SUSE-IU-2024:1758-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:1758-1 Interim 1 1 2025-05-18T14:48:47Z current 2024-11-11T01:00:00Z 2024-11-11T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:1758-1 / google/sles-15-sp6-chost-byos-v20241111-x86-64 This image update for google/sles-15-sp6-chost-byos-v20241111-x86-64 contains the following changes: Package bash was updated: - Add patch boo1227807.patch * Load completion file eveh if a brace expansion is in the command line included (boo#1227807) Package glibc was updated: Package grub2 was updated: - Fix OOM error in loading loopback file (bsc#1230840) * 0001-tpm-Skip-loopback-image-measurement.patch - Fix UEFI PXE boot failure on tagged VLAN network (bsc#1230263) * 0001-efinet-Skip-virtual-VLAN-devices-during-card-enumera.patch - Fix grub screen is filled with artifects from earlier post menu (bsc#1224465) * grub2-SUSE-Add-the-t-hotkey.patch * 0001-fix-grub-screen-filled-with-post-screen-artifects.patch Package kernel-default was updated: - ACPICA: executer/exsystem: Don't nag user about every Stall() violating the spec (git-fixes). - ACPICA: Implement ACPI_WARNING_ONCE and ACPI_ERROR_ONCE (stable-fixes). - commit f94e799 - cachefiles: fix dentry leak in cachefiles_open_file() (bsc#1231183). - ceph: remove the incorrect Fw reference check when dirtying pages (bsc#1231182). - commit ba82da7 - can: mcp251xfd: move mcp251xfd_timestamp_start()/stop() into mcp251xfd_chip_start/stop() (stable-fixes). - Refresh patches.suse/can-mcp251xfd-clarify-the-meaning-of-timestamp.patch. - commit 6779985 - USB: serial: pl2303: add device id for Macrosilicon MS3020 (stable-fixes). - powercap/intel_rapl: Add support for AMD family 1Ah (stable-fixes). - ASoC: amd: yc: Add a quirk for MSI Bravo 17 (D7VEK) (stable-fixes). - ASoC: tda7419: fix module autoloading (stable-fixes). - ASoC: intel: fix module autoloading (stable-fixes). - ASoC: Intel: soc-acpi-cht: Make Lenovo Yoga Tab 3 X90F DMI match less strict (stable-fixes). - ALSA: hda: add HDMI codec ID for Intel PTL (stable-fixes). - drm: komeda: Fix an issue related to normalized zpos (stable-fixes). - can: mcp251xfd: mcp251xfd_ring_init(): check TX-coalescing configuration (stable-fixes). - spi: spidev: Add missing spi_device_id for jg10309-01 (git-fixes). - spi: bcm63xx: Enable module autoloading (stable-fixes). - spi: spidev: Add an entry for elgin,jg10309-01 (stable-fixes). - hwmon: (asus-ec-sensors) remove VRM temp X570-E GAMING (stable-fixes). - wifi: iwlwifi: clear trans-&gt;state earlier upon error (stable-fixes). - wifi: mac80211: free skb on error path in ieee80211_beacon_get_ap() (stable-fixes). - wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead (stable-fixes). - wifi: iwlwifi: mvm: pause TCM when the firmware is stopped (stable-fixes). - wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room() (stable-fixes). - wifi: iwlwifi: mvm: fix iwl_mvm_scan_fits() calculation (stable-fixes). - wifi: iwlwifi: lower message level for FW buffer destination (stable-fixes). - platform/x86: x86-android-tablets: Make Lenovo Yoga Tab 3 X90F DMI match less strict (stable-fixes). - pinctrl: at91: make it work with current gpiolib (stable-fixes). - can: mcp251xfd: properly indent labels (stable-fixes). - commit a530f31 - kthread: Fix task state in kthread worker if being frozen (bsc#1231146). - commit fe88a62 - supported.conf: mark adiantum and xctr crypto modules as supported (bsc#1231035) - commit 59d03d7 - Refresh patches.suse/bpf-kprobe-remove-unused-declaring-of-bpf_kprobe_override.patch. - commit 5a0b269 - bpf: Fix use-after-free in bpf_uprobe_multi_link_attach() (git-fixes). - commit 1884922 - tracing: Avoid possible softlockup in tracing_iter_reset() (git-fixes). - commit d5df75c - tracing: Fix overflow in get_free_elt() (git-fixes CVE-2024-43890 bsc#1229764). - commit ceb524e - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry (bsc#1231120 CVE-2024-46822) - commit cc6d7b5 - mailbox: bcm2835: Fix timeout during suspend mode (git-fixes). - mailbox: rockchip: fix a typo in module autoloading (git-fixes). - i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled (git-fixes). - drm/amd/display: handle nulled pipe context in DCE110's set_drr() (git-fixes). - drm/amdgpu: Fix get each xcp macro (git-fixes). - tomoyo: fallback to realpath if symlink's pathname does not exist (git-fixes). - cxl/pci: Fix to record only non-zero ranges (git-fixes). - ata: libata-scsi: Fix ata_msense_control() CDL page reporting (git-fixes). - firmware_loader: Block path traversal (git-fixes). - driver core: Fix a potential null-ptr-deref in module_add_driver() (git-fixes). - driver core: Fix error handling in driver API device_rename() (git-fixes). - ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() (git-fixes). - iio: magnetometer: ak8975: Fix reading for ak099xx sensors (git-fixes). - iio: chemical: bme680: Fix read/write ops to device by adding mutexes (git-fixes). - ABI: testing: fix admv8818 attr description (git-fixes). - iio: adc: ad7606: fix standby gpio state to match the documentation (git-fixes). - iio: adc: ad7606: fix oversampling gpio array (git-fixes). - tty: rp2: Fix reset with non forgiving PCIe host bridges (git-fixes). - USB: class: CDC-ACM: fix race between get_serial and set_serial (git-fixes). - usb: dwc2: drd: fix clock gating on USB role switch (git-fixes). - usb: cdnsp: Fix incorrect usb_request status (git-fixes). - USB: usbtmc: prevent kernel-usb-infoleak (git-fixes). - USB: serial: kobil_sct: restore initial terminal settings (git-fixes). - xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them (git-fixes). - usb: dwc2: Skip clock gating on Broadcom SoCs (git-fixes). - spi: atmel-quadspi: Avoid overwriting delay register settings (git-fixes). - spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time (git-fixes). - spi: atmel-quadspi: Undo runtime PM changes at driver exit time (git-fixes). - rtc: at91sam9: fix OF node leak in probe() error path (git-fixes). - i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition (git-fixes). - remoteproc: k3-r5: Fix error handling when power-up failed (git-fixes). - remoteproc: imx_rproc: Initialize workqueue earlier (git-fixes). - remoteproc: imx_rproc: Correct ddr alias for i.MX8M (git-fixes). - KEYS: prevent NULL pointer dereference in find_asymmetric_key() (git-fixes). - media: i2c: ar0521: Use cansleep version of gpiod_set_value() (git-fixes). - media: ov5675: Fix power on/off delay timings (git-fixes). - media: sun4i_csi: Implement link validate for sun4i_csi subdev (git-fixes). - media: platform: rzg2l-cru: rzg2l-csi2: Add missing MODULE_DEVICE_TABLE (git-fixes). - media: venus: fix use after free bug in venus_remove due to race condition (git-fixes). - media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags (git-fixes). - clk: ti: dra7-atl: Fix leak of of_nodes (git-fixes). - watchdog: imx_sc_wdt: Don't disable WDT in suspend (git-fixes). - pinctrl: single: fix missing error code in pcs_probe() (git-fixes). - xz: cleanup CRC32 edits from 2018 (git-fixes). - ata: pata_macio: Use WARN instead of BUG (stable-fixes). - commit c5ab3ca - Move upstreamed SCSI patches into sorted section - commit aba5747 - kcm: Serialise kcm_sendmsg() for the same socket (CVE-2024-44946 bsc#1230015). - commit 4310760 - nvme-multipath: avoid hang on inaccessible namespaces (bsc#1228244). - kcm: Serialise kcm_sendmsg() for the same socket (CVE-2024-44946,bsc#1230015). - commit a84ca87 - nvme-multipath: system fails to create generic nvme device (bsc#1228244). - commit 4fc57d2 - erofs: fix incorrect symlink detection in fast symlink (git-fixes). - commit 2e1ae75 - afs: Don't cross .backup mountpoint from backup volume (git-fixes). - commit f35dae1 - afs: Revert &quot;afs: Hide silly-rename files from userspace&quot; (git-fixes). - commit 11353bb - scsi: sd: Fix off-by-one error in sd_read_block_characteristics() (bsc#1223848). - commit 621f2fb - scsi: ibmvfc: Add max_sectors module parameter (bsc#1216223). - commit af0ff0f - drm/amd/display: Check denominator crb_pipes before used (CVE-2024-46772 bsc#1230772) - commit 322be4a - blacklist.conf: CVE-2024-46727 bsc#1230707: not applicable No OTG code and all return values from resource_get_otg_master_for_stream() are checked before use. - commit f44b1e7 - arm64: dts: allwinner: h616: Add r_i2c pinctrl nodes (git-fixes). - commit 642d7e6 - arm64: dts: imx8-ss-dma: Fix adc0 closing brace location (git-fixes). - commit 970cc49 - arm64: dts: rockchip: Correct vendor prefix for Hardkernel ODROID-M1 (git-fixes). - commit 87f0ae6 - arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency (git-fixes). - commit 1582b94 - arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity (git-fixes). - commit 3b2ebbf - arm64: dts: exynos: exynos7885-jackpotlte: Correct RAM amount to 4GB (git-fixes). - commit 1059c29 - arm64: signal: Fix some under-bracketed UAPI macros (git-fixes). - commit 9704ff3 - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma (git-fixes). - commit 6052a8c - arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma (git-fixes). - commit 8b3743b - Update patches.suse/powerpc-pseries-make-max-polling-consistent-for-long.patch (bsc#1215199 jsc#PED-10954). - Update patches.suse/security-integrity-fix-pointer-to-ESL-data-and-.patch (bsc#1012628 jsc#PED-5085 jsc#PED-10954). - commit ec9be2c - arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E (git-fixes). - commit 7527015 - arm64: acpi: Move get_cpu_for_acpi_id() to a header (git-fixes). - commit 42389f0 - ipmi:ssif: Improve detecting during probing (bsc#1228771) Move patch into the sorted section. - commit 77cf6fc - Update patches.suse/ALSA-line6-Fix-racy-access-to-midibuf.patch (stable-fixes CVE-2024-44954 bsc#1230176). - Update patches.suse/ASoC-dapm-Fix-UAF-for-snd_soc_pcm_runtime-object.patch (git-fixes CVE-2024-46798 bsc#1230830). - Update patches.suse/Bluetooth-btnxpuart-Fix-Null-pointer-dereference-in-.patch (stable-fixes CVE-2024-46749 bsc#1230780). - Update patches.suse/Bluetooth-btnxpuart-Shutdown-timer-and-prevent-rearm.patch (stable-fixes CVE-2024-44962 bsc#1230213). - Update patches.suse/HID-amd_sfh-free-driver_data-after-destroying-hid-de.patch (stable-fixes CVE-2024-46746 bsc#1230751). - Update patches.suse/HID-cougar-fix-slab-out-of-bounds-Read-in-cougar_rep.patch (stable-fixes CVE-2024-46747 bsc#1230752). - Update patches.suse/Input-MT-limit-max-slots.patch (stable-fixes CVE-2024-45008 bsc#1230248). - Update patches.suse/Input-uinput-reject-requests-with-unreasonable-numbe.patch (stable-fixes CVE-2024-46745 bsc#1230748). - Update patches.suse/KVM-arm64-Make-ICC_-SGI-_EL1-undef-in-the-absence-of.patch (git-fixes CVE-2024-46707 bsc#1230582). - Update patches.suse/KVM-s390-fix-validity-interception-issue-when-gisa-is-switched-off.patch (git-fixes bsc#1229167 CVE-2024-45005 bsc#1230173). - Update patches.suse/PCI-Add-missing-bridge-lock-to-pci_bus_lock.patch (stable-fixes CVE-2024-46750 bsc#1230783). - Update patches.suse/Squashfs-sanity-check-symbolic-link-size.patch (git-fixes CVE-2024-46744 bsc#1230747). - Update patches.suse/VMCI-Fix-use-after-free-when-removing-resource-in-vm.patch (git-fixes CVE-2024-46738 bsc#1230731). - Update patches.suse/bpf-Fix-a-kernel-verifier-crash-in-stacksafe.patch (bsc#1225903 CVE-2024-45020 bsc#1230433). - Update patches.suse/btrfs-fix-race-between-direct-IO-write-and-fsync-whe.patch (git-fixes CVE-2024-46734 bsc#1230726). - Update patches.suse/can-bcm-Remove-proc-entry-when-dev-is-unregistered.patch (git-fixes CVE-2024-46771 bsc#1230766). - Update patches.suse/can-mcp251x-fix-deadlock-if-an-interrupt-occurs-duri.patch (git-fixes CVE-2024-46791 bsc#1230821). - Update patches.suse/char-xillybus-Check-USB-endpoints-when-probing-devic.patch (git-fixes CVE-2024-45011 bsc#1230440). - Update patches.suse/char-xillybus-Don-t-destroy-workqueue-from-work-item.patch (stable-fixes CVE-2024-45007 bsc#1230175). - Update patches.suse/dmaengine-altera-msgdma-properly-free-descriptor-in-.patch (stable-fixes CVE-2024-46716 bsc#1230715). - Update patches.suse/driver-core-Fix-uevent_show-vs-driver-detach-race.patch (git-fixes CVE-2024-44952 bsc#1230178). - Update patches.suse/driver-iio-add-missing-checks-on-iio_info-s-callback.patch (stable-fixes CVE-2024-46715 bsc#1230700). - Update patches.suse/drm-amd-display-Assign-linear_pitch_alignment-even-f.patch (stable-fixes CVE-2024-46732 bsc#1230711). - Update patches.suse/drm-amd-display-Check-UnboundedRequestEnabled-s-valu.patch (stable-fixes CVE-2024-46778 bsc#1230776). - Update patches.suse/drm-amd-display-Check-denominator-pbn_div-before-use.patch (stable-fixes CVE-2024-46773 bsc#1230791). - Update patches.suse/drm-amd-display-Check-index-for-aux_rd_interval-befo.patch (stable-fixes CVE-2024-46728 bsc#1230703). - Update patches.suse/drm-amd-display-Ensure-array-index-tg_inst-won-t-be-.patch (stable-fixes CVE-2024-46730 bsc#1230701). - Update patches.suse/drm-amd-display-Ensure-index-calculation-will-not-ov.patch (stable-fixes CVE-2024-46726 bsc#1230706). - Update patches.suse/drm-amd-display-Run-DC_LOG_DC-after-checking-link-li.patch (stable-fixes CVE-2024-46776 bsc#1230775). - Update patches.suse/drm-amd-display-Skip-wbscl_set_scaler_filter-if-filt.patch (stable-fixes CVE-2024-46714 bsc#1230699). - Update patches.suse/drm-amd-display-avoid-using-null-object-of-framebuff.patch (git-fixes CVE-2024-46694 bsc#1230511). - Update patches.suse/drm-amd-pm-fix-the-Out-of-bounds-read-warning.patch (stable-fixes CVE-2024-46731 bsc#1230709). - Update patches.suse/drm-amdgpu-Fix-out-of-bounds-read-of-df_v1_7_channel.patch (stable-fixes CVE-2024-46724 bsc#1230725). - Update patches.suse/drm-amdgpu-Fix-out-of-bounds-write-warning.patch (stable-fixes CVE-2024-46725 bsc#1230705). - Update patches.suse/drm-amdgpu-Forward-soft-recovery-errors-to-userspace.patch (stable-fixes CVE-2024-44961 bsc#1230207). - Update patches.suse/drm-amdgpu-Validate-TA-binary-size.patch (stable-fixes CVE-2024-44977 bsc#1230217). - Update patches.suse/drm-amdgpu-fix-dereference-after-null-check.patch (stable-fixes CVE-2024-46720 bsc#1230724). - Update patches.suse/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch (stable-fixes CVE-2024-46722 bsc#1230712). - Update patches.suse/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch (stable-fixes CVE-2024-46723 bsc#1230702). - Update patches.suse/drm-mgag200-Bind-I2C-lifetime-to-DRM-device.patch (git-fixes CVE-2024-44967 bsc#1230224). - Update patches.suse/drm-msm-dpu-cleanup-FB-if-dpu_format_populate_layout.patch (git-fixes CVE-2024-44982 bsc#1230204). - Update patches.suse/drm-msm-dpu-move-dpu_encoder-s-connector-assignment-.patch (git-fixes CVE-2024-45015 bsc#1230444). - Update patches.suse/drm-vmwgfx-Fix-prime-with-external-buffers.patch (git-fixes CVE-2024-46709 bsc#1230539). - Update patches.suse/fs-netfs-fscache_cookie-add-missing-n_accesses-check.patch (bsc#1229455 CVE-2024-45000 bsc#1230170). - Update patches.suse/fscache-delete-fscache_cookie_lru_timer-when-fscache-.patch (bsc#1230602 CVE-2024-46786 bsc#1230813). - Update patches.suse/fuse-Initialize-beyond-EOF-page-contents-before-setti.patch (bsc#1229456 CVE-2024-44947). - Update patches.suse/hwmon-adc128d818-Fix-underflows-seen-when-writing-li.patch (stable-fixes CVE-2024-46759 bsc#1230814). - Update patches.suse/hwmon-lm95234-Fix-underflows-seen-when-writing-limit.patch (stable-fixes CVE-2024-46758 bsc#1230812). - Update patches.suse/hwmon-nct6775-core-Fix-underflows-seen-when-writing-.patch (stable-fixes CVE-2024-46757 bsc#1230809). - Update patches.suse/hwmon-w83627ehf-Fix-underflows-seen-when-writing-lim.patch (stable-fixes CVE-2024-46756 bsc#1230806). - Update patches.suse/media-dvb-usb-v2-af9035-Fix-null-ptr-deref-in-af9035.patch (git-fixes CVE-2023-52915 bsc#1230270). - Update patches.suse/misc-fastrpc-Fix-double-free-of-buf-in-error-path.patch (git-fixes CVE-2024-46741 bsc#1230749). - Update patches.suse/mmc-mmc_test-Fix-NULL-dereference-on-allocation-fail.patch (git-fixes CVE-2024-45028 bsc#1230450). - Update patches.suse/msft-hv-3046-uio_hv_generic-Fix-kernel-NULL-pointer-dereference-i.patch (git-fixes CVE-2024-46739 bsc#1230732). - Update patches.suse/msft-hv-3048-net-mana-Fix-error-handling-in-mana_create_txq-rxq-s.patch (git-fixes CVE-2024-46784 bsc#1230771). - Update patches.suse/net-ethernet-mtk_wed-fix-use-after-free-panic-in-mtk.patch (git-fixes CVE-2024-44997 bsc#1230232). - Update patches.suse/net-mana-Fix-RX-buf-alloc_size-alignment-and-atomic-.patch (bsc#1229086 CVE-2024-45001 bsc#1230244). - Update patches.suse/net-phy-Fix-missing-of_node_put-for-leds.patch (git-fixes CVE-2024-46767 bsc#1230787). - Update patches.suse/nfc-pn533-Add-poll-mod-list-filling-check.patch (git-fixes CVE-2024-46676 bsc#1230535). - Update patches.suse/nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch (git-fixes CVE-2024-46781 bsc#1230768). - Update patches.suse/nilfs2-protect-references-to-superblock-parameters-exposed-in-sysfs.patch (git-fixes CVE-2024-46780 bsc#1230808). - Update patches.suse/nouveau-firmware-use-dma-non-coherent-allocator.patch (git-fixes CVE-2024-45012 bsc#1230441). - Update patches.suse/nvmet-tcp-fix-kernel-crash-if-commands-allocation-fa.patch (git-fixes CVE-2024-46737 bsc#1230730). - Update patches.suse/pci-hotplug-pnv_php-Fix-hotplug-driver-crash-on-Powe.patch (stable-fixes CVE-2024-46761 bsc#1230761). - Update patches.suse/perf-Fix-event-leak-upon-exit.patch (git-fixes CVE-2024-43870 bsc#1229494). - Update patches.suse/pinctrl-single-fix-potential-NULL-dereference-in-pcs.patch (git-fixes CVE-2024-46685 bsc#1230515). - Update patches.suse/powerpc-qspinlock-Fix-deadlock-in-MCS-queue.patch (bac#1230295 ltc#206656 CVE-2024-46797 bsc#1230831). - Update patches.suse/powerpc-rtas-Prevent-Spectre-v1-gadget-construction-.patch (bsc#1227487 CVE-2024-46774 bsc#1230767). - Update patches.suse/s390-dasd-fix-error-recovery-leading-to-data-corruption-on-ESE-devices.patch (git-fixes bsc#1229452 CVE-2024-45026 bsc#1230454). - Update patches.suse/s390-sclp-Prevent-release-of-buffer-in-I-O.patch (git-fixes bsc#1229169 CVE-2024-44969 bsc#1230200). - Update