IPsec creation over a slave, if master device doesn't support IPsec. WARNING: CPU: 44 PID: 16136 at kernel/locking/rwsem.c:240 down_read+0x75/0x94 Modules linked in: esp4_offload esp4 act_mirred act_vlan cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa mst_pciconf(OE) nfsv3 nfs_acl nfs lockd grace fscache netfs xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill cuse fuse rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel sha1_ssse3 dell_smbios ib_uverbs aesni_intel crypto_simd dcdbas wmi_bmof dell_wmi_descriptor cryptd pcspkr ib_core acpi_ipmi sp5100_tco ccp i2c_piix4 ipmi_si ptdma k10temp ipmi_devintf ipmi_msghandler acpi_power_meter acpi_cpufreq ext4 mbcache jbd2 sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect mlx5_core sysimgblt fb_sys_fops cec ahci libahci mlxfw drm pci_hyperv_intf libata tg3 sha256_ssse3 tls megaraid_sas i2c_algo_bit psample wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mst_pci] CPU: 44 PID: 16136 Comm: kworker/44:3 Kdump: loaded Tainted: GOE 5.15.0-20240509.el8uek.uek7_u3_update_v6.6_ipsec_bf.x86_64 #2 Hardware name: Dell Inc. PowerEdge R7525/074H08, BIOS 2.0.3 01/15/2021 Workqueue: events xfrm_state_gc_task RIP: 0010:down_read+0x75/0x94 Code: 00 48 8b 45 08 65 48 8b 14 25 80 fc 01 00 83 e0 02 48 09 d0 48 83 c8 01 48 89 45 08 5d 31 c0 89 c2 89 c6 89 c7 e9 cb 88 3b 00 <0f> 0b 48 8b 45 08 a8 01 74 b2 a8 02 75 ae 48 89 c2 48 83 ca 02 f0 RSP: 0018:ffffb26387773da8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffa08b658af900 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ff886bc5e1366f2f RDI: 0000000000000000 RBP: ffffa08b658af940 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0a9bfb31540 R13: ffffa0a9bfb37900 R14: 0000000000000000 R15: ffffa0a9bfb37905 FS: 0000000000000000(0000) GS:ffffa0a9bfb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055a45ed814e8 CR3: 000000109038a000 CR4: 0000000000350ee0 Call Trace: <TASK> ? show_trace_log_lvl+0x1d6/0x2f9 ? show_trace_log_lvl+0x1d6/0x2f9 ? mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core] ? down_read+0x75/0x94 ? __warn+0x80/0x113 ? down_read+0x75/0x94 ? report_bug+0xa4/0x11d ? handle_bug+0x35/0x8b ? exc_invalid_op+0x14/0x75 ? asm_exc_invalid_op+0x16/0x1b ? down_read+0x75/0x94 ? down_read+0xe/0x94 mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core] mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core] tx_destroy+0x1b/0xc0 [mlx5_core] tx_ft_put+0x53/0xc0 [mlx5_core] mlx5e_xfrm_free_state+0x45/0x90 [mlx5_core] ___xfrm_state_destroy+0x10f/0x1a2 xfrm_state_gc_task+0x81/0xa9 process_one_work+0x1f1/0x3c6 worker_thread+0x53/0x3e4 ? process_one_work.cold+0x46/0x3c kthread+0x127/0x144 ? set_kthread_struct+0x60/0x52 ret_from_fork+0x22/0x2d </TASK> ---[ end trace 5ef7896144d398e1 ]--- CVE-2024-45017 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: initialise extack before use Fix missing initialisation of extack in flow offload. CVE-2024-45018 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Take state lock during tx timeout reporter mlx5e_safe_reopen_channels() requires the state lock taken. The referenced changed in the Fixes tag removed the lock to fix another issue. This patch adds it back but at a later point (when calling mlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the Fixes tag. CVE-2024-45019 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a kernel verifier crash in stacksafe() Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code: if (exact != NOT_EXACT && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; The 'i' iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack the out-of-bound access will happen. To fix the issue add 'i >= cur->allocated_stack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal. CVE-2024-45020 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: memcg_write_event_control(): fix a user-triggerable oops we are *not* guaranteed that anything past the terminating NUL is mapped (let alone initialized with anything sane). CVE-2024-45021 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 The __vmap_pages_range_noflush() assumes its argument pages** contains pages with the same page shift. However, since commit e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes __GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation failed for high order, the pages** may contain two different page shifts (high order and order-0). This could lead __vmap_pages_range_noflush() to perform incorrect mappings, potentially resulting in memory corruption. Users might encounter this as follows (vmap_allow_huge = true, 2M is for PMD_SIZE): kvmalloc(2M, __GFP_NOFAIL|GFP_X) __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP) vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0 vmap_pages_range() vmap_pages_range_noflush() __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens We can remove the fallback code because if a high-order allocation fails, __vmalloc_node_range_noprof() will retry with order-0. Therefore, it is unnecessary to fallback to order-0 here. Therefore, fix this by removing the fallback code. CVE-2024-45022 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix data corruption for degraded array with slow disk read_balance() will avoid reading from slow disks as much as possible, however, if valid data only lands in slow disks, and