SUSE-IU-2024:720-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:720-1 Interim 1 1 2026-03-19T08:54:12Z current 2024-08-07T01:00:00Z 2024-08-07T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:720-1 / google/sles-15-sp6-chost-byos-v20240807-x86-64 This image update for google/sles-15-sp6-chost-byos-v20240807-x86-64 contains the following changes: Package bind was updated: - Update to release 9.18.28 Bug Fixes: * Command-line options for IPv4-only (named -4) and IPv6-only (named -6) modes are now respected for zone primaries, also-notify, and parental-agents. * An RPZ response’s SOA record TTL was set to 1 instead of the SOA TTL, if add-soa was used. This has been fixed. * When a query related to zone maintenance (NOTIFY, SOA) timed out close to a view shutdown (triggered e.g. by rndc reload), named could crash with an assertion failure. This has been fixed. * The statistics channel counters that indicated the number of currently connected TCP IPv4/IPv6 clients were not properly adjusted in certain failure scenarios. This has been fixed. * Some servers that could not be reached due to EHOSTDOWN or ENETDOWN conditions were incorrectly prioritized during server selection. These are now properly handled as unreachable. * On some systems the libuv call may return an error code when sending a TCP reset for a connection, which triggers an assertion failure in named. This error condition is now dealt with in a more graceful manner, by logging the incident and shutting down the connection. * Changes to listen-on statements were ignored on reconfiguration unless the port or interface address was changed, making it impossible to change a related listener transport type. That issue has been fixed. * A bug in the keymgr code unintentionally slowed down some DNSSEC key rollovers. This has been fixed. * Some ISO 8601 durations were accepted erroneously, leading to shorter durations than expected. This has been fixed * A regression in cache-cleaning code enabled memory use to grow significantly more quickly than before, until the configured max-cache-size limit was reached. This has been fixed. * Using rndc flush inadvertently caused cache cleaning to become less effective. This could ultimately lead to the configured max-cache-size limit being exceeded and has now been fixed. * The logic for cleaning up expired cached DNS records was tweaked to be more aggressive. This change helps with enforcing max-cache-ttl and max-ncache-ttl in a timely manner. * It was possible to trigger a use-after-free assertion when the overmem cache cleaning was initiated. This has been fixed. New Features: * A new option signatures-jitter has been added to dnssec-policy to allow signature expirations to be spread out over a period of time. * The statistics channel now includes counters that indicate the number of currently connected TCP IPv4/IPv6 clients. * Added RESOLVER.ARPA to the built in empty zones. Feature Changes: * DNSSEC signatures that are not valid because the current time falls outside the signature inception and expiration dates are skipped instead of causing an immediate validation failure. Security Fixes: * A malicious DNS client that sent many queries over TCP but never read the responses could cause a server to respond slowly or not at all for other clients. This has been fixed. (CVE-2024-0760) [bsc#1228255] * It is possible to craft excessively large resource records sets, which have the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in a cache or zone database. The default is 100, which can be tuned with the new max-records-per-type option. * It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in a cache or zone database. The default is 100, which can be tuned with the new max-types-per-name option. (CVE-2024-1737) [bsc#1228256] * Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause excessive CPU load, leading to a denial-of-service condition. Support for SIG(0) message validation was removed from this version of named. (CVE-2024-1975) [bsc#1228257] * Due to a logic error, lookups that triggered serving stale data and required lookups in local authoritative zone data could have resulted in an assertion failure. This has been fixed. * Potential data races were found in our DoH implementation, related to HTTP/2 session object management and endpoints set object management after reconfiguration. These issues have been fixed. * When looking up the NS records of parent zones as part of looking up DS records, it was possible for named to trigger an assertion failure if serve-stale was enabled. This has been fixed. (CVE-2024-4076) [bsc#1228258] Package docker was updated: [NOTE: This update was only ever released in SLES and Leap.]- Update to Docker 25.0.6-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/25.0/#2506&gt; - This update includes a fix for CVE-2024-41110. bsc#1228324 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch * 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Fix BuildKit's symlink resolution logic to correctly handle non-lexical symlinks. Backport of &lt;https://github.com/moby/buildkit/pull/4896&gt; and &lt;https://github.com/moby/buildkit/pull/5060&gt;. bsc#1221916 + 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch - Write volume options atomically so sudden system crashes won't result in future Docker starts failing due to empty files. Backport of &lt;https://github.com/moby/moby/pull/48034&gt;. bsc#1214855 + 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch [NOTE: This update was only ever released in SLES and Leap.] - Update to Docker 25.0.5-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/25.0/#2505&gt; bsc#1223409 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Remove upstreamed patches: - 0007-daemon-overlay2-remove-world-writable-permission-fro.patch - Update --add-runtime to point to correct binary path. Package dracut was updated: - Update to version 059+suse.527.g7870f083: * feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529) * fix(mdraid): try to assemble the missing raid device (bsc#1226412) * fix(dracut-install): continue parsing if ldd prints &quot;cannot be preloaded&quot; (bsc#1208690) Package kernel-default was updated: - HID: wacom: Modify pen IDs (git-fixes).- commit 9c450d7 - Move upstreamed ASoC patch into sorted section - commit adae4df - xfs: add bounds checking to xlog_recover_process_data (bsc#1228408 CVE-2024-41014). - commit bb0300d - xfs: don't walk off the end of a directory data block (bsc#1228405 CVE-2024-41013). - commit 8a0b7eb - jfs: don't walk off the end of ealist (bsc#1228403 CVE-2024-41017). - commit 4159bc5 - ext4: fold quota accounting into ext4_xattr_inode_lookup_create() (bsc#1227910 CVE-2024-40972). - commit 94f6f2b - ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() (bsc#1226993 CVE-2024-39276). - commit d72f4d7 - block: fix request.queuelist usage in flush (bsc#1227789 CVE-2024-40925). - commit 4903430 - supported.conf: mark vdpa modules supported (jsc#PED-8954) - commit 483ffd4 - ext4: do not create EA inode under buffer lock (bsc#1227910 CVE-2024-40972). - commit 37fb4de - ext4: fix uninitialized ratelimit_state-&gt;lock access in __ext4_fill_super() (bsc#1227866 CVE-2024-40998). - commit cefc508 - Update patch reference of AMDGPU fix (CVE-2024-41011 bsc#1228115) - commit 96de263 - ceph: fix incorrect kmalloc size of pagevec mempool (bsc#1228417). - commit 84977b0 - ima: Fix use-after-free on a dentry's dname.name (bsc#1227716 CVE-2024-39494). - commit f7cf8d6 - btrfs: zoned: fix use-after-free due to race with dev replace (bsc#1227719 CVE-2024-39496). - commit c878f86 - tun: add missing verification for short frame (CVE-2024-41091 bsc#1228327). - tap: add missing verification for short frame (CVE-2024-41090 bsc#1228328). - net: ena: Add validation for completion descriptors consistency (CVE-2024-40999 bsc#1227913). - commit 7fa5ae2 - Refresh patches.kabi/tty-add-the-option-to-have-a-tty-reject-a-new-ldisc.patch. Fix build for CONFIG_VT=n (ppc64le/kvmsmall). - commit 9280ac5 - spi: spidev: add correct compatible for Rohm BH2228FV (git-fixes). - spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer (git-fixes). - spi: microchip-core: only disable SPI controller when register value change requires it (git-fixes). - spi: microchip-core: defer asserting chip select until just before write to TX FIFO (git-fixes). - spi: microchip-core: fix the issues in the isr (git-fixes). - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use (git-fixes). - decompress_bunzip2: fix rare decompression failure (git-fixes). - commit 536a80d - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera (stable-fixes). - ALSA: usb-audio: Move HD Webcam quirk to the right place (git-fixes). - ALSA: usb-audio: Fix microphone sound on HD webcam (stable-fixes). - commit 07826dc - auxdisplay: ht16k33: Drop reference after LED registration (git-fixes). - ASoC: SOF: ipc4-topology: Preserve the DMA Link ID for ChainDMA on unprepare (git-fixes). - ASoC: TAS2781: Fix tasdev_load_calibrated_data() (git-fixes). - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable (git-fixes). - ASoC: sof: amd: fix for firmware reload failure in Vangogh platform (git-fixes). - ASoC: SOF: imx8m: Fix DSP control regmap retrieval (git-fixes). - ALSA: hda/realtek: cs35l41: Fixup remaining asus strix models (git-fixes). - ALSA: ump: Force 1 Group for MIDI1 FBs (git-fixes). - ALSA: ump: Don't update FB name for static blocks (git-fixes). - drm/amd/amdgpu: Fix uninitialized variable warnings (git-fixes). - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8 (git-fixes). - drm/i915/dp: Don't switch the LTTPR mode on an active link (git-fixes). - commit d7e2deb - ALSA: hda/conexant: Mute speakers at suspend / shutdown (bsc#1228269). - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown (bsc#1228269). - commit e046d5e - Refresh the previous ASoC patch, landed in subsystem tree (bsc#1228269) - commit 180425d - kABI: tty: add the option to have a tty reject a new ldisc (kabi CVE-2024-40966 bsc#1227886). - tty: add the option to have a tty reject a new ldisc (CVE-2024-40966 bsc#1227886). - commit 00113b6 - fs/file: fix the check in find_next_fd() (git-fixes). - commit 3ec6b68 - erofs: ensure m_llen is reset to 0 if metadata is invalid (git-fixes). - commit 03e55bf - jfs: Fix array-index-out-of-bounds in diFree (git-fixes). - commit a89a289 - hfsplus: fix uninit-value in copy_name (git-fixes). - commit 4f0ad7b - mISDN: Fix a use after free in hfcmulti_tx() (git-fixes). - devres: Fix memory leakage caused by driver API devm_free_percpu() (git-fixes). - devres: Fix devm_krealloc() wasting memory (git-fixes). - kobject_uevent: Fix OOB access within zap_modalias_env() (git-fixes). - watchdog: rzn1: Convert comma to semicolon (git-fixes). - watchdog: rzg2l_wdt: Check return status of pm_runtime_put() (git-fixes). - watchdog: rzg2l_wdt: Use pm_runtime_resume_and_get() (git-fixes). - dma: fix call order in dmam_free_coherent (git-fixes). - mISDN: fix MISDN_TIME_STAMP handling (git-fixes). - commit 69aa862 - drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport (stable-fixes). - drm/amd/display: Update efficiency bandwidth for dcn351 (stable-fixes). - drm/ttm: Always take the bo delayed cleanup path for imported bos (git-fixes). - drm/amd/display: change dram_clock_latency to 34us for dcn35 (stable-fixes). - drm/amdgpu: fix locking scope when flushing tlb (stable-fixes). - wifi: mac80211: Avoid address calculations via out of bounds array indexing (stable-fixes). - drm/amdkfd: Let VRAM allocations go to GTT domain on small APUs (stable-fixes). - drm/amd/display: ASSERT when failing to find index by plane/stream id (stable-fixes). - drm/amd/display: Fix overlapping copy within dml_core_mode_programming (stable-fixes). - drm/amd/display: Skip pipe if the pipe idx not set properly (stable-fixes). - drm/amd/display: Workaround register access in idle race with cursor (stable-fixes). - commit 830869c - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused (git-fixes). - commit aadeb44 - spi: mux: set ctlr-&gt;bits_per_word_mask (stable-fixes). - wifi: iwlwifi: mvm: don't wake up rx_sync_waitq upon RFKILL (git-fixes). - wifi: iwlwifi: properly set WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK (stable-fixes). - wifi: mac80211: disable softirqs for queued frame handling (git-fixes). - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check (stable-fixes). - wifi: cfg80211: wext: set ssids=NULL for passive scans (git-fixes). - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() (stable-fixes). - wifi: iwlwifi: mvm: Fix scan abort handling with HW rfkill (stable-fixes). - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option (stable-fixes). - wifi: iwlwifi: mvm: handle BA session teardown in RF-kill (stable-fixes). - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd (stable-fixes). - wifi: iwlwifi: mvm: remove stale STA link data during restart (stable-fixes). - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup (stable-fixes). - wifi: cfg80211: fix 6 GHz scan request building (stable-fixes). - wifi: mac80211: handle tasklet frames before stopping (stable-fixes). - wifi: mac80211: apply mcast rate only if interface is up (stable-fixes). - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata (stable-fixes). - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs (stable-fixes). - tools/power turbostat: Remember global max_die_id (stable-fixes). - commit 37df9b4 - phy: cadence-torrent: Check return value on register read (git-fixes). - kbuild: avoid build error when single DTB is turned into composite DTB (git-fixes). - remoteproc: stm32_rproc: Fix mailbox interrupts queuing (git-fixes). - remoteproc: k3-r5: Fix IPC-only mode detection (git-fixes). - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init (git-fixes). - remoteproc: imx_rproc: Skip over memory region when node value is NULL (git-fixes). - mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable() (git-fixes). - power: supply: ingenic: Fix some error handling paths in ingenic_battery_get_property() (git-fixes). - power: supply: ab8500: Fix error handling when calling iio_read_channel_processed() (git-fixes). - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices (stable-fixes). - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() (stable-fixes). - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB (stable-fixes). - platform/x86: lg-laptop: Change ACPI device id (stable-fixes). - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling (stable-fixes). - platform/x86: wireless-hotkey: Add support for LG Airplane Button (stable-fixes). - net: usb: qmi_wwan: add Telit FN912 compositions (stable-fixes). - Input: ads7846 - use spi_device_id table (stable-fixes). - mei: demote client disconnect warning on suspend to debug (stable-fixes). - kconfig: remove wrong expr_trans_bool() (stable-fixes). - kconfig: gconf: give a proper initial state to the Save button (stable-fixes). - commit f6cec75 - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels (git-fixes). - docs: crypto: async-tx-api: fix broken code example (git-fixes). - drm/radeon: check bo_va-&gt;bo is non-NULL before using it (stable-fixes). - drm/amd/display: Fix refresh rate range for some panel (stable-fixes). - drm/amd/display: Account for cursor prefetch BW in DML1 mode support (stable-fixes). - drm/amd/display: Add refresh rate range check (stable-fixes). - gpio: pca953x: fix pca953x_irq_bus_sync_unlock race (stable-fixes). - can: kvaser_usb: fix return value for hif_usb_send_regout (stable-fixes). - Input: xpad - add support for ASUS ROG RAIKIRI PRO (stable-fixes). - Input: i8042 - add Ayaneo Kun to i8042 quirk table (stable-fixes). - Input: elantech - fix touchpad state on resume for Lenovo N24 (stable-fixes). - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency (stable-fixes). - drm/amdgpu: Indicate CU havest info to CP (stable-fixes). - drm/exynos: dp: drop driver owner initialization (stable-fixes). - drm/mediatek: Call drm_atomic_helper_shutdown() at shutdown time (stable-fixes). - drm: panel-orientation-quirks: Add quirk for Aya Neo KUN (stable-fixes). - HID: Ignore battery for ELAN touchscreens 2F2C and 4116 (stable-fixes). - input: Add support for &quot;Do Not Disturb&quot; (stable-fixes). - input: Add event code for accessibility key (stable-fixes). - Input: silead - Always support 10 fingers (stable-fixes). - commit a5bc4da - Bluetooth: btnxpuart: Enable Power Save feature on startup (stable-fixes). - Bluetooth: hci_core: cancel all works upon hci_unregister_dev() (stable-fixes). - ASoC: amd: yc: Fix non-functional mic on ASUS M5602RA (stable-fixes). - ASoC: rt722-sdca-sdw: add debounce time for type detection (stable-fixes). - ASoC: SOF: sof-audio: Skip unprepare for in-use widgets on error rollback (stable-fixes). - ASoC: ti: davinci-mcasp: Set min period size using FIFO config (stable-fixes). - ALSA: dmaengine: Synchronize dma channel after drop() (stable-fixes). - ASoC: ti: omap-hdmi: Fix too long driver name (stable-fixes). - ASoC: topology: Do not assign fields that are already set (stable-fixes). - ASoC: topology: Fix references to freed memory (stable-fixes). - bytcr_rt5640 : inverse jack detect for Archos 101 cesium (stable-fixes). - ASoC: rt722-sdca-sdw: add silence detection register as volatile (stable-fixes). - ALSA: dmaengine_pcm: terminate dmaengine before synchronize (stable-fixes). - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx (stable-fixes). - ALSA: PCM: Allow resume only for suspended streams (stable-fixes). - ACPI: EC: Avoid returning AE_OK on errors in address space handler (stable-fixes). - ACPI: EC: Abort address space access upon error (stable-fixes). - commit aa63c91 - config/arm64: Enable CoreSight PMU drivers (bsc#1228289 jsc#PED-7859) - commit f80ff65 - platform/x86: x86-android-tablets: Unregister devices in reverse order (CVE-2024-40975 bsc#1227926). - commit 16439fd - Avoid hw_desc array overrun in dw-axi-dmac (CVE-2024-40970 bsc#1227899). - commit 8f7016c - ASoC: amd: yc: Support mic on Lenovo Thinkpad E16 Gen 2 (bsc#1228269). - commit 78e0f74 - ima: Avoid blocking in RCU read-side critical section (bsc#1227803, CVE-2024-40947). - commit 6fea688 - bpf: Set run context for rawtp test_run callback (bsc#1227783 CVE-2024-40908). - commit c965ae8 - nfs: Fix up kabi after adding write_congestion_wait (bsc#1218442). - commit fa72236 - ipv6: prevent possible NULL dereference in rt6_probe() (CVE-2024-40960 bsc#1227813). - commit acda250 - PCI: keystone: Relocate ks_pcie_set/clear_dbi_mode() (git-fixes). - commit e717f73 - x86/csum: clean up `csum_partial' further (git-fixes). - commit eb0657c - x86/resctrl: Remove redundant variable in mbm_config_write_domain() (git-fixes). - commit 7ae6079 - blacklist.conf: This patch gets reverted - commit c490f33 - x86/resctrl: Read supported bandwidth sources from CPUID (git-fixes). - commit 907534d - blacklist.conf: Remove dead-end revert We never merged the buggy upstream fix. - commit 9b319fd - x86/shstk: Make return uprobe work with shadow stack (git-fixes). - commit a22c34a - x86/kconfig: Add as-instr64 macro to properly evaluate AS_WRUSS (git-fixes). - commit 0887d68 - x86/insn: Add VEX versions of VPDPBUSD, VPDPBUSDS, VPDPWSSD and VPDPWSSDS (git-fixes). - commit 4b4922f - x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup (git-fixes). - commit 4c24788 - x86/cpu: Provide default cache line size if not enumerated (git-fixes). - commit c2b6a76 - x86/bhi: Avoid warning in #DB handler due to BHI mitigation :(git-fixes). - commit d32b5a4 - x86/apic: Force native_apic_mem_read() to use the MOV instruction (git-fixes). - commit a7c18d6 - x86/amd_nb: Check for invalid SMN reads (git-fixes). - commit 5e0a2ff - cachefiles: flush all requests after setting CACHEFILES_DEAD (bsc#1227797 CVE-2024-40935). - commit 6acb040 - PCI: tegra194: Set EP alignment restriction for inbound ATU (git-fixes). - PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs() (git-fixes). - PCI: keystone: Don't enable BAR 0 for AM654x (git-fixes). - commit 3d6a567 - ipv6: prevent possible NULL deref in fib6_nh_init() (CVE-2024-40961 bsc#1227814). - commit 3de66de - PCI: Extend ACS configurability (bsc#1228090). - commit 571e431 - netfilter: nft_inner: validate mandatory meta and payload (bsc#1227757 CVE-2024-39504). - commit becdc7a - nfs: Block on write congestion (bsc#1218442). - commit b7f1cad - nfs: Properly initialize server-&gt;writeback (bsc#1218442). - commit c293976 - nfs: Drop pointless check from nfs_commit_release_pages() (bsc#1218442). - commit 20931fe - kabi/severities: cleanup and update for WiFi driver entries (bsc#1227149) - commit 777b4e0 - wifi: libertas: Follow renaming of SPI &quot;master&quot; to &quot;controller&quot; (bsc#1227149). - wifi: cw1200: restore endian swapping (bsc#1227149). - wifi: wlcore: sdio: Rate limit wl12xx_sdio_raw_{read,write}() failures warns (bsc#1227149). - wifi: zd1211rw: silence sparse warnings (bsc#1227149). - wifi: rt2x00: silence sparse warnings (bsc#1227149). - wifi: brcmsmac: silence sparse warnings (bsc#1227149). - wifi: b43: silence sparse warnings (bsc#1227149). - wifi: brcmfmac: do not pass hidden SSID attribute as value directly (bsc#1227149). - wifi: brcmfmac: fweh: Fix boot crash on Raspberry Pi 4 (bsc#1227149). - wifi: wilc1000: remove AKM suite be32 conversion for external auth request (bsc#1227149). - wifi: wilc1000: add missing read critical sections around vif list traversal (bsc#1227149). - wifi: wilc1000: fix declarations ordering (bsc#1227149). - wifi: wilc1000: use SRCU instead of RCU for vif list traversal (bsc#1227149). - wifi: wilc1000: split deeply nested RCU list traversal in dedicated helper (bsc#1227149). - wifi: wilc1000: validate chip id during bus probe (bsc#1227149). - wifi: brcmfmac: do not cast hidden SSID attribute value to boolean (bsc#1227149). - wifi: mwifiex: Refactor 1-element array into flexible array in struct mwifiex_ie_types_chan_list_param_set (bsc#1227149). - wifi: wilc1000: correct CRC7 calculation (bsc#1227149). - wifi: wilc1000: set preamble size to auto as default in wilc_init_fw_config() (bsc#1227149). - wifi: mwifiex: use kstrtoX_from_user() in debugfs handlers (bsc#1227149). - wifi: wilc1000: remove setting msg.spi (bsc#1227149). - wifi: cw1200: Convert to GPIO descriptors (bsc#1227149). - wifi: plfxlc: Drop unused include (bsc#1227149). - wifi: mwifiex: Drop unused headers (bsc#1227149). - wifi: ti: wlcore: sdio: Drop unused include (bsc#1227149). - wifi: cw1200: fix __le16 sparse warnings (bsc#1227149). - wifi: rsi: fix restricted __le32 degrades to integer sparse warnings (bsc#1227149). - wifi: zd1211rw: remove __nocast from zd_addr_t (bsc#1227149). - wifi: brcmfmac: add linefeed at end of file (bsc#1227149). - wifi: brcmfmac: allow per-vendor event handling (bsc#1227149). - wifi: brcmfmac: move feature overrides before feature_disable (bsc#1227149). - wifi: brcmfmac: export firmware interface functions (bsc#1227149). - wifi: rt2x00: simplify rt2x00crypto_rx_insert_iv() (bsc#1227149). - wifi: mwifiex: Use helpers to check multicast addresses (bsc#1227149). - wifi: brcmsmac: phy: Remove unreachable code (bsc#1227149). - wifi: wilc1000: fix incorrect power down sequence (bsc#1227149). - wifi: wilc1000: fix driver_handler when committing initial configuration (bsc#1227149). - wifi: fill in MODULE_DESCRIPTION()s for wilc1000 (bsc#1227149). - wifi: fill in MODULE_DESCRIPTION()s for wl18xx (bsc#1227149). - wifi: fill in MODULE_DESCRIPTION()s for p54spi (bsc#1227149). - wifi: fill in MODULE_DESCRIPTION()s for Broadcom WLAN (bsc#1227149). - wifi: fill in MODULE_DESCRIPTION()s for wl1251 and wl12xx (bsc#1227149). - wifi: fill in MODULE_DESCRIPTION()s for wlcore (bsc#1227149). - wifi: p54: fix GCC format truncation warning with wiphy-&gt;fw_version (bsc#1227149). - wifi: mwifiex: use cfg80211_ssid_eq() instead of mwifiex_ssid_cmp() (bsc#1227149). - wifi: rt2x00: remove useless code in rt2x00queue_create_tx_descriptor() (bsc#1227149). - commit 08ddd32 - wifi: rt2x00: make watchdog param per device (bsc#1227149). - wifi: rt2x00: Simplify bool conversion (bsc#1227149). - wifi: mwifiex: mwifiex_process_sleep_confirm_resp(): remove unused priv variable (bsc#1227149). - wifi: rt2x00: disable RTS threshold for rt2800 by default (bsc#1227149). - wifi: rt2x00: introduce DMA busy check watchdog for rt2800 (bsc#1227149). - wifi: wilc1000: simplify wilc_scan() (bsc#1227149). - wifi: wilc1000: cleanup struct wilc_conn_info (bsc#1227149). - wifi: wilc1000: always release SDIO host in wilc_sdio_cmd53() (bsc#1227149). - wifi: wilc1000: simplify remain on channel support (bsc#1227149). - wifi: brcmsmac: replace deprecated strncpy with memcpy (bsc#1227149). - wifi: brcm80211: replace deprecated strncpy with strscpy (bsc#1227149). - wifi: rt2x00: rework MT7620 PA/LNA RF calibration (bsc#1227149). - wifi: rt2x00: rework MT7620 channel config function (bsc#1227149). - commit 055fd52 - wifi: rt2x00: improve MT7620 register initialization (bsc#1227149). - wifi: wlcore: main: replace deprecated strncpy with strscpy (bsc#1227149). - wifi: wlcore: boot: replace deprecated strncpy with strscpy (bsc#1227149). - wifi: wl18xx: replace deprecated strncpy with strscpy (bsc#1227149). - wifi: wl1251: replace deprecated strncpy with strscpy (bsc#1227149). - wifi: rt2x00: fix rt2800 watchdog function (bsc#1227149). - wifi: brcmfmac: fix format-truncation warnings (bsc#1227149). - wifi: hostap: remove unused ioctl function (bsc#1227149). - wifi: atmel: remove unused ioctl function (bsc#1227149). - wifi: p54: Annotate struct p54_cal_database with __counted_by (bsc#1227149). - wifi: brcmfmac: fweh: Add __counted_by for struct brcmf_fweh_queue_item and use struct_size() (bsc#1227149). - wifi: hostap: Add __counted_by for struct prism2_download_data and use struct_size() (bsc#1227149). - wifi: wfx: implement wfx_remain_on_channel() (bsc#1227149). - wifi: wfx: allow to send frames during ROC (bsc#1227149). - wifi: wfx: scan_lock is global to the device (bsc#1227149). - wifi: wfx: simplify exclusion between scan and Rx filters (bsc#1227149). - wifi: wfx: introduce hif_scan_uniq() (bsc#1227149). - wifi: wfx: move wfx_skb_*() out of the header file (bsc#1227149). - wifi: wfx: relocate wfx_rate_mask_to_hw() (bsc#1227149). - wifi: wfx: fix power_save setting when AP is stopped (bsc#1227149). - commit 859f128 - wifi: mwifiex: Replace one-element array with flexible-array member in struct mwifiex_ie_types_rxba_sync (bsc#1227149). - Refresh patches.suse/wifi-mwifiex-Sanity-check-tlv_len-and-tlv_bitmap_len.patch. - commit 0e5befb - wifi: rt2x00: fix MT7620 low RSSI issue (bsc#1227149). - wifi: rt2x00: remove redundant check if u8 array element is less than zero (bsc#1227149). - wifi: mwifiex: followup PCIE and related cleanups (bsc#1227149). - wifi: mwifiex: simplify PCIE write operations (bsc#1227149). - wifi: wilc1000: add back-off algorithm to balance tx queue packets (bsc#1227149). - wifi: mwifiex: use MODULE_FIRMWARE to add firmware files metadata (bsc#1227149). - wifi: mwifiex: cleanup struct mwifiex_sdio_mpa_rx (bsc#1227149). - wifi: brcmfmac: firmware: Annotate struct brcmf_fw_request with __counted_by (bsc#1227149). - wifi: brcmfmac: Annotate struct brcmf_gscan_config with __counted_by (bsc#1227149). - wifi: cw1200: Avoid processing an invalid TIM IE (bsc#1227149). - wifi: wlcore: sdio: Use module_sdio_driver macro to simplify the code (bsc#1227149). - wifi: wilc1000: Remove unused declarations (bsc#1227149). - wifi: rt2x00: limit MT7620 TX power based on eeprom calibration (bsc#1227149). - wifi: wfx: Use devm_kmemdup to replace devm_kmalloc + memcpy (bsc#1227149). - wifi: rsi: rsi_91x_usb_ops: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: rsi: rsi_91x_usb: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: rsi: rsi_91x_sdio_ops: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: rsi: rsi_91x_sdio: Remove unnecessary (void*) conversions (bsc#1227149). - commit a544c26 - wifi: rsi: rsi_91x_main: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: rsi: rsi_91x_mac80211: Remove unnecessary conversions (bsc#1227149). - wifi: rsi: rsi_91x_hal: Remove unnecessary conversions (bsc#1227149). - wifi: rsi: rsi_91x_debugfs: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: rsi: rsi_91x_coex: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: rt2x00: correct MAC_SYS_CTRL register RX mask in R-Calibration (bsc#1227149). - wifi: mwifiex: fix comment typos in SDIO module (bsc#1227149). - wifi: mwifiex: cleanup adapter data (bsc#1227149). - wifi: mwifiex: use is_zero_ether_addr() instead of ether_addr_equal() (bsc#1227149). - wifi: mwifiex: drop BUG_ON from TX paths (bsc#1227149). - wifi: mwifiex: handle possible mwifiex_write_reg() errors (bsc#1227149). - wifi: mwifiex: handle possible sscanf() errors (bsc#1227149). - wifi: mwifiex: cleanup private data structures (bsc#1227149). - wlcore: spi: Remove redundant of_match_ptr() (bsc#1227149). - wifi: brcmsmac: cleanup SCB-related data types (bsc#1227149). - wifi: brcmsmac: remove more unused data types (bsc#1227149). - wifi: libertas: prefer kstrtoX() for simple integer conversions (bsc#1227149). - wifi: libertas: handle possible spu_write_u16() errors (bsc#1227149). - wifi: libertas: cleanup SDIO reset (bsc#1227149). - wifi: libertas: simplify list operations in free_if_spi_card() (bsc#1227149). - wifi: libertas: use convenient lists to manage SDIO packets (bsc#1227149). - wifi: libertas: add missing calls to cancel_work_sync() (bsc#1227149). - wifi: wilc1000: add SPI commands retry mechanism (bsc#1227149). - wifi: wilc1000: remove use of has_thrpt_enh3 flag (bsc#1227149). - wifi: brcmsmac: remove unused data type (bsc#1227149). - wifi: mwifiex: Set WIPHY_FLAG_NETNS_OK flag (bsc#1227149). - wifi: mwifiex: prefer strscpy() over strlcpy() (bsc#1227149). - wifi: zd1211rw: fix typo &quot;tranmits&quot; (bsc#1227149). - wifi: p54: Add missing MODULE_FIRMWARE macro (bsc#1227149). - wifi: hostap: fix stringop-truncations GCC warning (bsc#1227149). - wifi: brcmsmac: fix gnu_printf warnings (bsc#1227149). - wifi: brcmfmac: fix gnu_printf warnings (bsc#1227149). - wifi: rt2x00: fix the typo in comments (bsc#1227149). - wifi: brcmfmac: Detect corner error case earlier with log (bsc#1227149). - wifi: brcmutil: use helper function pktq_empty() instead of open code (bsc#1227149). - wifi: add HAS_IOPORT dependencies (bsc#1227149). - wifi: wilc1000: Increase ASSOC response buffer (bsc#1227149). - wifi: mwifiex: Use list_count_nodes() (bsc#1227149). - wifi: mwifiex: Use default @max_active for workqueues (bsc#1227149). - commit edbabc2 - xfs: Add cond_resched to block unmap range and reflink remap path (bsc#1228211). - commit 4c79a42 - supported.conf: Add support for v4l2-dv-timings (jsc#PED-8644) - commit a3622c5 - netrom: Fix a memory leak in nr_heartbeat_expiry() (CVE-2024-41006 bsc#1227862). - commit 59ef181 - arm64: dts: rockchip: Add missing power-domains for rk356x vop_mmu (git-fixes) - commit 6571948 - arm64: dts: rockchip: Fix mic-in-differential usage on (git-fixes) - commit 67939cb - arm64: dts: rockchip: Fix mic-in-differential usage on rk3566-roc-pc (git-fixes) - commit 5ed815a - arm64: dts: rockchip: Drop invalid mic-in-differential on (git-fixes) - commit af4620a - arm64: dts: rockchip: Increase VOP clk rate on RK3328 (git-fixes) - commit 0171830 - arm64: dts: rockchip: Update WIFi/BT related nodes on (git-fixes) - commit 2186774 - arm64: dts: rockchip: Add mdio and ethernet-phy nodes to (git-fixes) - commit 7bd1596 - arm64: dts: rockchip: Add pinctrl for UART0 to rk3308-rock-pi-s (git-fixes) - commit a5c559a - arm64: dts: rockchip: Add sdmmc related properties on (git-fixes) - commit 07ed999 - arm64: dts: rockchip: Add sound-dai-cells for RK3368 (git-fixes) - commit 0d2dc44 - arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E (git-fixes) - commit 17c17ec - arm64: dts: rockchip: Fix the value of `dlg,jack-det-rate` mismatch (git-fixes) - commit ef568ac - arm64: dts: rockchip: Rename LED related pinctrl nodes on (git-fixes) - commit 3ac3475 - arm64: dts: rockchip: Fix SD NAND and eMMC init on rk3308-rock-pi-s (git-fixes) - commit f0f8ba5 - arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 (git-fixes) - commit a564fef - arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc (git-fixes) - commit d7e72e1 - arm64: dts: freescale: imx8mm-verdin: enable hysteresis on slow input (git-fixes) - commit ca6c1bb - arm64: dts: imx93-11x11-evk: Remove the 'no-sdio' property (git-fixes) - commit a10e3de - blacklist.conf: (&quot;arm64: dts: freescale: imx8mm-verdin: Fix GPU speed&quot;) - commit ea9f475 - Move upstreamed patches into sorted section - commit 0bb0cc8 - fuse: verify {g,u}id mount options correctly (bsc#1228193). - libceph: fix race between delayed_work() and ceph_monc_stop() (bsc#1228192). - commit 10e7bb9 - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro (git-fixes). - checkpatch: really skip LONG_LINE_* when LONG_LINE is ignored (git-fixes). - rtc: interface: Add RTC offset to alarm after fix-up (git-fixes). - rtc: abx80x: Fix return value of nvmem callback on read (git-fixes). - rtc: cmos: Fix return value of nvmem callbacks (git-fixes). - rtc: isl1208: Fix return value of nvmem callbacks (git-fixes). - pinctrl: renesas: r8a779g0: Fix TPU suffixes (git-fixes). - pinctrl: renesas: r8a779g0: Fix TCLK suffixes (git-fixes). - pinctrl: renesas: r8a779g0: FIX PWM suffixes (git-fixes). - pinctrl: renesas: r8a779g0: Fix IRQ suffixes (git-fixes). - pinctrl: renesas: r8a779g0: Fix (H)SCIF3 suffixes (git-fixes). - pinctrl: renesas: r8a779g0: Fix (H)SCIF1 suffixes (git-fixes). - pinctrl: renesas: r8a779g0: Fix FXR_TXEN[AB] suffixes (git-fixes). - pinctrl: renesas: r8a779g0: Fix CANFD5 suffix (git-fixes). - pinctrl: freescale: mxs: Fix refcount of child (git-fixes). - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails (git-fixes). - pinctrl: single: fix possible memory leak when pinctrl_enable() fails (git-fixes). - pinctrl: core: fix possible memory leak when pinctrl_enable() fails (git-fixes). - pinctrl: rockchip: update rk3308 iomux routes (git-fixes). - selftests/sigaltstack: Fix ppc64 GCC build (git-fixes). - PCI: dw-rockchip: Fix initial PERST# GPIO value (git-fixes). - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio (git-fixes). - PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup() (git-fixes). - PCI: qcom-ep: Disable resources unconditionally during PERST# assert (git-fixes). - PCI: dwc: Fix index 0 incorrectly being interpreted as a free ATU slot (git-fixes). - PCI: endpoint: Fix error handling in epf_ntb_epc_cleanup() (git-fixes). - PCI: endpoint: Clean up error handling in vpci_scan_bus() (git-fixes). - PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init() (git-fixes). - PCI: Fix resource double counting on remove &amp; rescan (git-fixes). - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal (git-fixes). - PCI: Introduce cleanup helpers for device reference counts and locks (stable-fixes). - commit a7e6cbc - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 (stable-fixes). - ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop (stable-fixes). - ASoC: SOF: ipc4-topology: Use correct queue_id for requesting input pin format (stable-fixes). - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 (stable-fixes). - commit be4d8bf - eeprom: at24: Probe for DDR3 thermal sensor in the SPD case (stable-fixes). - Refresh patches.suse/eeprom-at24-fix-memory-corruption-race-condition.patch. - commit 82fbd42 - Input: elan_i2c - do not leave interrupt disabled on suspend failure (git-fixes). - Input: qt1050 - handle CHIP_ID reading error (git-fixes). - interconnect: qcom: qcm2290: Fix mas_snoc_bimc RPM master ID (git-fixes). - iio: frequency: adrf6780: rm clk provider include (git-fixes). - iio: Fix the sorting functionality in iio_gts_build_avail_time_table (git-fixes). - eeprom: digsy_mtc: Fix 93xx46 driver probe failure (git-fixes). - Revert &quot;usb: musb: da8xx: Set phy in OTG mode by default&quot; (stable-fixes). - ALSA: seq: ump: Skip useless ports for static blocks (git-fixes). - ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value (git-fixes). - ASoC: amd: Adjust error handling in case of absent codec device (git-fixes). - ASoC: max98088: Check for clk_prepare_enable() error (git-fixes). - ASoC: qcom: Adjust issues in case of DT error in asoc_qcom_lpass_cpu_platform_probe() (git-fixes). - ASoC: cs35l56: Accept values greater than 0 as IRQ numbers (git-fixes). - ASoc: tas2781: Enable RCA-based playback without DSP firmware download (git-fixes). - crypto: qat - extend scope of lock in adf_cfg_add_key_value_param() (git-fixes). - hwrng: core - Fix wrong quality calculation at hw rng registration (git-fixes). - crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked (git-fixes). - crypto: ecdsa - Fix the public key format description (git-fixes). - hwrng: amd - Convert PCIBIOS_* return codes to errnos (git-fixes). - commit 7fcc337 - Add Alt-commit for amdgpu patch (git-fixes) - commit 7fbd801 - gve: Clear napi-&gt;skb before dev_kfree_skb_any() (CVE-2024-40937 bsc#1227836). - net: hns3: fix kernel crash problem in concurrent scenario (CVE-2024-39507 bsc#1227730). - net/mlx5: Fix tainted pointer delete is case of flow rules creation fail (CVE-2024-40940 bsc#1227800). - commit 8d4dcfb - net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() (CVE-2024-40928 bsc#1227788). - commit be667d4 - btrfs: zoned: fix lock ordering in btrfs_zone_activate() (bsc#1223731 CVE-2024-26944). - commit c6e27f8 - vmxnet3: disable rx data ring on dma allocation failure (CVE-2024-40923 bsc#1227786). - commit 3828e87 - mptcp: ensure snd_una is properly initialized on connect (CVE-2024-40931 bsc#1227780). - commit 60fd0e2 - bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() (CVE-2024-40919 bsc#1227779). - commit c060c32 - btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes (bsc#1223731 CVE-2024-26944). - btrfs: zoned: fix use-after-free in do_zone_finish() (bsc#1223731 CVE-2024-26944). - btrfs: zoned: fix chunk map leak when loading block group zone info (bsc#1223731 CVE-2024-26944). - btrfs: fix unbalanced unlock of mapping_tree_lock (bsc#1223731 CVE-2024-26944). - btrfs: remove stripe size local variable from insert_dev_extents() (bsc#1223731 CVE-2024-26944). - btrfs: use a dedicated data structure for chunk maps (bsc#1223731 CVE-2024-26944). - commit 201e016 - btrfs: zoned: wait for data BG to be finished on direct IO allocation (bsc#1223731 CVE-2024-26944). - btrfs: zoned: drop no longer valid write pointer check (bsc#1223731 CVE-2024-26944). - commit a5e78f9 - btrfs: do not require EXTENT_NOWAIT for btrfs_redirty_list_add() (bsc#1223731 CVE-2024-26944). - commit f638537 - drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property (git-fixes). - commit f21db33 - btrfs: drop gfp from parameter extent state helpers (bsc#1223731 CVE-2024-26944). - Refresh patches.suse/btrfs-make-find_first_extent_bit-return-a-boolean.patch. - Refresh patches.suse/btrfs-open-code-trivial-btrfs_add_excluded_extent.patch. - commit 2097a9c - drm/fbdev-dma: Fix framebuffer mode for big endian devices (git-fixes). - drm/msm/mdp5: Remove MDP_CAP_SRC_SPLIT from msm8x53_config (git-fixes). - drm/msm/dpu: drop validity checks for clear_pending_flush() ctl op (git-fixes). - drm/msm/dsi: set VIDEO_COMPRESSION_MODE_CTRL_WC (git-fixes). - USB: serial: option: add Rolling RW350-GL variants (stable-fixes). - USB: serial: option: add support for Foxconn T99W651 (stable-fixes). - USB: serial: option: add Netprisma LCUK54 series modules (stable-fixes). - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() (stable-fixes). - usb: dwc3: pci: add support for the Intel Panther Lake (stable-fixes). - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k (stable-fixes). - xhci: always resume roothubs if xHC was reset during resume (stable-fixes). - USB: serial: option: add Telit generic core-dump composition (stable-fixes). - USB: serial: option: add Fibocom FM350-GL (stable-fixes). - USB: serial: option: add Telit FN912 rmnet compositions (stable-fixes). - commit f9ac994 - drm/msm/dpu: fix encoder irq wait skip (git-fixes). - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume (git-fixes). - drm/panfrost: Mark simple_ondemand governor as softdep (git-fixes). - drm/lima: Mark simple_ondemand governor as softdep (git-fixes). - drm/mediatek: Remove less-than-zero comparison of an unsigned value (git-fixes). - drm/mediatek: Fix bit depth overwritten for mtk_ovl_set bit_depth() (git-fixes). - drm/mediatek: Support DRM plane alpha in Mixer (git-fixes). - drm/mediatek: Support DRM plane alpha in OVL (git-fixes). - drm/mediatek: Support RGBA8888 and RGBX8888 in OVL on MT8195 (git-fixes). - drm/mediatek: Set DRM mode configs accordingly (git-fixes). - drm/mediatek: Add OVL compatible name for MT8195 (git-fixes). - drm/mediatek: Turn off the layers with zero width or height (git-fixes). - drm/mediatek: Fix destination alpha error in OVL (git-fixes). - drm/mediatek: Fix XRGB setting error in Mixer (git-fixes). - drm/mediatek: Fix XRGB setting error in OVL (git-fixes). - drm/mediatek: Use 8-bit alpha in ETHDR (git-fixes). - drm/mediatek: Add missing plane settings when async update (git-fixes). - drm/etnaviv: fix DMA direction handling for cached RW buffers (git-fixes). - Revert &quot;drm/bridge: tc358767: Set default CLRSIPO count&quot; (stable-fixes). - drm/qxl: Add check for drm_cvt_mode (git-fixes). - drm: zynqmp_kms: Fix AUX bus not getting unregistered (git-fixes). - drm: zynqmp_dpsub: Fix an error handling path in zynqmp_dpsub_probe() (git-fixes). - drm/bridge: samsung-dsim: Set P divider based on min/max of fin pll (git-fixes). - drm/bridge: it6505: fix hibernate to resume no display issue (git-fixes). - drm/panel: ilitek-ili9882t: Check for errors on the NOP in prepare() (git-fixes). - drm/panel: ilitek-ili9882t: If prepare fails, disable GPIO before regulators (git-fixes). - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare() (git-fixes). - drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before regulators (git-fixes). - drm/panel: himax-hx8394: Handle errors from mipi_dsi_dcs_set_display_on() better (git-fixes). - drm/mgag200: Bind I2C lifetime to DRM device (git-fixes). - drm/mgag200: Set DDC timeout in milliseconds (git-fixes). - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_generic_write_seq() (git-fixes). - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_dcs_write_seq() (git-fixes). - commit 6fb58b4 - drm/udl: Remove DRM_CONNECTOR_POLL_HPD (git-fixes). - drm/arm/komeda: Fix komeda probe failing if there are no links in the secondary pipeline (git-fixes). - drm/rockchip: vop2: Fix the port mux of VP2 (git-fixes). - drm/amd/display: Move 'struct scaler_data' off stack (git-fixes). - drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1 (git-fixes). - drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit (git-fixes). - drm/amdgpu: Fix memory range calculation (git-fixes). - drm/amd/pm: Fix aldebaran pcie speed reporting (git-fixes). - drm/amd/pm: remove logically dead code for renoir (git-fixes). - drm/amdkfd: Fix CU Masking for GFX 9.4.3 (git-fixes). - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() (git-fixes). - commit ba21687 - Add Alt-commit to AMDGPU patches from 6.11-rc1 - commit f4ae72a - PCI/ASPM: Update save_state when configuration changes (bsc#1226915) - commit 5192284 - block: Move checking GENHD_FL_NO_PART to bdev_add_partition() (bsc#1226213). - commit 6855b2f - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() (CVE-2024-39487 bsc#1227573) - commit 1c7a482 - tls: get psock ref after taking rxlock to avoid leak (CVE-2024-35908 bsc#1224490) - commit b0d23d0 - netfilter: nf_tables: flush pending destroy work before exit_net release (CVE-2024-35899 bsc#1224499) - commit 8a86808 - net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() (CVE-2024-35934 bsc#1224641) - commit 812f420 - net/sched: act_skbmod: prevent kernel-infoleak (CVE-2024-35893 bsc#1224512) - commit 5be3514 - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory (bsc#1227762 CVE-2024-40901). - commit 5eb5075 - btrfs: pass NOWAIT for set/clear extent bits as another bit (bsc#1223731 CVE-2024-26944). - commit 33253df - btrfs: drop NOFAIL from set_extent_bit allocation masks (bsc#1223731 CVE-2024-26944). - commit 46559ec - btrfs: open code set_extent_bits (bsc#1223731 CVE-2024-26944). - Refresh patches.suse/btrfs-make-find_first_extent_bit-return-a-boolean.patch. - Refresh patches.suse/btrfs-open-code-trivial-btrfs_add_excluded_extent.patch. - commit 460a0d4 - xfs: fix log recovery buffer allocation for the legacy h_size fixup (bsc#1227432 CVE-2024-39472). - commit 04ef30f - KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() (CVE-2024-40953, bsc#1227806). - commit 60989df - Update config files (bsc#1227282). Update the CONFIG_LSM option to include the selinux LSM in the default set of LSMs. The selinux LSM will not get enabled because it is preceded by apparmor, which is the first exclusive LSM. Updating CONFIG_LSM resolves failures that result in the system not booting up when &quot;security=selinux selinux=1&quot; is passed to the kernel and SELinux policies are installed. - commit 0a95a78 - xfs: use roundup_pow_of_two instead of ffs during xlog_find_tail (git-fixes). - commit 44812b1 - wifi: mt76: connac: use muar idx 0xe for non-mt799x as well (bsc#1227149). - wifi: mt76: mt7996: fix potential memory leakage when reading chip temperature (bsc#1227149). - wifi: mt76: mt7996: fix uninitialized variable in mt7996_irq_tasklet() (bsc#1227149). - wifi: mt76: mt7925: ensure 4-byte alignment for suspend &amp; wow command (bsc#1227149). - wifi: mt76: mt7996: fix size of txpower MCU command (bsc#1227149). - wifi: mt76: connac: check for null before dereferencing (bsc#1227149). - commit 4e5584e - wifi: mt76: Remove redundant assignment to variable tidno (bsc#1227149). - wifi: mt76: fix the issue of missing txpwr settings from ch153 to ch177 (bsc#1227149). - wifi: mt76: mt7921: fix suspend issue on MediaTek COB platform (bsc#1227149). - wifi: mt76: mt7921: fix a potential association failure upon resuming (bsc#1227149). - wifi: mt76: mt7921: fix the unfinished command of regd_notifier before suspend (bsc#1227149). - wifi: mt76: mt792x: update the country list of EU for ACPI SAR (bsc#1227149). - wifi: mt76: mt7925e: fix use-after-free in free_irq() (bsc#1227149). - wifi: mt76: mt792x: add the illegal value check for mtcl table of acpi (bsc#1227149). - wifi: mt76: mt7925: fix the wrong data type for scan command (bsc#1227149). - wifi: mt76: set page_pool napi pointer for mmio devices (bsc#1227149). - wifi: mt76: mt792x: fix ethtool warning (bsc#1227149). - commit 3499113 - wifi: mt76: connac: set correct muar_idx for mt799x chipsets (bsc#1227149). - wifi: mt76: mt7996: remove TXS queue setting (bsc#1227149). - wifi: mt76: mt7996: mark GCMP IGTK unsupported (bsc#1227149). - wifi: mt76: mt7996: ensure 4-byte alignment for beacon commands (bsc#1227149). - wifi: mt76: mt7996: check txs format before getting skb by pid (bsc#1227149). - wifi: mt76: mt7925: support temperature sensor (bsc#1227149). - wifi: mt76: mt7925: update PCIe DMA settings (bsc#1227149). - wifi: mt76: mt7925: add support to set ifs time by mcu command (bsc#1227149). - wifi: mt76: mt7925: add flow to avoid chip bt function fail (bsc#1227149). - wifi: mt76: mt7925: fix the wrong header translation config (bsc#1227149). - commit 7f22357 - wifi: mt76: mt7925: fix WoW failed in encrypted mode (bsc#1227149). - wifi: mt76: mt7925: fix fw download fail (bsc#1227149). - wifi: mt76: mt7925: fix wmm queue mapping (bsc#1227149). - wifi: mt76: mt7925: fix mcu query command fail (bsc#1227149). - wifi: mt76: mt7925: fix SAP no beacon issue in 5Ghz and 6Ghz band (bsc#1227149). - wifi: mt76: mt7925: fix connect to 80211b mode fail in 2Ghz band (bsc#1227149). - wifi: mt76: mt76x2u: add netgear wdna3100v3 to device table (bsc#1227149). - wifi: mt76: mt792xu: enable dmashdl support (bsc#1227149). - wifi: mt76: usb: store usb endpoint in mt76_queue (bsc#1227149). - wifi: mt76: usb: create a dedicated queue for psd traffic (bsc#1227149). - commit 01e1acb - wifi: mt76: mt7996: fix fw loading timeout (bsc#1227149). - wifi: mt76: mt7915: update mt798x_wmac_adie_patch_7976 (bsc#1227149). - wifi: mt76: mt7915: add locking for accessing mapped registers (bsc#1227149). - wifi: mt76: mt7915: fix error recovery with WED enabled (bsc#1227149). - wifi: mt76: check txs format before getting skb by pid (bsc#1227149). - wifi: mt76: disable HW AMSDU when using fixed rate (bsc#1227149). - wifi: mt76: mt7996: fix fortify warning (bsc#1227149). - commit 0013ef2 - wifi: fill in MODULE_DESCRIPTION()s for mt76 drivers (bsc#1227149). - wifi: mt76: mt7996: Use DECLARE_FLEX_ARRAY() and fix - Warray-bounds warnings (bsc#1227149). - wifi: mt76: mt7921: fix wrong 6Ghz power type (bsc#1227149). - wifi: mt76: mt7921: fix CLC command timeout when suspend/resume (bsc#1227149). - wifi: mt76: mt7921: reduce the size of MCU firmware download Rx queue (bsc#1227149). - wifi: mt76: mt7996: set DMA mask to 36 bits for boards with more than 4GB of RAM (bsc#1227149). - wifi: mt76: Convert to platform remove callback returning void (bsc#1227149). - wifi: mt76: mt7925: remove iftype from mt7925_init_eht_caps signature (bsc#1227149). - wifi: mt76: connac: add new definition of tx descriptor (bsc#1227149). - wifi: mt76: mt7996: adjust interface num and wtbl size for mt7992 (bsc#1227149). - commit cbff43f - wifi: mt76: mt7996: support mt7992 eeprom loading (bsc#1227149). - wifi: mt76: mt7996: rework register offsets for mt7992 (bsc#1227149). - wifi: mt76: mt7996: add DMA support for mt7992 (bsc#1227149). - wifi: mt76: connac: add firmware support for mt7992 (bsc#1227149). - wifi: mt76: mt7996: introduce mt7996_band_valid() (bsc#1227149). - wifi: mt76: mt7996: fix mt7996_mcu_all_sta_info_event struct packing (bsc#1227149). - wifi: mt76: mt7915: also MT7981 is 3T3R but nss2 on 5 GHz band (bsc#1227149). - wifi: mt76: mt7915: fix EEPROM offset of TSSI flag on MT7981 (bsc#1227149). - wifi: mt76: connac: add beacon protection support for mt7996 (bsc#1227149). - wifi: mt76: mt7996: rework ampdu params setting (bsc#1227149). - commit 3e59fd6 - wifi: mt76: mt7996: add txpower setting support (bsc#1227149). - commit fd1825a - wifi: mt76: mt7996: fix alignment of sta info event (bsc#1227149). - wifi: mt76: mt7996: switch to mcu command for TX GI report (bsc#1227149). - wifi: mt76: use chainmask for power delta calculation (bsc#1227149). - wifi: mt76: change txpower init to per-phy (bsc#1227149). - wifi: mt76: mt7996: align the format of fixed rate command (bsc#1227149). - wifi: mt76: mt7996: handle IEEE80211_RC_SMPS_CHANGED (bsc#1227149). - wifi: mt76: connac: set fixed_bw bit in TX descriptor for fixed rate frames (bsc#1227149). - wifi: mt76: mt7996: adjust WFDMA settings to improve performance (bsc#1227149). - wifi: mt76: connac: add beacon duplicate TX mode support for mt7996 (bsc#1227149). - commit e90dd6a - wifi: mt76: move wed reset common code in mt76 module (bsc#1227149). - commit b63457a - wifi: mt76: mt7996: add thermal sensor device support (bsc#1227149). - wifi: mt76: connac: add thermal protection support for mt7996 (bsc#1227149). - wifi: mt76: mt7996: add TX statistics for EHT mode in debugfs (bsc#1227149). - wifi: mt76: mt7996: add support for variants with auxiliary RX path (bsc#1227149). - wifi: mt76: mt7996: use u16 for val field in mt7996_mcu_set_rro signature (bsc#1227149). - wifi: mt76: dma: introduce __mt76_dma_queue_reset utility routine (bsc#1227149). - commit dd57284 - wifi: mt76: increase MT_QFLAG_WED_TYPE size (bsc#1227149). - wifi: mt76: introduce wed pointer in mt76_queue (bsc#1227149). - wifi: mt76: introduce mt76_queue_is_wed_tx_free utility routine (bsc#1227149). - wifi: mt76: move mt76_net_setup_tc in common code (bsc#1227149). - wifi: mt76: move mt76_mmio_wed_offload_{enable,disable} in common code (bsc#1227149). - wifi: mt76: mmio: move mt76_mmio_wed_{init,release}_rx_buf in common code (bsc#1227149). - wifi: mt76: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: mt76: permit to load precal from NVMEM cell for mt7915 (bsc#1227149). - wifi: mt76: permit to use alternative cell name to eeprom NVMEM load (bsc#1227149). - commit 15e9dc7 - wifi: mt76: mt7921: support 5.9/6GHz channel config in acpi (bsc#1227149). - Refresh patches.suse/wifi-mt76-mt7921-fix-country-count-limitation-for-CL.patch. - Refresh patches.suse/wifi-mt76-mt7921-fix-incorrect-type-conversion-for-C.patch. - commit 915b272 - wifi: mt76: make mt76_get_of_eeprom static again (bsc#1227149). - wifi: mt76: limit support of precal loading for mt7915 to MTD only (bsc#1227149). - wifi: mt76: fix typo in mt76_get_of_eeprom_from_nvmem function (bsc#1227149). - wifi: mt76: mt7996: fix uninitialized variable in parsing txfree (bsc#1227149). - wifi: mt76: add ability to explicitly forbid LED registration with DT (bsc#1227149). - wifi: mt76: mt7925: fix typo in mt7925_init_he_caps (bsc#1227149). - wifi: mt76: mt7921: fix 6GHz disabled by the missing default CLC config (bsc#1227149). - net: fill in MODULE_DESCRIPTION()s in kuba@'s modules (bsc#1227149). - wifi: mt76: mt7921: fix kernel panic by accessing invalid 6GHz channel info (bsc#1227149). - commit b106ffb - wifi: mt76: Annotate struct mt76_rx_tid with __counted_by (bsc#1227149). - commit aecab86 - wifi: mt76: mt7921: update the channel usage when the regd domain changed (bsc#1227149). - Refresh patches.suse/wifi-mt76-mt7921-fix-country-count-limitation-for-CL.patch. - Refresh patches.suse/wifi-mt76-mt7921-fix-incorrect-type-conversion-for-C.patch. - commit b09df3f - wifi: mt76: mt7921: get regulatory information from the clc event (bsc#1227149). - Refresh patches.suse/wifi-mt76-mt7921-fix-country-count-limitation-for-CL.patch. - Refresh patches.suse/wifi-mt76-mt7921-fix-incorrect-type-conversion-for-C.patch. - commit 04b07d9 - wifi: mt76: mt7921: add 6GHz power type support for clc (bsc#1227149). - Refresh patches.suse/wifi-mt76-mt7921-fix-country-count-limitation-for-CL.patch. - commit b7bb561 - wifi: mt76: mt7921: enable set txpower for UNII-4 (bsc#1227149). - wifi: mt76: mt7921: move connac nic capability handling to mt7921 (bsc#1227149). - wifi: mt76: reduce spin_lock_bh held up in mt76_dma_rx_cleanup (bsc#1227149). - wifi: mt76: mt7996: remove periodic MPDU TXS request (bsc#1227149). - wifi: mt76: mt7996: enable PPDU-TxS to host (bsc#1227149). - wifi: mt76: mt7996: Add mcu commands for getting sta tx statistic (bsc#1227149). - commit e37a1c7 - Update config files for mt76 stuff (bsc#1227149) - commit debbb92 - wifi: mt76: connac: add MBSSID support for mt7996 (bsc#1227149). - Refresh patches.suse/wifi-mt76-update-beacon-size-limitation.patch. - commit 54772eb - wifi: mt76: mt7996: get tx_retries and tx_failed from txfree (bsc#1227149). - wifi: mt76: mt792x: move some common usb code in mt792x module (bsc#1227149). - wifi: mt76: mt792x: move mt7921_skb_add_usb_sdio_hdr in mt792x module (bsc#1227149). - wifi: mt76: mt7915 add tc offloading support (bsc#1227149). - wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips (bsc#1227149). - wifi: mt76: mt7915: update mpdu density capability (bsc#1227149). - wifi: mt76: check vif type before reporting cca and csa (bsc#1227149). - wifi: mt76: check sta rx control frame to multibss capability (bsc#1227149). - wifi: mt76: Use PTR_ERR_OR_ZERO() to simplify code (bsc#1227149). - commit 2106e27 - wifi: mt76: mt7996: support per-band LED control (bsc#1227149). - wifi: mt76: mt7996: support more options for mt7996_set_bitrate_mask() (bsc#1227149). - wifi: mt76: mt7996: only set vif teardown cmds at remove interface (bsc#1227149). - wifi: mt76: connac: add more unified event IDs (bsc#1227149). - wifi: mt76: connac: add more unified command IDs (bsc#1227149). - wifi: mt76: connac: add data field in struct tlv (bsc#1227149). - wifi: mt76: connac: add eht support for tx power (bsc#1227149). - wifi: mt76: connac: add eht support for phy mode config (bsc#1227149). - wifi: mt76: connac: export functions for mt7925 (bsc#1227149). - wifi: mt76: mt792x: support mt7925 chip init (bsc#1227149). - commit 135e742 - wifi: mt76: connac: introduce helper for mt7925 chipset (bsc#1227149). - wifi: mt76: mt7915: fix monitor mode issues (bsc#1227149). - wifi: mt76: add DMA mapping error check in mt76_alloc_txwi() (bsc#1227149). - wifi: mt76: fix race condition related to checking tx queue fill status (bsc#1227149). - wifi: mt76: use atomic iface iteration for pre-TBTT work (bsc#1227149). - wifi: mt76: mt7603: disable A-MSDU tx support on MT7628 (bsc#1227149). - wifi: mt76: mt7603: add missing register initialization for MT7628 (bsc#1227149). - commit 6594bb5 - net: ethernet: mtk_wed: introduce mtk_wed_buf structure (bsc#1227149). - net: ethernet: mtk_wed: rename mtk_rxbm_desc in mtk_wed_bm_desc (bsc#1227149). - wifi: mt76: Replace strlcpy() with strscpy() (bsc#1227149). - wifi: mt76: mt76x02: fix return value check in mt76x02_mac_process_rx (bsc#1227149). - wifi: mt76: mt7921: move mt7921u_disconnect mt792x-lib (bsc#1227149). - wifi: mt76: mt7921: move mt7921_dma_init in pci.c (bsc#1227149). - wifi: mt76: mt792x: move MT7921_PM_TIMEOUT and MT7921_HW_SCAN_TIMEOUT in common code (bsc#1227149). - wifi: mt76: mt76_connac3: move lmac queue enumeration in mt76_connac3_mac.h (bsc#1227149). - wifi: mt76: mt792x: move mt7921_load_firmware in mt792x-lib module (bsc#1227149). - commit 1179b28 - wifi: mt76: mt792x: introduce mt792x-usb module (bsc#1227149). - commit bb743ca - wifi: mt76: mt7921: move acpi_sar code in mt792x-lib module (bsc#1227149). - Refresh patches.suse/wifi-mt76-mt7921-fix-country-count-limitation-for-CL.patch. - Refresh patches.suse/wifi-mt76-mt7921-fix-incorrect-type-conversion-for-C.patch. - Refresh patches.suse/wifi-mt76-mt792x-fix-a-potential-loading-failure-of-.patch. - commit e00ae3f - wifi: mt76: mt7921: move runtime-pm pci code in mt792x-lib (bsc#1227149). - commit 35d834e - wifi: mt76: mt7921: move shared runtime-pm code on mt792x-lib (bsc#1227149). - commit 5efac2c - wifi: mt76: mt7921: move hif_ops macro in mt792x.h (bsc#1227149). - commit 945f2ed - wifi: mt76: mt792x: move more dma shared code in mt792x_dma (bsc#1227149). - Refresh patches.suse/wifi-mt76-mt7921e-fix-use-after-free-in-free_irq.patch. - commit 4136c03 - wifi: mt76: mt792x: introduce mt792x_irq_map (bsc#1227149). - Refresh patches.suse/wifi-mt76-mt7921e-fix-use-after-free-in-free_irq.patch. - Refresh patches.suse/wifi-mt76-mt7921s-fix-potential-hung-tasks-during-ch.patch. - commit 94984c8 - wifi: mt76: mt7921: move init shared code in mt792x-lib module (bsc#1227149). - wifi: mt76: mt7921: move debugfs shared code in mt792x-lib module (bsc#1227149). - wifi: mt76: mt7921: move dma shared code in mt792x-lib module (bsc#1227149). - commit 8138035 - wifi: mt76: mt7921: move mac shared code in mt792x-lib module (bsc#1227149). - commit 118e960 - wifi: mt76: mt792x: introduce mt792x-lib module (bsc#1227149). - Refresh patches.suse/wifi-mt76-move-struct-ieee80211_chanctx_conf-up-to-s.patch. - commit bba35bb - wifi: mt76: mt7921: move mt792x_hw_dev in mt792x.h (bsc#1227149). - Refresh patches.suse/wifi-mt76-move-struct-ieee80211_chanctx_conf-up-to-s.patch. - commit e5956d4 - wifi: mt76: mt7921: move mt792x_mutex_{acquire/release} in mt792x.h (bsc#1227149). - Refresh patches.suse/wifi-mt76-move-struct-ieee80211_chanctx_conf-up-to-s.patch. - commit ea3046f - wifi: mt76: mt792x: move shared structure definition in mt792x.h (bsc#1227149). - Refresh patches.suse/wifi-mt76-move-struct-ieee80211_chanctx_conf-up-to-s.patch. - commit c60dc5e - wifi: mt76: mt7921: rename mt7921_dev in mt792x_dev (bsc#1227149). - Refresh patches.suse/wifi-mt76-move-struct-ieee80211_chanctx_conf-up-to-s.patch. - Refresh patches.suse/wifi-mt76-mt7921e-fix-use-after-free-in-free_irq.patch. - Refresh patches.suse/wifi-mt76-mt792x-fix-a-potential-loading-failure-of-.patch. - commit 845aa52 - wifi: mt76: mt7921: rename mt7921_vif in mt792x_vif (bsc#1227149). - Refresh patches.suse/wifi-mt76-move-struct-ieee80211_chanctx_conf-up-to-s.patch. - commit d4d2c1b - wifi: mt76: mt7921: rename mt7921_hif_ops in mt792x_hif_ops (bsc#1227149). - wifi: mt76: mt7921: rename mt7921_phy in mt792x_phy (bsc#1227149). - wifi: mt76: mt7921: rename mt7921_sta in mt792x_sta (bsc#1227149). - commit 47cecdc - wifi: mt76: move rate info in mt76_vif (bsc#1227149). - Refresh patches.suse/wifi-mt76-move-struct-ieee80211_chanctx_conf-up-to-s.patch. - Refresh patches.suse/wifi-mt76-mt7996-fix-rate-usage-of-inband-discovery-.patch. - commit 8909aa1 - wifi: mt76: mt7921: convert acpisar and clc pointers to void (bsc#1227149). - wifi: mt76: mt7921: move common register definition in mt792x_regs.h (bsc#1227149). - wifi: mt76: mt7603: fix tx filter/flush function (bsc#1227149). - wifi: mt76: mt7603: fix beacon interval after disabling a single vif (bsc#1227149). - wifi: mt76: add support for providing eeprom in nvmem cells (bsc#1227149). - wifi: mt76: split get_of_eeprom in subfunction (bsc#1227149). - wifi: mt76: connac: add connac3 mac library (bsc#1227149). - mt76: connac: move more mt7921/mt7915 mac shared code in connac lib (bsc#1227149). - wifi: mt76: move ampdu_state in mt76_wcid (bsc#1227149). - commit 343ad65 - wifi: mt76: mt7921: rely on shared sta_poll_list and sta_poll_lock (bsc#1227149). - Refresh patches.suse/wifi-mt76-move-struct-ieee80211_chanctx_conf-up-to-s.patch. - commit 72ca75a - wifi: mt76: mt7921: rely on shared poll_list field (bsc#1227149). - wifi: mt76: mt7996: rely on shared poll_list field (bsc#1227149). - wifi: mt76: mt7615: rely on shared poll_list field (bsc#1227149). - wifi: mt76: mt7603: rely on shared poll_list field (bsc#1227149). - wifi: mt76: mt7915: move poll_list in mt76_wcid (bsc#1227149). - wifi: mt76: mt7996: rely on shared sta_poll_list and sta_poll_lock (bsc#1227149). - wifi: mt76: mt7615: rely on shared sta_poll_list and sta_poll_lock (bsc#1227149). - wifi: mt76: mt7603: rely on shared sta_poll_list and sta_poll_lock (bsc#1227149). - wifi: mt76: mt7915: move sta_poll_list and sta_poll_lock in mt76_dev (bsc#1227149). - commit 2965d6e - wifi: mt76: mt7996: increase tx token size (bsc#1227149). - wifi: mt76: mt7996: add muru support (bsc#1227149). - wifi: mt76: connac: add support to set ifs time by mcu command (bsc#1227149). - wifi: mt76: mt7996: enable VHT extended NSS BW feature (bsc#1227149). - wifi: mt76: connac: add support for dsp firmware download (bsc#1227149). - wifi: mt76: mt7996: move radio ctrl commands to proper functions (bsc#1227149). - wifi: mt76: mt7921: get rid of MT7921_RESET_TIMEOUT marco (bsc#1227149). - mt76: mt7996: rely on mt76_sta_stats in mt76_wcid (bsc#1227149). - wifi: mt76: mt7921: make mt7921_mac_sta_poll static (bsc#1227149). - wifi: mt76: mt7996: disable WFDMA Tx/Rx during SER recovery (bsc#1227149). - commit fc1c367 - Update config files: adjust for Arm CONFIG_MT798X_WMAC (bsc#1227149) - commit 5938ea9 - wifi: mt76: mt7921: rely on mib_stats shared definition (bsc#1227149). - Refresh patches.suse/wifi-mt76-move-struct-ieee80211_chanctx_conf-up-to-s.patch. - commit a519a6e - wifi: mt76: mt7915: disable WFDMA Tx/Rx during SER recovery (bsc#1227149). - wifi: mt76: mt7921: Support temp sensor (bsc#1227149). - wifi: mt76: mt7915: accumulate mu-mimo ofdma muru stats (bsc#1227149). - wifi: mt76: add tx_nss histogram to ethtool stats (bsc#1227149). - wifi: mt76: mt7921e: report tx retries/failed counts in tx free event (bsc#1227149). - wifi: mt76: mt7915: add support for MT7981 (bsc#1227149). - wifi: mt76: mt7996: rely on mib_stats shared definition (bsc#1227149). - wifi: mt76: mt7915: move mib_stats structure in mt76.h (bsc#1227149). - wifi: mt76: mt7921: remove macro duplication in regs.h (bsc#1227149). - commit c307798 - wifi: mt76: mt7915: report tx retries/failed counts for non-WED path (bsc#1227149). - Refresh patches.suse/wifi-mt76-mt7915-rework-tx-packets-counting-when-WED.patch. - commit 25e2b06 - wifi: mt76: mt7996: enable BSS_CHANGED_MU_GROUPS support (bsc#1227149). - Refresh patches.suse/wifi-mt76-update-beacon-size-limitation.patch. - commit b121af9 - wifi: mt76: mt7996: drop return in mt7996_sta_statistics (bsc#1227149). - wifi: mt76: mt7915: drop return in mt7915_sta_statistics (bsc#1227149). - wifi: mt76: report non-binding skb tx rate when WED is active (bsc#1227149). - wifi: mt76: enable UNII-4 channel 177 support (bsc#1227149). - wifi: mt76: mt7615: enable BSS_CHANGED_MU_GROUPS support (bsc#1227149). - wifi: mt7601u: replace strlcpy() with strscpy() (bsc#1227149). - wifi: mt7601u: delete dead code checking debugfs returns (bsc#1227149). - commit 3625743 - exfat: fix potential deadlock on __exfat_get_dentry_set (git-fixes). - commit aaa908a - media: venus: fix use after free in vdec_close (git-fixes). - media: venus: flush all buffers in output plane streamoff (git-fixes). - media: v4l: subdev: Fix typo in documentation (git-fixes). - media: imx-pxp: Fix ERR_PTR dereference in pxp_probe() (git-fixes). - media: renesas: vsp1: Store RPF partition configuration per RPF instance (git-fixes). - media: renesas: vsp1: Fix _irqsave and _irq mix (git-fixes). - media: rcar-vin: Fix YUYV8_1X16 handling for CSI-2 (git-fixes). - media: imx-jpeg: Drop initial source change event if capture has been setup (git-fixes). - media: imx-jpeg: Remove some redundant error logs (git-fixes). - media: uvcvideo: Override default flags (git-fixes). - media: uvcvideo: Fix integer overflow calculating timestamp (git-fixes). - saa7134: Unchecked i2c_transfer function result fixed (git-fixes). - media: v4l: async: Fix NULL pointer dereference in adding ancillary links (git-fixes). - media: i2c: Fix imx412 exposure control (git-fixes). - media: imon: Fix race getting ictx-&gt;lock (git-fixes). - media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control() (git-fixes). - media: pci: ivtv: Add check for DMA map result (git-fixes). - leds: flash: leds-qcom-flash: Test the correct variable in init (git-fixes). - Revert &quot;leds: led-core: Fix refcount leak in of_led_get()&quot; (git-fixes). - leds: mt6360: Fix memory leak in mt6360_init_isnk_properties() (git-fixes). - leds: triggers: Flush pending brightness before activating trigger (git-fixes). - leds: ss4200: Convert PCIBIOS_* return codes to errnos (git-fixes). - leds: trigger: Unregister sysfs attributes before calling deactivate() (git-fixes). - mfd: omap-usb-tll: Use struct_size to allocate tll (git-fixes). - mfd: pm8008: Fix regmap irq chip initialisation (git-fixes). - ipmi: ssif_bmc: prevent integer overflow on 32bit systems (git-fixes). - ata: libata-scsi: Fix offsets for the fixed format sense data (git-fixes). - commit a8e6a5f - Update patches.suse/mptcp-ensure-snd_nxt-is-properly-initialized-on-conn.patch (CVE-2024-36889 bsc#1225746). - commit 98abb2b - mptcp: fix data races on remote_id (CVE-2024-27404 bsc#1224422) - commit ed12cfe - netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() (CVE-2024-27020 bsc#1223815) - commit 79c457d - netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() (CVE-2024-27019 bsc#1223813) - commit 73c5c5f - btrfs: open code set_extent_bits_nowait (bsc#1223731 CVE-2024-26944). - commit da5e600 - btrfs: open code set_extent_dirty (bsc#1223731 CVE-2024-26944). - commit 3076056 - btrfs: open code set_extent_new (bsc#1223731 CVE-2024-26944). - Refresh patches.suse/btrfs-make-find_first_extent_bit-return-a-boolean.patch. - commit 3afda0a - mm/page_table_check: fix crash on ZONE_DEVICE (CVE-2024-40948 bsc#1227801). - commit 69b3c59 - btrfs: open code set_extent_delalloc (bsc#1223731 CVE-2024-26944). - btrfs: open code set_extent_defrag (bsc#1223731 CVE-2024-26944). - commit 646bcad - btrfs: use btrfs_next_item() at scrub.c:find_first_extent_item() (bsc#1223731 CVE-2024-26944). - btrfs: unexport extent_map_block_end() (bsc#1223731 CVE-2024-26944). - btrfs: split assert into two different asserts when removing block group (bsc#1223731 CVE-2024-26944). - btrfs: mark sanity checks when getting chunk map as unlikely (bsc#1223731 CVE-2024-26944). - commit b0dd338 - gro: fix ownership transfer (CVE-2024-35890 bsc#1224516). - commit 8c57ce0 - mptcp: ensure snd_nxt is properly initialized on connect (CVE-2024-36889). - commit 724d285 - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() (CVE-2024-36902 bsc#1225719). - commit d8c5ba2 - phonet: fix rtm_phonet_notify() skb allocation (CVE-2024-36946 bsc#1225851). - commit a878203 - r8169: Fix possible ring buffer corruption on fragmented Tx packets (CVE-2024-38586 bsc#1226750). - commit 1324b27 - btrfs: zoned: factor out DUP bg handling from btrfs_load_block_group_zone_info (bsc#1223731 CVE-2024-26944). - btrfs: zoned: factor out single bg handling from btrfs_load_block_group_zone_info (bsc#1223731 CVE-2024-26944). - btrfs: zoned: factor out per-zone logic from btrfs_load_block_group_zone_info (bsc#1223731 CVE-2024-26944). - btrfs: zoned: introduce a zone_info struct in btrfs_load_block_group_zone_info (bsc#1223731 CVE-2024-26944). - commit f06e144 - wifi: virt_wifi: don't use strlen() in const context (git-fixes). - commit b4154c8 - wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() (git-fixes). - wifi: rtl8xxxu: 8188f: Limit TX power index (git-fixes). - wifi: rtw89: 8852b: fix definition of KIP register number (git-fixes). - wifi: mac80211: chanctx emulation set CHANGE_CHANNEL when in_reconfig (git-fixes). - wifi: virt_wifi: avoid reporting connection success with wrong SSID (git-fixes). - wifi: ath12k: fix peer metadata parsing (git-fixes). - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers (git-fixes). - wifi: ath11k: fix RCU documentation in ath11k_mac_op_ipv6_changed() (git-fixes). - wifi: iwlwifi: mvm: don't limit VLP/AFC to UATS-enabled (git-fixes). - wifi: iwlwifi: fix iwl_mvm_get_valid_rx_ant() (git-fixes). - wifi: mac80211: correcty limit wider BW TDLS STAs (git-fixes). - wifi: mac80211: add ieee80211_tdls_sta_link_id() (stable-fixes). - commit 949fcca - wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() (git-fixes). - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he() (git-fixes). - wifi: ath12k: fix wrong definition of CE ring's base address (git-fixes). - wifi: ath11k: fix wrong definition of CE ring's base address (git-fixes). - wifi: ath12k: fix firmware crash during reo reinject (git-fixes). - wifi: ath12k: fix invalid memory access while processing fragmented packets (git-fixes). - wifi: ath12k: change DMA direction while mapping reinjected packets (git-fixes). - wifi: ath11k: restore country code during resume (git-fixes). - wifi: ath11k: refactor setting country code logic (stable-fixes). - wifi: ath12k: Fix tx completion ring (WBM2SW) setup failure (git-fixes). - wifi: ath12k: Correct 6 GHz frequency value in rx status (git-fixes). - wifi: ath12k: avoid duplicated vdev stop (git-fixes). - wifi: ath12k: drop failed transmitted frames from metric calculation (git-fixes). - wifi: ath12k: Don't drop tx_status in failure case (git-fixes). - wifi: rtw89: fix HW scan not aborting properly (git-fixes). - commit 7f555ea - wifi: mac80211: reset negotiated TTLM on disconnect (git-fixes). - Refresh patches.kabi/wireless-kabi-workaround.patch. - commit e02cbd1 - wifi: mac80211: cancel multi-link reconf work on disconnect (git-fixes). - wifi: mwifiex: Fix interface type change (git-fixes). - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device (git-fixes). - vmlinux.lds.h: catch .bss..L* sections into BSS&quot;) (git-fixes). - wifi: mac80211: Recalc offload when monitor stop (git-fixes). - commit 0c5d63e - Bluetooth: hci_event: Set QoS encryption from BIGInfo report (git-fixes). - Bluetooth: btnxpuart: Add handling for boot-signature timeout errors (git-fixes). - Bluetooth: btintel: Refactor btintel_set_ppag() (git-fixes). - Bluetooth: hci_bcm4377: Use correct unit for timeouts (git-fixes). - lib: objagg: Fix general protection fault (git-fixes). - lib: test_objagg: Fix spelling (git-fixes). - lib: objagg: Fix spelling (git-fixes). - cpufreq: ti-cpufreq: Handle deferred probe with dev_err_probe() (git-fixes). - cpufreq/amd-pstate: Fix the scaling_max_freq setting on shared memory CPPC systems (git-fixes). - firmware: turris-mox-rwtm: Initialize completion before mailbox (git-fixes). - firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout() (git-fixes). - firmware: turris-mox-rwtm: Do not complete if there are no waiters (git-fixes). - drivers: soc: xilinx: check return status of get_api_version() (git-fixes). - soc: xilinx: rename cpu_number1 to dummy_cpu_number (git-fixes). - soc: qcom: pdr: fix parsing of domains lists (git-fixes). - soc: qcom: pdr: protect locator_addr with the main mutex (git-fixes). - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data() callers (git-fixes). - soc: qcom: pmic_glink: Handle the return value of pmic_glink_init (git-fixes). - commit aea26b0 - blacklist.conf: add 54cbc058d86b commit 54cbc058d86b (&quot;fs/aio: Make io_cancel() generate completions again&quot;) was later reverted upstream by commit 28468cbed92e, so blacklist it. - commit bc9be4f - btrfs: remove the need_raid_map parameter from btrfs_map_block() (bsc#1223731 CVE-2024-26944). - btrfs: zoned: skip splitting and logical rewriting on pre-alloc write (bsc#1223731 CVE-2024-26944). - btrfs: zoned: do not zone finish data relocation block group (bsc#1223731 CVE-2024-26944). - btrfs: add comments for btrfs_map_block() (bsc#1223731 CVE-2024-26944). - commit 0c47c71 - Revert &quot;gfs2: fix glock shrinker ref issues&quot; (git-fixes). - commit f7bfdba - gfs2: Fix &quot;ignore unlock failures after withdraw&quot; (git-fixes). - commit 519ac22 - gfs2: Don't forget to complete delayed withdraw (git-fixes). - commit 7f71d47 - gfs2: Fix invalid metadata access in punch_hole (git-fixes). - commit 1be0540 - gfs2: Rename gfs2_lookup_{ simple =&gt; meta } (git-fixes). - commit d7e53ef - gfs2: Use mapping-&gt;gfp_mask for metadata inodes (git-fixes). - commit 78503fa - gfs2: convert to ctime accessor functions (git-fixes). - commit b024418 - gfs2: Get rid of gfs2_alloc_blocks generation parameter (git-fixes). - commit e229d26 - dlm: fix user space lock decision to copy lvb (git-fixes). - commit 9a5eade - ocfs2: fix DIO failure due to insufficient transaction credits (git-fixes). - commit cf885b6 - ocfs2: use coarse time for new created files (git-fixes). - commit 61f3cb7 - ocfs2: fix races between hole punching and AIO+DIO (git-fixes). - commit bdcd35b - filelock: fix potential use-after-free in posix_lock_inode (git-fixes). - commit 4ceada4 - fs/pipe: Fix lockdep false-positive in watchqueue pipe_write() (git-fixes). - commit 047ac8f - tracefs: Add missing lockdown check to tracefs_create_dir() (git-fixes). - commit 65b8efc - f2fs: fix error path of __f2fs_build_free_nids (git-fixes). - commit 6c1efec - btrfs: zoned: re-enable metadata over-commit for zoned mode (bsc#1223731 CVE-2024-26944). - btrfs: zoned: don't activate non-DATA BG on allocation (bsc#1223731 CVE-2024-26944). - btrfs: zoned: no longer count fresh BG region as zone unusable (bsc#1223731 CVE-2024-26944). - commit cc48fd8 - smb: client: fix deadlock in smb2_find_smb_tcon() (bsc#1227103, CVE-2024-39468). - commit 1548cc0 - orangefs: fix out-of-bounds fsid access (git-fixes). - commit 8d69475 - btrfs: zoned: activate metadata block group on write time (bsc#1223731 CVE-2024-26944). - btrfs: zoned: reserve zones for an active metadata/system block group (bsc#1223731 CVE-2024-26944). - commit 00c0b10 - btrfs: zoned: update meta write pointer on zone finish (bsc#1223731 CVE-2024-26944). - btrfs: zoned: defer advancing meta write pointer (bsc#1223731 CVE-2024-26944). - commit 9625328 - net/mlx5: Always stop health timer during driver removal (CVE-2024-40906 bsc#1227763). - commit 3630f6e - btrfs: zoned: return int from btrfs_check_meta_write_pointer (bsc#1223731 CVE-2024-26944). - btrfs: zoned: introduce block group context to btrfs_eb_write_context (bsc#1223731 CVE-2024-26944). - btrfs: introduce struct to consolidate extent buffer write context (bsc#1223731 CVE-2024-26944). - commit d8f8b66 - btrfs: zoned: use vcalloc instead of for vzalloc in btrfs_get_dev_zone_info (bsc#1223731 CVE-2024-26944). - commit 4837f02 - btrfs: open code need_full_stripe conditions (bsc#1223731 CVE-2024-26944). - Refresh patches.suse/btrfs-be-a-bit-more-careful-when-setting-mirror.patch. - commit 0011c1e - nilfs2: fix incorrect inode allocation from reserved inodes (git-fixes). - commit 9ce9b3c - nilfs2: convert persistent object allocator to use kmap_local (git-fixes). - commit dc36fd2 - netfilter: nf_tables: restore set elements when delete set fails (CVE-2024-27012 bsc#1223804). - commit 8ba3bb4 - jffs2: Fix potential illegal address access in jffs2_free_inode (git-fixes). - commit 282ccaf - hfsplus: fix to avoid false alarm of circular locking (git-fixes). - commit 490432a - btrfs: open code btrfs_map_sblock (bsc#1223731 CVE-2024-26944). - commit 5fa5c99 - btrfs: rename __btrfs_map_block to btrfs_map_block (bsc#1223731 CVE-2024-26944). - commit de51f30 - btrfs: remove unused btrfs_map_block (bsc#1223731 CVE-2024-26944). - commit 0ff7c2f - btrfs: optimize simple reads in btrfsic_map_block (bsc#1223731 CVE-2024-26944). - commit 3260913 - btrfs: remove unused BTRFS_MAP_DISCARD (bsc#1223731 CVE-2024-26944). - commit 68b562a - btrfs: pass the new logical address to split_extent_map (bsc#1223731 CVE-2024-26944). - commit c2e8884 - btrfs: defer splitting of ordered extents until I/O completion (bsc#1223731 CVE-2024-26944). - commit 5ae3e38 - btrfs: handle completed ordered extents in btrfs_split_ordered_extent (bsc#1223731 CVE-2024-26944). - commit ddd9e87 - btrfs: atomically insert the new extent in btrfs_split_ordered_extent (bsc#1223731 CVE-2024-26944). - commit 4030656 - btrfs: split btrfs_alloc_ordered_extent to allocation and insertion helpers (bsc#1223731 CVE-2024-26944). - Refresh patches.suse/0002-btrfs-fix-qgroup_free_reserved_data-int-overflow.patch. - commit e1bc1c4 - drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2 (bsc#1227723 CVE-2024-39498) - commit bb19e55 - btrfs: return the new ordered_extent from btrfs_split_ordered_extent (bsc#1223731 CVE-2024-26944). - commit c61ece3 - btrfs: reorder conditions in btrfs_extract_ordered_extent (bsc#1223731 CVE-2024-26944). - commit 7ad1725 - btrfs: move split_extent_map to extent_map.c (bsc#1223731 CVE-2024-26944). - commit 4667690 - btrfs: record orig_physical only for the original bio (bsc#1223731 CVE-2024-26944). - commit f1ddea8 - btrfs: optimize the logical to physical mapping for zoned writes (bsc#1223731 CVE-2024-26944). - Refresh patches.suse/0002-btrfs-fix-qgroup_free_reserved_data-int-overflow.patch. - commit 59cfe96 - ionic: fix use after netif_napi_del() (CVE-2024-39502 bsc#1227755). - commit a8905bd - netfilter: flowtable: validate pppoe header (CVE-2024-27016 bsc#1223807). - commit 4c0256f - i40e: fix: remove needless retries of NVM update (bsc#1227736). - commit df4f038 - spi: spi-microchip-core: Fix the number of chip selects supported (git-fixes). - spi: atmel-quadspi: Add missing check for clk_prepare (git-fixes). - gpio: mc33880: Convert comma to semicolon (git-fixes). - pwm: stm32: Always do lazy disabling (git-fixes). - hwmon: (max6697) Fix swapped temp{1,8} critical alarms (git-fixes). - hwmon: (max6697) Fix underflow when writing limit attributes (git-fixes). - hwmon: (adt7475) Fix default duty on fan is disabled (git-fixes). - platform/chrome: cros_ec_debugfs: fix wrong EC message version (git-fixes). - char: tpm: Fix possible memory leak in tpm_bios_measurements_open() (git-fixes). - tools/memory-model: Fix bug in lock.cat (git-fixes). - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes (git-fixes). - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes (git-fixes). - drm/meson: fix canvas release in bind function (git-fixes). - commit 027008e - Move upstreamed patches into sorted section - commit da52786 - ipv6: prevent NULL dereference in ip6_output() (CVE-2024-36901 bsc#1225711) - commit 299bf13 - i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004 bsc#1224545) - commit 42d6eee - nbd: null check for nla_nest_start (CVE-2024-27025 bsc#1223778) - commit a23796b - btrfs: rename the bytenr field in struct btrfs_ordered_sum to logical (bsc#1223731 CVE-2024-26944). - btrfs: mark the len field in struct btrfs_ordered_sum as unsigned (bsc#1223731 CVE-2024-26944). - btrfs: don't call btrfs_record_physical_zoned for failed append (bsc#1223731 CVE-2024-26944). - btrfs: optimize out btrfs_is_zoned for !CONFIG_BLK_DEV_ZONED (bsc#1223731 CVE-2024-26944). - commit 7e64d12 - btrfs: use SECTOR_SHIFT to convert LBA to physical offset (bsc#1223731 CVE-2024-26944). - Refresh patches.suse/btrfs-don-t-warn-if-discard-range-is-not-aligned-to-.patch. - commit ad23354 - btrfs: don't hold an extra reference for redirtied buffers (bsc#1223731 CVE-2024-26944). - Refresh patches.suse/0003-btrfs-free-qgroup-pertrans-reserve-on-transaction-ab.patch. - commit 