patches.suse/soc-qcom-cmd-db-Map-shared-memory-as-WC-not-WB.patch (git-fixes CVE-2024-46689 bsc#1230524). - Update patches.suse/thunderbolt-Mark-XDomain-as-unplugged-when-router-is.patch (stable-fixes CVE-2024-46702 bsc#1230589). - Update patches.suse/tty-serial-fsl_lpuart-mark-last-busy-before-uart_add.patch (git-fixes CVE-2024-46706 bsc#1230580). - Update patches.suse/usb-dwc3-core-Prevent-USB-core-invalid-event-buffer-.patch (stable-fixes CVE-2024-46675 bsc#1230533). - Update patches.suse/usb-dwc3-st-fix-probed-platform-device-ref-count-on-.patch (git-fixes CVE-2024-46674 bsc#1230507). - Update patches.suse/usb-gadget-core-Check-for-unset-descriptor.patch (git-fixes CVE-2024-44960 bsc#1230191). - Update patches.suse/usb-typec-ucsi-Fix-null-pointer-dereference-in-trace.patch (stable-fixes CVE-2024-46719 bsc#1230722). - Update patches.suse/wifi-brcmfmac-cfg80211-Handle-SSID-based-pmksa-delet.patch (git-fixes CVE-2024-46672 bsc#1230459). - Update patches.suse/wifi-mwifiex-Do-not-return-unused-priv-in-mwifiex_ge.patch (stable-fixes CVE-2024-46755 bsc#1230802). - Update patches.suse/wifi-rtw88-usb-schedule-rx-work-after-everything-is-.patch (stable-fixes CVE-2024-46760 bsc#1230753). - Update patches.suse/x86-mm-Fix-pti_clone_pgtable-alignment-assumption.patch (git-fixes CVE-2024-44965 bsc#1230221). - Update patches.suse/x86-mtrr-Check-if-fixed-MTRRs-exist-before-saving-them.patch (git-fixes CVE-2024-44948 bsc#1230174). - Update patches.suse/xhci-Fix-Panther-point-NULL-pointer-deref-at-full-sp.patch (git-fixes CVE-2024-45006 bsc#1230247). - commit 6da06c4 - Update patches.suse/gfs2-Fix-NULL-pointer-dereference-in-gfs2_log_flush.patch (bsc#1230948) - commit 90a5b1b - userfaultfd: fix checks for huge PMDs (CVE-2024-46787 bsc#1230815). - commit a236c90 - cachefiles: Fix non-taking of sb_writers around set/removexattr (bsc#1231008). - commit 1b01b3e - RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds (git-fixes) - commit a6683f0 - PCI: dwc: Expose dw_pcie_ep_exit() to module (git-fixes). - Refresh patches.suse/PCI-dwc-endpoint-Introduce-.pre_init-and-.deinit.patch. - commit 34c9950 - PCI: xilinx-nwl: Clean up clock on probe failure/removal (git-fixes). - PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler (git-fixes). - PCI: qcom-ep: Enable controller resources like PHY only after refclk is available (git-fixes). - PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() (git-fixes). - PCI: keystone: Fix if-statement expression in ks_pcie_quirk() (git-fixes). - PCI: imx6: Fix missing call to phy_power_off() in error handling (git-fixes). - PCI: dra7xx: Fix error handling when IRQ request fails in probe (git-fixes). - PCI: dra7xx: Fix threaded IRQ request for &quot;dra7xx-pcie-main&quot; IRQ (git-fixes). - PCI: Wait for Link before restoring Downstream Buses (git-fixes). - commit 1528eee - WIP DO NOT PUSH btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() (CVE-2024-46687 bsc#1230518) - commit 17b4a47 - exfat: fix memory leak in exfat_load_bitmap() (git-fixes). - commit 9f477b0 - net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804 bsc#1222629). - commit 0ca3b23 - Input: ps2-gpio - use IRQF_NO_AUTOEN flag in request_irq() (git-fixes). - commit 45cee3b - blacklist.conf: too risky - commit f0e13c3 - Input: ilitek_ts_i2c - avoid wrong input subsystem sync (git-fixes). - commit e5e587b - Input: tsc2004/5 - fix reset handling on probe (git-fixes). - commit 1366de4 - Input: tsc2004/5 - do not hard code interrupt trigger (git-fixes). - commit 110dbdb - Input: tsc2004/5 - use device core to create driver-specific device attributes (git-fixes). - commit 958966c - Input: adp5588-keys - fix check on return code (git-fixes). - commit d15133c - drm/amd/display: Fix incorrect size calculation for loop (bsc#1230704 CVE-2024-46729) - commit 55d78a7 - RDMA/hns: Fix ah error counter in sw stat not increasing (git-fixes) - commit d7bebcf - RDMA/mlx5: Fix MR cache temp entries cleanup (git-fixes) - commit b0aa848 - RDMA/mlx5: Drop redundant work canceling from clean_keys() (git-fixes) - commit 6800d7e - RDMA/irdma: fix error message in irdma_modify_qp_roce() (git-fixes) - commit dcf63e1 - RDMA/cxgb4: Added NULL check for lookup_atid (git-fixes) - commit 23d3195 - RDMA/mlx5: Obtain upper net device only when needed (git-fixes) - commit ca2d8dc - RDMA/hns: Fix restricted __le16 degrades to integer issue (git-fixes) - commit 4481358 - RDMA/hns: Optimize hem allocation performance (git-fixes) - commit 7afe440 - RDMA/hns: Fix 1bit-ECC recovery address in non-4K OS (git-fixes) - commit 25e36c2 - RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler (git-fixes) - commit a18704a - RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled (git-fixes) - commit 7b15e64 - RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range() (git-fixes) - commit 60eb35c - RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 (git-fixes) - commit 3ab1ca2 - RDMA/hns: Don't modify rq next block addr in HIP09 QPC (git-fixes) - commit 7100eb8 - RDMA/mlx5: Limit usage of over-sized mkeys from the MR cache (git-fixes) - commit 914ed66 - RDMA/mlx5: Fix counter update on MR cache mkey creation (git-fixes) - commit 60e75bb - RDMA/erdma: Return QP state in erdma_query_qp (git-fixes) - commit 09a59c3 - IB/core: Fix ib_cache_setup_one error flow cleanup (git-fixes) - commit 38bf526 - RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from peer (git-fixes) - commit c4f28a8 - RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency (git-fixes) - commit 0456b72 - RDMA/core: Remove unused declaration rdma_resolve_ip_route() (git-fixes) - commit 4cb7201 - blacklist.conf: add one for clang and one PCI git-fixes - commit b26aea4 - Revert &quot;PCI: Extend ACS configurability (bsc#1228090).&quot; (bsc#1229019) This reverts commit 571e4310e81312c847a5caee7e45e66aeea2a169. It breaks ACS on certain platforms. Even 6.11 is affected. So drop for now and investigate. - commit 3b92a44 - blacklist.conf: CVE-2024-44972 bsc#1230212: not applicable Subpage code exists but zoned mode is not enabled being hidden behind CONFIG_BTRFS_DEBUG. - commit ed17920 - btrfs: handle errors from btrfs_dec_ref() properly (CVE-2024-46753 bsc#1230796) - commit 3e3b2cb - blacklist.conf: kABI - commit 05421bb - media: vicodec: allow en/decoder cmd w/o CAPTURE (git-fixes). - commit 62ef4d1 - media: qcom: camss: Remove use_count guard in stop_streaming (git-fixes). - commit ef85228 - Revert &quot;media: tuners: fix error return code of hybrid_tuner_request_state()&quot; (git-fixes). - drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error (git-fixes). - drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error (git-fixes). - commit 48dc3a9 - net: bridge: xmit: make sure we have at least eth header len bytes (CVE-2024-38538 bsc#1226606). - commit 2548071 - PKCS#7: Check codeSigning EKU of certificates in PKCS#7 (bsc#1226666). - commit dbae63e - xen/swiotlb: fix allocated size (git-fixes). - commit 199871d - xen/swiotlb: add alignment check for dma buffers (bsc#1229928). - commit 0ffbc04 - xen: tolerate ACPI NVS memory overlapping with Xen allocated memory (bsc#1226003). - commit 3dc14d8 - xen: allow mapping ACPI data using a different physical address (bsc#1226003). - commit 0928eec - x86/tdx: Fix data leak in mmio_read() (CVE-2024-46794 bsc#1230825) - commit 9a2a1c2 - tcp_bpf: fix return value of tcp_bpf_sendmsg() (CVE-2024-46783 bsc#1230810) - commit eb9d143 - nvme: fix namespace removal list (git-fixes). - commit b45d192 - ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() (CVE-2024-46735 bsc#1230727) - commit 23e039f - Update references for patches.suse/nvmet-tcp-fix-kernel-crash-if-commands-allocation-fa.patch (CVE-2024-46737 bsc#1230730) - commit 8ce7f58 - xen: add capability to remap non-RAM pages to different PFNs (bsc#1226003). - commit 47109fd - net/mlx5e: SHAMPO, Fix incorrect page release (CVE-2024-46717 bsc#1230719) - commit d6a30a9 - xen: move max_pfn in xen_memory_setup() out of function scope (bsc#1226003). - commit 2750357 - xen: move checks for e820 conflicts further up (bsc#1226003). - commit 191a602 - xen: introduce generic helper checking for memory map conflicts (bsc#1226003). - commit eb57cec - xen: use correct end address of kernel for conflict checking (bsc#1226003). - commit c40fc6b - scsi: lpfc: Copyright updates for 14.4.0.4 patches (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Update lpfc version to 14.4.0.4 (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Update PRLO handling in direct attached topology (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Fix unintentional double clearing of vmid_flag (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Remove redundant vport assignment when building an abort request (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Change diagnostic log flag during receipt of unknown ELS cmds (bsc#1229429 jsc#PED-9899). - scsi: lpfc: Fix overflow build issue (bsc#1229429 jsc#PED-9899). - commit 18ec475 - drm/vmwgfx: Prevent unmapping active read buffers (bsc#1230540 CVE-2024-46710) - commit 84f019d - nvme-tcp: fix link failure for TCP auth (git-fixes). - nvmet: Identify-Active Namespace ID List command should reject invalid nsid (git-fixes). - nvme-pci: Add sleep quirk for Samsung 990 Evo (git-fixes). - nvme-pci: allocate tagset on reset if necessary (git-fixes). - nvmet-tcp: fix kernel crash if commands allocation fails (git-fixes). - nvme/pci: Add APST quirk for Lenovo N60z laptop (git-fixes). - nvme: use srcu for iterating namespace list (git-fixes). Refresh: - patches.suse/nvme-tcp-sanitize-tls-key-handling.patch - nvmet-rdma: fix possible bad dereference when freeing rsps (git-fixes). - nvmet-tcp: do not continue for invalid icreq (git-fixes). - nvme: clear caller pointer on identify failure (git-fixes). - nvmet-trace: avoid dereferencing pointer too early (git-fixes). - commit 7382ad4 - Update patches.suse/KVM-arm64-vgic-v2-Check-for-non-NULL-vCPU-in-vgic_v2.patch (git-fixes CVE-2024-36953 bsc#1225812). - Update patches.suse/vfio-pci-fix-potential-memory-leak-in-vfio_intx_enab.patch (git-fixes CVE-2024-38632 bsc#1226860). Add CVE references. - commit c9c3b6f - nilfs2: fix potential oob read in nilfs_btree_check_delete() (git-fixes). - commit cc0f59d - nilfs2: determine empty node blocks as corrupted (git-fixes). - commit 3244e52 - nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() (git-fixes). - commit 90f4e49 - media: mtk-vcodec: potential null pointer deference in SCP (CVE-2024-40973 bsc#1227890) - commit ce5074d - btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() (bsc#1230786 CVE-2024-46751). - btrfs: reduce nesting for extent processing at btrfs_lookup_extent_info() (bsc#1230794 CVE-2024-46752). - btrfs: remove superfluous metadata check at btrfs_lookup_extent_info() (bsc#1230794 CVE-2024-46752). - btrfs: replace BUG_ON() with error handling at update_ref_for_cow() (bsc#1230794 CVE-2024-46752). - btrfs: simplify setting the full backref flag at update_ref_for_cow() (bsc#1230794 CVE-2024-46752). - btrfs: remove NULL transaction support for btrfs_lookup_extent_info() (bsc#1230794 CVE-2024-46752). - btrfs: remove level argument from btrfs_set_block_flags (bsc#1230794 CVE-2024-46752). - commit a1c1176 - btrfs: send: allow cloning non-aligned extent if it ends at i_size (bsc#1230854). - commit e9cad4b - blacklist.conf: kABI - commit 5244a06 - ocfs2: cancel dqi_sync_work before freeing oinfo (git-fixes). - commit 1f37ac4 - ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate (git-fixes). - commit b7bf7eb - ocfs2: remove unreasonable unlock in ocfs2_read_blocks (git-fixes). - commit e2cb129 - ocfs2: fix null-ptr-deref when journal load failed (git-fixes). - commit b463b02 - jfs: fix out-of-bounds in dbNextAG() and diAlloc() (git-fixes). - commit d948d87 - of/irq: Prevent device address out-of-bounds read in interrupt map walk (CVE-2024-46743 bsc#1230756). - commit 300f40a - i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes). - i2c: isch: Add missed 'else' (git-fixes). - i2c: xiic: Wait for TX empty to avoid missed TX NAKs (git-fixes). - i2c: aspeed: Update the stop sw state when the bus recovery occurs (git-fixes). - resource: fix region_intersects() vs add_memory_driver_managed() (git-fixes). - drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() (git-fixes). - drm/msm: fix %s null argument error (git-fixes). - drm/msm/dsi: correct programming sequence for SM8350 / SM8450 (git-fixes). - drm/msm/a5xx: workaround early ring-buffer emptiness check (git-fixes). - drm/msm/a5xx: fix races in preemption evaluation stage (git-fixes). - drm/msm/a5xx: properly clear preemption records on resume (git-fixes). - drm/msm/a5xx: disable preemption in submits by default (git-fixes). - drm/msm: Fix incorrect file name output in adreno_request_fw() (git-fixes). - drm/mediatek: ovl_adaptor: Add missing of_node_put() (git-fixes). - drm: omapdrm: Add missing check for alloc_ordered_workqueue (git-fixes). - drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets (git-fixes). - drm/amd/amdgpu: Properly tune the size of struct (git-fixes). - drm/radeon: properly handle vbios fake edid sizing (git-fixes). - drm/amdgpu: properly handle vbios fake edid sizing (git-fixes). - drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func (git-fixes). - drm/amdgpu: fix a possible null pointer dereference (git-fixes). - drm/radeon: fix null pointer dereference in radeon_add_common_modes (git-fixes). - drm/vc4: hdmi: Handle error case of pm_runtime_resume_and_get (git-fixes). - drm/bridge: lontium-lt8912b: Validate mode in drm_bridge_funcs::mode_valid() (git-fixes). - drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode (git-fixes). - drm/rockchip: vop: Allow 4096px width scaling (git-fixes). - drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 (git-fixes). - drm/rockchip: vop: clear DMA stop bit on RK3066 (git-fixes). - drm/stm: ltdc: check memory returned by devm_kzalloc() (git-fixes). - drm/stm: Fix an error handling path in stm_drm_platform_probe() (git-fixes). - ata: libata: Clear DID_TIME_OUT for ATA PT commands with sense data (git-fixes). - HID: wacom: Do not warn about dropped packets for first packet (git-fixes). - HID: wacom: Support sequence numbers smaller than 16-bit (git-fixes). - tpm: Clean up TPM space after command failure (git-fixes). - ipmi: docs: don't advertise deprecated sysfs entries (git-fixes). - commit b4e4911 - smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() (CVE-2024-46686 bsc#1230517) - commit a155846 - firmware: qcom: scm: Mark get_wq_ctx() as atomic call (CVE-2024-46692 bsc#1230520) - commit ee65da0 - scsi: aacraid: Fix double-free on probe failure (CVE-2024-46673 bsc#1230506) - commit 49aab2b - gtp: fix a potential NULL pointer dereference (CVE-2024-46677 bsc#1230549) - commit 9cdd14b - blacklist.conf: CVE-2024-46711 bsc#1230542: code partially present, fix part of refactoring and fix series The patch to backport is one in a number of about 30 patches refactoring and reworking MPTCP subflow handling. Several other patches are needed just to apply it cleanly but also change some of the logic where the actual fix would apply. - commit 1a03613 - ethtool: check device is present when getting link settings (CVE-2024-46679 bsc#1230556) - commit 68643d1 - md/raid5: avoid BUG_ON() while continue reshape after reassembling (bsc#1229790, CVE-2024-43914). - commit bfb799a - xfs: restrict when we try to align cow fork delalloc to cowextsz hints (git-fixes). - commit 96ac1b7 - clk: Provide !COMMON_CLK dummy for devm_clk_rate_exclusive_get() (bsc#1227885). - commit bf3362b - Replace git-fixes tag by bsc#1226507, patches.suse/md-Don-t-wait-for-MD_RECOVERY_NEEDED-for-HOT_REMOVE_DISK-ioctl-a1fd.patch (bsc#1226507). - commit b04e0cb - closures: Change BUG_ON() to WARN_ON() (bsc#1229004, CVE-2024-42252). - commit 84b7984 - clk: Add a devm variant of clk_rate_exclusive_get() (bsc#1227885). - commit b6fb747 - r8152: add vendor/device ID pair for D-Link DUB-E250 (git-fixes). - Refresh patches.suse/r8152-add-vendor-device-ID-pair-for-ASUS-USB-C2500.patch. - commit 0c077ab - usbnet: ipheth: fix carrier detection in modes 1 and 4 (git-fixes). - commit 591cebb - usbnet: ipheth: do not stop RX on failing RX callback (git-fixes). - commit c58c483 - usbnet: ipheth: drop RX URBs with no payload (git-fixes). - commit 73a78e2 - KVM: arm64: Disallow copying MTE to guest memory while KVM is dirty logging (git-fixes). - commit 3cf4c02 - usbnet: ipheth: remove extraneous rx URB length check (git-fixes). - commit 507443a - usbnet: ipheth: add CDC NCM support (git-fixes). - commit 1bf1d1e - KVM: arm64: Release pfn, i.e. put page, if copying MTE tags hits ZONE_DEVICE (git-fixes). - commit 64bccd6 - usbnet: ipheth: transmit URBs without trailing padding (git-fixes). - usbnet: ipheth: fix risk of NULL pointer deallocation (git-fixes). - commit d804072 - KVM: arm64: Invalidate EL1&amp;0 TLB entries for all VMIDs in nvhe hyp init (git-fixes). - commit 30df9d2 - drm/amd/display: Solve mst monitors blank out problem after resume (git-fixes). - commit cd94b30 - virtio-net: synchronize probe with ndo_set_features (git-fixes). - commit 1a471dd - fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() (git-fixes). - hwmon: (ntc_thermistor) fix module autoloading (git-fixes). - hwmon: (max16065) Fix overflows seen when writing limits (git-fixes). - mtd: powernv: Add check devm_kasprintf() returned value (git-fixes). - mtd: slram: insert break after errors in parsing the map (git-fixes). - power: supply: hwmon: Fix missing temp1_max_alarm attribute (git-fixes). - power: supply: Drop use_cnt check from power_supply_property_is_writeable() (git-fixes). - power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense (git-fixes). - power: supply: axp20x_battery: Remove design from min and max voltage (git-fixes). - pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID (stable-fixes). - drm/amdgpu/atomfirmware: Silence UBSAN warning (stable-fixes). - drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct() (git-fixes). - Input: synaptics - enable SMBus for HP Elitebook 840 G2 (stable-fixes). - Input: ads7846 - ratelimit the spi_sync error message (stable-fixes). - drm/msm/adreno: Fix error return if missing firmware-name (stable-fixes). - scripts: kconfig: merge_config: config files: add a trailing newline (stable-fixes). - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 (stable-fixes). - platform/surface: aggregator_registry: Add Support for Surface Pro 10 (stable-fixes). - HID: multitouch: Add support for GT7868Q (stable-fixes). - drm/mediatek: Set sensible cursor width/height values to fix crash (stable-fixes). - drm: panel-orientation-quirks: Add quirk for Ayn Loki Max (stable-fixes). - drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero (stable-fixes). - wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change (stable-fixes). - net: phy: vitesse: repair vsc73xx autonegotiation (stable-fixes). - cxl/core: Fix incorrect vendor debug UUID define (git-fixes). - drm/amd/display: Fix FEC_READY write on DP LT (stable-fixes). - drm/amd/display: Defer handling mst up request in resume (stable-fixes). - drm/amd/display: Disable error correction if it's not supported (stable-fixes). - commit 040b0ea - i2c: lpi2c: Avoid calling clk_get_rate during transfer (bsc#1227885 CVE-2024-40965). - commit abb755c - x86/mm/ident_map: Use gbpages only where full GB page should be mapped (bsc#1220382). - x86/kexec: Add EFI config table identity mapping for kexec kernel (bsc#1220382). - commit 26eab5b - Move upstreamed nvme patches into sorted section - commit 1e42d2f - spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ (git-fixes). - commit 1cec71a - ASoC: meson: Remove unused declartion in header file (git-fixes). - ASoC: soc-ac97: Fix the incorrect description (git-fixes). - ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error (git-fixes). - ASoC: tas2781-i2c: Get the right GPIO line (git-fixes). - ASoC: cs42l42: Convert comma to semicolon (git-fixes). - ASoC: rt5682s: Return devm_of_clk_add_hw_provider to transfer the error (git-fixes). - ALSA: hda: cs35l41: fix module autoloading (git-fixes). - selftests: lib: remove strscpy test (git-fixes). - scripts: sphinx-pre-install: remove unnecessary double check for $cur_version (git-fixes). - Documentation: ioctl: document 0x07 ioctl code (git-fixes). - module: Fix KCOV-ignored file name (git-fixes). - reset: k210: fix OF node leak in probe() error path (git-fixes). - reset: berlin: fix OF node leak in probe() error path (git-fixes). - bus: integrator-lm: fix OF node leak in probe() (git-fixes). - soc: fsl: cpm1: tsa: Fix tsa_write8() (git-fixes). - firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() (git-fixes). - firmware: arm_scmi: Fix double free in OPTEE transport (git-fixes). - soc: versatile: integrator: fix OF node leak in probe() error path (git-fixes). - memory: mtk-smi: Use devm_clk_get_enabled() (git-fixes). - memory: tegra186-emc: drop unused to_tegra186_emc() (git-fixes). - spi: bcm63xx: Fix module autoloading (git-fixes). - spi: rpc-if: Add missing MODULE_DEVICE_TABLE (git-fixes). - spi: meson-spicc: convert comma to semicolon (git-fixes). - spi: ppc4xx: handle irq_of_parse_and_map() errors (git-fixes). - regulator: core: Fix regulator_is_supported_voltage() kerneldoc return value (git-fixes). - regulator: core: Fix short description for _regulator_check_status_enabled() (git-fixes). - regulator: Return actual error in of_regulator_bulk_get_all() (git-fixes). - regulator: rt5120: Convert comma to semicolon (git-fixes). - regulator: wm831x-isink: Convert comma to semicolon (git-fixes). - clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() (git-fixes). - commit 994b020 - cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately (git-fixes). - ACPI: CPPC: Fix MASK_VAL() usage (git-fixes). - ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() (git-fixes). - ACPI: sysfs: validate return type of _STR method (git-fixes). - crypto: ccp - do not request interrupt on cmd completion when irqs disabled (git-fixes). - hwrng: mtk - Use devm_pm_runtime_enable (git-fixes). - crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure (git-fixes). - hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume (git-fixes). - hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init (git-fixes). - crypto: iaa - Fix potential use after free bug (git-fixes). - crypto: xor - fix template benchmarking (git-fixes). - can: m_can: m_can_close(): stop clocks after device has been shut down (git-fixes). - can: m_can: enable NAPI before enabling interrupts (git-fixes). - can: bcm: Clear bo-&gt;bcm_proc_read after remove_proc_entry() (git-fixes). - Bluetooth: btusb: Fix not handling ZPL/short-transfer (git-fixes). - Bluetooth: hci_sync: Ignore errors from HCI_OP_REMOTE_NAME_REQ_CANCEL (git-fixes). - Bluetooth: hci_core: Fix sending MGMT_EV_CONNECT_FAILED (git-fixes). - wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc (git-fixes). - wifi: mt76: mt7615: check devm_kasprintf() returned value (git-fixes). - wifi: mt76: mt7921: Check devm_kasprintf() returned value (git-fixes). - wifi: mt76: mt7915: check devm_kasprintf() returned value (git-fixes). - wifi: mt76: mt7996: fix uninitialized TLV data (git-fixes). - wifi: mt76: mt7915: fix rx filter setting for bfee functionality (git-fixes). - wifi: mt76: mt7603: fix mixed declarations and code (git-fixes). - wifi: mt76: connac: fix checksum offload fields of connac3 RXD (git-fixes). - wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he (git-fixes). - wifi: mt76: mt7996: fix EHT beamforming capability check (git-fixes). - wifi: mt76: mt7996: fix HE and EHT beamforming capabilities (git-fixes). - wifi: mt76: mt7996: fix wmm set of station interface to 3 (git-fixes). - wifi: mt76: mt7996: fix traffic delay when switching back to working channel (git-fixes). - wifi: mt76: mt7996: use hweight16 to get correct tx antenna (git-fixes). - wifi: mt76: mt7921: fix wrong UNII-4 freq range check for the channel usage (git-fixes). - wifi: mt76: mt7915: fix oops on non-dbdc mt7986 (git-fixes). - wifi: rtw88: remove CPT execution branch never used (git-fixes). - wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param (git-fixes). - wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() (git-fixes). - wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors (git-fixes). - wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() (git-fixes). - wifi: mac80211: fix the comeback long retry times (git-fixes). - wifi: cfg80211: fix bug of mapping AF3x to incorrect User Priority (git-fixes). - wifi: iwlwifi: mvm: increase the time between ranging measurements (git-fixes). - wifi: mac80211: don't use rate mask for offchannel TX either (git-fixes). - wifi: ath12k: fix invalid AMPDU factor calculation in ath12k_peer_assoc_h_he() (git-fixes). - wifi: ath12k: match WMI BSS chan info structure with firmware definition (git-fixes). - wifi: ath12k: fix BSS chan info request WMI command (git-fixes). - wifi: ath9k: Remove error checks when creating debugfs entries (git-fixes). - wifi: rtw88: always wait for both firmware loading attempts (git-fixes). - wifi: rtw88: 8822c: Fix reported RX band width (git-fixes). - wifi: brcmfmac: introducing fwil query functions (git-fixes). - can: j1939: use correct function name in comment (git-fixes). - commit ffce0ad - net: tighten bad gso csum offset check in virtio_net_hdr (git-fixes). - commit 6b94c45 - blacklist.conf: add 840b2d39a2dc (&quot;virtio_ring: fix KMSAN error for premapped mode&quot;) - commit 2b97440 - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE (git-fixes). - commit aeba695 - blacklist.conf: add 611ff1b1ae98 (&quot;xen: privcmd: Fix possible access to a freed kirqfd instance&quot;) - commit d91e53f - fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF (bsc#1230602). - commit d2c95a5 - Update patches.suse/virtio_net-Fix-napi_skb_cache_put-warning.patch (git-fixes CVE-2024-43835 bsc#1229289). - commit b9542fb - x86/hyperv: fix kexec crash due to VP assist page corruption (git-fixes). - Drivers: hv: vmbus: Fix the misplaced function description (git-fixes). - commit c60d936 - Update references patches.suse/selinux-smack-don-t-bypass-permissions-check-in-inod.patch (stable-fixes CVE-2024-46695 bsc#1230519). - commit 2a7bb57 - NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations (git-fixes). - commit a563f31 - nfsd: Don't leave work of closing files to a work queue (bsc#1228140). - Refresh patches.suse/nfsd-use-__fput_sync-to-avoid-delayed-closing-of-fil.patch. - commit 83ce74a - ASoC: meson: axg-card: fix 'use-after-free' (git-fixes). - ASoC: codecs: avoid possible garbage value in peb2466_reg_read() (git-fixes). - commit 5a67afd - kABI workaround for soc-qcom pmic_glink changes (CVE-2024-46693 bsc#1230521). - commit 9a06e25 - usb: typec: ucsi: Move unregister out of atomic section (CVE-2024-46691 bsc#1230526). - soc: qcom: pmic_glink: Fix race during initialization (CVE-2024-46693 bsc#1230521). - commit 26dd9b4 - spi: nxp-fspi: fix the KASAN report out-of-bounds bug (git-fixes). - drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl (git-fixes). - drm/nouveau/fb: restore init() for ramgp102 (git-fixes). - dma-buf: heaps: Fix off-by-one in CMA heap fault handler (git-fixes). - drm/i915/guc: prevent a possible int overflow in wq offsets (git-fixes). - usbnet: ipheth: race between ipheth_close and error handling (stable-fixes). - commit 8d8bf2f - md/raid1: Fix data corruption for degraded array with slow disk (bsc#1230455, CVE-2024-45023). - commit 34cd7b5 - perf/x86/intel: Limit the period on Haswell (git-fixes). - perf/x86: Fix smp_processor_id()-in-preemptible warnings (git-fixes). - perf/x86/intel/cstate: Add pkg C2 residency counter for Sierra Forest (git-fixes). - ARM: 9406/1: Fix callchain_trace() return value (git-fixes). - bpf, events: Use prog to emit ksymbol event for main program (git-fixes). - perf/x86/intel: Add a distinct name for Granite Rapids (git-fixes). - perf/x86/intel/ds: Fix non 0 retire latency on Raptorlake (git-fixes). - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR (git-fixes). - perf: Fix event leak upon exit (git-fixes). - perf/x86/intel/cstate: Fix Alderlake/Raptorlake/Meteorlake (git-fixes). - perf: Fix default aux_watermark calculation (git-fixes). - perf: Prevent passing zero nr_pages to rb_alloc_aux() (git-fixes). - perf: Fix perf_aux_size() for greater-than 32-bit size (git-fixes). - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation (git-fixes). - perf/x86/intel/pt: Fix a topa_entry base address calculation (git-fixes). - perf/x86/intel/pt: Fix topa_entry base length (git-fixes). - perf/x86: Serialize set_attr_rdpmc() (git-fixes). - perf/core: Fix missing wakeup when waiting for context reference (git-fixes). - perf/x86/intel: Factor out the initialization code for SPR (git fixes). - perf/x86/intel: Use the common uarch name for the shared functions (git fixes). - commit bb48e43 - blacklist.conf: Add perf git-fix that won't be backported - commit fbbd522 - nvme: move stopping keep-alive into nvme_uninit_ctrl() (CVE-2024-45013 bsc#1230442) - commit ce739c4 - i2c: tegra: Do not mark ACPI devices as irq safe (CVE-2024-45029 bsc#1230451) - commit 2870112 - netfilter: flowtable: initialise extack before use (CVE-2024-45018 bsc#1230431) - commit 8b44b15 - net/mlx5e: Take state lock during tx timeout reporter (CVE-2024-45019 bsc#1230432) - commit 2552371 - net/mlx5: Fix IPsec RoCE MPV trace call (CVE-2024-45017 bsc#1230430) - commit 60aac02 - igb: cope with large MAX_SKB_FRAGS (CVE-2024-45030 bsc#1230457) - commit d2d3c69 - Move s390 kabi patch into the kabi section - commit 4ab5d36 - s390/uv: Don't call folio_wait_writeback() without a folio reference (git-fixes bsc#1229380 CVE-2024-43832). - s390/mm: Convert gmap_make_secure to use a folio (git-fixes bsc#1230562). - s390/mm: Convert make_page_secure to use a folio (git-fixes bsc#1230563). - s390: allow pte_offset_map_lock() to fail (git-fixes bsc#1230564). - commit 7069eb7 - mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 (CVE-2024-45022 bsc#1230435). - commit cc8880a Package curl was updated: - Security fix: [bsc#1232528, CVE-2024-9681] * HSTS subdomain overwrites parent cache entry * Add curl-CVE-2024-9681.patch Package gnutls was updated: - FIPS: Do not allow curve P-192 for signature or keypair verification [bsc#1227669] * Add gnutls-FIPS-p192-disabled.patch - FIPS: Allow to perform the integrity check with the hmac provided by each library [bsc#1226724] * Rebase gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch - FIPS: bsc#1230166 * Mark gnutls_hash_fast operations as approved in SLI. * Add gnutls-FIPS-gnutls_hash_fast-SLI.patch - FIPS: bsc#1226733 * Run pairwise consistency test only in FIPS mode * Backport upstream commit 5c276953c1536375fba96bc769e1cb5d3123b4a7 * Add gnutls-pct-in-FIPS-only.patch - FIPS: bsc#1226733 * Use full hash+sign operations, not low level primitives in PCT test. * Add gnutls-FIPS-full-hash_sign.patch - FIPS: bsc#1227642 * Mark SHA1 as not allowed for signature verification in both RSA and ECDSA sigVer. * Add gnutls-FIPS-no-sha1-verify.patch - FIPS: bsc#1227670 * Allow RSA signature verification with min of 2048 bit modulus. * Add gnutls-FIPS-rsa-min-2048.patch - FIPS: [bsc#1227671, bsc#1226731] * Remove not needed DSA in selfchecks in FIPS mode. * Add gnutls-FIPS-no_dsa_selftest.patch Package libnvme was updated: - Update to version 1.8+50.g2b587d3: * types: add new fields added in TP4165 (bsc#1231668) * types: Changed the space into tap space (bsc#1231668) * types: add new field added in TP4090 (bsc#1231668) * ioctl: export nvme_submit_passthru{64} as weak symbol (bsc#1231668) * tree: fix segfault in nvme_free_tree() (bsc#1231668) * tree: fix tls key mem leak (bsc#1231668) * tree: fix dhchap_ctrl_key mem leak (bsc#1231668) * tree: fix dhchap_key mem leak (bsc#1231668) - Update to version 1.8+42.gdc0831f: * tree: handle no address phy slot dirs (bsc#1229193) Package open-iscsi was updated: - Update to version 2.1.10.suse+51.fea0fde82ed1: * Incudes upstream version 2.1.10 plus some fixes * Fix firmware targets startup to always be &quot;onboot&quot; (#482) (bsc#1228084) * Change a discovery function to void return type (#481) * Fix gcc issues (#480) * Bugfix read specific sysfs value &quot;off&quot; of session attribute (#466) * Fix bug where abort_tmo read failures were ignored. (#467) * grammar nitpicks (#464) * Fix memory leak in iscsi_check_session_use_count (#465) * improve the comments in idbm_lock() (#458) * Make it visible when memory allocation failure (#457) * Better handle multiple iscsiadm commands (#453) * iscsiadm: allow hostnames in node-mode commands (#451) * Modify how workqueue priority is set (#445) * Fix authmethod check by printing a warning message when CHAP used and authmethod=None (#443) * iscsid: Rescan devices on relogin (#444) * Adds missing characters in README. (#440) * Turn off iSCSI NOP-Outs, by default. * fix: add usr/iscsid_req.h missinig underline (#431) (#436) - Updated to latest upstream: two small changes, with no known functional changes: * Incorrect documentation for `iscsiadm -m session` print level (upstream issue #432) * Stop using deprecated inet_aton and inet_ntoa (upstream issue [#435]) - Also, stopped using pre-prepared tarballs for the build, instead now using a service file to get latest SUSE srouces directly. This removed these two files: * open-iscsi-2.1.9-suse.tar.bz2, and * open-iscsi-SUSE-latest.diff.bz2 whcih were both created by a shell script, and added a service- file-generated file of the form: * open-iscsi-2.1.9.suse+TAG_OFFSET.tar.xz where TAG_OFFSET is of the form &quot;COMMIT_COUNT.HASH&quot;, where COMMIT_COUNT is the count of commits since 2.1.9-suse (in this case), and HASH is the git commit hash being used. Package openssl-1_1 was updated: - Security fix: [bsc#1220262, CVE-2023-50782] * Implicit rejection in PKCS#1 v1.5 * Add openssl-CVE-2023-50782.patch - FIPS: AES GCM external IV implementation [bsc#1228618] * Mark the standalone AES-GCM encryption with external IV as non-approved in the SLI. * Add openssl-1_1-ossl-sli-021-AES-GCM-external-IV.patch - FIPS: Mark PBKDF2 and HKDF HMAC input keys with size &gt;= 112 bits as approved in the SLI. [bsc#1228623] * openssl-1_1-ossl-sli-020-PBKDF2-HMAC-size-SLI.patch - FIPS: Enforce KDF in FIPS style [bsc#1224270] * Add openssl-1_1-ossl-sli-019-Enforce-KDF.patch - FIPS: Mark HKDF and TLSv1.3 KDF as approved in the SLI [bsc#1228619] * Add openssl-1_1-ossl-sli-018-TLS13-HKDF.patch - FIPS: The X9.31 scheme is not approved for RSA signature operations in FIPS 186-5. [bsc#1224269] * Add openssl-1_1-ossl-sli-017-X9.31-sign.patch - FIPS: Differentiate the PSS length requirements [bsc#1224275] * Add openssl-1_1-ossl-sli-016-PSS-length.patch - FIPS: Mark sigGen and sigVer primitives as non-approved [bsc#1224272] * Add openssl-1_1-ossl-sli-015-sigver-hashing.patch - FIPS: Disable PKCSv1.5 and shake in FIPS mode [bsc#1224271] * FIPS 186-5 Section 5.4 disallows RSA PKCSv1.5 signature operations with XOF. * Add openssl-1_1-ossl-sli-014-PKCSv1.5-and-shake.patch - FIPS: Mark SHA1 as non-approved in the SLI [bsc#1224266] * Add openssl-1_1-ossl-sli-013-Mark-SHA1-unapproved.patch - FIPS: DH FIPS selftest and safe prime group [bsc#1224264] * Add openssl-1_1-ossl-sli-012-DH-selftest-and-safe-prime-group.patch Package openssl-3 was updated: - Security fix: [bsc#1220262, CVE-2023-50782] * Implicit rejection in PKCS#1 v1.5 * Add openssl-CVE-2023-50782.patch Package python3 was updated: - Add CVE-2024-9287-venv_path_unquoted.patch to properly quote path names provided when creating a virtual environment (bsc#1232241, CVE-2024-9287) - Drop .pyc files from docdir for reproducible builds (bsc#1230906). Package cyrus-sasl was updated: - Make DIGEST-MD5 work with openssl3 ( bsc#1230111 ) RC4 is legacy provided since openSSL3 and requires explicit loading, disable openssl3 depricated API warnings. * Add cyrus-sasl-make-digestmd5-work-ssl3.patch Package libzypp was updated: - PluginFrame: Send unescaped colons in header values (bsc#1231043) According to the STOMP protocol it would be correct to escape a colon in a header-value, but it