a new normal disk is still in recovery, unrecovered data can be read: raid1_read_request read_balance raid1_should_read_first -> return false choose_best_rdev -> normal disk is not recovered, return -1 choose_bb_rdev -> missing the checking of recovery, return the normal disk -> read unrecovered data Root cause is that the checking of recovery is missing in choose_bb_rdev(). Hence add such checking to fix the problem. Also fix similar problem in choose_slow_rdev(). CVE-2024-45023 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix error recovery leading to data corruption on ESE devices Extent Space Efficient (ESE) or thin provisioned volumes need to be formatted on demand during usual IO processing. The dasd_ese_needs_format function checks for error codes that signal the non existence of a proper track format. The check for incorrect length is to imprecise since other error cases leading to transport of insufficient data also have this flag set. This might lead to data corruption in certain error cases for example during a storage server warmstart. Fix by removing the check for incorrect length and replacing by explicitly checking for invalid track format in transport mode. Also remove the check for file protected since this is not a valid ESE handling case. CVE-2024-45026 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mmc: mmc_test: Fix NULL dereference on allocation failure If the "test->highmem = alloc_pages()" allocation fails then calling __free_pages(test->highmem) will result in a NULL dereference. Also change the error code to -ENOMEM instead of returning success. CVE-2024-45028 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: Do not mark ACPI devices as irq safe On ACPI machines, the tegra i2c module encounters an issue due to a mutex being called inside a spinlock. This leads to the following bug: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 ... Call trace: __might_sleep __mutex_lock_common mutex_lock_nested acpi_subsys_runtime_resume rpm_resume tegra_i2c_xfer The problem arises because during __pm_runtime_resume(), the spinlock &dev->power.lock is acquired before rpm_resume() is called. Later, rpm_resume() invokes acpi_subsys_runtime_resume(), which relies on mutexes, triggering the error. To address this issue, devices on ACPI are now marked as not IRQ-safe, considering the dependency of acpi_subsys_runtime_resume() on mutexes. CVE-2024-45029 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: igb: cope with large MAX_SKB_FRAGS Sabrina reports that the igb driver does not cope well with large MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload corruption on TX. An easy reproducer is to run ssh to connect to the machine. With MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails. This has been reported originally in https://bugzilla.redhat.com/show_bug.cgi?id=2265320 The root cause of the issue is that the driver does not take into account properly the (possibly large) shared info size when selecting the ring layout, and will try to fit two packets inside the same 4K page even when the 1st fraglist will trump over the 2nd head. Address the issue by checking if 2K buffers are insufficient. CVE-2024-45030 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested. CVE-2024-45310 Public Cloud Image google/sles-15-sp6-v20241113-arm64:runc-1.1.14-150000.70.1 low An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libexpat1-2.4.4-150400.3.22.1 moderate An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libexpat1-2.4.4-150400.3.22.1 moderate An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libexpat1-2.4.4-150400.3.22.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the driver for SAE/OWE offload cases") SSID based PMKSA del commands. brcmfmac is not prepared and tries to dereference the NULL bssid and pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based updates so copy the SSID. CVE-2024-46672 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: aacraid: Fix double-free on probe failure aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter(). If aac_init_adapter() fails after allocating memory for aac_dev::queues, it frees the memory but does not clear that member. After the hardware-specific init function returns an error, aac_probe_one() goes down an error path that frees the memory pointed to by aac_dev::queues, resulting.in a double-free. CVE-2024-46673 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: st: fix probed platform device ref count on probe error path The probe function never performs any paltform device allocation, thus error path "undo_platform_dev_alloc" is entirely bogus. It drops the reference count from the platform device being probed. If error path is triggered, this will lead to unbalanced device reference counts and premature release of device resources, thus possible use-after-free when releasing remaining devm-managed resources. CVE-2024-46674 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Prevent USB core invalid event buffer address access This commit addresses an issue where the USB core could access an invalid event buffer address during runtime suspend, potentially causing SMMU faults and other memory issues in Exynos platforms. The problem arises from the following sequence. 