47897b2 - btrfs: export bitmap_test_range_all_{set,zero} (bsc#1223731 CVE-2024-26944). - commit fcba900 - Update patch reference for ath12k fix (CVE-2024-40979 bsc#1227855) - commit 0463455 - mlxsw: spectrum_acl_tcam: Fix memory leak during rehash (CVE-2024-35853 bsc#1224604). - commit d46e600 - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update (CVE-2024-35854 bsc#1224636). - commit 7cd7b18 - phonet/pep: fix racy skb_queue_empty() use (CVE-2024-27402 bsc#1224414). - commit 9f9d7b5 - kprobe/ftrace: fix build error due to bad function definition (git-fixes). - commit 16bb0c0 - net: prevent mss overflow in skb_segment() (CVE-2023-52435 bsc#1220138). - commit b718cb4 - netfilter: nf_tables: do not compare internal table flags on updates (CVE-2024-27065 bsc#1223836). - commit 0e49dd8 - tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() (git-fixes). - commit c773566 - tracing: Build event generation tests only as modules (git-fixes). - commit dd7f603 - usb: ucsi: stm32: fix command completion handling (git-fixes). - commit 3155170 - Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional() (git-fixes). - commit 3a34099 - cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd (git-fixes). - commit 12446de - iommu/vt-d: Allocate DMAR fault interrupts locally (bsc#1224767). - commit 85bf7e2 - iommu/amd: Fix panic accessing amd_iommu_enable_faulting (bsc#1224767). - commit 567c8c9 - netfilter: flowtable: incorrect pppoe tuple (CVE-2024-27015 bsc#1223806). - commit e834f51 - netfilter: nf_tables: Fix a memory leak in nf_tables_updchain (CVE-2024-27064 bsc#1223740). - commit daf6634 - blacklist.conf: feature, not fix - commit 7a64b31 - kprobe/ftrace: bail out if ftrace was killed (git-fixes). - commit 43ba702 - tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() (CVE-2024-26663 bsc#1222326). - commit fff5ef3 - blacklist.conf: add not-relevant tracing fixes - commit b158327 - Update patches.suse/ring-buffer-Fix-a-race-between-readers-and-resize-checks.patch (bsc#1222893). - commit eebb09a - wifi: ath11k: Add coldboot calibration support for QCN9074 (bsc#1227149). - wifi: ath11k: Split coldboot calibration hw_param (bsc#1227149). - Refresh patches.suse/wifi-ath11k-fix-boot-failure-with-one-MSI-vector.patch. - Refresh patches.suse/wifi-ath11k-support-hibernation.patch. - commit e553d75 - wifi: ath9k: avoid using uninitialized array (bsc#1227149). - Refresh patches.suse/wifi-ath9k-fix-fortify-warnings.patch. - commit 7a06512 - iommu: Fix compilation without CONFIG_IOMMU_INTEL (git-fixes). - commit dcdbf4a - wifi: mt76: mt7615: add missing chanctx ops (bsc#1227149). - wifi: mt76: mt7915: add missing chanctx ops (bsc#1227149). - commit 5e9fc63 - kABI workaround for wireless updates (bsc#1227149). - commit 956c903 - i2c: rcar: bring hardware to known state when probing (git-fixes). - i2c: testunit: avoid re-issued work after read message (git-fixes). - i2c: mark HostNotify target address as used (git-fixes). - i2c: testunit: correct Kconfig description (git-fixes). - commit 834d4d5 - supported.conf: update for mt76 stuff (bsc#1227149) - commit 276fbe5 - kabi/severities: cover all mt76 modules (bsc#1227149) - commit 8877f2f - wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP (bsc#1227149). - commit a3d6465 - wifi: mac80211: fix monitor channel with chanctx emulation (bsc#1227149). - wifi: cfg80211: validate HE operation element parsing (bsc#1227149). - wifi: mac80211: don't select link ID if not provided in scan request (bsc#1227149). - wifi: mac80211: check EHT/TTLM action frame length (bsc#1227149). - wifi: mac80211: correctly set active links upon TTLM (bsc#1227149). - wifi: cfg80211: set correct param change count in ML element (bsc#1227149). - wifi: mac80211: use deflink and fix typo in link ID check (bsc#1227149). - commit e4d62d6 - kabi/severities: ignore kABI changes Realtek WiFi drivers (bsc#1227149) All those symbols are local and used for its own helpers - commit c402c7b - wifi: rtlwifi: Ignore IEEE80211_CONF_CHANGE_RETRY_LIMITS (bsc#1227149). - wifi: rtw89: wow: refine WoWLAN flows of HCI interrupts and low power mode (bsc#1227149). - wifi: rtl8xxxu: enable MFP support with security flag of RX descriptor (bsc#1227149). - wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband (bsc#1227149). - wifi: rtw89: 8852c: add quirk to set PCI BER for certain platforms (bsc#1227149). - wifi: rtw89: download firmware with five times retry (bsc#1227149). - commit 70ec305 - wifi: rtw89: coex: fix configuration for shared antenna for 8922A (bsc#1227149). - wifi: rtw89: wow: move release offload packet earlier for WoWLAN mode (bsc#1227149). - wifi: rtw89: wow: set security engine options for 802.11ax chips only (bsc#1227149). - wifi: rtw89: update suspend/resume for different generation (bsc#1227149). - wifi: rtw89: wow: update config mac function with different generation (bsc#1227149). - wifi: rtw89: update DMA function with different generation (bsc#1227149). - wifi: rtw89: wow: update WoWLAN status register for different generation (bsc#1227149). - wifi: rtw89: wow: update WoWLAN reason register for different chips (bsc#1227149). - wifi: rtw89: coex: Add coexistence policy to decrease WiFi packet CRC-ERR (bsc#1227149). - wifi: rtw89: coex: When Bluetooth not available don't set power/gain (bsc#1227149). - wifi: rtw89: coex: add return value to ensure H2C command is success or not (bsc#1227149). - wifi: rtw89: coex: Reorder H2C command index to align with firmware (bsc#1227149). - wifi: rtw89: coex: add BTC ctrl_info version 7 and related logic (bsc#1227149). - wifi: rtw89: coex: add init_info H2C command format version 7 (bsc#1227149). - wifi: rtw89: 8922a: add coexistence helpers of SW grant (bsc#1227149). - wifi: rtw89: mac: add coexistence helpers {cfg/get}_plt (bsc#1227149). - wifi: rtlwifi: Remove rtl_intf_ops.read_efuse_byte (bsc#1227149). - wifi: rtl8xxxu: fix mixed declarations in rtl8xxxu_set_aifs() (bsc#1227149). - wifi: rtw89: pci: implement PCI CLK/ASPM/L1SS for WiFi 7 chips (bsc#1227149). - wifi: rtw89: Update EHT PHY beamforming capability (bsc#1227149). - wifi: rtw89: advertise missing extended scan feature (bsc#1227149). - wifi: rtlwifi: set initial values for unexpected cases of USB endpoint priority (bsc#1227149). - wifi: rtl8xxxu: check vif before using in rtl8xxxu_tx() (bsc#1227149). - wifi: rtlwifi: rtl8192cu: Fix TX aggregation (bsc#1227149). - commit e9149f1 - wifi: rtw89: 8922a: add helper of set_channel (bsc#1227149). - wifi: rtw89: 8922a: add set_channel RF part (bsc#1227149). - wifi: rtw89: 8922a: add set_channel BB part (bsc#1227149). - wifi: rtw89: 8922a: add set_channel MAC part (bsc#1227149). - wifi: rtlwifi: rtl_usb: Store the endpoint addresses (bsc#1227149). - wifi: rtlwifi: rtl8192cu: Fix 2T2R chip type detection (bsc#1227149). - wifi: rtw89: 8922a: declare to support two chanctx (bsc#1227149). - wifi: rtw89: chan: support MCC on Wi-Fi 7 chips (bsc#1227149). - wifi: rtw89: fw: implement MRC H2C command functions (bsc#1227149). - wifi: rtw89: mac: implement MRC C2H event handling (bsc#1227149). - wifi: rtw89: fw: add definition of H2C command and C2H event for MRC series (bsc#1227149). - wifi: rtw89: change qutoa to DBCC by default for WiFi 7 chips (bsc#1227149). - wifi: rtw89: reference quota mode when setting Tx power (bsc#1227149). - wifi: rtw89: 8922a: implement AP mode related reg for BE generation (bsc#1227149). - wifi: rtw89: 8922a: correct register definition and merge IO for ctrl_nbtg_bt_tx() (bsc#1227149). - wifi: rtw89: differentiate narrow_bw_ru_dis setting according to chip gen (bsc#1227149). - wifi: rtw89: use PLCP information to match BSS_COLOR and AID (bsc#1227149). - wifi: rtw89: mac: reset PHY-1 hardware when going to enable/disable (bsc#1227149). - wifi: rtw89: mac: correct MUEDCA setting for MAC-1 (bsc#1227149). - wifi: rtw89: mac: return held quota of DLE when changing MAC-1 (bsc#1227149). - wifi: rtw89: load BB parameters to PHY-1 (bsc#1227149). - wifi: rtw89: correct PHY register offset for PHY-1 (bsc#1227149). - wifi: rtw89: chan: MCC take reconfig into account (bsc#1227149). - wifi: rtw89: chan: move handling from add/remove to assign/unassign for MLO (bsc#1227149). - wifi: rtw89: chan: tweak weight recalc ahead before MLO (bsc#1227149). - wifi: rtw89: chan: tweak bitmap recalc ahead before MLO (bsc#1227149). - wifi: rtw89: chan: add sub-entity swap function to cover replacing (bsc#1227149). - wifi: rtw89: drop TIMING_BEACON_ONLY and sync beacon TSF by self (bsc#1227149). - wifi: rtl8xxxu: update rate mask per sta (bsc#1227149). - wifi: rtw89: fw: download firmware with key data for secure boot (bsc#1227149). - wifi: rtw89: fw: parse secure section from firmware file (bsc#1227149). - wifi: rtw89: fw: read firmware secure information from efuse (bsc#1227149). - wifi: rtw89: fw: consider checksum length of security data (bsc#1227149). - wifi: rtw89: 8922a: add chip_ops::rfk_hw_init (bsc#1227149). - wifi: rtw89: 8922a: add chip_ops::rfk_init_late to do initial RF calibrations later (bsc#1227149). - commit 28c4b55 - wifi: rtw89: 8922a: rfk: implement chip_ops to call RF calibrations (bsc#1227149). - wifi: rtw89: rfk: add H2C command to trigger TSSI (bsc#1227149). - wifi: rtw89: rfk: add H2C command to trigger TXGAPK (bsc#1227149). - wifi: rtw89: rfk: add H2C command to trigger DACK (bsc#1227149). - wifi: rtw89: rfk: add H2C command to trigger DPK (bsc#1227149). - wifi: rtw89: rfk: add H2C command to trigger RX DCK (bsc#1227149). - wifi: rtw89: rfk: add H2C command to trigger IQK (bsc#1227149). - wifi: rtw89: rfk: send channel information to firmware for RF calibrations (bsc#1227149). - wifi: rtw89: rfk: add a completion to wait RF calibration report from C2H event (bsc#1227149). - wifi: rtl8xxxu: Add TP-Link TL-WN823N V2 (bsc#1227149). - wifi: rtl8xxxu: fix error messages (bsc#1227149). - wifi: rtw89: 8922a: add more fields to beacon H2C command to support multi-links (bsc#1227149). - wifi: rtw89: update ps_state register for chips with different generation (bsc#1227149). - wifi: rtw89: add new H2C for PS mode in 802.11be chip (bsc#1227149). - wifi: rtw89: 8922a: add ieee80211_ops::hw_scan (bsc#1227149). - wifi: rtw89: prepare scan leaf functions for wifi 7 ICs (bsc#1227149). - wifi: rtw89: debug: add FW log component for scan (bsc#1227149). - wifi: rtw89: update scan C2H messages for wifi 7 IC (bsc#1227149). - wifi: rtw89: 8922a: set chip_ops FEM and GPIO to NULL (bsc#1227149). - wifi: rtw89: 8922a: add chip_ops to get thermal value (bsc#1227149). - wifi: rtw89: 8922a: add RF read/write v2 (bsc#1227149). - wifi: rtw89: 8922a: add chip_ops::cfg_txrx_path (bsc#1227149). - wifi: rtw89: 8922a: implement {stop,resume}_sch_tx and cfg_ppdu (bsc#1227149). - wifi: rtw89: 8922a: hook handlers of TX/RX descriptors to chip_ops (bsc#1227149). - wifi: rtw89: pci: validate RX tag for RXQ and RPQ (bsc#1227149). - wifi: rtw89: pci: interrupt v2 refine IMR for SER (bsc#1227149). - wifi: rtw89: pci: update SER timer unit and timeout time (bsc#1227149). - wifi: rtw89: fix disabling concurrent mode TX hang issue (bsc#1227149). - wifi: rtw89: fix HW scan timeout due to TSF sync issue (bsc#1227149). - wifi: rtw89: add wait/completion for abort scan (bsc#1227149). - wifi: rtw89: disable RTS when broadcast/multicast (bsc#1227149). - wifi: rtw89: Set default CQM config if not present (bsc#1227149). - wifi: rtw89: refine hardware scan C2H events (bsc#1227149). - wifi: rtw89: refine add_chan H2C command to encode_bits (bsc#1227149). - wifi: rtw89: 8922a: add BTG functions to assist BT coexistence to control TX/RX (bsc#1227149). - wifi: rtw89: 8922a: add TX power related ops (bsc#1227149). - wifi: rtw89: 8922a: add register definitions of H2C, C2H, page, RRSR and EDCCA (bsc#1227149). - wifi: rtw89: 8922a: add chip_ops related to BB init (bsc#1227149). - wifi: rtw89: 8922a: add chip_ops::{enable,disable}_bb_rf (bsc#1227149). - wifi: rtw89: add mlo_dbcc_mode for WiFi 7 chips (bsc#1227149). - wifi: rtlwifi: Speed up firmware loading for USB (bsc#1227149). - wifi: rtl8xxxu: add missing number of sec cam entries for all variants (bsc#1227149). - wifi: rtl8xxxu: make instances of iface limit and combination to be static const (bsc#1227149). - wifi: rtl8xxxu: convert EN_DESC_ID of TX descriptor to le32 type (bsc#1227149). - wifi: rtlwifi: rtl8192de: Don't read register in _rtl92de_query_rxphystatus (bsc#1227149). - wifi: rtw89: fw: extend JOIN H2C command to support WiFi 7 chips (bsc#1227149). - wifi: rtw89: fw: use struct to fill JOIN H2C command (bsc#1227149). - wifi: rtw89: fw: add H2C command to reset DMAC table for WiFi 7 (bsc#1227149). - wifi: rtw89: fw: add H2C command to reset CMAC table for WiFi 7 (bsc#1227149). - wifi: rtw89: fw: update TX AMPDU parameter to CMAC table (bsc#1227149). - wifi: rtw89: fw: add chip_ops to update CMAC table to associated station (bsc#1227149). - wifi: rtw89: fw: fill CMAC table to associated station for WiFi 7 chips (bsc#1227149). - wifi: rtw89: fw: add H2C command to update security CAM v2 (bsc#1227149). - wifi: rtw89: declare EXT NSS BW of VHT capability (bsc#1227149). - wifi: rtw89: add EHT capabilities for WiFi 7 chips (bsc#1227149). - wifi: rtw89: change supported bandwidths of chip_info to bit mask (bsc#1227149). - wifi: rtw89: adjust init_he_cap() to add EHT cap into iftype_data (bsc#1227149). - wifi: rtw88: use kstrtoX_from_user() in debugfs handlers (bsc#1227149). - wifi: rtl8xxxu: enable channel switch support (bsc#1227149). - wifi: rtlwifi: rtl_usb: Use sync register writes (bsc#1227149). - commit 055a697 - wifi: rtlwifi: cleanup few rtlxxx_tx_fill_desc() routines (bsc#1227149). - wifi: rtw89: add chip_ops::update_beacon to abstract update beacon operation (bsc#1227149). - wifi: rtw89: add H2C command to download beacon frame for WiFi 7 chips (bsc#1227149). - wifi: rtw89: use struct to fill H2C command to download beacon frame (bsc#1227149). - wifi: rtw89: add new H2C command to pause/sleep transmitting by MAC ID (bsc#1227149). - wifi: rtw89: refine H2C command that pause transmitting by MAC ID (bsc#1227149). - wifi: rtw89: fw: use struct to fill BA CAM H2C commands (bsc#1227149). - wifi: rtw89: 8922a: update BA CAM number to 24 (bsc#1227149). - wifi: rtw89: add chip_ops::h2c_ba_cam() to configure BA CAM (bsc#1227149). - wifi: rtw89: mac: add feature_init to initialize BA CAM V1 (bsc#1227149). - wifi: rtw89: add firmware H2C command of BA CAM V1 (bsc#1227149). - wifi: rtl8xxxu: Fix off by one initial RTS rate (bsc#1227149). - wifi: rtl8xxxu: Fix LED control code of RTL8192FU (bsc#1227149). - wifi: rtl8xxxu: declare concurrent mode support for 8188f (bsc#1227149). - wifi: rtl8xxxu: make supporting AP mode only on port 0 transparent (bsc#1227149). - wifi: rtl8xxxu: add hw crypto support for AP mode (bsc#1227149). - wifi: rtl8xxxu: remove obsolete priv-&gt;vif (bsc#1227149). - wifi: rtl8xxxu: add macids for STA mode (bsc#1227149). - wifi: rtl8xxxu: support multiple interface in start_ap() (bsc#1227149). - wifi: rtl8xxxu: support multiple interfaces in bss_info_changed() (bsc#1227149). - wifi: rtl8xxxu: support multiple interfaces in {add,remove}_interface() (bsc#1227149). - wifi: rtl8xxxu: support multiple interfaces in watchdog_callback() (bsc#1227149). - wifi: rtl8xxxu: support multiple interfaces in configure_filter() (bsc#1227149). - wifi: rtl8xxxu: support multiple interfaces in update_beacon_work_callback() (bsc#1227149). - wifi: rtl8xxxu: support multiple interfaces in set_aifs() (bsc#1227149). - wifi: rtl8xxxu: support setting bssid register for multiple interfaces (bsc#1227149). - wifi: rtl8xxxu: don't parse CFO, if both interfaces are connected in STA mode (bsc#1227149). - wifi: rtl8xxxu: extend check for matching bssid to both interfaces (bsc#1227149). - wifi: rtl8xxxu: extend wifi connected check to both interfaces (bsc#1227149). - wifi: rtl8xxxu: support setting mac address register for both interfaces (bsc#1227149). - wifi: rtl8xxxu: 8188e: convert usage of priv-&gt;vif to priv-&gt;vifs[0] (bsc#1227149). - wifi: rtl8xxxu: support setting linktype for both interfaces (bsc#1227149). - wifi: rtl8xxxu: prepare supporting two virtual interfaces (bsc#1227149). - wifi: rtl8xxxu: remove assignment of priv-&gt;vif in rtl8xxxu_bss_info_changed() (bsc#1227149). - wifi: rtw88: 8822ce: refine power parameters for RFE type 5 (bsc#1227149). - wifi: rtw89: mac: Fix spelling mistakes &quot;notfify&quot; -&gt; &quot;notify&quot; (bsc#1227149). - wifi: rtw89: phy: set channel_info for WiFi 7 chips (bsc#1227149). - wifi: rtw89: phy: add BB wrapper of TX power for WiFi 7 chips (bsc#1227149). - wifi: rtw89: 8922a: add NCTL pre-settings for WiFi 7 chips (bsc#1227149). - wifi: rtw89: phy: ignore special data from BB parameter file (bsc#1227149). - wifi: rtw89: 8922a: update the register used in DIG and the DIG flow (bsc#1227149). - wifi: rtw89: 8922a: set RX gain along with set_channel operation (bsc#1227149). - wifi: rtw89: phy: add parser to support RX gain dynamic setting flow (bsc#1227149). - wifi: rtw89: phy: move bb_gain_info used by WiFi 6 chips to union (bsc#1227149). - wifi: rtw89: 8851b: update TX power tables to R37 (bsc#1227149). - wifi: rtw89: 8852b: update TX power tables to R36 (bsc#1227149). - wifi: rtw89: pci: use DBI function for 8852AE/8852BE/8851BE (bsc#1227149). - wifi: rtlwifi: rtl8821ae: phy: using calculate_bit_shift() (bsc#1227149). - wifi: rtw89: coex: To improve Wi-Fi performance while BT is idle (bsc#1227149). - wifi: rtw89: coex: Translate antenna configuration from ID to string (bsc#1227149). - commit d99b9e1 - wifi: rtw89: coex: Update RF parameter control setting logic (bsc#1227149). - wifi: rtw89: coex: Add Bluetooth RSSI level information (bsc#1227149). - wifi: rtw89: coex: Set Bluetooth scan low-priority when Wi-Fi link/scan (bsc#1227149). - wifi: rtw89: coex: Update coexistence policy for Wi-Fi LPS (bsc#1227149). - wifi: rtw89: coex: Still show hardware grant signal info even Wi-Fi is PS (bsc#1227149). - wifi: rtw89: coex: Update BTG control related logic (bsc#1227149). - wifi: rtw89: coex: Add Pre-AGC control to enhance Wi-Fi RX performance (bsc#1227149). - wifi: rtw89: coex: Record down Wi-Fi initial mode information (bsc#1227149). - wifi: rtw89: coex: Fix wrong Wi-Fi role info and FDDT parameter members (bsc#1227149). - wifi: rtw88: use cfg80211_ssid_eq() instead of rtw_ssid_equal() (bsc#1227149). - wifi: rtw89: mac: implement to configure TX/RX engines for WiFi 7 chips (bsc#1227149). - wifi: rtw89: mac: add sys_init and filter option for WiFi 7 chips (bsc#1227149). - wifi: rtw89: only reset BB/RF for existing WiFi 6 chips while starting up (bsc#1227149). - wifi: rtw89: add DBCC H2C to notify firmware the status (bsc#1227149). - wifi: rtw89: mac: add suffix _ax to MAC functions (bsc#1227149). - wifi: rtw89: mac: add flags to check if CMAC and DMAC are enabled (bsc#1227149). - wifi: rtw89: 8922a: add power on/off functions (bsc#1227149). - wifi: rtw89: add XTAL SI for WiFi 7 chips (bsc#1227149). - wifi: rtw89: phy: print out RFK log with formatted string (bsc#1227149). - wifi: rtw89: parse and print out RFK log from C2H events (bsc#1227149). - wifi: rtw89: add C2H event handlers of RFK log and report (bsc#1227149). - wifi: rtw89: load RFK log format string from firmware file (bsc#1227149). - wifi: rtw89: fw: add version field to BB MCU firmware element (bsc#1227149). - wifi: rtw89: fw: load TX power track tables from fw_element (bsc#1227149). - wifi: rtw88: Use random MAC when efuse MAC invalid (bsc#1227149). - wifi: rtw89: avoid stringop-overflow warning (bsc#1227149). - wifi: rtw89: mac: refine SER setting during WiFi CPU power on (bsc#1227149). - wifi: rtw89: 8922a: dump MAC registers when SER occurs (bsc#1227149). - wifi: rtw89: 8922a: add SER IMR tables (bsc#1227149). - wifi: rtw89: fw: extend program counter dump for Wi-Fi 7 chip (bsc#1227149). - wifi: rtw89: 8922a: configure CRASH_TRIGGER FW feature (bsc#1227149). - wifi: rtw89: fix misbehavior of TX beacon in concurrent mode (bsc#1227149). - wifi: rtw89: refine remain on channel flow to improve P2P connection (bsc#1227149). - wifi: rtw89: Refine active scan behavior in 6 GHz (bsc#1227149). - wifi: rtw89: fix not entering PS mode after AP stops (bsc#1227149). - wifi: rtlwifi: Remove bridge vendor/device ids (bsc#1227149). - wifi: rtlwifi: Remove unused PCI related defines and struct (bsc#1227149). - wifi: rtlwifi: rtl8821ae: Access full PMCS reg and use pci_regs.h (bsc#1227149). - wifi: rtlwifi: rtl8821ae: Add pdev into _rtl8821ae_clear_pci_pme_status() (bsc#1227149). - wifi: rtlwifi: rtl8821ae: Use pci_find_capability() (bsc#1227149). - wifi: rtlwifi: rtl8821ae: Reverse PM Capability exists check (bsc#1227149). - wifi: rtlwifi: rtl8821ae: Remove unnecessary PME_Status bit set (bsc#1227149). - wifi: rtlwifi: Convert to use PCIe capability accessors (bsc#1227149). - wifi: rtw89: mac: functions to configure hardware engine and quota for WiFi 7 chips (bsc#1227149). - wifi: rtw89: mac: use pointer to access functions of hardware engine and quota (bsc#1227149). - wifi: rtw89: mac: move code related to hardware engine to individual functions (bsc#1227149). - wifi: rtw89: mac: check queue empty according to chip gen (bsc#1227149). - wifi: rtw89: refine element naming used by queue empty check (bsc#1227149). - wifi: rtw89: add reserved size as factor of DLE used size (bsc#1227149). - wifi: rtw89: mac: add to get DLE reserved quota (bsc#1227149). - commit cf41ac5 - wifi: rtw89: 8922a: extend and add quota number (bsc#1227149). - wifi: rtw89: debug: remove wrapper of rtw89_debug() (bsc#1227149). - wifi: rtw89: debug: add debugfs entry to disable dynamic mechanism (bsc#1227149). - wifi: rtw89: phy: dynamically adjust EDCCA threshold (bsc#1227149). - wifi: rtw89: debug: add to check if debug mask is enabled (bsc#1227149). - wifi: rtlwifi: rtl8821ae: phy: remove some useless code (bsc#1227149). - wifi: rtw88: debug: remove wrapper of rtw_dbg() (bsc#1227149). - wifi: rtw89: 8922a: read efuse content from physical map (bsc#1227149). - wifi: rtw89: 8922a: read efuse content via efuse map struct from logic map (bsc#1227149). - wifi: rtw89: 8852c: read RX gain offset from efuse for 6GHz channels (bsc#1227149). - wifi: rtw89: mac: add to access efuse for WiFi 7 chips (bsc#1227149). - wifi: rtw89: mac: use mac_gen pointer to access about efuse (bsc#1227149). - wifi: rtw89: 8922a: add 8922A basic chip info (bsc#1227149). - wifi: rtlwifi: drop unused const_amdpci_aspm (bsc#1227149). - wifi: rtw89: regd: update regulatory map to R65-R44 (bsc#1227149). - wifi: rtw89: regd: handle policy of 6 GHz according to BIOS (bsc#1227149). - wifi: rtw89: acpi: process 6 GHz band policy from DSM (bsc#1227149). - wifi: rtlwifi: simplify rtl_action_proc() and rtl_tx_agg_start() (bsc#1227149). - wifi: rtw89: pci: update interrupt mitigation register for 8922AE (bsc#1227149). - wifi: rtw89: pci: correct interrupt mitigation register for 8852CE (bsc#1227149). - wifi: rtw89: 8922ae: add v2 interrupt handlers for 8922AE (bsc#1227149). - wifi: rtw89: pci: generalize interrupt status bits of interrupt handlers (bsc#1227149). - wifi: rtw89: pci: add pre_deinit to be called after probe complete (bsc#1227149). - wifi: rtw89: pci: stop/start DMA for level 1 recovery according to chip gen (bsc#1227149). - wifi: rtw89: pci: reset BDRAM according to chip gen (bsc#1227149). - wifi: rtw88: simplify __rtw_tx_work() (bsc#1227149). - wifi: rtw89: coex: use struct assignment to replace memcpy() to append TDMA content (bsc#1227149). - wifi: rtw89: pci: implement PCI mac_post_init for WiFi 7 chips (bsc#1227149). - wifi: rtw89: pci: add LTR v2 for WiFi 7 chip (bsc#1227149). - wifi: rtw89: pci: implement PCI mac_pre_init for WiFi 7 chips (bsc#1227149). - commit dcfcac7 - wifi: rtw89: pci: use gen_def pointer to configure mac_{pre,post}_init and clear PCI ring index (bsc#1227149). - wifi: rtw89: pci: add PCI generation information to pci_info for each chip (bsc#1227149). - wifi: rtw89: extend PHY status parser to support WiFi 7 chips (bsc#1227149). - wifi: rtw89: consider RX info for WiFi 7 chips (bsc#1227149). - wifi: rtw89: configure PPDU max user by chip (bsc#1227149). - wifi: rtw89: set entry size of address CAM to H2C field by chip (bsc#1227149). - wifi: rtw89: pci: generalize code of PCI control DMA IO for WiFi 7 (bsc#1227149). - wifi: rtw89: pci: add new RX ring design to determine full RX ring efficiently (bsc#1227149). - wifi: rtw89: pci: define PCI ring address for WiFi 7 chips (bsc#1227149). - wifi: rtw89: 8922ae: add 8922AE PCI entry and basic info (bsc#1227149). - wifi: rtlwifi: rtl92ee_dm_dynamic_primary_cca_check(): fix typo in function name (bsc#1227149). - wifi: rtlwifi: cleanup struct rtl_phy (bsc#1227149). - wifi: rtlwifi: cleanup struct rtl_hal (bsc#1227149). - wifi: rtw89: cleanup firmware elements parsing (bsc#1227149). - wifi: rtlwifi: drop chk_switch_dmdp() from HAL interface (bsc#1227149). - wifi: rtlwifi: drop fill_fake_txdesc() from HAL interface (bsc#1227149). - wifi: rtlwifi: drop pre_fill_tx_bd_desc() from HAL interface (bsc#1227149). - wifi: rtw89: move software DCFO compensation setting to proper position (bsc#1227149). - wifi: rtw89: correct the DCFO tracking flow to improve CFO compensation (bsc#1227149). - wifi: rtw89: modify the register setting and the flow of CFO tracking (bsc#1227149). - wifi: rtw89: phy: generalize valid bit of BSS color (bsc#1227149). - wifi: rtw89: phy: change naming related BT coexistence functions (bsc#1227149). - wifi: rtw88: dump firmware debug information in abnormal state (bsc#1227149). - wifi: rtw88: debug: add to check if debug mask is enabled (bsc#1227149). - wifi: rtlwifi: cleanup struct rtl_ps_ctl (bsc#1227149). - wifi: rtw89: mac: do bf_monitor only if WiFi 6 chips (bsc#1227149). - wifi: rtw89: mac: set bf_assoc capabilities according to chip gen (bsc#1227149). - wifi: rtw89: mac: set bfee_ctrl() according to chip gen (bsc#1227149). - wifi: rtw89: mac: add registers of MU-EDCA parameters for WiFi 7 chips (bsc#1227149). - wifi: rtw89: mac: generalize register of MU-EDCA switch according to chip gen (bsc#1227149). - wifi: rtw89: mac: update RTS threshold according to chip gen (bsc#1227149). - wifi: rtlwifi: simplify TX command fill callbacks (bsc#1227149). - wifi: rtw89: coex: add annotation __counted_by() to struct rtw89_btc_btf_set_mon_reg (bsc#1227149). - wifi: rtw89: coex: add annotation __counted_by() for struct rtw89_btc_btf_set_slot_table (bsc#1227149). - wifi: rtw89: add EHT radiotap in monitor mode (bsc#1227149). - wifi: rtw89: show EHT rate in debugfs (bsc#1227149). - wifi: rtw89: parse TX EHT rate selected by firmware from RA C2H report (bsc#1227149). - wifi: rtw89: Add EHT rate mask as parameters of RA H2C command (bsc#1227149). - wifi: rtw89: parse EHT information from RX descriptor and PPDU status packet (bsc#1227149). - wifi: rtlwifi: use convenient list_count_nodes() (bsc#1227149). - commit 53661e1 - wifi: rtlwifi: use unsigned long for bt_coexist_8723 timestamp (bsc#1227149). - wifi: rtw88: 8821c: tweak CCK TX filter setting for SRRC regulation (bsc#1227149). - wifi: rtw88: regd: update regulatory map to R64-R42 (bsc#1227149). - wifi: rtw88: 8822c: update TX power limit to V70 (bsc#1227149). - wifi: rtw88: 8821c: update TX power limit to V67 (bsc#1227149). - wifi: rtw88: regd: configure QATAR and UK (bsc#1227149). - wifi: rtlwifi: remove unreachable code in rtl92d_dm_check_edca_turbo() (bsc#1227149). - wifi: rtw89: debug: txpwr table supports Wi-Fi 7 chips (bsc#1227149). - wifi: rtw89: debug: show txpwr table according to chip gen (bsc#1227149). - wifi: rtw89: phy: set TX power RU limit according to chip gen (bsc#1227149). - wifi: rtw89: phy: set TX power limit according to chip gen (bsc#1227149). - wifi: rtw89: phy: set TX power offset according to chip gen (bsc#1227149). - wifi: rtw89: phy: set TX power by rate according to chip gen (bsc#1227149). - wifi: rtw89: mac: get TX power control register according to chip gen (bsc#1227149). - wifi: rtlwifi: use unsigned long for rtl_bssid_entry timestamp (bsc#1227149). - wifi: rtw89: refine bandwidth 160MHz uplink OFDMA performance (bsc#1227149). - wifi: rtw89: refine uplink trigger based control mechanism (bsc#1227149). - wifi: rtw89: 8851b: update TX power tables to R34 (bsc#1227149). - wifi: rtw89: 8852b: update TX power tables to R35 (bsc#1227149). - wifi: rtw89: 8852c: update TX power tables to R67 (bsc#1227149). - wifi: rtw89: regd: configure Thailand in regulation type (bsc#1227149). - wifi: rtlwifi: cleanup few rtlxxxx_set_hw_reg() routines (bsc#1227149). - wifi: rtw89: declare MCC in interface combination (bsc#1227149). - wifi: rtw89: 8852c: declare to support two chanctx (bsc#1227149). - wifi: rtw89: pause/proceed MCC for ROC and HW scan (bsc#1227149). - wifi: rtw89: mcc: fix NoA start time when GO is auxiliary (bsc#1227149). - wifi: rtw89: load TX power related tables from FW elements (bsc#1227149). - wifi: rtw89: phy: extend TX power common stuffs for Wi-Fi 7 chips (bsc#1227149). - wifi: rtw89: load TX power by rate when RFE parms setup (bsc#1227149). - wifi: rtw89: phy: refine helpers used for raw TX power (bsc#1227149). - commit 62f3f4a - wifi: rtw89: indicate TX power by rate table inside RFE parameter (bsc#1227149). - wifi: rtw89: indicate TX shape table inside RFE parameter (bsc#1227149). - wifi: rtw89: add subband index of primary channel to struct rtw89_chan (bsc#1227149). - wifi: rtl8xxxu: Add a description about the device ID 0x7392:0xb722 (bsc#1227149). - wifi: rtw89: add mac_gen pointer to access mac port registers (bsc#1227149). - wifi: rtw89: consolidate registers of mac port to struct (bsc#1227149). - wifi: rtw89: add chip_info::txwd_info size to generalize TX WD submit (bsc#1227149). - wifi: rtw89: add to fill TX descriptor v2 (bsc#1227149). - wifi: rtw89: add to fill TX descriptor for firmware command v2 (bsc#1227149). - wifi: rtw89: add to query RX descriptor format v2 (bsc#1227149). - wifi: rtw89: mcc: deal with beacon NoA if GO exists (bsc#1227149). - wifi: rtw89: mcc: deal with BT slot change (bsc#1227149). - wifi: rtw89: mcc: deal with P2P PS change (bsc#1227149). - wifi: rtw89: mcc: track beacon offset and update when needed (bsc#1227149). - wifi: rtw89: mcc: update role bitmap when changed (bsc#1227149). - wifi: rtw89: 52c: rfk: disable DPK during MCC (bsc#1227149). - wifi: rtw89: rfk: disable driver tracking during MCC (bsc#1227149). - wifi: rtw89: 52c: rfk: refine MCC channel info notification (bsc#1227149). - wifi: rtw89: 8922a: set memory heap address for secure firmware (bsc#1227149). - wifi: rtw89: fw: refine download flow to support variant firmware suits (bsc#1227149). - wifi: rtw89: 8922a: add chip_ops::bb_preinit to enable BB before downloading firmware (bsc#1227149). - wifi: rtw89: fw: propagate an argument include_bb for BB MCU firmware (bsc#1227149). - wifi: rtw89: fw: add checking type for variant type of firmware (bsc#1227149). - wifi: rtw89: fw: implement supported functions of download firmware for WiFi 7 chips (bsc#1227149). - wifi: rtw89: fw: generalize download firmware flow by mac_gen pointers (bsc#1227149). - wifi: rtw89: fw: move polling function of firmware path ready to an individual function (bsc#1227149). - wifi: rtw89: mcc: trigger FW to start/stop MCC (bsc#1227149). - wifi: rtw89: fix typo of rtw89_fw_h2c_mcc_macid_bitmap() (bsc#1227149). - wifi: rtw89: mcc: decide pattern and calculate parameters (bsc#1227149). - wifi: rtw89: mcc: consider and determine BT duration (bsc#1227149). - commit bd46e4d - wifi: rtw89: mcc: fill fundamental configurations (bsc#1227149). - wifi: rtw89: mcc: initialize start flow (bsc#1227149). - wifi: rtw89: 8852c: Fix TSSI causes transmit power inaccuracy (bsc#1227149). - wifi: rtw89: 8852c: Update bandedge parameters for better performance (bsc#1227149). - wifi: rtl8xxxu: mark TOTOLINK N150UA V5/N150UA-B as tested (bsc#1227149). - wifi: rtw88: fix typo rtw8822cu_probe (bsc#1227149). - wifi: rtlwifi: rtl8723: Remove unused function rtl8723_cmd_send_packet() (bsc#1227149). - wifi: rtw89: Fix clang -Wimplicit-fallthrough in rtw89_query_sar() (bsc#1227149). - wifi: rtw89: phy: modify register setting of ENV_MNTR, PHYSTS and DIG (bsc#1227149). - wifi: rtw89: phy: add phy_gen_def::cr_base to support WiFi 7 chips (bsc#1227149). - wifi: rtw89: mac: define register address of rx_filter to generalize code (bsc#1227149). - wifi: rtw89: mac: define internal memory address for WiFi 7 chip (bsc#1227149). - wifi: rtw89: mac: generalize code to indirectly access WiFi internal memory (bsc#1227149). - wifi: rtw89: mac: add mac_gen_def::band1_offset to map MAC band1 register address (bsc#1227149). - wifi: rtw89: initialize multi-channel handling (bsc#1227149). - wifi: rtw89: provide functions to configure NoA for beacon update (bsc#1227149). - wifi: rtw89: call rtw89_chan_get() by vif chanctx if aware of vif (bsc#1227149). - wifi: rtw89: sar: let caller decide the center frequency to query (bsc#1227149). - wifi: rtw89: refine rtw89_correct_cck_chan() by rtw89_hw_to_nl80211_band() (bsc#1227149). - wifi: rtw89: add function prototype for coex request duration (bsc#1227149). - wifi: rtw89: regd: update regulatory map to R64-R43 (bsc#1227149). - wifi: rtw89: fix a width vs precision bug (bsc#1227149). - wifi: rtlwifi: use eth_broadcast_addr() to assign broadcast address (bsc#1227149). - wifi: rtw89: Introduce Time Averaged SAR (TAS) feature (bsc#1227149). - wifi: rtw89: return failure if needed firmware elements are not recognized (bsc#1227149). - wifi: rtw89: add to parse firmware elements of BB and RF tables (bsc#1227149). - wifi: rtw89: introduce infrastructure of firmware elements (bsc#1227149). - wifi: rtw89: add firmware suit for BB MCU 0/1 (bsc#1227149). - wifi: rtw89: add firmware parser for v1 format (bsc#1227149). - wifi: rtw89: introduce v1 format of firmware header (bsc#1227149). - wifi: rtw89: support firmware log with formatted text (bsc#1227149). - wifi: rtw89: recognize log format from firmware file (bsc#1227149). - wifi: rtw89: get data rate mode/NSS/MCS v1 from RX descriptor (bsc#1227149). - wifi: rtw89: add to display hardware rates v1 histogram in debugfs (bsc#1227149). - wifi: rtw89: add C2H RA event V1 to support WiFi 7 chips (bsc#1227149). - wifi: rtw89: use struct to access RA report (bsc#1227149). - wifi: rtw89: use struct to access firmware C2H event header (bsc#1227149). - wifi: rtw89: add H2C RA command V1 to support WiFi 7 chips (bsc#1227149). - wifi: rtw89: use struct to set RA H2C command (bsc#1227149). - wifi: rtw89: phy: rate pattern handles HW rate by chip gen (bsc#1227149). - commit cdaa97d - wifi: rtlwifi: simplify LED management (bsc#1227149). - Refresh patches.suse/wifi-mac80211-simplify-non-chanctx-drivers.patch. - commit 34b32c5 - wifi: rtw89: define hardware rate v1 for WiFi 7 chips (bsc#1227149). - wifi: rtw89: add chip_info::chip_gen to determine chip generation (bsc#1227149). - wifi: rtl8xxxu: Enable AP mode for RTL8723BU (bsc#1227149). - wifi: rtl8xxxu: Enable AP mode for RTL8192EU (bsc#1227149). - wifi: rtl8xxxu: Enable AP mode for RTL8710BU (RTL8188GU) (bsc#1227149). - wifi: rtl8xxxu: Enable AP mode for RTL8192FU (bsc#1227149). - wifi: rtw88: simplify vif iterators (bsc#1227149). - wifi: rtw88: remove unused USB bulkout size set (bsc#1227149). - wifi: rtw88: remove unused and set but unused leftovers (bsc#1227149). - wifi: rtlwifi: cleanup USB interface (bsc#1227149). - wifi: rtw89: use struct to parse firmware header (bsc#1227149). - wifi: rtw89: TX power stuffs replace confusing naming of _max with _num (bsc#1227149). - wifi: rtw89: 8851b: configure to force 1 TX power value (bsc#1227149). - wifi: rtw89: 8851b: rfk: update IQK to version 0x8 (bsc#1227149). - wifi: rtw89: 8851b: rfk: add LCK track (bsc#1227149). - wifi: rtw89: 8851b: update TX power tables to R28 (bsc#1227149). - wifi: rtw89: 8851b: update RF radio A parameters to R28 (bsc#1227149). - wifi: rtw88: fix not entering PS mode after AP stops (bsc#1227149). - wifi: rtw88: refine register based H2C command (bsc#1227149). - wifi: rtw88: Stop high queue during scan (bsc#1227149). - wifi: rtw88: Skip high queue in hci_flush (bsc#1227149). - wifi: rtw88: Fix AP mode incorrect DTIM behavior (bsc#1227149). - wifi: rtw88: use struct instead of macros to set TX desc (bsc#1227149). - wifi: rtw88: process VO packets without workqueue to avoid PTK rekey failed (bsc#1227149). - wifi: rtw88: Fix action frame transmission fail before association (bsc#1227149). - wifi: rtw89: fix spelling typo of IQK debug messages (bsc#1227149). - wifi: rtw89: cleanup rtw89_iqk_info and related code (bsc#1227149). - wifi: rtw89: cleanup private data structures (bsc#1227149). - wifi: rtw88: add missing unwind goto for __rtw_download_firmware() (bsc#1227149). - commit 9b282ce - wifi: rtlwifi: remove misused flag from HAL data (bsc#1227149). - wifi: rtlwifi: remove unused dualmac control leftovers (bsc#1227149). - wifi: rtlwifi: remove unused timer and related code (bsc#1227149). - wifi: rtw89: 8852c: update RF radio A/B parameters to R63 (bsc#1227149). - wifi: rtw89: 8852c: update TX power tables to R63 with 6 GHz power type (3 of 3) (bsc#1227149). - wifi: rtw89: 8852c: update TX power tables to R63 with 6 GHz power type (2 of 3) (bsc#1227149). - wifi: rtw89: 8852c: update TX power tables to R63 with 6 GHz power type (1 of 3) (bsc#1227149). - wifi: rtw89: process regulatory for 6 GHz power type (bsc#1227149). - wifi: rtw89: regd: update regulatory map to R64-R40 (bsc#1227149). - wifi: rtw89: regd: judge 6 GHz according to chip and BIOS (bsc#1227149). - commit f81b870 - wifi: rtw89: refine clearing supported bands to check 2/5 GHz first (bsc#1227149). - Refresh patches.suse/wifi-cfg80211-annotate-iftype_data-pointer-with-spar.patch. - commit 1873f0a - wifi: rtw89: 8851b: configure CRASH_TRIGGER feature for 8851B (bsc#1227149). - wifi: rtw89: set TX power without precondition during setting channel (bsc#1227149). - wifi: rtw89: debug: txpwr table access only valid page according to chip (bsc#1227149). - wifi: rtw89: 8851b: enable hw_scan support (bsc#1227149). - wifi: rtlwifi: use helper function rtl_get_hdr() (bsc#1227149). - wifi: rtw89: use flexible array member in rtw89_btc_btf_tlv (bsc#1227149). - wifi: rtw89: 8851b: rfk: Fix spelling mistake KIP_RESOTRE -&gt; KIP_RESTORE (bsc#1227149). - wifi: rtw89: use struct to access register-based H2C/C2H (bsc#1227149). - wifi: rtw89: use struct and le32_get_bits() to access RX descriptor (bsc#1227149). - commit 21eb4e8 - Update config files: update for the realtek wifi driver updates (bsc#1227149) - commit 33b8d09 - wifi: rtw89: use struct and le32_get_bits() to access received PHY status IEs (bsc#1227149). - wifi: rtw89: use struct and le32_get_bits to access RX info (bsc#1227149). - wifi: rtw89: add chip_ops::query_rxdesc() and rxd_len as helpers to support newer chips (bsc#1227149). - wifi: rtw89: 8851b: add 8851be to Makefile and Kconfig (bsc#1227149). - wifi: rtw89: add tx_wake notify for 8851B (bsc#1227149). - wifi: rtw89: enlarge supported length of read_reg debugfs entry (bsc#1227149). - wifi: rtw89: 8851b: add RF configurations (bsc#1227149). - wifi: rtw89: 8851b: add MAC configurations to chip_info (bsc#1227149). - wifi: rtw89: 8851b: fill BB related capabilities to chip_info (bsc#1227149). - wifi: rtw89: 8851b: add TX power related functions (bsc#1227149). - commit 66eef0c - Update config files: update for the realtek wifi driver updates (bsc#1227149) - commit 75bc634 - wifi: rtw89: refine packet offload handling under SER (bsc#1227149). - wifi: rtw89: tweak H2C TX waiting function for SER (bsc#1227149). - wifi: rtw89: ser: reset total_sta_assoc and tdls_peer when L2 (bsc#1227149). - wifi: rtw88: Add support for the SDIO based RTL8723DS chipset (bsc#1227149). - wifi: rtw88: rtw8723d: Implement RTL8723DS (SDIO) efuse parsing (bsc#1227149). - wifi: rtw89: 8851b: rfk: add TSSI (bsc#1227149). - wifi: rtw89: 8851b: rfk: add DPK (bsc#1227149). - wifi: rtw89: 8851b: rfk: add RX DCK (bsc#1227149). - wifi: rtw89: 8851b: add to parse efuse content (bsc#1227149). - wifi: rtw89: 8851b: add set channel function (bsc#1227149). - wifi: rtw89: 8851b: add basic power on function (bsc#1227149). - wifi: rtw89: 8851b: add BT coexistence support function (bsc#1227149). - wifi: rtw89: 8851b: configure GPIO according to RFE type (bsc#1227149). - wifi: rtw89: 8851b: add to read efuse version to recognize hardware version B (bsc#1227149). - wifi: rtl8xxxu: Rename some registers (bsc#1227149). - wifi: rtl8xxxu: Support new chip RTL8192FU (bsc#1227149). - wifi: rtw89: suppress