breaks plugin receivers which do not expect this. The first colon separates header-name from header-value, so escaping in the header-value is not needed anyway. Escaping in the header-value affects especially the urlresolver plugins. The input URL is passed in a header, but sent back as raw data in the frames body. If the plugin receiver does not correctly unescape the URL we may get back a &quot;https\c//&quot; which is not usable. - Do not ignore return value of std::remove_if in MediaSyncFacade (fixes #579) - Fix hang in curl code with no network connection (bsc#1230912) - version 17.35.12 (35) Package shadow was updated: - bsc#1230972: Add useradd warnings when requested UID is outside the default range - add shadow-bsc1230972-useradd-warning.patch Package nvme-cli was updated: - Update to version 2.8+65.gae2c271: * nvme-print-json: update JSON verbose output for nvm-id-ctrl (bsc#1231668) * nvme-print-stdout: update changed-ns-list-log output (bsc#1231668) * nvme: fix uninitialized value in error-log (bsc#1231668) * netapp-smdevices: print single device output too (bsc#1231668) * netapp-smdevices: segregate print routines (bsc#1231668) * fabrics: fix incorrect access filename check (bsc#1231668) * fabrics: check if json config is existing (bsc#1231668) * nvme: update nvme_insert_tls_key_versioned() return handling (bsc#1231668) * nvme-print: sanitize error-log output (bsc#1231668) * nvme-print: update subsys verbose outputs (bsc#1231668) * nvme-print: add subsystype to the list-subsys output (bsc#1231668) * nvme-print-stdout: refactor subsys config (bsc#1231668) * netapp: print output for single device too (bsc#1231668) * netapp: segregate the print routines (bsc#1231668) * netapp: fix uninitialized value from heap error (bsc#1231668) * fabrics: avoid potential segfault in nvmf_dim() (bsc#1231668) * nvme: fix verbose logging (bsc#1231668) * logging: Split to output ioctl latency by log info level (bsc#1231668) * logging: output ioctl debugging info (bsc#1231668) * nvme: track verbose level (bsc#1231668) - Update to version 2.8+45.gb66f0b8: * plugins/sed: add sid password change (bsc#1229677) Package samba was updated: - Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated; (bso#15699); (bsc#1229684). - Update to 4.19.8 * Invalid client warning about command line passwords; (bso#15671); * Version string is truncated in manpages; (bso#15672); * --version-* options are still not ergonomic, and they reject tilde characters; (bso#15673); * cmdline_burn does not always burn secrets; (bso#15674); * Samba doesn't parse SDDL found in defaultSecurityDescriptor in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685); * We have added new options --vendor-name and --vendor-patch- revision arguments to ./configure to allow distributions and packagers to put their name in the Samba version string so that when debugging Samba the source of the binary is obvious; (bso#15654); * When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password; (bso#15655); * Fix clock skew error message and memory cache clock skew recovery; (bso#15676); * CTDB RADOS mutex helper misses namespace support; (bso#15665); * The images don't build after the git security release and CentOS 8 Stream is EOL; (bso#15660); * Fix unnecessary delays in CTDB while processing requests under high load; (bso#15678); * Dynamic DNS updates with the internal DNS are not working; (bso#13019); * s4:nbt_server: does not provide unexpected handling, so winbindd can't use nmb requests instead cldap; (bso#15620); * Panic in vfs_offload_token_db_fetch_fsp(); (bso#15664); * &quot;client use kerberos&quot; and --use-kerberos is ignored for the machine account; (bso#15666); * Regression DFS not working with widelinks = true; (bso#15435); * ntlm_auth make logs more consistent with length check; (bso#15677); Package shim was updated: - Update shim-install to apply the missing fix for openSUSE Leap (bsc#1210382) fixed by Gary. * 86b73d1 Fix that bootx64.efi is not updated on Leap - Update shim-install to use the 'removable' way for SL-Micro (bsc#1230316) fixed by Gary. * 433cc4e Always use the removable way for SL-Micro Package wget was updated: - Update 0001-possibly-truncate-pathname-components.patch * Take the patch from savannah repository where the checking of the file length doesn't include path length. * [bsc#1204720, bsc#1231661] Package wicked was updated: - Update to version 0.6.77 - compat-suse: use iftype in sysctl handling (bsc#1230911, gh#openSUSE/wicked#1043) - Always generate the ipv4/ipv6 &lt;enabled&gt;true|false&lt;/enabled&gt; node - Inherit all, default and interface sysctl settings also for loopback, except for use_tempaddr and accept_dad. - Consider only interface specific accept_redirects sysctl settings. - Adopt ifsysctl(5) manual page with wicked specific behavior. - route: fix family and destination processing (bsc#1231060) - man: improve wicked-config(5) file description (gh#openSUSE/wicked#1039) - dhcp4: add ignore-rfc3927-1-6 wicked-config(5) option (jsc#PED-10855, gh#openSUSE/wicked#1038) - team: set arp link watcher interval default to 1s (gh#openSUSE/wicked#1037) - systemd: use `BindsTo=dbus.service` in favor of `Requisite=` (bsc#1229745) - compat-suse: fix use of deprecated `INTERFACETYPE=dummy` (boo#1229555) - arp: don't set target broadcast hardware address (gh#openSUSE/wicked#1036) - dbus: don't memcpy empty/NULL array value (gh#openSUSE/wicked#1035) - ethtool: fix leak and free pause data in ethtool_free (gh#openSUSE/wicked#1030) - Removed patches included in the source archive: [- 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch] - compat-suse: fix dummy interfaces configuration with INTERFACETYPE=dummy (boo#1229555, gh#openSUSE/wicked#1031) [+ 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-chost-byos-v20241111-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 bash-4.4-150400.27.3.2 bash-sh-4.4-150400.27.3.2 glibc-2.38-150600.14.14.2 glibc-locale-2.38-150600.14.14.2 glibc-locale-base-2.38-150600.14.14.2 grub2-2.12-150600.8.9.2 grub2-i386-pc-2.12-150600.8.9.2 grub2-x86_64-efi-2.12-150600.8.9.2 kernel-default-6.4.0-150600.23.25.1 libcurl4-8.6.0-150600.4.12.1 libdevmapper1_03-2.03.22_1.02.196-150600.3.3.2 libgcc_s1-14.2.0+git10526-150000.1.6.1 libgnutls30-3.8.3-150600.4.3.1 libhogweed6-3.9.1-150600.3.2.1 libnettle8-3.9.1-150600.3.2.1 libnvme-mi1-1.8+50.g2b587d3-150600.3.9.2 libnvme1-1.8+50.g2b587d3-150600.3.9.2 libopeniscsiusr0-0.2.0-150600.51.3.2 libopenssl1_1-1.1.1w-150600.5.9.1 libopenssl3-3.1.4-150600.5.21.1 libproxy1-0.5.3-150600.4.3.2 libpxbackend-1_0-0.5.3-150600.4.3.2 libpython3_6m1_0-3.6.15-150300.10.75.1 libreadline7-7.0-150400.27.3.2 libsasl2-3-2.1.28-150600.7.3.1 libstdc++6-14.2.0+git10526-150000.1.6.1 libzypp-17.35.12-150600.3.27.1 login_defs-4.8.1-150600.17.9.1 nvme-cli-2.8+65.gae2c271-150600.3.9.2 open-iscsi-2.1.10-150600.51.3.2 openssl-3-3.1.4-150600.5.21.1 python3-3.6.15-150300.10.75.1 python3-base-3.6.15-150300.10.75.1 samba-client-libs-4.19.8+git.368.51d32c069f-150600.3.6.11 shadow-4.8.1-150600.17.9.1 shim-15.8-150300.4.23.1 sles-release-15.6-150600.64.3.1 suse-build-key-12.0-150000.8.55.1 wget-1.20.3-150600.19.6.2 wicked-0.6.77-150600.11.15.1 wicked-service-0.6.77-150600.11.15.1 bash-4.4-150400.27.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 bash-sh-4.4-150400.27.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 glibc-2.38-150600.14.14.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 glibc-locale-2.38-150600.14.14.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 glibc-locale-base-2.38-150600.14.14.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 grub2-2.12-150600.8.9.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 grub2-i386-pc-2.12-150600.8.9.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 grub2-x86_64-efi-2.12-150600.8.9.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 kernel-default-6.4.0-150600.23.25.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libcurl4-8.6.0-150600.4.12.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libdevmapper1_03-2.03.22_1.02.196-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libgcc_s1-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libgnutls30-3.8.3-150600.4.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libhogweed6-3.9.1-150600.3.2.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libnettle8-3.9.1-150600.3.2.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libnvme-mi1-1.8+50.g2b587d3-150600.3.9.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libnvme1-1.8+50.g2b587d3-150600.3.9.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libopeniscsiusr0-0.2.0-150600.51.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libopenssl1_1-1.1.1w-150600.5.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libopenssl3-3.1.4-150600.5.21.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libproxy1-0.5.3-150600.4.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libpxbackend-1_0-0.5.3-150600.4.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libpython3_6m1_0-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libreadline7-7.0-150400.27.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libsasl2-3-2.1.28-150600.7.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libstdc++6-14.2.0+git10526-150000.1.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 libzypp-17.35.12-150600.3.27.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 login_defs-4.8.1-150600.17.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 nvme-cli-2.8+65.gae2c271-150600.3.9.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 open-iscsi-2.1.10-150600.51.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 openssl-3-3.1.4-150600.5.21.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 python3-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 python3-base-3.6.15-150300.10.75.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 samba-client-libs-4.19.8+git.368.51d32c069f-150600.3.6.11 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 shadow-4.8.1-150600.17.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 shim-15.8-150300.4.23.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 sles-release-15.6-150600.64.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 suse-build-key-12.0-150000.8.55.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 wget-1.20.3-150600.19.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 wicked-0.6.77-150600.11.15.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 wicked-service-0.6.77-150600.11.15.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64 A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. CVE-2023-50782 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:libopenssl1_1-1.1.1w-150600.5.9.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:libopenssl3-3.1.4-150600.5.21.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:openssl-3-3.1.4-150600.5.21.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") CVE-2023-52915 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: prevent perpetual headroom growth syzkaller triggered following kasan splat: BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 [..] kasan_report+0xda/0x110 mm/kasan/report.c:588 __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline] ___skb_get_hash net/core/flow_dissector.c:1791 [inline] __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856 skb_get_hash include/linux/skbuff.h:1556 [inline] ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748 ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592 ... ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 .. iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831 ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 ... The splat occurs because skb->data points past skb->head allocated area. This is because neigh layer does: __skb_pull(skb, skb_network_offset(skb)); ... but skb_network_offset() returns a negative offset and __skb_pull() arg is unsigned. IOW, we skb->data gets "adjusted" by a huge value. The negative value is returned because skb->head and skb->data distance is more than 64k and skb->network_header (u16) has wrapped around. The bug is in the ip_tunnel infrastructure, which can cause dev->needed_headroom to increment ad infinitum. The syzkaller reproducer consists of packets getting routed via a gre tunnel, and route of gre encapsulated packets pointing at another (ipip) tunnel. The ipip encapsulation finds gre0 as next output device. This results in the following pattern: 1). First packet is to be sent out via gre0. Route lookup found an output device, ipip0. 2). ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future output device, rt.dev->needed_headroom (ipip0). 3). ip output / start_xmit moves skb on to ipip0. which runs the same code path again (xmit recursion). 4). Routing step for the post-gre0-encap packet finds gre0 as output device to use for ipip0 encapsulated packet. tunl0->needed_headroom is then incremented based on the (already bumped) gre0 device headroom. This repeats for every future packet: gre0->needed_headroom gets inflated because previous packets' ipip0 step incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0 needed_headroom was increased. For each subsequent packet, gre/ipip0->needed_headroom grows until post-expand-head reallocations result in a skb->head/data distance of more than 64k. Once that happens, skb->network_header (u16) wraps around when pskb_expand_head tries to make sure that skb_network_offset() is unchanged after the headroom expansion/reallocation. After this skb_network_offset(skb) returns a different (and negative) result post headroom expansion. The next trip to neigh layer (or anything else that would __skb_pull the network header) makes skb->data point to a memory location outside skb->head area. v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to prevent perpetual increase instead of dropping the headroom increment completely. CVE-2024-26804 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr() vgic_v2_parse_attr() is responsible for finding the vCPU that matches the user-provided CPUID, which (of course) may not be valid. If the ID is invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled gracefully. Similar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id() actually returns something and fail the ioctl if not. CVE-2024-36953 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull that amount instead of assuming. Tested with dropwatch: drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3) origin: software timestamp: Mon May 13 11:31:53 2024 778214037 nsec protocol: 0x88a8 length: 2 original length: 2 drop reason: PKT_TOO_SMALL [1] BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline] __bpf_tx_skb net/core/filter.c:2136 [inline] __bpf_redirect_common net/core/filter.c:2180 [inline] __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187 ____bpf_clone_redirect net/core/filter.c:2460 [inline] bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline] __se_sys_bpf kernel/bpf/syscall.c:5765 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-38538 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/pci: fix potential memory leak in vfio_intx_enable() If vfio_irq_ctx_alloc() failed will lead to 'name' memory leak. CVE-2024-38632 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: lpi2c: Avoid calling clk_get_rate during transfer Instead of repeatedly calling clk_get_rate for each transfer, lock the clock rate and cache the value. A deadlock has been observed while adding tlv320aic32x4 audio codec to the system. When this clock provider adds its clock, the clk mutex is locked already, it needs to access i2c, which in return needs the mutex for clk_get_rate as well. CVE-2024-40965 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: mtk-vcodec: potential null pointer deference in SCP The return value of devm_kzalloc() needs to be checked to avoid NULL pointer deference. This is similar to CVE-2022-3113. CVE-2024-40973 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: closures: Change BUG_ON() to WARN_ON() If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON() For reference, this has popped up once in the CI, and we'll need more info to debug it: 03240 ------------[ cut here ]------------ 03240 kernel BUG at lib/closure.c:21! 03240 kernel BUG at lib/closure.c:21! 