1. In dwc3_gadget_suspend, there is a chance of a timeout when moving the USB core to the halt state after clearing the run/stop bit by software. 2. In dwc3_core_exit, the event buffer is cleared regardless of the USB core's status, which may lead to an SMMU faults and other memory issues. if the USB core tries to access the event buffer address. To prevent this hardware quirk on Exynos platforms, this commit ensures that the event buffer address is not cleared by software when the USB core is active during runtime suspend by checking its status before clearing the buffer address. CVE-2024-46675 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Add poll mod list filling check In case of im_protocols value is 1 and tm_protocols value is 0 this combination successfully passes the check 'if (!im_protocols && !tm_protocols)' in the nfc_start_poll(). But then after pn533_poll_create_mod_list() call in pn533_start_poll() poll mod list will remain empty and dev->poll_mod_count will remain 0 which lead to division by zero. Normally no im protocol has value 1 in the mask, so this combination is not expected by driver. But these protocol values actually come from userspace via Netlink interface (NFC_CMD_START_POLL operation). So a broken or malicious program may pass a message containing a "bad" combination of protocol parameter values so that dev->poll_mod_count is not incremented inside pn533_poll_create_mod_list(), thus leading to division by zero. Call trace looks like: nfc_genl_start_poll() nfc_start_poll() ->start_poll() pn533_start_poll() Add poll mod list filling check. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-46676 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: gtp: fix a potential NULL pointer dereference When sockfd_lookup() fails, gtp_encap_enable_socket() returns a NULL pointer, but its callers only check for error pointers thus miss the NULL pointer case. Fix it by returning an error pointer with the error code carried from sockfd_lookup(). (I found this bug during code inspection.) CVE-2024-46677 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ethtool: check device is present when getting link settings A sysfs reader can race with a device reset or removal, attempting to read device state when the device is not actually present. eg: [exception RIP: qed_get_current_link+17] #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede] #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3 #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4 #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300 #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3 #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1 #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb crash> struct net_device.state ffff9a9d21336000 state = 5, state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100). The device is not present, note lack of __LINK_STATE_PRESENT (0b10). This is the same sort of panic as observed in commit 4224cfd7fb65 ("net-sysfs: add check for netdevice being present to speed_show"). There are many other callers of __ethtool_get_link_ksettings() which don't have a device presence check. Move this check into ethtool to protect all callers. CVE-2024-46679 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: single: fix potential NULL dereference in pcs_get_function() pinmux_generic_get_function() can return NULL and the pointer 'function' was dereferenced without checking against NULL. Add checking of pointer 'function' in pcs_get_function(). Found by code review. CVE-2024-46685 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() This happens when called from SMB2_read() while using rdma and reaching the rdma_readwrite_threshold. CVE-2024-46686 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() [BUG] There is an internal report that KASAN is reporting use-after-free, with the following backtrace: BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs] Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45 CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x5e/0x2f0 print_report+0x118/0x216 kasan_report+0x11d/0x1f0 btrfs_check_read_bio+0xa68/0xb70 [btrfs] process_one_work+0xce0/0x12a0 worker_thread+0x717/0x1250 kthread+0x2e3/0x3c0 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x11/0x20 Allocated by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x7d/0x80 kmem_cache_alloc_noprof+0x16e/0x3e0 mempool_alloc_noprof+0x12e/0x310 bio_alloc_bioset+0x3f0/0x7a0 btrfs_bio_alloc+0x2e/0x50 [btrfs] submit_extent_page+0x4d1/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x4b/0x60 kmem_cache_free+0x214/0x5d0 bio_free+0xed/0x180 end_bbio_data_read+0x1cc/0x580 [btrfs] btrfs_submit_chunk+0x98d/0x1880 [btrfs] btrfs_submit_bio+0x33/0x70 [btrfs] submit_one_bio+0xd4/0x130 [btrfs] submit_extent_page+0x3ea/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [CAUSE] Although I cannot reproduce the error, the report itself is good enough to pin down the cause. The call trace is the regular endio workqueue context, but the free-by-task trace is showing that during btrfs_submit_chunk() we already hit a critical error, and is calling btrfs_bio_end_io() to error out. And the original endio function called bio_put() to free the whole bio. This means a double freeing thus causing use-after-free, e.g.: 1. Enter btrfs_submit_bio() with a read bio The read bio length is 128K, crossing two 64K stripes. 