03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP 03240 Modules linked in: 03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570 03240 Hardware name: linux,dummy-virt (DT) 03240 Workqueue: btree_update btree_interior_update_work 03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) 03240 pc : closure_put+0x224/0x2a0 03240 lr : closure_put+0x24/0x2a0 03240 sp : ffff0000d12071c0 03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360 03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040 03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168 03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001 03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974 03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d 03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e 03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b 03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954 03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000 03240 Call trace: 03240 closure_put+0x224/0x2a0 03240 bch2_check_for_deadlock+0x910/0x1028 03240 bch2_six_check_for_deadlock+0x1c/0x30 03240 six_lock_slowpath.isra.0+0x29c/0xed0 03240 six_lock_ip_waiter+0xa8/0xf8 03240 __bch2_btree_node_lock_write+0x14c/0x298 03240 bch2_trans_lock_write+0x6d4/0xb10 03240 __bch2_trans_commit+0x135c/0x5520 03240 btree_interior_update_work+0x1248/0x1c10 03240 process_scheduled_works+0x53c/0xd90 03240 worker_thread+0x370/0x8c8 03240 kthread+0x258/0x2e8 03240 ret_from_fork+0x10/0x20 03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000) 03240 ---[ end trace 0000000000000000 ]--- 03240 Kernel panic - not syncing: Oops - BUG: Fatal exception 03240 SMP: stopping secondary CPUs 03241 SMP: failed to stop secondary CPUs 13,15 03241 Kernel Offset: disabled 03241 CPU features: 0x00,00000003,80000008,4240500b 03241 Memory Limit: none 03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]--- 03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s CVE-2024-42252 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/uv: Don't call folio_wait_writeback() without a folio reference folio_wait_writeback() requires that no spinlocks are held and that a folio reference is held, as documented. After we dropped the PTL, the folio could get freed concurrently. So grab a temporary reference. CVE-2024-43832 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix napi_skb_cache_put warning After the commit bdacf3e34945 ("net: Use nested-BH locking for napi_alloc_cache.") was merged, the following warning began to appear: WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0 __warn+0x12f/0x340 napi_skb_cache_put+0x82/0x4b0 napi_skb_cache_put+0x82/0x4b0 report_bug+0x165/0x370 handle_bug+0x3d/0x80 exc_invalid_op+0x1a/0x50 asm_exc_invalid_op+0x1a/0x20 __free_old_xmit+0x1c8/0x510 napi_skb_cache_put+0x82/0x4b0 __free_old_xmit+0x1c8/0x510 __free_old_xmit+0x1c8/0x510 __pfx___free_old_xmit+0x10/0x10 The issue arises because virtio is assuming it's running in NAPI context even when it's not, such as in the netpoll case. To resolve this, modify virtnet_poll_tx() to only set NAPI when budget is available. Same for virtnet_poll_cleantx(), which always assumed that it was in a NAPI context. CVE-2024-43835 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf: Fix event leak upon exit When a task is scheduled out, pending sigtrap deliveries are deferred to the target task upon resume to userspace via task_work. However failures while adding an event's callback to the task_work engine are ignored. And since the last call for events exit happen after task work is eventually closed, there is a small window during which pending sigtrap can be queued though ignored, leaking the event refcount addition such as in the following scenario: TASK A ----- do_exit() exit_task_work(tsk); <IRQ> perf_event_overflow() event->pending_sigtrap = pending_id; irq_work_queue(&event->pending_irq); </IRQ> =========> PREEMPTION: TASK A -> TASK B event_sched_out() event->pending_sigtrap = 0; atomic_long_inc_not_zero(&event->refcount) // FAILS: task work has exited task_work_add(&event->pending_task) [...] <IRQ WORK> perf_pending_irq() // early return: event->oncpu = -1 </IRQ WORK> [...] =========> TASK B -> TASK A perf_event_exit_task(tsk) perf_event_exit_event() free_event() WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1) // leak event due to unexpected refcount == 2 As a result the event is never released while the task exits. Fix this with appropriate task_work_add()'s error handling. CVE-2024-43870 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix overflow in get_free_elt() "tracing_map->next_elt" in get_free_elt() is at risk of overflowing. Once it overflows, new elements can still be inserted into the tracing_map even though the maximum number of elements (`max_elts`) has been reached. Continuing to insert elements after the overflow could result in the tracing_map containing "tracing_map->max_size" elements, leaving no empty entries. If any attempt is made to insert an element into a full tracing_map using `__tracing_map_insert()`, it will cause an infinite loop with preemption disabled, leading to a CPU hang problem. Fix this by preventing any further increments to "tracing_map->next_elt" once it reaches "tracing_map->max_elt". CVE-2024-43890 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid5: avoid BUG_ON() while continue reshape after reassembling Currently, mdadm support --revert-reshape to abort the reshape while reassembling, as the test 07revert-grow. However, following BUG_ON() can be triggerred by the test: kernel BUG at drivers/md/raid5.c:6278! invalid opcode: 0000 [#1] PREEMPT SMP PTI irq event stamp: 158985 CPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94 RIP: 0010:reshape_request+0x3f1/0xe60 Call Trace: <TASK> raid5_sync_request+0x43d/0x550 md_do_sync+0xb7a/0x2110 md_thread+0x294/0x2b0 kthread+0x147/0x1c0 ret_from_fork+0x59/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> Root cause is that --revert-reshape update the raid_disks from 5 to 4, while reshape position is still set, and after reassembling the array, reshape position will be read from super block, then during reshape the checking of 'writepos' that is caculated by old reshape position will fail. Fix this panic the easy way first, by converting the BUG_ON() to WARN_ON(), and stop the reshape if checkings fail. Noted that mdadm must fix --revert-shape as well, and probably md/raid should enhance metadata validation as well, however this means reassemble will fail and there must be user tools to fix the wrong metadata. CVE-2024-43914 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: kcm: Serialise kcm_sendmsg() for the same socket. syzkaller reported UAF in kcm_release(). [0] The scenario is 1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb. 2. Thread A resumes building skb from kcm->seq_skb but is blocked by sk_stream_wait_memory() 3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb and puts the skb to the write queue 4. Thread A faces an error and finally frees skb that is already in the write queue 5. kcm_release() does double-free the skb in the write queue When a thread is building a MSG_MORE skb, another thread must not touch it. Let's add a per-sk mutex and serialise kcm_sendmsg(). [0]: BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167 CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x178/0x518 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __skb_unlink include/linux/skbuff.h:2366 [inline] __skb_dequeue include/linux/skbuff.h:2385 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] __skb_queue_purge include/linux/skbuff.h:3181 [inline] kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 __sock_release net/socket.c:659 [inline] sock_close+0xa4/0x1e8 net/socket.c:1421 __fput+0x30c/0x738 fs/file_table.c:376 ____fput+0x20/0x30 fs/file_table.c:404 task_work_run+0x230/0x2e0 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x618/0x1f64 kernel/exit.c:871 do_group_exit+0x194/0x22c kernel/exit.c:1020 get_signal+0x1500/0x15ec kernel/signal.c:2893 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Allocated by task 6166: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1296 [inline] kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x220/0x2c0 net/socket.c:768 splice_to_socket+0x7cc/0xd58 fs/splice.c:889 do_splice_from fs/splice.c:941 [inline] direct_splice_actor+0xec/0x1d8 fs/splice.c:1164 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108 do_splice_direct_actor ---truncated--- CVE-2024-44946 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: fuse: Initialize beyond-EOF page contents before setting uptodate fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter). CVE-2024-44947 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: x86/mtrr: Check if fixed MTRRs exist before saving them MTRRs have an obsolete fixed variant for fine grained caching control of the 640K-1MB region that uses separate MSRs. This fixed variant has a separate capability bit in the MTRR capability MSR. So far all x86 CPUs which support MTRR have this separate bit set, so it went unnoticed that mtrr_save_state() does not check the capability bit before accessing the fixed MTRR MSRs. Though on a CPU that does not support the fixed MTRR capability this results in a #GP. The #GP itself is harmless because the RDMSR fault is handled gracefully, but results in a WARN_ON(). Add the missing capability check to prevent this. CVE-2024-44948 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-44952 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: line6: Fix racy access to midibuf There can be concurrent accesses to line6 midibuf from both the URB completion callback and the rawmidi API access. This could be a cause of KMSAN warning triggered by syzkaller below (so put as reported-by here). This patch protects the midibuf call of the former code path with a spinlock for avoiding the possible races. CVE-2024-44954 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: Check for unset descriptor Make sure the descriptor has been set before looking at maxpacket. This fixes a null pointer panic in this case. This may happen if the gadget doesn't properly set up the endpoint for the current speed, or the gadget descriptors are malformed and the descriptor for the speed/endpoint are not found. No current gadget driver is known to have this problem, but this may cause a hard-to-find bug during development of new gadgets. CVE-2024-44960 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Forward soft recovery errors to userspace As we discussed before[1], soft recovery should be forwarded to userspace, or we can get into a really bad state where apps will keep submitting hanging command buffers cascading us to a hard reset. 1: https://lore.kernel.org/all/bf23d5ed-9a6b-43e7-84ee-8cbfd0d60f18@froggi.es/ (cherry picked from commit 434967aadbbbe3ad9103cc29e9a327de20fdba01) CVE-2024-44961 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading When unload the btnxpuart driver, its associated timer will be deleted. If the timer happens to be modified at this moment, it leads to the kernel call this timer even after the driver unloaded, resulting in kernel panic. Use timer_shutdown_sync() instead of del_timer_sync() to prevent rearming. panic log: Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP Modules linked in: algif_hash algif_skcipher af_alg moal(O) mlan(O) crct10dif_ce polyval_ce polyval_generic snd_soc_imx_card snd_soc_fsl_asoc_card snd_soc_imx_audmux mxc_jpeg_encdec v4l2_jpeg snd_soc_wm8962 snd_soc_fsl_micfil snd_soc_fsl_sai flexcan snd_soc_fsl_utils ap130x rpmsg_ctrl imx_pcm_dma can_dev rpmsg_char pwm_fan fuse [last unloaded: btnxpuart] CPU: 5 PID: 723 Comm: memtester Tainted: G O 6.6.23-lts-next-06207-g4aef2658ac28 #1 Hardware name: NXP i.MX95 19X19 board (DT) pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0xffff80007a2cf464 lr : call_timer_fn.isra.0+0x24/0x80 ... Call trace: 0xffff80007a2cf464 __run_timers+0x234/0x280 run_timer_softirq+0x20/0x40 __do_softirq+0x100/0x26c ____do_softirq+0x10/0x1c call_on_irq_stack+0x24/0x4c do_softirq_own_stack+0x1c/0x2c irq_exit_rcu+0xc0/0xdc el0_interrupt+0x54/0xd8 __el0_irq_handler_common+0x18/0x24 el0t_64_irq_handler+0x10/0x1c el0t_64_irq+0x190/0x194 Code: ???????? ???????? ???????? ???????? (????????) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt SMP: stopping secondary CPUs Kernel Offset: disabled CPU features: 0x0,c0000000,40028143,1000721b Memory Limit: none ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- CVE-2024-44962 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix pti_clone_pgtable() alignment assumption Guenter reported dodgy crashes on an i386-nosmp build using GCC-11 that had the form of endless traps until entry stack exhaust and then #DF from the stack guard. It turned out that pti_clone_pgtable() had alignment assumptions on the start address, notably it hard assumes start is PMD aligned. This is true on x86_64, but very much not true on i386. These assumptions can cause the end condition to malfunction, leading to a 'short' clone. Guess what happens when the user mapping has a short copy of the entry text? Use the correct increment form for addr to avoid alignment assumptions. CVE-2024-44965 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/mgag200: Bind I2C lifetime to DRM device Managed cleanup with devm_add_action_or_reset() will release the I2C adapter when the underlying Linux device goes away. But the connector still refers to it, so this cleanup leaves behind a stale pointer in struct drm_connector.ddc. Bind the lifetime of the I2C adapter to the connector's lifetime by using DRM's managed release. When the DRM device goes away (after the Linux device) DRM will first clean up the connector and then clean up the I2C adapter. CVE-2024-44967 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Prevent release of buffer in I/O When a task waiting for completion of a Store Data operation is interrupted, an attempt is made to halt this operation. If this attempt fails due to a hardware or firmware problem, there is a chance that the SCLP facility might store data into buffers referenced by the original operation at a later time. Handle this situation by not releasing the referenced data buffers if the halt attempt fails. For current use cases, this might result in a leak of few pages of memory in case of a rare hardware/firmware malfunction. CVE-2024-44969 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: do not clear page dirty inside extent_write_locked_range() [BUG] For subpage + zoned case, the following workload can lead to rsv data leak at unmount time: # mkfs.btrfs -f -s 4k $dev # mount $dev $mnt # fsstress -w -n 8 -d $mnt -s 1709539240 0/0: fiemap - no filename 0/1: copyrange read - no filename 0/2: write - no filename 0/3: rename - no source filename 0/4: creat f0 x:0 0 0 0/4: creat add id=0,parent=-1 0/5: writev f0[259 1 0 0 0 0] [778052,113,965] 0 0/6: ioctl(FIEMAP) f0[259 1 0 0 224 887097] [1294220,2291618343991484791,0x10000] -1 0/7: dwrite - xfsctl(XFS_IOC_DIOINFO) f0[259 1 0 0 224 887097] return 25, fallback to stat() 0/7: dwrite f0[259 1 0 0 224 887097] [696320,102400] 0 # umount $mnt The dmesg includes the following rsv leak detection warning (all call trace skipped): ------------[ cut here ]------------ WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8653 btrfs_destroy_inode+0x1e0/0x200 [btrfs] ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8654 btrfs_destroy_inode+0x1a8/0x200 [btrfs] ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8660 btrfs_destroy_inode+0x1a0/0x200 [btrfs] ---[ end trace 0000000000000000 ]--- BTRFS info (device sda): last unmount of filesystem 1b4abba9-de34-4f07-9e7f-157cf12a18d6 ------------[ cut here ]------------ WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs] ---[ end trace 0000000000000000 ]--- BTRFS info (device sda): space_info DATA has 268218368 free, is not full BTRFS info (device sda): space_info total=268435456, used=204800, pinned=0, reserved=0, may_use=12288, readonly=0 zone_unusable=0 BTRFS info (device sda): global_block_rsv: size 0 reserved 0 BTRFS info (device sda): trans_block_rsv: size 0 reserved 0 BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0 ------------[ cut here ]------------ WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs] ---[ end trace 0000000000000000 ]--- BTRFS info (device sda): space_info METADATA has 267796480 free, is not full BTRFS info (device sda): space_info total=268435456, used=131072, pinned=0, reserved=0, may_use=262144, readonly=0 zone_unusable=245760 BTRFS info (device sda): global_block_rsv: size 0 reserved 0 BTRFS info (device sda): trans_block_rsv: size 0 reserved 0 BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0 Above $dev is a tcmu-runner emulated zoned HDD, which has a max zone append size of 64K, and the system has 64K page size. [CAUSE] I have added several trace_printk() to show the events (header skipped): > btrfs_dirty_pages: r/i=5/259 dirty start=774144 len=114688 > btrfs_dirty_pages: r/i=5/259 dirty part of page=720896 off_in_page=53248 len_in_page=12288 > btrfs_dirty_pages: r/i=5/259 dirty part of page=786432 off_in_page=0 len_in_page=65536 > btrfs_dirty_pages: r/i=5/259 dirty part of page=851968 off_in_page=0 len_in_page=36864 The above lines show our buffered write has dirtied 3 pages of inode 259 of root 5: 704K 768K 832K 896K I |////I/////////////////I///////////| I 756K 868K |///| is the dirtied range using subpage bitmaps. and 'I' is the page boundary. Meanwhile all three pages (704K, 768K, 832K) have their PageDirty flag set. > btrfs_direct_write: r/i=5/259 start dio filepos=696320 len=102400 Then direct IO writ ---truncated--- CVE-2024-44972 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Validate TA binary size Add TA binary size validation to avoid OOB write. (cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442) CVE-2024-44977 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails If the dpu_format_populate_layout() fails, then FB is prepared, but not cleaned up. This ends up leaking the pin_count on the GEM object and causes a splat during DRM file closure: msm_obj->pin_count WARNING: CPU: 2 PID: 569 at drivers/gpu/drm/msm/msm_gem.c:121 update_lru_locked+0xc4/0xcc [...] Call trace: update_lru_locked+0xc4/0xcc put_pages+0xac/0x100 msm_gem_free_object+0x138/0x180 drm_gem_object_free+0x1c/0x30 drm_gem_object_handle_put_unlocked+0x108/0x10c drm_gem_object_release_handle+0x58/0x70 idr_for_each+0x68/0xec drm_gem_release+0x28/0x40 drm_file_free+0x174/0x234 drm_release+0xb0/0x160 __fput+0xc0/0x2c8 __fput_sync+0x50/0x5c __arm64_sys_close+0x38/0x7c invoke_syscall+0x48/0x118 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x4c/0x120 el0t_64_sync_handler+0x100/0x12c el0t_64_sync+0x190/0x194 irq event stamp: 129818 hardirqs last enabled at (129817): [<ffffa5f6d953fcc0>] console_unlock+0x118/0x124 hardirqs last disabled at (129818): [<ffffa5f6da7dcf04>] el1_dbg+0x24/0x8c softirqs last enabled at (129808): [<ffffa5f6d94afc18>] handle_softirqs+0x4c8/0x4e8 softirqs last disabled at (129785): [<ffffa5f6d94105e4>] __do_softirq+0x14/0x20 Patchwork: https://patchwork.freedesktop.org/patch/600714/ CVE-2024-44982 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() When there are multiple ap interfaces on one band and with WED on, turning the interface down will cause a kernel panic on MT798X. Previously, cb_priv was freed in mtk_wed_setup_tc_block() without marking NULL,and mtk_wed_setup_tc_block_cb() didn't check the value, too. Assign NULL after free cb_priv in mtk_wed_setup_tc_block() and check NULL in mtk_wed_setup_tc_block_cb(). ---------- Unable to handle kernel paging request at virtual address 0072460bca32b4f5 Call trace: mtk_wed_setup_tc_block_cb+0x4/0x38 0xffffffc0794084bc tcf_block_playback_offloads+0x70/0x1e8 tcf_block_unbind+0x6c/0xc8 ... --------- CVE-2024-44997 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs/netfs/fscache_cookie: add missing "n_accesses" check This fixes a NULL pointer dereference bug due to a data race which looks like this: BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43 Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018 Workqueue: events_unbound netfs_rreq_write_to_cache_work RIP: 0010:cachefiles_prepare_write+0x30/0xa0 Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 <48> 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10 RSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286 RAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000 RDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438 RBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001 R10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68 R13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00 FS: 0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0 Call Trace: <TASK> ? __die+0x1f/0x70 ? page_fault_oops+0x15d/0x440 ? search_module_extables+0xe/0x40 ? fixup_exception+0x22/0x2f0 ? exc_page_fault+0x5f/0x100 ? asm_exc_page_fault+0x22/0x30 ? cachefiles_prepare_write+0x30/0xa0 netfs_rreq_write_to_cache_work+0x135/0x2e0 process_one_work+0x137/0x2c0 worker_thread+0x2e9/0x400 ? __pfx_worker_thread+0x10/0x10 kthread+0xcc/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Modules linked in: CR2: 0000000000000008 ---[ end trace 0000000000000000 ]--- This happened because fscache_cookie_state_machine() was slow and was still running while another process invoked fscache_unuse_cookie(); this led to a fscache_cookie_lru_do_one() call, setting the FSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by fscache_cookie_state_machine(), withdrawing the cookie via cachefiles_withdraw_cookie(), clearing cookie->cache_priv. At the same time, yet another process invoked cachefiles_prepare_write(), which found a NULL pointer in this code line: struct cachefiles_object *object = cachefiles_cres_object(cres); The next line crashes, obviously: struct cachefiles_cache *cache = object->volume->cache; During cachefiles_prepare_write(), the "n_accesses" counter is non-zero (via fscache_begin_operation()). The cookie must not be withdrawn until it drops to zero. The counter is checked by fscache_cookie_state_machine() before switching to FSCACHE_COOKIE_STATE_RELINQUISHING and FSCACHE_COOKIE_STATE_WITHDRAWING (in "case FSCACHE_COOKIE_STATE_FAILED"), but not for FSCACHE_COOKIE_STATE_LRU_DISCARDING ("case FSCACHE_COOKIE_STATE_ACTIVE"). This patch adds the missing check. With a non-zero access counter, the function returns and the next fscache_end_cookie_access() call will queue another fscache_cookie_state_machine() call to handle the still-pending FSCACHE_COOKIE_DO_LRU_DISCARD. CVE-2024-45000 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix RX buf alloc_size alignment and atomic op panic The MANA driver's RX buffer alloc_size is passed into napi_build_skb() to create SKB. skb_shinfo(skb) is located at the end of skb, and its alignment is affected by the alloc_size passed into napi_build_skb(). The size needs to be aligned properly for better performance and atomic operations. Otherwise, on ARM64 CPU, for certain MTU settings like 4000, atomic operations may panic on the skb_shinfo(skb)->dataref due to alignment fault. To fix this bug, add proper alignment to the alloc_size calculation. Sample panic info: [ 253.298819] Unable to handle kernel paging request at virtual address ffff000129ba5cce [ 253.300900] Mem abort info: [ 253.301760] ESR = 0x0000000096000021 [ 253.302825] EC = 0x25: DABT (current EL), IL = 32 bits [ 253.304268] SET = 0, FnV = 0 [ 253.305172] EA = 0, S1PTW = 0 [ 253.306103] FSC = 0x21: alignment fault Call trace: __skb_clone+0xfc/0x198 skb_clone+0x78/0xe0 raw6_local_deliver+0xfc/0x228 ip6_protocol_deliver_rcu+0x80/0x500 ip6_input_finish+0x48/0x80 ip6_input+0x48/0xc0 ip6_sublist_rcv_finish+0x50/0x78 ip6_sublist_rcv+0x1cc/0x2b8 ipv6_list_rcv+0x100/0x150 __netif_receive_skb_list_core+0x180/0x220 netif_receive_skb_list_internal+0x198/0x2a8 __napi_poll+0x138/0x250 net_rx_action+0x148/0x330 handle_softirqs+0x12c/0x3a0 CVE-2024-45001 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: s390: fix validity interception issue when gisa is switched off We might run into a SIE validity if gisa has been disabled either via using kernel parameter "kvm.use_gisa=0" or by setting the related sysfs attribute to N (echo N >/sys/module/kvm/parameters/use_gisa). The validity is caused by an invalid value in the SIE control block's gisa designation. That happens because we pass the uninitialized gisa origin to virt_to_phys() before writing it to the gisa designation. To fix this we return 0 in kvm_s390_get_gisa_desc() if the origin is 0. kvm_s390_get_gisa_desc() is used to determine which gisa designation to set in the SIE control block. A value of 0 in the gisa designation disables gisa usage. The issue surfaces in the host kernel with the following kernel message as soon a new kvm guest start is attemted. kvm: unhandled validity intercept 0x1011 WARNING: CPU: 0 PID: 781237 at arch/s390/kvm/intercept.c:101 kvm_handle_sie_intercept+0x42e/0x4d0 [kvm] Modules linked in: vhost_net tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT xt_tcpudp nft_compat x_tables nf_nat_tftp nf_conntrack_tftp vfio_pci_core irqbypass vhost_vsock vmw_vsock_virtio_transport_common vsock vhost vhost_iotlb kvm nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables sunrpc mlx5_ib ib_uverbs ib_core mlx5_core uvdevice s390_trng eadm_sch vfio_ccw zcrypt_cex4 mdev vfio_iommu_type1 vfio sch_fq_codel drm i2c_core loop drm_panel_orientation_quirks configfs nfnetlink lcs ctcm fsm dm_service_time ghash_s390 prng chacha_s390 libchacha aes_s390 des_s390 libdes sha3_512_s390 sha3_256_s390 sha512_s390 sha256_s390 sha1_s390 sha_common dm_mirror dm_region_hash dm_log zfcp scsi_transport_fc scsi_dh_rdac scsi_dh_emc scsi_dh_alua pkey zcrypt dm_multipath rng_core autofs4 [last unloaded: vfio_pci] CPU: 0 PID: 781237 Comm: CPU 0/KVM Not tainted 6.10.0-08682-gcad9f11498ea #6 Hardware name: IBM 3931 A01 701 (LPAR) Krnl PSW : 0704c00180000000 000003d93deb0122 (kvm_handle_sie_intercept+0x432/0x4d0 [kvm]) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 Krnl GPRS: 000003d900000027 000003d900000023 0000000000000028 000002cd00000000 000002d063a00900 00000359c6daf708 00000000000bebb5 0000000000001eff 000002cfd82e9000 000002cfd80bc000 0000000000001011 000003d93deda412 000003ff8962df98 000003d93de77ce0 000003d93deb011e 00000359c6daf960 Krnl Code: 000003d93deb0112: c020fffe7259 larl %r2,000003d93de7e5c4 000003d93deb0118: c0e53fa8beac brasl %r14,000003d9bd3c7e70 #000003d93deb011e: af000000 mc 0,0 >000003d93deb0122: a728ffea lhi %r2,-22 000003d93deb0126: a7f4fe24 brc 15,000003d93deafd6e 000003d93deb012a: 9101f0b0 tm 176(%r15),1 000003d93deb012e: a774fe48 brc 7,000003d93deafdbe 000003d93deb0132: 40a0f0ae sth %r10,174(%r15) Call Trace: [<000003d93deb0122>] kvm_handle_sie_intercept+0x432/0x4d0 [kvm] ([<000003d93deb011e>] kvm_handle_sie_intercept+0x42e/0x4d0 [kvm]) [<000003d93deacc10>] vcpu_post_run+0x1d0/0x3b0 [kvm] [<000003d93deaceda>] __vcpu_run+0xea/0x2d0 [kvm] [<000003d93dead9da>] kvm_arch_vcpu_ioctl_run+0x16a/0x430 [kvm] [<000003d93de93ee0>] kvm_vcpu_ioctl+0x190/0x7c0 [kvm] [<000003d9bd728b4e>] vfs_ioctl+0x2e/0x70 [<000003d9bd72a092>] __s390x_sys_ioctl+0xc2/0xd0 [<000003d9be0e9222>] __do_syscall+0x1f2/0x2e0 [<000003d9be0f9a90>] system_call+0x70/0x98 Last Breaking-Event-Address: [<000003d9bd3c7f58>] __warn_printk+0xe8/0xf0 CVE-2024-45005 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration re-enumerating full-speed devices after a failed address device command can trigger a NULL pointer dereference. Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size value during enumeration. Usb core calls usb_ep0_reinit() in this case, which ends up calling xhci_configure_endpoint(). On Panther point xHC the xhci_configure_endpoint() function will additionally check and reserve bandwidth in software. Other hosts do this in hardware If xHC address device command fails then a new xhci_virt_device structure is allocated as part of re-enabling the slot, but the bandwidth table pointers are not set up properly here. This triggers the NULL pointer dereference the next time usb_ep0_reinit() is called and xhci_configure_endpoint() tries to check and reserve bandwidth [46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd [46710.713699] usb 3-1: Device not responding to setup address. [46710.917684] usb 3-1: Device not responding to setup address. [46711.125536] usb 3-1: device not accepting address 5, error -71 [46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008 [46711.125600] #PF: supervisor read access in kernel mode [46711.125603] #PF: error_code(0x0000) - not-present page [46711.125606] PGD 0 P4D 0 [46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI [46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1 [46711.125620] Hardware name: Gigabyte Technology Co., Ltd. [46711.125623] Workqueue: usb_hub_wq hub_event [usbcore] [46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c Fix this by making sure bandwidth table pointers are set up correctly after a failed address device command, and additionally by avoiding checking for bandwidth in cases like this where no actual endpoints are added or removed, i.e. only context for default control endpoint 0 is evaluated. CVE-2024-45006 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: char: xillybus: Don't destroy workqueue from work item running on it Triggered by a kref decrement, destroy_workqueue() may be called from within a work item for destroying its own workqueue. This illegal situation is averted by adding a module-global workqueue for exclusive use of the offending work item. Other work items continue to be queued on per-device workqueues to ensure performance. CVE-2024-45007 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: MT - limit max slots syzbot is reporting too large allocation at input_mt_init_slots(), for num_slots is supplied from userspace using ioctl(UI_DEV_CREATE). Since nobody knows possible max slots, this patch chose 1024. CVE-2024-45008 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: char: xillybus: Check USB endpoints when probing device Ensure, as the driver probes the device, that all endpoints that the driver may attempt to access exist and are of the correct type. All XillyUSB devices must have a Bulk IN and Bulk OUT endpoint at address 1. This is verified in xillyusb_setup_base_eps(). On top of that, a XillyUSB device may have additional Bulk OUT endpoints. The information about these endpoints' addresses is deduced from a data structure (the IDT) that the driver fetches from the device while probing it. These endpoints are checked in setup_channels(). A XillyUSB device never has more than one IN endpoint, as all data towards the host is multiplexed in this single Bulk IN endpoint. This is why setup_channels() only checks OUT endpoints. CVE-2024-45011 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: use dma non-coherent allocator Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a BUG() on startup, when the iommu is enabled: kernel BUG at include/linux/scatterlist.h:187! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30 Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019 RIP: 0010:sg_init_one+0x85/0xa0 Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54 24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b 0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00 RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000 RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508 R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018 FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0 Call Trace: <TASK> ? die+0x36/0x90 ? do_trap+0xdd/0x100 ? sg_init_one+0x85/0xa0 ? do_error_trap+0x65/0x80 ? sg_init_one+0x85/0xa0 ? exc_invalid_op+0x50/0x70 ? sg_init_one+0x85/0xa0 ? asm_exc_invalid_op+0x1a/0x20 ? sg_init_one+0x85/0xa0 nvkm_firmware_ctor+0x14a/0x250 [nouveau] nvkm_falcon_fw_ctor+0x42/0x70 [nouveau] ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau] r535_gsp_oneinit+0xb3/0x15f0 [nouveau] ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? nvkm_udevice_new+0x95/0x140 [nouveau] ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? ktime_get+0x47/0xb0 Fix this by using the non-coherent allocator instead, I think there might be a better answer to this, but it involve ripping up some of APIs using sg lists. CVE-2024-45012 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: nvme: move stopping keep-alive into nvme_uninit_ctrl() Commit 4733b65d82bd ("nvme: start keep-alive after admin queue setup") moves starting keep-alive from nvme_start_ctrl() into nvme_init_ctrl_finish(), but don't move stopping keep-alive into nvme_uninit_ctrl(), so keep-alive work can be started and keep pending after failing to start controller, finally use-after-free is triggered if nvme host driver is unloaded. This patch fixes kernel panic when running nvme/004 in case that connection failure is triggered, by moving stopping keep-alive into nvme_uninit_ctrl(). This way is reasonable because keep-alive is now started in nvme_init_ctrl_finish(). CVE-2024-45013 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() For cases where the crtc's connectors_changed was set without enable/active getting toggled , there is an atomic_enable() call followed by an atomic_disable() but without an atomic_mode_set(). This results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in the atomic_enable() as the dpu_encoder's connector was cleared in the atomic_disable() but not re-assigned as there was no atomic_mode_set() call. Fix the NULL ptr access by moving the assignment for atomic_enable() and also use drm_atomic_get_new_connector_for_encoder() to get the connector from the atomic_state. Patchwork: https://patchwork.freedesktop.org/patch/606729/ CVE-2024-45015 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix IPsec RoCE MPV trace call Prevent the call trace below from happening, by not allowing IPsec creation over a slave, if master device doesn't support IPsec. WARNING: CPU: 44 PID: 16136 at kernel/locking/rwsem.c:240 down_read+0x75/0x94 Modules linked in: esp4_offload esp4 act_mirred act_vlan cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa mst_pciconf(OE) nfsv3 nfs_acl nfs lockd grace fscache netfs xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill cuse fuse rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel sha1_ssse3 dell_smbios ib_uverbs aesni_intel crypto_simd dcdbas wmi_bmof dell_wmi_descriptor cryptd pcspkr ib_core acpi_ipmi sp5100_tco ccp i2c_piix4 ipmi_si ptdma k10temp ipmi_devintf ipmi_msghandler acpi_power_meter acpi_cpufreq ext4 mbcache jbd2 sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect mlx5_core sysimgblt fb_sys_fops cec ahci libahci mlxfw drm pci_hyperv_intf libata tg3 sha256_ssse3 tls megaraid_sas i2c_algo_bit psample wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mst_pci] CPU: 44 PID: 16136 Comm: kworker/44:3 Kdump: loaded Tainted: GOE 5.15.0-20240509.el8uek.uek7_u3_update_v6.6_ipsec_bf.x86_64 #2 Hardware name: Dell Inc. PowerEdge R7525/074H08, BIOS 2.0.3 01/15/2021 Workqueue: events xfrm_state_gc_task RIP: 0010:down_read+0x75/0x94 Code: 00 48 8b 45 08 65 48 8b 14 25 80 fc 01 00 83 e0 02 48 09 d0 48 83 c8 01 48 89 45 08 5d 31 c0 89 c2 89 c6 89 c7 e9 cb 88 3b 00 <0f> 0b 48 8b 45 08 a8 01 74 b2 a8 02 75 ae 48 89 c2 48 83 ca 02 f0 RSP: 0018:ffffb26387773da8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffa08b658af900 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ff886bc5e1366f2f RDI: 0000000000000000 RBP: ffffa08b658af940 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0a9bfb31540 R13: ffffa0a9bfb37900 R14: 0000000000000000 R15: ffffa0a9bfb37905 FS: 0000000000000000(0000) GS:ffffa0a9bfb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055a45ed814e8 CR3: 000000109038a000 CR4: 0000000000350ee0 Call Trace: <TASK> ? show_trace_log_lvl+0x1d6/0x2f9 ? show_trace_log_lvl+0x1d6/0x2f9 ? mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core] ? down_read+0x75/0x94 ? __warn+0x80/0x113 ? down_read+0x75/0x94 ? report_bug+0xa4/0x11d ? handle_bug+0x35/0x8b ? exc_invalid_op+0x14/0x75 ? asm_exc_invalid_op+0x16/0x1b ? down_read+0x75/0x94 ? down_read+0xe/0x94 mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core] mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core] tx_destroy+0x1b/0xc0 [mlx5_core] tx_ft_put+0x53/0xc0 [mlx5_core] mlx5e_xfrm_free_state+0x45/0x90 [mlx5_core] ___xfrm_state_destroy+0x10f/0x1a2 xfrm_state_gc_task+0x81/0xa9 process_one_work+0x1f1/0x3c6 worker_thread+0x53/0x3e4 ? process_one_work.cold+0x46/0x3c kthread+0x127/0x144 ? set_kthread_struct+0x60/0x52 ret_from_fork+0x22/0x2d </TASK> ---[ end trace 5ef7896144d398e1 ]--- CVE-2024-45017 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: initialise extack before use Fix missing initialisation of extack in flow offload. CVE-2024-45018 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Take state lock during tx timeout reporter mlx5e_safe_reopen_channels() requires the state lock taken. The referenced changed in the Fixes tag removed the lock to fix another issue. This patch adds it back but at a later point (when calling mlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the Fixes tag. CVE-2024-45019 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a kernel verifier crash in stacksafe() Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code: if (exact != NOT_EXACT && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; The 'i' iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack the out-of-bound access will happen. To fix the issue add 'i >= cur->allocated_stack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal. CVE-2024-45020 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 The __vmap_pages_range_noflush() assumes its argument pages** contains pages with the same page