2. The first run of btrfs_submit_chunk() 2.1 Call btrfs_map_block(), which returns 64K 2.2 Call btrfs_split_bio() Now there are two bios, one referring to the first 64K, the other referring to the second 64K. 2.3 The first half is submitted. 3. The second run of btrfs_submit_chunk() 3.1 Call btrfs_map_block(), which by somehow failed Now we call btrfs_bio_end_io() to handle the error 3.2 btrfs_bio_end_io() calls the original endio function Which is end_bbio_data_read(), and it calls bio_put() for the original bio. Now the original bio is freed. 4. The submitted first 64K bio finished Now we call into btrfs_check_read_bio() and tries to advance the bio iter. But since the original bio (thus its iter) is already freed, we trigger the above use-after free. And even if the memory is not poisoned/corrupted, we will later call the original endio function, causing a double freeing. [FIX] Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(), which has the extra check on split bios and do the pr ---truncated--- CVE-2024-46687 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: cmd-db: Map shared memory as WC, not WB Linux does not write into cmd-db region. This region of memory is write protected by XPU. XPU may sometime falsely detect clean cache eviction as "write" into the write protected region leading to secure interrupt which causes an endless loop somewhere in Trust Zone. The only reason it is working right now is because Qualcomm Hypervisor maps the same region as Non-Cacheable memory in Stage 2 translation tables. The issue manifests if we want to use another hypervisor (like Xen or KVM), which does not know anything about those specific mappings. Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC removes dependency on correct mappings in Stage 2 tables. This patch fixes the issue by updating the mapping to MEMREMAP_WC. I tested this on SA8155P with Xen. CVE-2024-46689 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Move unregister out of atomic section Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping")' moved the pmic_glink client list under a spinlock, as it is accessed by the rpmsg/glink callback, which in turn is invoked from IRQ context. This means that ucsi_unregister() is now called from atomic context, which isn't feasible as it's expecting a sleepable context. An effort is under way to get GLINK to invoke its callbacks in a sleepable context, but until then lets schedule the unregistration. A side effect of this is that ucsi_unregister() can now happen after the remote processor, and thereby the communication link with it, is gone. pmic_glink_send() is amended with a check to avoid the resulting NULL pointer dereference. This does however result in the user being informed about this error by the following entry in the kernel log: ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5 CVE-2024-46691 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: scm: Mark get_wq_ctx() as atomic call Currently get_wq_ctx() is wrongly configured as a standard call. When two SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to resume the corresponding sleeping thread. But if get_wq_ctx() is interrupted, goes to sleep and another SMC call is waiting to be allocated a waitq context, it leads to a deadlock. To avoid this get_wq_ctx() must be an atomic call and can't be a standard SMC call. Hence mark get_wq_ctx() as a fast call. CVE-2024-46692 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink: Fix race during initialization As pointed out by Stephen Boyd it is possible that during initialization of the pmic_glink child drivers, the protection-domain notifiers fires, and the associated work is scheduled, before the client registration returns and as a result the local "client" pointer has been initialized. The outcome of this is a NULL pointer dereference as the "client" pointer is blindly dereferenced. Timeline provided by Stephen: CPU0 CPU1 ---- ---- ucsi->client = NULL; devm_pmic_glink_register_client() client->pdr_notify(client->priv, pg->client_state) pmic_glink_ucsi_pdr_notify() schedule_work(&ucsi->register_work) <schedule away> pmic_glink_ucsi_register() ucsi_register() pmic_glink_ucsi_read_version() pmic_glink_ucsi_read() pmic_glink_ucsi_read() pmic_glink_send(ucsi->client) <client is NULL BAD> ucsi->client = client // Too late! This code is identical across the altmode, battery manager and usci child drivers. Resolve this by splitting the allocation of the "client" object and the registration thereof into two operations. This only happens if the protection domain registry is populated at the time of registration, which by the introduction of commit '1ebcde047c54 ("soc: qcom: add pd-mapper implementation")' became much more likely. CVE-2024-46693 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid using null object of framebuffer Instead of using state->fb->obj[0] directly, get object from framebuffer by calling drm_gem_fb_get_obj() and return error code when object is null to avoid using null object of framebuffer. (cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3) CVE-2024-46694 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: selinux,smack: don't bypass permissions check in inode_setsecctx hook Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode's i_mutex before it * is executed. It also assumes that the caller will make the appropriate * permission checks. nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don't do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks do. Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label. CVE-2024-46695 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Mark XDomain as unplugged when router is removed I noticed that when we do discrete host router NVM upgrade and it gets hot-removed from the PCIe side as a result of NVM firmware authentication, if there is another host connected with enabled paths we hang in tearing them down. This is due to fact that the Thunderbolt networking driver also tries to cleanup the paths and ends up blocking in tb_disconnect_xdomain_paths() waiting for the domain lock. However, at this point we already cleaned the paths in tb_stop() so there is really no need for tb_disconnect_xdomain_paths() to do that anymore. Furthermore it already checks if the XDomain is unplugged and bails out early so take advantage of that and mark the XDomain as unplugged when we remove the parent router. CVE-2024-46702 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tty: serial: fsl_lpuart: mark last busy before uart_add_one_port With "earlycon initcall_debug=1 loglevel=8" in bootargs, kernel sometimes boot hang. It is because normal console still is not ready, but runtime suspend is called, so early console putchar will hang in waiting TRDE set in UARTSTAT. The lpuart driver has auto suspend delay set to 3000ms, but during uart_add_one_port, a child device serial ctrl will added and probed with its pm runtime enabled(see serial_ctrl.c). The runtime suspend call path is: device_add |-> bus_probe_device |->device_initial_probe |->__device_attach |-> pm_runtime_get_sync(dev->parent); |-> pm_request_idle(dev); |-> pm_runtime_put(dev->parent); So in the end, before normal console ready, the lpuart get runtime suspended. And earlycon putchar will hang. To address the issue, mark last busy just after pm_runtime_enable, three seconds is long enough to switch from bootconsole to normal console. CVE-2024-46706 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 On a system with a GICv3, if a guest hasn't been configured with GICv3 and that the host is not capable of GICv2 emulation, a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2. We therefore try to emulate the SGI access, only to hit a NULL pointer as no private interrupt is allocated (no GIC, remember?). The obvious fix is to give the guest what it deserves, in the shape of a UNDEF exception. CVE-2024-46707 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix prime with external buffers Make sure that for external buffers mapping goes through the dma_buf interface instead of trying to access pages directly. External buffers might not provide direct access to readable/writable pages so to make sure the bo's created from external dma_bufs can be read dma_buf interface has to be used. Fixes crashes in IGT's kms_prime with vgem. Regular desktop usage won't trigger this due to the fact that virtual machines will not have multiple GPUs but it enables better test coverage in IGT. CVE-2024-46709 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Prevent unmapping active read buffers The kms paths keep a persistent map active to read and compare the cursor buffer. These maps can race with each other in simple scenario where: a) buffer "a" mapped for update b) buffer "a" mapped for compare c) do the compare d) unmap "a" for compare e) update the cursor f) unmap "a" for update At step "e" the buffer has been unmapped and the read contents is bogus. Prevent unmapping of active read buffers by simply keeping a count of how many paths have currently active maps and unmap only when the count reaches 0. CVE-2024-46710 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix ID 0 endp usage after multiple re-creations 'local_addr_used' and 'add_addr_accepted' are decremented for addresses not related to the initial subflow (ID0), because the source and destination addresses of the initial subflows are known from the beginning: they don't count as "additional local address being used" or "ADD_ADDR being accepted". It is then required not to increment them when the entrypoint used by the initial subflow is removed and re-added during a connection. Without this modification, this entrypoint cannot be removed and re-added more than once. CVE-2024-46711 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip wbscl_set_scaler_filter if filter is null Callers can pass null in filter (i.e. from returned from the function wbscl_get_filter_coeffs_16p) and a null check is added to ensure that is not the case. This fixes 4 NULL_RETURNS issues reported by Coverity. CVE-2024-46714 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: driver: iio: add missing checks on iio_info's callback access Some callbacks from iio_info structure are accessed without any check, so if a driver doesn't implement them trying to access the corresponding sysfs entries produce a kernel oops such as: [ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute [...] [ 2203.783416] Call trace: [ 2203.783429] iio_read_channel_info_avail from dev_attr_show+0x18/0x48 [ 2203.789807] dev_attr_show from sysfs_kf_seq_show+0x90/0x120 [ 2203.794181] sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4 [ 2203.798555] seq_read_iter from vfs_read+0x238/0x2a0 [ 2203.802236] vfs_read from ksys_read+0xa4/0xd4 [ 2203.805385] ksys_read from ret_fast_syscall+0x0/0x54 [ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0) [ 2203.812880] dfa0: 00000003 b6f10f80 00000003 b6eab000 00020000 00000000 [ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000 [ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0 [ 2203.830363] Code: bad PC value [ 2203.832695] ---[ end trace 0000000000000000 ]--- CVE-2024-46715 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor Remove list_del call in msgdma_chan_desc_cleanup, this should be the role of msgdma_free_descriptor. In consequence replace list_add_tail with list_move_tail in msgdma_free_descriptor. This fixes the path: msgdma_free_chan_resources -> msgdma_free_descriptors -> msgdma_free_desc_list -> msgdma_free_descriptor which does not correctly free the descriptors as first nodes were not removed from the list. CVE-2024-46716 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: SHAMPO, Fix incorrect page release Under the following conditions: 1) No skb created yet 2) header_size == 0 (no SHAMPO header) 3) header_index + 1 % MLX5E_SHAMPO_WQ_HEADER_PER_PAGE == 0 (this is the last page fragment of a SHAMPO header page) a new skb is formed with a page that is NOT a SHAMPO header page (it is a regular data page). Further down in the same function (mlx5e_handle_rx_cqe_mpwrq_shampo()), a SHAMPO header page from header_index is released. This is wrong and it leads to SHAMPO header pages being released more than once. CVE-2024-46717 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Fix null pointer dereference in trace ucsi_register_altmode checks IS_ERR for the alt pointer and treats NULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled, ucsi_register_displayport returns NULL which causes a NULL pointer dereference in trace. Rather than return NULL, call typec_port_register_altmode to register DisplayPort alternate mode as a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled. CVE-2024-46719 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix dereference after null check check the pointer hive before use. CVE-2024-46720 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds. CVE-2024-46722 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds. CVE-2024-46723 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error CVE-2024-46724 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning CVE-2024-46725 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Ensure index calculation will not overflow [WHY & HOW] Make sure vmid0p72_idx, vnom0p8_idx and vmax0p9_idx calculation will never overflow and exceess array size. This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity. CVE-2024-46726 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update [Why] Coverity reports NULL_RETURN warning. [How] Add otg_master NULL check. CVE-2024-46727 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check index for aux_rd_interval before using aux_rd_interval has size of 7 and should be checked. This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity. CVE-2024-46728 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix incorrect size calculation for loop [WHY] fe_clk_en has size of 5 but sizeof(fe_clk_en) has byte size 20 which is lager than the array size. [HOW] Divide byte size 20 by its element size. This fixes 2 OVERRUN issues reported by Coverity. CVE-2024-46729 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Ensure array index tg_inst won't be -1 [WHY & HOW] tg_inst will be a negative if timing_generator_count equals 0, which should be checked before used. This fixes 2 OVERRUN issues reported by Coverity. CVE-2024-46730 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: fix the Out-of-bounds read warning using index i - 1U may beyond element index for mc_data[] when i = 0. CVE-2024-46731 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign linear_pitch_alignment even for VM [Description] Assign linear_pitch_alignment so we don't cause a divide by 0 error in VM environments CVE-2024-46732 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between direct IO write and fsync when using same fd If we have 2 threads that are using the same file descriptor and one of them is doing direct IO writes while the other is doing fsync, we have a race where we can end up either: 1) Attempt a fsync without holding the inode's lock, triggering an assertion failures when assertions are enabled; 2) Do an invalid memory access from the fsync task because the file private points to memory allocated on stack by the direct IO task and it may be used by the fsync task after the stack was destroyed. The race happens like this: 1) A user space program opens a file descriptor with O_DIRECT; 2) The program spawns 2 threads using libpthread for example; 3) One of the threads uses the file descriptor to do direct IO writes, while the other calls fsync using the same file descriptor. 