shift. However, since commit e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes __GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation failed for high order, the pages** may contain two different page shifts (high order and order-0). This could lead __vmap_pages_range_noflush() to perform incorrect mappings, potentially resulting in memory corruption. Users might encounter this as follows (vmap_allow_huge = true, 2M is for PMD_SIZE): kvmalloc(2M, __GFP_NOFAIL|GFP_X) __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP) vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0 vmap_pages_range() vmap_pages_range_noflush() __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens We can remove the fallback code because if a high-order allocation fails, __vmalloc_node_range_noprof() will retry with order-0. Therefore, it is unnecessary to fallback to order-0 here. Therefore, fix this by removing the fallback code. CVE-2024-45022 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix data corruption for degraded array with slow disk read_balance() will avoid reading from slow disks as much as possible, however, if valid data only lands in slow disks, and a new normal disk is still in recovery, unrecovered data can be read: raid1_read_request read_balance raid1_should_read_first -> return false choose_best_rdev -> normal disk is not recovered, return -1 choose_bb_rdev -> missing the checking of recovery, return the normal disk -> read unrecovered data Root cause is that the checking of recovery is missing in choose_bb_rdev(). Hence add such checking to fix the problem. Also fix similar problem in choose_slow_rdev(). CVE-2024-45023 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix error recovery leading to data corruption on ESE devices Extent Space Efficient (ESE) or thin provisioned volumes need to be formatted on demand during usual IO processing. The dasd_ese_needs_format function checks for error codes that signal the non existence of a proper track format. The check for incorrect length is to imprecise since other error cases leading to transport of insufficient data also have this flag set. This might lead to data corruption in certain error cases for example during a storage server warmstart. Fix by removing the check for incorrect length and replacing by explicitly checking for invalid track format in transport mode. Also remove the check for file protected since this is not a valid ESE handling case. CVE-2024-45026 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mmc: mmc_test: Fix NULL dereference on allocation failure If the "test->highmem = alloc_pages()" allocation fails then calling __free_pages(test->highmem) will result in a NULL dereference. Also change the error code to -ENOMEM instead of returning success. CVE-2024-45028 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: Do not mark ACPI devices as irq safe On ACPI machines, the tegra i2c module encounters an issue due to a mutex being called inside a spinlock. This leads to the following bug: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 ... Call trace: __might_sleep __mutex_lock_common mutex_lock_nested acpi_subsys_runtime_resume rpm_resume tegra_i2c_xfer The problem arises because during __pm_runtime_resume(), the spinlock &dev->power.lock is acquired before rpm_resume() is called. Later, rpm_resume() invokes acpi_subsys_runtime_resume(), which relies on mutexes, triggering the error. To address this issue, devices on ACPI are now marked as not IRQ-safe, considering the dependency of acpi_subsys_runtime_resume() on mutexes. CVE-2024-45029 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: igb: cope with large MAX_SKB_FRAGS Sabrina reports that the igb driver does not cope well with large MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload corruption on TX. An easy reproducer is to run ssh to connect to the machine. With MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails. This has been reported originally in https://bugzilla.redhat.com/show_bug.cgi?id=2265320 The root cause of the issue is that the driver does not take into account properly the (possibly large) shared info size when selecting the ring layout, and will try to fit two packets inside the same 4K page even when the 1st fraglist will trump over the 2nd head. Address the issue by checking if 2K buffers are insufficient. CVE-2024-45030 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the driver for SAE/OWE offload cases") SSID based PMKSA del commands. brcmfmac is not prepared and tries to dereference the NULL bssid and pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based updates so copy the SSID. CVE-2024-46672 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: aacraid: Fix double-free on probe failure aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter(). If aac_init_adapter() fails after allocating memory for aac_dev::queues, it frees the memory but does not clear that member. After the hardware-specific init function returns an error, aac_probe_one() goes down an error path that frees the memory pointed to by aac_dev::queues, resulting.in a double-free. CVE-2024-46673 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: st: fix probed platform device ref count on probe error path The probe function never performs any paltform device allocation, thus error path "undo_platform_dev_alloc" is entirely bogus. It drops the reference count from the platform device being probed. If error path is triggered, this will lead to unbalanced device reference counts and premature release of device resources, thus possible use-after-free when releasing remaining devm-managed resources. CVE-2024-46674 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Prevent USB core invalid event buffer address access This commit addresses an issue where the USB core could access an invalid event buffer address during runtime suspend, potentially causing SMMU faults and other memory issues in Exynos platforms. The problem arises from the following sequence. 1. In dwc3_gadget_suspend, there is a chance of a timeout when moving the USB core to the halt state after clearing the run/stop bit by software. 2. In dwc3_core_exit, the event buffer is cleared regardless of the USB core's status, which may lead to an SMMU faults and other memory issues. if the USB core tries to access the event buffer address. To prevent this hardware quirk on Exynos platforms, this commit ensures that the event buffer address is not cleared by software when the USB core is active during runtime suspend by checking its status before clearing the buffer address. CVE-2024-46675 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Add poll mod list filling check In case of im_protocols value is 1 and tm_protocols value is 0 this combination successfully passes the check 'if (!im_protocols && !tm_protocols)' in the nfc_start_poll(). But then after pn533_poll_create_mod_list() call in pn533_start_poll() poll mod list will remain empty and dev->poll_mod_count will remain 0 which lead to division by zero. Normally no im protocol has value 1 in the mask, so this combination is not expected by driver. But these protocol values actually come from userspace via Netlink interface (NFC_CMD_START_POLL operation). So a broken or malicious program may pass a message containing a "bad" combination of protocol parameter values so that dev->poll_mod_count is not incremented inside pn533_poll_create_mod_list(), thus leading to division by zero. Call trace looks like: nfc_genl_start_poll() nfc_start_poll() ->start_poll() pn533_start_poll() Add poll mod list filling check. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-46676 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: gtp: fix a potential NULL pointer dereference When sockfd_lookup() fails, gtp_encap_enable_socket() returns a NULL pointer, but its callers only check for error pointers thus miss the NULL pointer case. Fix it by returning an error pointer with the error code carried from sockfd_lookup(). (I found this bug during code inspection.) CVE-2024-46677 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ethtool: check device is present when getting link settings A sysfs reader can race with a device reset or removal, attempting to read device state when the device is not actually present. eg: [exception RIP: qed_get_current_link+17] #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede] #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3 #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4 #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300 #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3 #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1 #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb crash> struct net_device.state ffff9a9d21336000 state = 5, state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100). The device is not present, note lack of __LINK_STATE_PRESENT (0b10). This is the same sort of panic as observed in commit 4224cfd7fb65 ("net-sysfs: add check for netdevice being present to speed_show"). There are many other callers of __ethtool_get_link_ksettings() which don't have a device presence check. Move this check into ethtool to protect all callers. CVE-2024-46679 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: single: fix potential NULL dereference in pcs_get_function() pinmux_generic_get_function() can return NULL and the pointer 'function' was dereferenced without checking against NULL. Add checking of pointer 'function' in pcs_get_function(). Found by code review. CVE-2024-46685 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() This happens when called from SMB2_read() while using rdma and reaching the rdma_readwrite_threshold. CVE-2024-46686 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() [BUG] There is an internal report that KASAN is reporting use-after-free, with the following backtrace: BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs] Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45 CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x5e/0x2f0 print_report+0x118/0x216 kasan_report+0x11d/0x1f0 btrfs_check_read_bio+0xa68/0xb70 [btrfs] process_one_work+0xce0/0x12a0 worker_thread+0x717/0x1250 kthread+0x2e3/0x3c0 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x11/0x20 Allocated by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x7d/0x80 kmem_cache_alloc_noprof+0x16e/0x3e0 mempool_alloc_noprof+0x12e/0x310 bio_alloc_bioset+0x3f0/0x7a0 btrfs_bio_alloc+0x2e/0x50 [btrfs] submit_extent_page+0x4d1/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 20917: kasan_save_stack+0x37/0x60 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x4b/0x60 kmem_cache_free+0x214/0x5d0 bio_free+0xed/0x180 end_bbio_data_read+0x1cc/0x580 [btrfs] btrfs_submit_chunk+0x98d/0x1880 [btrfs] btrfs_submit_bio+0x33/0x70 [btrfs] submit_one_bio+0xd4/0x130 [btrfs] submit_extent_page+0x3ea/0xdb0 [btrfs] btrfs_do_readpage+0x8b4/0x12a0 [btrfs] btrfs_readahead+0x29a/0x430 [btrfs] read_pages+0x1a7/0xc60 page_cache_ra_unbounded+0x2ad/0x560 filemap_get_pages+0x629/0xa20 filemap_read+0x335/0xbf0 vfs_read+0x790/0xcb0 ksys_read+0xfd/0x1d0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [CAUSE] Although I cannot reproduce the error, the report itself is good enough to pin down the cause. The call trace is the regular endio workqueue context, but the free-by-task trace is showing that during btrfs_submit_chunk() we already hit a critical error, and is calling btrfs_bio_end_io() to error out. And the original endio function called bio_put() to free the whole bio. This means a double freeing thus causing use-after-free, e.g.: 1. Enter btrfs_submit_bio() with a read bio The read bio length is 128K, crossing two 64K stripes. 2. The first run of btrfs_submit_chunk() 2.1 Call btrfs_map_block(), which returns 64K 2.2 Call btrfs_split_bio() Now there are two bios, one referring to the first 64K, the other referring to the second 64K. 2.3 The first half is submitted. 3. The second run of btrfs_submit_chunk() 3.1 Call btrfs_map_block(), which by somehow failed Now we call btrfs_bio_end_io() to handle the error 3.2 btrfs_bio_end_io() calls the original endio function Which is end_bbio_data_read(), and it calls bio_put() for the original bio. Now the original bio is freed. 4. The submitted first 64K bio finished Now we call into btrfs_check_read_bio() and tries to advance the bio iter. But since the original bio (thus its iter) is already freed, we trigger the above use-after free. And even if the memory is not poisoned/corrupted, we will later call the original endio function, causing a double freeing. [FIX] Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(), which has the extra check on split bios and do the pr ---truncated--- CVE-2024-46687 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: cmd-db: Map shared memory as WC, not WB Linux does not write into cmd-db region. This region of memory is write protected by XPU. XPU may sometime falsely detect clean cache eviction as "write" into the write protected region leading to secure interrupt which causes an endless loop somewhere in Trust Zone. The only reason it is working right now is because Qualcomm Hypervisor maps the same region as Non-Cacheable memory in Stage 2 translation tables. The issue manifests if we want to use another hypervisor (like Xen or KVM), which does not know anything about those specific mappings. Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC removes dependency on correct mappings in Stage 2 tables. This patch fixes the issue by updating the mapping to MEMREMAP_WC. I tested this on SA8155P with Xen. CVE-2024-46689 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Move unregister out of atomic section Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping")' moved the pmic_glink client list under a spinlock, as it is accessed by the rpmsg/glink callback, which in turn is invoked from IRQ context. This means that ucsi_unregister() is now called from atomic context, which isn't feasible as it's expecting a sleepable context. An effort is under way to get GLINK to invoke its callbacks in a sleepable context, but until then lets schedule the unregistration. A side effect of this is that ucsi_unregister() can now happen after the remote processor, and thereby the communication link with it, is gone. pmic_glink_send() is amended with a check to avoid the resulting NULL pointer dereference. This does however result in the user being informed about this error by the following entry in the kernel log: ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5 CVE-2024-46691 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: scm: Mark get_wq_ctx() as atomic call Currently get_wq_ctx() is wrongly configured as a standard call. When two SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to resume the corresponding sleeping thread. But if get_wq_ctx() is interrupted, goes to sleep and another SMC call is waiting to be allocated a waitq context, it leads to a deadlock. To avoid this get_wq_ctx() must be an atomic call and can't be a standard SMC call. Hence mark get_wq_ctx() as a fast call. CVE-2024-46692 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink: Fix race during initialization As pointed out by Stephen Boyd it is possible that during initialization of the pmic_glink child drivers, the protection-domain notifiers fires, and the associated work is scheduled, before the client registration returns and as a result the local "client" pointer has been initialized. The outcome of this is a NULL pointer dereference as the "client" pointer is blindly dereferenced. Timeline provided by Stephen: CPU0 CPU1 ---- ---- ucsi->client = NULL; devm_pmic_glink_register_client() client->pdr_notify(client->priv, pg->client_state) pmic_glink_ucsi_pdr_notify() schedule_work(&ucsi->register_work) <schedule away> pmic_glink_ucsi_register() ucsi_register() pmic_glink_ucsi_read_version() pmic_glink_ucsi_read() pmic_glink_ucsi_read() pmic_glink_send(ucsi->client) <client is NULL BAD> ucsi->client = client // Too late! This code is identical across the altmode, battery manager and usci child drivers. Resolve this by splitting the allocation of the "client" object and the registration thereof into two operations. This only happens if the protection domain registry is populated at the time of registration, which by the introduction of commit '1ebcde047c54 ("soc: qcom: add pd-mapper implementation")' became much more likely. CVE-2024-46693 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid using null object of framebuffer Instead of using state->fb->obj[0] directly, get object from framebuffer by calling drm_gem_fb_get_obj() and return error code when object is null to avoid using null object of framebuffer. (cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3) CVE-2024-46694 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: selinux,smack: don't bypass permissions check in inode_setsecctx hook Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode's i_mutex before it * is executed. It also assumes that the caller will make the appropriate * permission checks. nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don't do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks do. Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label. CVE-2024-46695 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Mark XDomain as unplugged when router is removed I noticed that when we do discrete host router NVM upgrade and it gets hot-removed from the PCIe side as a result of NVM firmware authentication, if there is another host connected with enabled paths we hang in tearing them down. This is due to fact that the Thunderbolt networking driver also tries to cleanup the paths and ends up blocking in tb_disconnect_xdomain_paths() waiting for the domain lock. However, at this point we already cleaned the paths in tb_stop() so there is really no need for tb_disconnect_xdomain_paths() to do that anymore. Furthermore it already checks if the XDomain is unplugged and bails out early so take advantage of that and mark the XDomain as unplugged when we remove the parent router. CVE-2024-46702 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tty: serial: fsl_lpuart: mark last busy before uart_add_one_port With "earlycon initcall_debug=1 loglevel=8" in bootargs, kernel sometimes boot hang. It is because normal console still is not ready, but runtime suspend is called, so early console putchar will hang in waiting TRDE set in UARTSTAT. The lpuart driver has auto suspend delay set to 3000ms, but during uart_add_one_port, a child device serial ctrl will added and probed with its pm runtime enabled(see serial_ctrl.c). The runtime suspend call path is: device_add |-> bus_probe_device |->device_initial_probe |->__device_attach |-> pm_runtime_get_sync(dev->parent); |-> pm_request_idle(dev); |-> pm_runtime_put(dev->parent); So in the end, before normal console ready, the lpuart get runtime suspended. And earlycon putchar will hang. To address the issue, mark last busy just after pm_runtime_enable, three seconds is long enough to switch from bootconsole to normal console. CVE-2024-46706 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 On a system with a GICv3, if a guest hasn't been configured with GICv3 and that the host is not capable of GICv2 emulation, a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2. We therefore try to emulate the SGI access, only to hit a NULL pointer as no private interrupt is allocated (no GIC, remember?). The obvious fix is to give the guest what it deserves, in the shape of a UNDEF exception. CVE-2024-46707 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix prime with external buffers Make sure that for external buffers mapping goes through the dma_buf interface instead of trying to access pages directly. External buffers might not provide direct access to readable/writable pages so to make sure the bo's created from external dma_bufs can be read dma_buf interface has to be used. Fixes crashes in IGT's kms_prime with vgem. Regular desktop usage won't trigger this due to the fact that virtual machines will not have multiple GPUs but it enables better test coverage in IGT. CVE-2024-46709 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Prevent unmapping active read buffers The kms paths keep a persistent map active to read and compare the cursor buffer. These maps can race with each other in simple scenario where: a) buffer "a" mapped for update b) buffer "a" mapped for compare c) do the compare d) unmap "a" for compare e) update the cursor f) unmap "a" for update At step "e" the buffer has been unmapped and the read contents is bogus. Prevent unmapping of active read buffers by simply keeping a count of how many paths have currently active maps and unmap only when the count reaches 0. CVE-2024-46710 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix ID 0 endp usage after multiple re-creations 'local_addr_used' and 'add_addr_accepted' are decremented for addresses not related to the initial subflow (ID0), because the source and destination addresses of the initial subflows are known from the beginning: they don't count as "additional local address being used" or "ADD_ADDR being accepted". It is then required not to increment them when the entrypoint used by the initial subflow is removed and re-added during a connection. Without this modification, this entrypoint cannot be removed and re-added more than once. CVE-2024-46711 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip wbscl_set_scaler_filter if filter is null Callers can pass null in filter (i.e. from returned from the function wbscl_get_filter_coeffs_16p) and a null check is added to ensure that is not the case. This fixes 4 NULL_RETURNS issues reported by Coverity. CVE-2024-46714 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: driver: iio: add missing checks on iio_info's callback access Some callbacks from iio_info structure are accessed without any check, so if a driver doesn't implement them trying to access the corresponding sysfs entries produce a kernel oops such as: [ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute [...] [ 2203.783416] Call trace: [ 2203.783429] iio_read_channel_info_avail from dev_attr_show+0x18/0x48 [ 2203.789807] dev_attr_show from sysfs_kf_seq_show+0x90/0x120 [ 2203.794181] sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4 [ 2203.798555] seq_read_iter from vfs_read+0x238/0x2a0 [ 2203.802236] vfs_read from ksys_read+0xa4/0xd4 [ 2203.805385] ksys_read from ret_fast_syscall+0x0/0x54 [ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0) [ 2203.812880] dfa0: 00000003 b6f10f80 00000003 b6eab000 00020000 00000000 [ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000 [ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0 [ 2203.830363] Code: bad PC value [ 2203.832695] ---[ end trace 0000000000000000 ]--- CVE-2024-46715 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor Remove list_del call in msgdma_chan_desc_cleanup, this should be the role of msgdma_free_descriptor. In consequence replace list_add_tail with list_move_tail in msgdma_free_descriptor. This fixes the path: msgdma_free_chan_resources -> msgdma_free_descriptors -> msgdma_free_desc_list -> msgdma_free_descriptor which does not correctly free the descriptors as first nodes were not removed from the list. CVE-2024-46716 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: SHAMPO, Fix incorrect page release Under the following conditions: 1) No skb created yet 2) header_size == 0 (no SHAMPO header) 3) header_index + 1 % MLX5E_SHAMPO_WQ_HEADER_PER_PAGE == 0 (this is the last page fragment of a SHAMPO header page) a new skb is formed with a page that is NOT a SHAMPO header page (it is a regular data page). Further down in the same function (mlx5e_handle_rx_cqe_mpwrq_shampo()), a SHAMPO header page from header_index is released. This is wrong and it leads to SHAMPO header pages being released more than once. CVE-2024-46717 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Fix null pointer dereference in trace ucsi_register_altmode checks IS_ERR for the alt pointer and treats NULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled, ucsi_register_displayport returns NULL which causes a NULL pointer dereference in trace. Rather than return NULL, call typec_port_register_altmode to register DisplayPort alternate mode as a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled. CVE-2024-46719 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix dereference after null check check the pointer hive before use. CVE-2024-46720 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds. CVE-2024-46722 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds. CVE-2024-46723 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error CVE-2024-46724 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning CVE-2024-46725 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Ensure index calculation will not overflow [WHY & HOW] Make sure vmid0p72_idx, vnom0p8_idx and vmax0p9_idx calculation will never overflow and exceess array size. This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity. CVE-2024-46726 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update [Why] Coverity reports NULL_RETURN warning. [How] Add otg_master NULL check. CVE-2024-46727 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check index for aux_rd_interval before using aux_rd_interval has size of 7 and should be checked. This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity. CVE-2024-46728 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix incorrect size calculation for loop [WHY] fe_clk_en has size of 5 but sizeof(fe_clk_en) has byte size 20 which is lager than the array size. [HOW] Divide byte size 20 by its element size. This fixes 2 OVERRUN issues reported by Coverity. CVE-2024-46729 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Ensure array index tg_inst won't be -1 [WHY & HOW] tg_inst will be a negative if timing_generator_count equals 0, which should be checked before used. This fixes 2 OVERRUN issues reported by Coverity. CVE-2024-46730 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: fix the Out-of-bounds read warning using index i - 1U may beyond element index for mc_data[] when i = 0. CVE-2024-46731 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign linear_pitch_alignment even for VM [Description] Assign linear_pitch_alignment so we don't cause a divide by 0 error in VM environments CVE-2024-46732 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between direct IO write and fsync when using same fd If we have 2 threads that are using the same file descriptor and one of them is doing direct IO writes while the other is doing fsync, we have a race where we can end up either: 1) Attempt a fsync without holding the inode's lock, triggering an assertion failures when assertions are enabled; 2) Do an invalid memory access from the fsync task because the file private points to memory allocated on stack by the direct IO task and it may be used by the fsync task after the stack was destroyed. The race happens like this: 1) A user space program opens a file descriptor with O_DIRECT; 2) The program spawns 2 threads using libpthread for example; 3) One of the threads uses the file descriptor to do direct IO writes, while the other calls fsync using the same file descriptor. 4) Call task A the thread doing direct IO writes and task B the thread doing fsyncs; 5) Task A does a direct IO write, and at btrfs_direct_write() sets the file's private to an on stack allocated private with the member 'fsync_skip_inode_lock' set to true; 6) Task B enters btrfs_sync_file() and sees that there's a private structure associated to the file which has 'fsync_skip_inode_lock' set to true, so it skips locking the inode's VFS lock; 7) Task A completes the direct IO write, and resets the file's private to NULL since it had no prior private and our private was stack allocated. Then it unlocks the inode's VFS lock; 8) Task B enters btrfs_get_ordered_extents_for_logging(), then the assertion that checks the inode's VFS lock is held fails, since task B never locked it and task A has already unlocked it. The stack trace produced is the following: assertion failed: inode_is_locked(&inode->vfs_inode), in fs/btrfs/ordered-data.c:983 ------------[ cut here ]------------ kernel BUG at fs/btrfs/ordered-data.c:983! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 9 PID: 5072 Comm: worker Tainted: G U OE 6.10.5-1-default #1 openSUSE Tumbleweed 69f48d427608e1c09e60ea24c6c55e2ca1b049e8 Hardware name: Acer Predator PH315-52/Covini_CFS, BIOS V1.12 07/28/2020 RIP: 0010:btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs] Code: 50 d6 86 c0 e8 (...) RSP: 0018:ffff9e4a03dcfc78 EFLAGS: 00010246 RAX: 0000000000000054 RBX: ffff9078a9868e98 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff907dce4a7800 RDI: ffff907dce4a7800 RBP: ffff907805518800 R08: 0000000000000000 R09: ffff9e4a03dcfb38 R10: ffff9e4a03dcfb30 R11: 0000000000000003 R12: ffff907684ae7800 R13: 0000000000000001 R14: ffff90774646b600 R15: 0000000000000000 FS: 00007f04b96006c0(0000) GS:ffff907dce480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f32acbfc000 CR3: 00000001fd4fa005 CR4: 00000000003726f0 Call Trace: <TASK> ? __die_body.cold+0x14/0x24 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x6a/0x90 ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] ? exc_invalid_op+0x50/0x70 ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] ? asm_exc_invalid_op+0x1a/0x20 ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] btrfs_sync_file+0x21a/0x4d0 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a] ? __seccomp_filter+0x31d/0x4f0 __x64_sys_fdatasync+0x4f/0x90 do_syscall_64+0x82/0x160 ? do_futex+0xcb/0x190 ? __x64_sys_futex+0x10e/0x1d0 ? switch_fpu_return+0x4f/0xd0 ? syscall_exit_to_user_mode+0x72/0x220 ? do_syscall_64+0x8e/0x160 ? syscall_exit_to_user_mod ---truncated--- CVE-2024-46734 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> CVE-2024-46735 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails. CVE-2024-46737 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove(). CVE-2024-46738 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel. CVE-2024-46739 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf. CVE-2024-46741 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 important In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node (from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg="func of_irq_parse_* +p"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size. CVE-2024-46743 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a "KMSAN: uninit-value in pick_link" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake. CVE-2024-46744 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts. CVE-2024-46745 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] <TASK> [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated--- CVE-2024-46746 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it CVE-2024-46747 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 [ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]--- CVE-2024-46749 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: <TASK> ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com] CVE-2024-46750 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message. CVE-2024-46751 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory). CVE-2024-46752 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error. CVE-2024-46753 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something else than NL80211_IFTYPE_UNSPECIFIED. Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid="somessid" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk="12345678" } When waiting for the AP to be established, interrupting wpa_supplicant with <ctrl-c> and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]--- CVE-2024-46755 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-46756 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 low ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-46757 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 low ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-46758 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. CVE-2024-46759 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status. CVE-2024-46760 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed. CVE-2024-46761 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it. CVE-2024-46767 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. [0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 </TASK> remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456' CVE-2024-46771 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity. CVE-2024-46772 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity. CVE-2024-46773 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. CVE-2024-46774 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity. CVE-2024-46776 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. This fixes 1 REVERSE_INULL issue reported by Coverity. CVE-2024-46778 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore "nilfs->ns_sem". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it. CVE-2024-46780 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts. CVE-2024-46781 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] __se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]--- CVE-2024-46783 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? skb_dequeue+0x5f/0x80 CVE-2024-46784 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: <IRQ> tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 </TASK> Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module. CVE-2024-46786 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: userfaultfd: fix checks for huge PMDs Patch series "userfaultfd: fix races around pmd_trans_huge() check", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ <zap PMD> pmdp_get_lockless() [reads none pmd] <bail if trans_huge> <if none:> <pagefault creates transhuge zeropage> __pte_alloc [no-op] <zap PMD> <bail if pmd_trans_huge(*dst_pmd)> BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. On kernels newer than commit 0d940a9b270b ("mm/pgtable: allow pte_offset_map[_lock]() to fail"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no "struct page" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding "struct page" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels. CVE-2024-46787 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() <interrupt> mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running. CVE-2024-46791 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ] CVE-2024-46794 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 low In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the "next" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's "next" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \ --maximize --oomable --verify --syslog \ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ▼ | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ▼ | Interrupt | (happens before "nodes[0].lock = B") | | | ▼ | spin_lock_irqsave(A) | | | ▼ | id = qnodesp->count++ | nodes[1].lock = A | | | ▼ | Tail of MCS queue | | spin_lock_irqsave(A) ▼ | Head of MCS queue ▼ | CPU0 is previous tail ▼ | Spin indefinitely ▼ (until "nodes[1].next != NULL") prev = get_tail_qnode(A, CPU0) | ▼ prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated--- CVE-2024-46797 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it. CVE-2024-46798 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility. CVE-2024-46822 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:kernel-default-6.4.0-150600.23.25.1 moderate A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. CVE-2024-9287 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:python3-3.6.15-150300.10.75.1 moderate When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended. CVE-2024-9681 Public Cloud Image google/sles-15-sp6-chost-byos-v20241111-x86-64:libcurl4-8.6.0-150600.4.12.1 moderate