4) Call task A the thread doing direct IO writes and task B the thread doing fsyncs; 5) Task A does a direct IO write, and at btrfs_direct_write() sets the file's private to an on stack allocated private with the member 'fsync_skip_inode_lock' set to true; 6) Task B enters btrfs_sync_file() and sees that there's a private structure associated to the file which has 'fsync_skip_inode_lock' set to true, so it skips locking the inode's VFS lock; 7) Task A completes the direct IO write, and resets the file's private to NULL since it had no prior private and our private was stack allocated. Then it unlocks the inode's VFS lock; 8) Task B enters btrfs_get_ordered_extents_for_logging(), then the assertion that checks the inode's VFS lock is held fails, since task B never locked it and task A has already unlocked it. The stack trace produced is the following: assertion failed: inode_is_locked(&inode->vfs_inode), in fs/btrfs/ordered-data.c:983 ------------[ cut here ]------------ kernel BUG at fs/btrfs/ordered-data.c:983! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 9 PID: 5072 Comm: worker Tainted: G U OE 6.10.5-1-default #1 openSUSE Tumbleweed 69f48d427608e1c09e60ea24c6c55e2ca1b049e8 Hardware name: Acer Predator PH315-52/Covini_CFS, BIOS V1.12 07/28/2020 RIP: 0010:btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs] Code: 50 d6 86 c0 e8 (...) RSP: 0018:ffff9e4a03dcfc78 EFLAGS: 00010246 RAX: 0000000000000054 RBX: ffff9078a9868e98 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff907dce4a7800 RDI: ffff907dce4a7800 RBP: ffff907805518800 R08: 0000000000000000 R09: ffff9e4a03dcfb38 R10: ffff9e4a03dcfb30 R11: 0000000000000003 R12: ffff907684ae7800 R13: 0000000000000001 R14: ffff90774646b600 R15: 0000000000000000 FS: 00007f04b96006c0(0000) GS:ffff907dce480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f32acbfc000 CR3: 00000001fd4fa005 CR4: 00000000003726f0 Call Trace: <TASK> ? __die_body.cold+0x14/0x24 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x6a/0x90 ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] ? exc_invalid_op+0x50/0x70 ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] ? asm_exc_invalid_op+0x1a/0x20 ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] btrfs_sync_file+0x21a/0x4d0 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] ? __seccomp_filter+0x31d/0x4f0 __x64_sys_fdatasync+0x4f/0x90 do_syscall_64+0x82/0x160 ? do_futex+0xcb/0x190 ? __x64_sys_futex+0x10e/0x1d0 ? switch_fpu_return+0x4f/0xd0 ? syscall_exit_to_user_mode+0x72/0x220 ? do_syscall_64+0x8e/0x160 ? syscall_exit_to_user_mod ---truncated--- CVE-2024-46734 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> CVE-2024-46735 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails. CVE-2024-46737 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove(). CVE-2024-46738 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel. CVE-2024-46739 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf. CVE-2024-46741 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node (from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg="func of_irq_parse_* +p"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size. CVE-2024-46743 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a "KMSAN: uninit-value in pick_link" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake. CVE-2024-46744 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts. CVE-2024-46745 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] <TASK> [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated--- CVE-2024-46746 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it CVE-2024-46747 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 [ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]--- CVE-2024-46749 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: <TASK> ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com] CVE-2024-46750 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message. CVE-2024-46751 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory). CVE-2024-46752 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error. CVE-2024-46753 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something else than NL80211_IFTYPE_UNSPECIFIED. Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid="somessid" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk="12345678" } When waiting for the AP to be established, interrupting wpa_supplicant with <ctrl-c> and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]--- CVE-2024-46755 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-46756 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-46757 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-46758 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. CVE-2024-46759 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status. CVE-2024-46760 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed. CVE-2024-46761 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it. CVE-2024-46767 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. [0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 </TASK> remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456' CVE-2024-46771 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity. CVE-2024-46772 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity. CVE-2024-46773 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. CVE-2024-46774 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity. CVE-2024-46776 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. This fixes 1 REVERSE_INULL issue reported by Coverity. CVE-2024-46778 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore "nilfs->ns_sem". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it. CVE-2024-46780 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts. CVE-2024-46781 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] __se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]--- CVE-2024-46783 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? skb_dequeue+0x5f/0x80 CVE-2024-46784 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: <IRQ> tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 </TASK> Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module. CVE-2024-46786 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: userfaultfd: fix checks for huge PMDs Patch series "userfaultfd: fix races around pmd_trans_huge() check", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ <zap PMD> pmdp_get_lockless() [reads none pmd] <bail if trans_huge> <if none:> <pagefault creates transhuge zeropage> __pte_alloc [no-op] <zap PMD> <bail if pmd_trans_huge(*dst_pmd)> BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. On kernels newer than commit 0d940a9b270b ("mm/pgtable: allow pte_offset_map[_lock]() to fail"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no "struct page" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding "struct page" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels. CVE-2024-46787 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() <interrupt> mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running. CVE-2024-46791 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ] CVE-2024-46794 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the "next" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's "next" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \ --maximize --oomable --verify --syslog \ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ▼ | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ▼ | Interrupt | (happens before "nodes[0].lock = B") | | | ▼ | spin_lock_irqsave(A) | | | ▼ | id = qnodesp->count++ | nodes[1].lock = A | | | ▼ | Tail of MCS queue | | spin_lock_irqsave(A) ▼ | Head of MCS queue ▼ | CPU0 is previous tail ▼ | Spin indefinitely ▼ (until "nodes[1].next != NULL") prev = get_tail_qnode(A, CPU0) | ▼ prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated--- CVE-2024-46797 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it. CVE-2024-46798 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility. CVE-2024-46822 Public Cloud Image google/sles-15-sp6-v20241113-arm64:kernel-default-6.4.0-150600.23.25.1 moderate Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. CVE-2024-5535 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libopenssl1_1-1.1.1w-150600.5.9.1 moderate CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured). CVE-2024-5642 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-3.6.15-150300.10.75.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-curses-3.6.15-150300.10.75.1 moderate Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-6119 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libopenssl3-3.1.4-150600.5.21.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:openssl-3-3.1.4-150600.5.21.1 moderate There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. CVE-2024-6232 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-3.6.15-150300.10.75.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-curses-3.6.15-150300.10.75.1 important A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. CVE-2024-6345 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-setuptools-44.1.1-150400.9.9.1 important There is a MEDIUM severity vulnerability affecting CPython. The email module didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. CVE-2024-6923 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-3.6.15-150300.10.75.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-curses-3.6.15-150300.10.75.1 important There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. CVE-2024-7592 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-3.6.15-150300.10.75.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-curses-3.6.15-150300.10.75.1 moderate Remote packet capture support is disabled by default in libpcap. When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex(). One of the function arguments can be a filesystem path, which normally means a directory with input data files. When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer derefence. CVE-2024-8006 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libpcap1-1.10.4-150600.3.6.2 moderate When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. CVE-2024-8096 Public Cloud Image google/sles-15-sp6-v20241113-arm64:curl-8.6.0-150600.4.12.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libcurl4-8.6.0-150600.4.12.1 moderate A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. CVE-2024-9287 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-3.6.15-150300.10.75.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:python3-curses-3.6.15-150300.10.75.1 moderate When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended. CVE-2024-9681 Public Cloud Image google/sles-15-sp6-v20241113-arm64:curl-8.6.0-150600.4.12.1 Public Cloud Image google/sles-15-sp6-v20241113-arm64:libcurl4-8.6.0-150600.4.12.1 moderate