the log for specific SER called CMDPSR_FRZTO (bsc#1227149). - wifi: rtw89: ser: L1 add pre-M0 and post-M0 states (bsc#1227149). - wifi: rtw89: pci: fix interrupt enable mask for HALT C2H of RTL8851B (bsc#1227149). - wifi: rtw89: support U-NII-4 channels on 5GHz band (bsc#1227149). - wifi: rtw89: regd: judge UNII-4 according to BIOS and chip (bsc#1227149). - wifi: rtw89: introduce realtek ACPI DSM method (bsc#1227149). - wifi: rtw89: 8851b: rfk: add IQK (bsc#1227149). - wifi: rtw89: 8851b: rfk: add DACK (bsc#1227149). - wifi: rtw89: 8851b: rfk: add RCK (bsc#1227149). - wifi: rtw89: 8851b: rfk: add AACK (bsc#1227149). - wifi: rtw89: 8851b: add set_channel_rf() (bsc#1227149). - wifi: rtw89: 8851b: add DLE mem and HFC quota (bsc#1227149). - wifi: rtw89: 8851b: add support WoWLAN to 8851B (bsc#1227149). - wifi: rtw89: change naming of BA CAM from V1 to V0_EXT (bsc#1227149). - commit a1de2dd - wifi: rtw89: use chip_info::small_fifo_size to choose debug_mask (bsc#1227149). - wifi: rtw89: add CFO XTAL registers field to support 8851B (bsc#1227149). - wifi: rtw89: 8851b: add NCTL post table (bsc#1227149). - wifi: rtw89: 8851be: add 8851BE PCI entry and fill PCI capabilities (bsc#1227149). - wifi: rtw89: 8851b: add 8851B basic chip_info (bsc#1227149). - wifi: rtw89: scan offload wait for FW done ACK (bsc#1227149). - wifi: rtw89: mac: handle C2H receive/done ACK in interrupt context (bsc#1227149). - wifi: rtw89: packet offload wait for FW response (bsc#1227149). - wifi: rtw89: refine packet offload delete flow of 6 GHz probe (bsc#1227149). - wifi: rtw89: release bit in rtw89_fw_h2c_del_pkt_offload() (bsc#1227149). - wifi: rtw89: add EVM for antenna diversity (bsc#1227149). - wifi: rtw89: add RSSI based antenna diversity (bsc#1227149). - wifi: rtw89: initialize antenna for antenna diversity (bsc#1227149). - wifi: rtw89: add EVM and SNR statistics to debugfs (bsc#1227149). - wifi: rtw89: add RSSI statistics for the case of antenna diversity to debugfs (bsc#1227149). - wifi: rtw89: set capability of TX antenna diversity (bsc#1227149). - wifi: rtw89: use struct rtw89_phy_sts_ie0 instead of macro to access PHY IE0 status (bsc#1227149). - wifi: rtw88: fix incorrect error codes in rtw_debugfs_set_* (bsc#1227149). - wifi: rtw88: fix incorrect error codes in rtw_debugfs_copy_from_user (bsc#1227149). - wifi: rtl8xxxu: rtl8xxxu_rx_complete(): remove unnecessary return (bsc#1227149). - commit fef25cd - wifi: rtl8xxxu: Add sta_add() and sta_remove() callbacks (bsc#1227149). - commit a27e0ec - wifi: rtl8xxxu: Support USB RX aggregation for the newer chips (bsc#1227149). - wifi: rtl8xxxu: Set maximum number of supported stations (bsc#1227149). - wifi: rtl8xxxu: Declare AP mode support for 8188f (bsc#1227149). - wifi: rtl8xxxu: Remove usage of tx_info-&gt;control.rates[0].flags (bsc#1227149). - wifi: rtl8xxxu: Remove usage of ieee80211_get_tx_rate() (bsc#1227149). - wifi: rtl8xxxu: Clean up filter configuration (bsc#1227149). - wifi: rtl8xxxu: Enable hw seq for mgmt/non-QoS data frames (bsc#1227149). - wifi: rtl8xxxu: Add parameter macid to update_rate_mask (bsc#1227149). - wifi: rtl8xxxu: Put the macid in txdesc (bsc#1227149). - commit 6125130 - wifi: radiotap: add bandwidth definition of EHT U-SIG (bsc#1227149). - wifi: ieee80211: add UL-bandwidth definition of trigger frame (bsc#1227149). - wifi: rtl8xxxu: Add parameter force to rtl8xxxu_refresh_rate_mask (bsc#1227149). - wifi: rtl8xxxu: Add parameter role to report_connect (bsc#1227149). - wifi: rtl8xxxu: Actually use macid in rtl8xxxu_gen2_report_connect (bsc#1227149). - wifi: rtl8xxxu: Allow creating interface in AP mode (bsc#1227149). - wifi: rtl8xxxu: Allow setting rts threshold to -1 (bsc#1227149). - wifi: rtl8xxxu: Add set_tim() callback (bsc#1227149). - wifi: rtl8xxxu: Add beacon functions (bsc#1227149). - wifi: rtl8xxxu: Select correct queue for beacon frames (bsc#1227149). - wifi: rtl8xxxu: Add start_ap() callback (bsc#1227149). - commit 02b75ed - wifi: iwlwifi: bump FW API to 90 for BZ/SC devices (bsc#1227149 CVE-2023-47210 bsc#1225601 CVE-2023-38417 bsc#1225600). - commit ea4853c - wifi: iwlwifi: bump FW API to 89 for AX/BZ/SC devices (bsc#1227149 CVE-2023-47210 bsc#1225601 CVE-2023-38417 bsc#1225600). - commit bc49209 - ASoC: SOF: Intel: hda-pcm: Limit the maximum number of periods by MAX_BDL_ENTRIES (stable-fixes). - ASoC: rt711-sdw: add missing readable registers (stable-fixes). - ALSA: hda/realtek: Enable Mute LED on HP 250 G7 (stable-fixes). - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX (stable-fixes). - ALSA: hda/realtek: add quirk for Clevo V5[46]0TU (stable-fixes). - commit 1ddd32b - hpet: Support 32-bit userspace (git-fixes). - misc: fastrpc: Restrict untrusted app to attach to privileged PD (git-fixes). - misc: fastrpc: Fix ownership reassignment of remote heap (git-fixes). - misc: fastrpc: Fix memory leak in audio daemon attach operation (git-fixes). - misc: fastrpc: Avoid updating PD type for capability request (git-fixes). - misc: fastrpc: Copy the complete capability structure to user (git-fixes). - misc: fastrpc: Fix DSP capabilities request (git-fixes). - USB: serial: mos7840: fix crash on resume (git-fixes). - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor (git-fixes). - firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files (git-fixes). - ASoC: SOF: Intel: hda: fix null deref on system suspend entry (git-fixes). - firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers (git-fixes). - firmware: cs_dsp: Validate payload length before processing block (git-fixes). - firmware: cs_dsp: Return error if block header overflows file (git-fixes). - firmware: cs_dsp: Fix overflow checking of wmfw header (git-fixes). - ALSA: hda: cs35l41: Fix swapped l/r audio channels for Lenovo ThinBook 13x Gen4 (git-fixes). - commit 34ebce1 - net/smc: avoid data corruption caused by decline (bsc#1225088 CVE-2023-52775). - commit 621e8ca - net: openvswitch: fix overwriting ct original tuple for ICMPv6 (bsc#1226783 CVE-2024-38558). - commit 748cf39 - ipv6: sr: fix missing sk_buff release in seg6_input_core (bsc#1227626 CVE-2024-39490). - commit 3d59f52 - mptcp: fix data re-injection from stale subflow (bsc#1223010 CVE-2024-26826). - commit f3a102e - net/smc: fix illegal rmb_desc access in SMC-D connection dump (bsc#1220942 CVE-2024-26615). - commit f21afb0 - kabi/severities: cover all ath/* drivers (bsc#1227149) All symbols in ath/* network drivers are local and can be ignored - commit d902566 - Refresh kabi workaround ath updates (bsc#1227149#) - commit b0fa38b - wifi: mac80211: simplify non-chanctx drivers (bsc#1227149). - commit eeb4722 - wifi: ath11k: move power type check to ASSOC stage when connecting to 6 GHz AP (bsc#1227149). - wifi: ath11k: fix WCN6750 firmware crash caused by 17 num_vdevs (bsc#1227149). - wifi: ath12k: fix the problem that down grade phy mode operation (bsc#1227149). - wifi: ath12k: check M3 buffer size as well whey trying to reuse it (bsc#1227149). - wifi: ath12k: fix kernel crash during resume (bsc#1227149). - wifi: ath9k: work around memset overflow warning (bsc#1227149). - wifi: ath12k: use correct flag field for 320 MHz channels (bsc#1227149). - commit 58db5ff - wifi: ath11k: use RCU when accessing struct inet6_dev::ac_list (bsc#1227149). - wifi: ath12k: fix license in p2p.c and p2p.h (bsc#1227149). - wifi: ath11k: constify MHI channel and controller configs (bsc#1227149). - wifi: ath12k: add rcu lock for ath12k_wmi_p2p_noa_event() (bsc#1227149). - wifi: ath11k: remove unused scan_events from struct scan_req_params (bsc#1227149). - wifi: ath11k: add support for QCA2066 (bsc#1227149). - wifi: ath11k: move pci.ops registration ahead (bsc#1227149). - commit 29f553c - wifi: ath11k: provide address list if chip supports 2 stations (bsc#1227149). - wifi: ath11k: support 2 station interfaces (bsc#1227149). - wifi: ath12k: remove the unused scan_events from ath12k_wmi_scan_req_arg (bsc#1227149). - wifi: ath12k: Remove unused scan_flags from struct ath12k_wmi_scan_req_arg (bsc#1227149). - wifi: ath12k: Do not use scan_flags from struct ath12k_wmi_scan_req_arg (bsc#1227149). - wifi: carl9170: Remove redundant assignment to pointer super (bsc#1227149). - wifi: ath11k: Remove scan_flags union from struct scan_req_params (bsc#1227149). - wifi: ath11k: Do not directly use scan_flags in struct scan_req_params (bsc#1227149). - wifi: ath12k: Fix uninitialized use of ret in ath12k_mac_allocate() (bsc#1227149). - wifi: ath11k: Really consistently use ath11k_vif_to_arvif() (bsc#1227149). - wifi: ath12k: advertise P2P dev support for WCN7850 (bsc#1227149). - wifi: ath12k: designating channel frequency for ROC scan (bsc#1227149). - wifi: ath12k: move peer delete after vdev stop of station for WCN7850 (bsc#1227149). - wifi: ath12k: allow specific mgmt frame tx while vdev is not up (bsc#1227149). - wifi: ath12k: change WLAN_SCAN_PARAMS_MAX_IE_LEN from 256 to 512 (bsc#1227149). - wifi: ath12k: implement remain on channel for P2P mode (bsc#1227149). - wifi: ath12k: implement handling of P2P NoA event (bsc#1227149). - wifi: ath12k: add P2P IE in beacon template (bsc#1227149). - wifi: ath12k: change interface combination for P2P mode (bsc#1227149). - wifi: ath12k: fix broken structure wmi_vdev_create_cmd (bsc#1227149). - commit 21d36c7 - wifi: ath11k: initialize eirp_power before use (bsc#1227149). - wifi: ath12k: enable 802.11 power save mode in station mode (bsc#1227149). - wifi: ath12k: refactor the rfkill worker (bsc#1227149). - wifi: ath12k: add processing for TWT disable event (bsc#1227149). - wifi: ath12k: add processing for TWT enable event (bsc#1227149). - wifi: ath12k: disable QMI PHY capability learn in split-phy QCN9274 (bsc#1227149). - wifi: ath12k: Read board id to support split-PHY QCN9274 (bsc#1227149). - wifi: ath12k: fix PCI read and write (bsc#1227149). - wifi: ath12k: add MAC id support in WBM error path (bsc#1227149). - wifi: ath12k: subscribe required word mask from rx tlv (bsc#1227149). - commit c884365 - wifi: ath12k: remove hal_desc_sz from hw params (bsc#1227149). - wifi: ath12k: split hal_ops to support RX TLVs word mask compaction (bsc#1227149). - wifi: ath12k: fix firmware assert during insmod in memory segment mode (bsc#1227149). - wifi: ath12k: Add logic to write QRTR node id to scratch (bsc#1227149). - wifi: ath12k: fix fetching MCBC flag for QCN9274 (bsc#1227149). - wifi: ath12k: add support for peer meta data version (bsc#1227149). - wifi: ath12k: fetch correct pdev id from WMI_SERVICE_READY_EXT_EVENTID (bsc#1227149). - wifi: ath12k: indicate NON MBSSID vdev by default during vdev start (bsc#1227149). - wifi: ath12k: add firmware-2.bin support (bsc#1227149). - wifi: ath9k: remove redundant assignment to variable ret (bsc#1227149). - commit 777dc1c - wifi: ath11k: fix connection failure due to unexpected peer delete (bsc#1227149). - wifi: ath11k: avoid forward declaration of ath11k_mac_start_vdev_delay() (bsc#1227149). - wifi: ath11k: rename ath11k_start_vdev_delay() (bsc#1227149). - wifi: fill in MODULE_DESCRIPTION()s for wcn36xx (bsc#1227149). - wifi: fill in MODULE_DESCRIPTION()s for ar5523 (bsc#1227149). - commit d2a4b44 - wifi: ath11k: remove invalid peer create logic (bsc#1227149). - wifi: ath11k: enable 36 bit mask for stream DMA (bsc#1227149). - wifi: ath10k: Fix enum ath10k_fw_crash_dump_type kernel-doc (bsc#1227149). - wifi: ath10k: Fix htt_data_tx_completion kernel-doc warning (bsc#1227149). - wifi: ath10k: fix htt_q_state_conf &amp; htt_q_state kernel-doc (bsc#1227149). - wifi: ath10k: correctly document enum wmi_tlv_tx_pause_id (bsc#1227149). - wifi: ath10k: add missing wmi_10_4_feature_mask documentation (bsc#1227149). - wifi: ath12k: add support for collecting firmware log (bsc#1227149). - wifi: ath12k: Introduce the container for mac80211 hw (bsc#1227149). - wifi: ath12k: Refactor the mac80211 hw access from link/radio (bsc#1227149). - commit 614fabb - iommu/vt-d: Improve ITE fault handling if target device isn't present (git-fixes). - commit 134a3a5 - wifi: ath12k: change MAC buffer ring size to 2048 (bsc#1227149). - wifi: ath12k: add support for BA1024 (bsc#1227149). - wifi: ath12k: fix wrong definitions of hal_reo_update_rx_queue (bsc#1227149). - wifi: ath10k: replace ENOTSUPP with EOPNOTSUPP (bsc#1227149). - wifi: ath11k: replace ENOTSUPP with EOPNOTSUPP (bsc#1227149). - wifi: ath12k: replace ENOTSUPP with EOPNOTSUPP (bsc#1227149). - wifi: ath12k: add QMI PHY capability learn support (bsc#1227149). - wifi: ath12k: refactor QMI MLO host capability helper function (bsc#1227149). - wifi: ath11k: document HAL_RX_BUF_RBM_SW4_BM (bsc#1227149). - wifi: ath12k: ath12k_start_vdev_delay(): convert to use ar (bsc#1227149). - commit dd312dc - wifi: ath12k: refactor ath12k_mac_op_flush() (bsc#1227149). - wifi: ath12k: refactor ath12k_mac_op_ampdu_action() (bsc#1227149). - wifi: ath12k: refactor ath12k_mac_op_configure_filter() (bsc#1227149). - wifi: ath12k: refactor ath12k_mac_op_update_vif_offload() (bsc#1227149). - wifi: ath12k: refactor ath12k_mac_op_stop() (bsc#1227149). - wifi: ath12k: refactor ath12k_mac_op_start() (bsc#1227149). - wifi: ath12k: refactor ath12k_mac_op_conf_tx() (bsc#1227149). - wifi: ath12k: refactor ath12k_bss_assoc() (bsc#1227149). - wifi: ath12k: refactor ath12k_mac_op_config() (bsc#1227149). - wifi: ath12k: refactor ath12k_mac_register() and ath12k_mac_unregister() (bsc#1227149). - commit b6ca728 - wifi: ath12k: refactor ath12k_mac_setup_channels_rates() (bsc#1227149). - wifi: ath12k: refactor ath12k_mac_allocate() and ath12k_mac_destroy() (bsc#1227149). - wifi: ath12k: relocate ath12k_dp_pdev_pre_alloc() call (bsc#1227149). - wifi: ath12k: Use initializers for QMI message buffers (bsc#1227149). - wifi: ath12k: Add missing qmi_txn_cancel() calls (bsc#1227149). - wifi: ath12k: Remove unnecessary struct qmi_txn initializers (bsc#1227149). - wifi: ath11k: use WMI_VDEV_SET_TPC_POWER_CMDID when EXT_TPC_REG_SUPPORT for 6 GHz (bsc#1227149). - wifi: ath11k: add handler for WMI_VDEV_SET_TPC_POWER_CMDID (bsc#1227149). - wifi: ath11k: add WMI_TLV_SERVICE_EXT_TPC_REG_SUPPORT service bit (bsc#1227149). - wifi: ath11k: fill parameters for vdev set tpc power WMI command (bsc#1227149). - commit 3c338b0 - wifi: ath11k: save max transmit power in vdev start response event from firmware (bsc#1227149). - commit 279ae7a - wifi: ath11k: add parse of transmit power envelope element (bsc#1227149). - commit e295f89 - wifi: ath11k: save power spectral density(PSD) of regulatory rule (bsc#1227149). - wifi: ath11k: update regulatory rules when connect to AP on 6 GHz band for station (bsc#1227149). - wifi: ath11k: update regulatory rules when interface added (bsc#1227149). - wifi: ath11k: fix a possible dead lock caused by ab-&gt;base_lock (bsc#1227149). - wifi: ath11k: store cur_regulatory_info for each radio (bsc#1227149). - wifi: ath11k: add support to select 6 GHz regulatory type (bsc#1227149). - wifi: ath12k: refactor ath12k_wmi_tlv_parse_alloc() (bsc#1227149). - wifi: ath11k: fix IOMMU errors on buffer rings (bsc#1227149). - commit d84dbd2 - wifi: ath12k: Make QMI message rules const (bsc#1227149). - wifi: ath12k: support default regdb while searching board-2.bin for WCN7850 (bsc#1227149). - wifi: ath12k: add support to search regdb data in board-2.bin for WCN7850 (bsc#1227149). - wifi: ath12k: remove unused ATH12K_BD_IE_BOARD_EXT (bsc#1227149). - wifi: ath12k: add fallback board name without variant while searching board-2.bin (bsc#1227149). - wifi: ath12k: add string type to search board data in board-2.bin for WCN7850 (bsc#1227149). - wifi: ath10k: remove duplicate memset() in 10.4 TDLS peer update (bsc#1227149). - wifi: ath10k: use flexible array in struct wmi_tdls_peer_capabilities (bsc#1227149). - wifi: ath10k: remove unused template structs (bsc#1227149). - wifi: ath10k: remove struct wmi_pdev_chanlist_update_event (bsc#1227149). - commit e73f8dc - wifi: ath10k: use flexible arrays for WMI start scan TLVs (bsc#1227149). - wifi: ath10k: use flexible array in struct wmi_host_mem_chunks (bsc#1227149). - wifi: ath9k: Convert to platform remove callback returning void (bsc#1227149). - wifi: ath9k: delete some unused/duplicate macros (bsc#1227149). - wifi: ath11k: refactor ath11k_wmi_tlv_parse_alloc() (bsc#1227149). - wifi: ath11k: rely on mac80211 debugfs handling for vif (bsc#1227149). - wifi: ath11k: workaround too long expansion sparse warnings (bsc#1227149). - Revert &quot;wifi: ath12k: use ATH12K_PCI_IRQ_DP_OFFSET for DP IRQ&quot; (bsc#1227149). - wifi: ath9k: reset survey of current channel after a scan started (bsc#1227149). - wifi: ath12k: fix the issue that the multicast/broadcast indicator is not read correctly for WCN7850 (bsc#1227149). - commit 6cf204e - wifi: ath11k: Fix ath11k_htc_record flexible record (bsc#1227149). - wifi: ath5k: remove unused ath5k_eeprom_info::ee_antenna (bsc#1227149). - wifi: ath10k: add support to allow broadcast action frame RX (bsc#1227149). - wifi: ath12k: avoid repeated wiphy access from hw (bsc#1227149). - wifi: ath12k: set IRQ affinity to CPU0 in case of one MSI vector (bsc#1227149). - wifi: ath12k: do not restore ASPM in case of single MSI vector (bsc#1227149). - wifi: ath12k: add support one MSI vector (bsc#1227149). - wifi: ath12k: refactor multiple MSI vector implementation (bsc#1227149). - wifi: ath12k: use ATH12K_PCI_IRQ_DP_OFFSET for DP IRQ (bsc#1227149). - wifi: ath12k: add CE and ext IRQ flag to indicate irq_handler (bsc#1227149). - commit 908caeb - wifi: ath12k: get msi_data again after request_irq is called (bsc#1227149). - wifi: wcn36xx: Convert to platform remove callback returning void (bsc#1227149). - wifi: ath5k: Convert to platform remove callback returning void (bsc#1227149). - wifi: ath12k: avoid repeated hw access from ar (bsc#1227149). - wifi: ath12k: Optimize the mac80211 hw data access (bsc#1227149). - wifi: ath12k: add 320 MHz bandwidth enums (bsc#1227149). - wifi: ath11k: Convert to platform remove callback returning void (bsc#1227149). - wifi: ath11k: remove ath11k_htc_record::pauload[] (bsc#1227149). - wifi: ath10k: Use DECLARE_FLEX_ARRAY() for ath10k_htc_record (bsc#1227149). - wifi: ath10k: remove ath10k_htc_record::pauload[] (bsc#1227149). - commit 67bc0a7 - wifi: ath10k: Update Qualcomm Innovation Center, Inc. copyrights (bsc#1227149). - commit e13fd24 - wifi: ath11k: Update Qualcomm Innovation Center, Inc. copyrights (bsc#1227149). - Refresh patches.suse/wifi-ath11k-do-not-dump-SRNG-statistics-during-resum.patch. - Refresh patches.suse/wifi-ath11k-fix-warning-on-DMA-ring-capabilities-eve.patch. - Refresh patches.suse/wifi-ath11k-support-hibernation.patch. - Refresh patches.suse/wifi-ath11k-thermal-don-t-try-to-register-multiple-t.patch. - commit a886227 - wifi: ath9k: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: ath12k: refactor DP Rxdma ring structure (bsc#1227149). - wifi: ath12k: avoid explicit HW conversion argument in Rxdma replenish (bsc#1227149). - wifi: ath12k: avoid explicit RBM id argument in Rxdma replenish (bsc#1227149). - wifi: ath12k: avoid explicit mac id argument in Rxdma replenish (bsc#1227149). - wifi: ath12k: fix the error handler of rfkill config (bsc#1227149). - wifi: ath12k: use select for CRYPTO_MICHAEL_MIC (bsc#1227149). - wifi: ath11k: use select for CRYPTO_MICHAEL_MIC (bsc#1227149). - commit a869013 - wifi: ath12k: Consolidate WMI peer flags (bsc#1227149). - wifi: ath11k: Consolidate WMI peer flags (bsc#1227149). - wifi: ath12k: Remove obsolete struct wmi_peer_flags_map * peer_flags (bsc#1227149). - wifi: ath11k: Remove obsolete struct wmi_peer_flags_map * peer_flags (bsc#1227149). - wifi: ath12k: Remove struct ath12k::ops (bsc#1227149). - wifi: ath11k: Remove struct ath11k::ops (bsc#1227149). - wifi: ath10k: Remove unused struct ath10k_htc_frame (bsc#1227149). - wifi: ath10k: simplify __ath10k_htt_tx_txq_recalc() (bsc#1227149). - wifi: ath11k: Remove unneeded semicolon (bsc#1227149). - wifi: ath10k: replace deprecated strncpy with memcpy (bsc#1227149). - commit e59240f - wifi: ath12k: drop NULL pointer check in ath12k_update_per_peer_tx_stats() (bsc#1227149). - Revert &quot;wifi: ath11k: call ath11k_mac_fils_discovery() without condition&quot; (bsc#1227149). - wifi: ath12k: Introduce and use ath12k_sta_to_arsta() (bsc#1227149). - wifi: ath12k: rename the sc naming convention to ab (bsc#1227149). - wifi: ath12k: rename the wmi_sc naming convention to wmi_ab (bsc#1227149). - commit f93677e - bus: mhi: host: allow MHI client drivers to provide the firmware via a pointer (bsc#1227149). - commit 494649c - wifi: ath11k: add firmware-2.bin support (bsc#1227149). - Refresh patches.suse/wifi-ath11k-support-hibernation.patch. - commit 677d325 - wifi: ath11k: qmi: refactor ath11k_qmi_m3_load() (bsc#1227149). - commit 296ac8f - wifi: ath11k: rename the sc naming convention to ab (bsc#1227149). - Refresh patches.suse/wifi-ath11k-support-hibernation.patch. - Refresh patches.suse/wifi-ath11k-thermal-don-t-try-to-register-multiple-t.patch. - commit 6eedd0d - wifi: ath11k: rename the wmi_sc naming convention to wmi_ab (bsc#1227149). - wifi: ath6kl: replace deprecated strncpy with memcpy (bsc#1227149). - commit cd59b03 - wifi: ath5k: replace deprecated strncpy with strscpy (bsc#1227149). - wifi: ath12k: Remove ath12k_base::bd_api (bsc#1227149). - wifi: ath11k: Remove ath11k_base::bd_api (bsc#1227149). - wifi: ath12k: Enable Mesh support for QCN9274 (bsc#1227149). - wifi: ath12k: register EHT mesh capabilities (bsc#1227149). - wifi: ath11k: Use device_get_match_data() (bsc#1227149). - wifi: ath11k: Introduce and use ath11k_sta_to_arsta() (bsc#1227149). - wifi: ath11k: Remove unused struct ath11k_htc_frame (bsc#1227149). - wifi: ath12k: fix invalid m3 buffer address (bsc#1227149). - wifi: ath12k: add ath12k_qmi_free_resource() for recovery (bsc#1227149). - commit a18a8d4 - wifi: ath12k: configure RDDM size to MHI for device recovery (bsc#1227149). - wifi: ath12k: add parsing of phy bitmap for reg rules (bsc#1227149). - wifi: ath11k: add parsing of phy bitmap for reg rules (bsc#1227149). - wifi: ath11k: ath11k_debugfs_register(): fix format-truncation warning (bsc#1227149). - wifi: ath12k: Consistently use ath12k_vif_to_arvif() (bsc#1227149). - wifi: ath11k: call ath11k_mac_fils_discovery() without condition (bsc#1227149). - wifi: ath12k: remove redundant memset() in ath12k_hal_reo_qdesc_setup() (bsc#1227149). - wifi: ath9k_htc: fix format-truncation warning (bsc#1227149). - wifi: ath12k: fix debug messages (bsc#1227149). - wifi: ath11k: fix CAC running state during virtual interface start (bsc#1227149). - commit c2f2e92 - wifi: ath10k: simplify ath10k_peer_create() (bsc#1227149). - wifi: ath10k: indicate to mac80211 scan complete with aborted flag for ATH10K_SCAN_STARTING state (bsc#1227149). - wifi: ath: dfs_pattern_detector: Use flex array to simplify code (bsc#1227149). - wifi: carl9170: remove unnecessary (void*) conversions (bsc#1227149). - wifi: ath10k: consistently use kstrtoX_from_user() functions (bsc#1227149). - wifi: ath12k: add keep backward compatibility of PHY mode to avoid firmware crash (bsc#1227149). - wifi: ath12k: add read variant from SMBIOS for download board data (bsc#1227149). - wifi: ath12k: do not drop data frames from unassociated stations (bsc#1227149). - wifi: ath11k: mac: fix struct ieee80211_sband_iftype_data handling (bsc#1227149). - wifi: ath11k: fix ath11k_mac_op_remain_on_channel() stack usage (bsc#1227149). - commit b844022 - wifi: ath12k: add msdu_end structure for WCN7850 (bsc#1227149). - wifi: ath12k: Set default beacon mode to burst mode (bsc#1227149). - wifi: ath12k: call ath12k_mac_fils_discovery() without condition (bsc#1227149). - wifi: ath11k: remove unnecessary (void*) conversions (bsc#1227149). - wifi: ath12k: enable IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS for WCN7850 (bsc#1227149). - wifi: ath12k: change to treat alpha code na as world wide regdomain (bsc#1227149). - wifi: ath12k: indicate scan complete for scan canceled when scan running (bsc#1227149). - wifi: ath12k: indicate to mac80211 scan complete with aborted flag for ATH12K_SCAN_STARTING state (bsc#1227149). - wifi: ath12k: fix recovery fail while firmware crash when doing channel switch (bsc#1227149). - wifi: ath12k: add support for hardware rfkill for WCN7850 (bsc#1227149). - commit 087627b - wifi: ath11k: use kstrtoul_from_user() where appropriate (bsc#1227149). - wifi: ath11k: remove unused members of 'struct ath11k_base' (bsc#1227149). - wifi: ath11k: drop redundant check in ath11k_dp_rx_mon_dest_process() (bsc#1227149). - wifi: ath11k: drop NULL pointer check in ath11k_update_per_peer_tx_stats() (bsc#1227149). - wifi: ath10k: drop HTT_DATA_TX_STATUS_DOWNLOAD_FAIL (bsc#1227149). - wifi: ath10k: Annotate struct ath10k_ce_ring with __counted_by (bsc#1227149). - wifi: wcn36xx: Annotate struct wcn36xx_hal_ind_msg with __counted_by (bsc#1227149). - wifi: ath12k: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: ath10k: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: ath6kl: remove unnecessary (void*) conversions (bsc#1227149). - commit 3f20dbc - wifi: ath5k: remove unnecessary (void*) conversions (bsc#1227149). - wifi: wcn36xx: remove unnecessary (void*) conversions (bsc#1227149). - wifi: ar5523: Remove unnecessary (void*) conversions (bsc#1227149). - wifi: ath9k: clean up function ath9k_hif_usb_resume (bsc#1227149). - wifi: ath11k: add chip id board name while searching board-2.bin for WCN6855 (bsc#1227149). - wifi: ath12k: change to initialize recovery variables earlier in ath12k_core_reset() (bsc#1227149). - wifi: ath12k: enable 320 MHz bandwidth for 6 GHz band in EHT PHY capability for WCN7850 (bsc#1227149). - wifi: ath9k: use u32 for txgain indexes (bsc#1227149). - wifi: ath9k: simplify ar9003_hw_process_ini() (bsc#1227149). - wifi: ath12k: fix radar detection in 160 MHz (bsc#1227149). - commit 0b35606 - wifi: ath12k: fix WARN_ON during ath12k_mac_update_vif_chan (bsc#1227149). - wifi: ath11k: fix tid bitmap is 0 in peer rx mu stats (bsc#1227149). - wifi: ath11k: move references from rsvd2 to info fields (bsc#1227149). - wifi: ath11k: mhi: add a warning message for MHI_CB_EE_RDDM crash (bsc#1227149). - wifi: ath: Use is_multicast_ether_addr() to check multicast Ether address (bsc#1227149). - wifi: ath12k: Remove unused declarations (bsc#1227149). - wifi: ath5k: ath5k_hw_get_median_noise_floor(): use swap() (bsc#1227149). - wifi: ath: remove unused-but-set parameter (bsc#1227149). - wifi: ath11k: Remove unused declarations (bsc#1227149). - wifi: ath10k: fix Wvoid-pointer-to-enum-cast warning (bsc#1227149). - commit 1f3c3b8 - wifi: ath11k: fix Wvoid-pointer-to-enum-cast warning (bsc#1227149). - wifi: ath11k: simplify the code with module_platform_driver (bsc#1227149). - wifi: ath12k: Fix a few spelling errors (bsc#1227149). - wifi: ath11k: Fix a few spelling errors (bsc#1227149). - wifi: ath10k: Fix a few spelling errors (bsc#1227149). - wifi: ath11k: Consistently use ath11k_vif_to_arvif() (bsc#1227149). - wifi: ath9k: Remove unused declarations (bsc#1227149). - wifi: ath9k: Remove unnecessary ternary operators (bsc#1227149). - wifi: ath9k: consistently use kstrtoX_from_user() functions (bsc#1227149). - wifi: ath9k: fix parameter check in ath9k_init_debug() (bsc#1227149). - commit 6c737fb - wifi: ath5k: Remove redundant dev_err() (bsc#1227149). - wifi: ath12k: avoid deadlock by change ieee80211_queue_work for regd_update_work (bsc#1227149). - wifi: ath12k: add handler for scan event WMI_SCAN_EVENT_DEQUEUED (bsc#1227149). - wifi: ath12k: relax list iteration in ath12k_mac_vif_unref() (bsc#1227149). - wifi: ath12k: configure puncturing bitmap (bsc#1227149). - wifi: ath12k: parse WMI service ready ext2 event (bsc#1227149). - wifi: ath12k: add MLO header in peer association (bsc#1227149). - wifi: ath12k: peer assoc for 320 MHz (bsc#1227149). - wifi: ath12k: add WMI support for EHT peer (bsc#1227149). - wifi: ath12k: prepare EHT peer assoc parameters (bsc#1227149). - commit 3191784 - wifi: ath12k: add EHT PHY modes (bsc#1227149). - wifi: ath12k: propagate EHT capabilities to userspace (bsc#1227149). - wifi: ath12k: WMI support to process EHT capabilities (bsc#1227149). - wifi: ath12k: move HE capabilities processing to a new function (bsc#1227149). - commit 7fb64df - wifi: ath12k: rename HE capabilities setup/copy functions (bsc#1227149). - Refresh patches.suse/wifi-cfg80211-annotate-iftype_data-pointer-with-spar.patch. - commit ddfeb0d - wifi: ath12k: change to use dynamic memory for channel list of scan (bsc#1227149). - wifi: ath12k: trigger station disconnect on hardware restart (bsc#1227149). - wifi: ath12k: Use pdev_id rather than mac_id to get pdev (bsc#1227149). - wifi: ath12k: correct the data_type from QMI_OPT_FLAG to QMI_UNSIGNED_1_BYTE for mlo_capable (bsc#1227149). - wifi: ath11k: Remove cal_done check during probe (bsc#1227149). - commit e204950 - wifi: ath11k: simplify ath11k_mac_validate_vht_he_fixed_rate_settings() (bsc#1227149). - wifi: ath6kl: Remove error checking for debugfs_create_dir() (bsc#1227149). - wifi: ath5k: remove phydir check from ath5k_debug_init_device() (bsc#1227149). - wifi: drivers: Explicitly include correct DT includes (bsc#1227149). - wifi: ath10k: improve structure padding (bsc#1227149). - wifi: ath12k: fix conf_mutex in ath12k_mac_op_unassign_vif_chanctx() (bsc#1227149). - wifi: ath11k: debug: add ATH11K_DBG_CE (bsc#1227149). - commit 3345b7e - wifi: ath11k: htc: cleanup debug messages (bsc#1227149). - wifi: ath11k: don't use %pK (bsc#1227149). - wifi: ath11k: hal: cleanup debug message (bsc#1227149). - wifi: ath11k: debug: use all upper case in ATH11k_DBG_HAL (bsc#1227149). - wifi: ath11k: dp: cleanup debug message (bsc#1227149). - wifi: ath11k: pci: cleanup debug logging (bsc#1227149). - wifi: ath11k: wmi: add unified command debug messages (bsc#1227149). - wifi: ath11k: wmi: use common error handling style (bsc#1227149). - wifi: ath11k: wmi: cleanup error handling in ath11k_wmi_send_init_country_cmd() (bsc#1227149). - wifi: ath11k: remove unsupported event handlers (bsc#1227149). - commit 37105bd - wifi: ath11k: add WMI event debug messages (bsc#1227149). - Refresh patches.suse/wifi-ath11k-fix-gtk-offload-status-event-locking.patch. - Refresh patches.suse/wifi-ath11k-fix-temperature-event-locking.patch. - commit 572fd2c - wifi: ath11k: remove manual mask names from debug messages (bsc#1227149). - Refresh patches.suse/wifi-ath11k-fix-gtk-offload-status-event-locking.patch. - commit a7ae7bf - wifi: ath11k: print debug level in debug messages (bsc#1227149). - wifi: ath11k: debug: remove unused ATH11K_DBG_ANY (bsc#1227149). - wifi: ath12k: delete the timer rx_replenish_retry during rmmod (bsc#1227149). - wifi: ath12k: Use msdu_end to check MCBC (bsc#1227149). - wifi: ath12k: check hardware major version for WCN7850 (bsc#1227149). - wifi: ath11k: update proper pdev/vdev id for testmode command (bsc#1227149). - wifi: atk10k: Don't opencode ath10k_pci_priv() in ath10k_ahb_priv() (bsc#1227149). - wifi: ath10k: Convert to platform remove callback returning void (bsc#1227149). - commit cafd8ed - wifi: ath10k: Drop checks that are always false (bsc#1227149). - wifi: ath10k: Drop cleaning of driver data from probe error path and remove (bsc#1227149). - wifi: ath11k: Add HTT stats for PHY reset case (bsc#1227149). - commit dde2040 - wifi: ath11k: Allow ath11k to boot without caldata in ftm mode (bsc#1227149). - Refresh patches.suse/wifi-ath11k-do-not-dump-SRNG-statistics-during-resum.patch. - commit adbddfc - wifi: ath11k: factory test mode support (bsc#1227149). - Refresh patches.suse/wifi-ath11k-fix-warning-on-DMA-ring-capabilities-eve.patch. - Refresh patches.suse/wifi-ath11k-rearrange-IRQ-enable-disable-in-reset-pa.patch. - Refresh patches.suse/wifi-ath11k-support-hibernation.patch. - commit 030f59a - wifi: ath11k: remove unused function ath11k_tm_event_wmi() (bsc#1227149). - wifi: ath12k: Add support to parse new WMI event for 6 GHz regulatory (bsc#1227149). - wifi: wil6210: wmi: Replace zero-length array with DECLARE_FLEX_ARRAY() helper (bsc#1227149). - wifi: wil6210: fw: Replace zero-length arrays with DECLARE_FLEX_ARRAY() helper (bsc#1227149). - wifi: ath11k: Send HT fixed rate in WMI peer fixed param (bsc#1227149). - wifi: ath11k: Relocate the func ath11k_mac_bitrate_mask_num_ht_rates() and change hweight16 to hweight8 (bsc#1227149). - wifi: ath12k: increase vdev setup timeout (bsc#1227149). - wifi: ath11k: EMA beacon support (bsc#1227149). - wifi: ath11k: MBSSID beacon support (bsc#1227149). - wifi: ath11k: refactor vif parameter configurations (bsc#1227149). - wifi: ath11k: MBSSID parameter configuration in AP mode (bsc#1227149). - wifi: ath11k: rename MBSSID fields in wmi_vdev_up_cmd (bsc#1227149). - wifi: ath11k: MBSSID configuration during vdev create/start (bsc#1227149). - wifi: ath11k: driver settings for MBSSID and EMA (bsc#1227149). - wifi: ath: work around false-positive stringop-overread warning (bsc#1227149). - wifi: ath11k: Use list_count_nodes() (bsc#1227149). - wifi: ath10k: Use list_count_nodes() (bsc#1227149). - wifi: ath12k: fix potential wmi_mgmt_tx_queue race condition (bsc#1227149). - wifi: ath12k: add wait operation for tx management packets for flush from mac80211 (bsc#1227149). - wifi: ath12k: Remove some dead code (bsc#1227149). - wifi: ath12k: send WMI_PEER_REORDER_QUEUE_SETUP_CMDID when ADDBA session starts (bsc#1227149). - wifi: ath12k: set PERST pin no pull request for WCN7850 (bsc#1227149). - wifi: ath12k: add qmi_cnss_feature_bitmap field to hardware parameters (bsc#1227149). - wifi: ath10/11/12k: Use alloc_ordered_workqueue() to create ordered workqueues (bsc#1227149). - commit 1763ceb - net: phy: microchip: lan87xx: reinit PHY after cable test (git-fixes). - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr (git-fixes). - drm/amdgpu/atomfirmware: silence UBSAN warning (stable-fixes). - drm: panel-orientation-quirks: Add quirk for Valve Galileo (stable-fixes). - nilfs2: add missing check for inode numbers on directory entries (stable-fixes). - nilfs2: fix inode number range checks (stable-fixes). - drm/amdgpu: silence UBSAN warning (stable-fixes). - spi: cadence: Ensure data lines set to low during dummy-cycle period (stable-fixes). - regmap-i2c: Subtract reg size from max_write (stable-fixes). - platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro (stable-fixes). - platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6&quot; tablet (stable-fixes). - nfc/nci: Add the inconsistency check between the input data length and count (stable-fixes). - Input: ff-core - prefer struct_size over open coded arithmetic (stable-fixes). - cdrom: rearrange last_media_change check to avoid unintentional overflow (stable-fixes). - serial: imx: Raise TX trigger level to 8 (stable-fixes). - usb: xhci: prevent potential failure in handle_tx_event() for Transfer events without TRB (stable-fixes). - thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data (stable-fixes). - firmware: dmi: Stop decoding on broken entry (stable-fixes). - i2c: i801: Annotate apanel_addr as __ro_after_init (stable-fixes). - media: dvb-frontends: tda10048: Fix integer overflow (stable-fixes). - media: s2255: Use refcount_t instead of atomic_t for num_channels (stable-fixes). - media: dvb-frontends: tda18271c2dd: Remove casting during div (stable-fixes). - media: dw2102: fix a potential buffer overflow (git-fixes). - media: dw2102: Don't translate i2c read into write (stable-fixes). - media: dvb-usb: dib0700_devices: Add missing release_firmware() (stable-fixes). - media: dvb: as102-fe: Fix as10x_register_addr packing (stable-fixes). - drm/amdgpu: fix the warning about the expression (int)size - len (stable-fixes). - drm/amdgpu: fix uninitialized scalar variable warning (stable-fixes). - drm/amd/display: Fix uninitialized variables in DM (stable-fixes). - drm/amd/display: Skip finding free audio for unknown engine_id (stable-fixes). - drm/amd/display: Check pipe offset before setting vblank (stable-fixes). - drm/amd/display: Check index msg_id before read or write (stable-fixes). - drm/amdgpu: Initialize timestamp for some legacy SOCs (stable-fixes). - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc (stable-fixes). - drm/amdgpu: Fix uninitialized variable warnings (stable-fixes). - drm/lima: fix shared irq handling on driver remove (stable-fixes). - wifi: mt76: mt7996: add sanity checks for background radar trigger (stable-fixes). - wifi: mt76: replace skb_put with skb_put_zero (stable-fixes). - crypto: aead,cipher - zeroize key buffer after use (stable-fixes). - crypto: hisilicon/debugfs - Fix debugfs uninit process issue (stable-fixes). - commit 240e65e - Refresh patches.kabi/wireless-kabi-workaround.patch (bsc#1227149) More fixes for 6.9 API updates - commit 25eb11c - wifi: iwlwifi: mvm: fix ROC version check (bsc#1227149). - wifi: iwlwifi: mvm: fix a crash on 7265 (bsc#1227149). - wifi: iwlwifi: Use request_module_nowait (bsc#1227149). - wifi: iwlwifi: mvm: don't always disable EMLSR due to BT coex (bsc#1227149). - wifi: iwlwifi: mvm: calculate EMLSR mode after connection (bsc#1227149). - wifi: iwlwifi: mvm: introduce esr_disable_reason (bsc#1227149). - wifi: iwlwifi: mvm: Do not warn on invalid link on scan complete (bsc#1227149). - wifi: iwlwifi: mvm: support iwl_dev_tx_power_cmd_v8 (bsc#1227149). - commit 74beb0b - net: mana: Fix possible double free in error handling path (git-fixes). - RDMA/mana_ib: Ignore optional access flags for MRs (git-fixes). - net: mana: Fix the extra HZ in mana_hwc_send_request (git-fixes). - commit cb4a2bd - wifi: iwlwifi: mvm: fix link ID management (bsc#1227149). - Revert &quot;wifi: iwlwifi: bump FW API to 90 for BZ/SC devices&quot; (bsc#1227149). - wifi: iwlwifi: mvm: handle debugfs names more carefully (bsc#1227149). - commit 1b2b558 - wifi: iwlwifi: mvm: Configure the link mapping for non-MLD FW (bsc#1227149). - wifi: iwlwifi: mvm: consider having one active link (bsc#1227149). - wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF (bsc#1227149). - wifi: iwlwifi: mvm: disable MLO for the time being (bsc#1227149). - wifi: cfg80211: add a flag to disable wireless extensions (bsc#1227149). - iwlwifi: mvm: Use for_each_thermal_trip() for walking trip points (bsc#1227149). - iwlwifi: mvm: Populate trip table before registering thermal zone (bsc#1227149). - iwlwifi: mvm: Drop unused fw_trips_index[] from iwl_mvm_thermal_device (bsc#1227149). - commit 53ce28e - wifi: mac80211: add link id to ieee80211_gtk_rekey_add() (bsc#1227149). - wifi: iwlwifi: load b0 version of ucode for HR1/HR2 (bsc#1227149). - wifi: iwlwifi: handle per-phy statistics from fw (bsc#1227149). - wifi: iwlwifi: iwl-fh.h: fix kernel-doc issues (bsc#1227149). - wifi: iwlwifi: api: fix kernel-doc reference (bsc#1227149). - wifi: iwlwifi: mvm: unlock mvm if there is no primary link (bsc#1227149). - wifi: iwlwifi: mvm: partially support PHY context version 6 (bsc#1227149). - commit 590b6b6 - wifi: iwlwifi: cancel session protection only if there is one (bsc#1227149). - wifi: iwlwifi: mvm: remove IWL_MVM_STATUS_NEED_FLUSH_P2P (bsc#1227149). - wifi: iwlwifi: mvm: check own capabilities for EMLSR (bsc#1227149). - wifi: iwlwifi: iwl-trans.h: clean up kernel-doc (bsc#1227149). - wifi: iwlwifi: fw: file: clean up kernel-doc (bsc#1227149). - wifi: iwlwifi: api: dbg-tlv: fix up kernel-doc (bsc#1227149). - wifi: iwlwifi: error-dump: fix kernel-doc issues (bsc#1227149). - commit b9417e2 - wifi: iwlwifi: mvm: fix thermal kernel-doc (bsc#1227149). - wifi: iwlwifi: don't use TRUE/FALSE with bool (bsc#1227149). - wifi: iwlwifi: api: fix constant version to match FW (bsc#1227149). - wifi: iwlwifi: mvm: Extend support for P2P service discovery (bsc#1227149). - wifi: iwlwifi: mvm: work around A-MSDU size problem (bsc#1227149). - wifi: iwlwifi: nvm: parse the VLP/AFC bit from regulatory (bsc#1227149). - wifi: iwlwifi: iwlmvm: handle unprotected deauth/disassoc in d3 (bsc#1227149). - wifi: iwlwifi: fix #ifdef CONFIG_ACPI check (bsc#1227149). - wifi: iwlwifi: queue: improve warning for no skb in reclaim (bsc#1227149). - wifi: iwlwifi: mvm: move BA notif messages before action (bsc#1227149). - commit da274a5 - wifi: cfg80211: report unprotected deauth/disassoc in wowlan (bsc#1227149). - Refresh patches.kabi/wireless-kabi-workaround.patch. - commit 8a7655b - wifi: nl80211: allow reporting wakeup for unprot deauth/disassoc (bsc#1227149). - Refresh patches.kabi/wireless-kabi-workaround.patch. - commit e91caa5 - wifi: cfg80211: rename UHB to 6 GHz (bsc#1227149). - Refresh patches.kabi/wireless-kabi-workaround.patch. - commit 72d3017 - wifi: iwlwifi: mvm: show skb_mac_gso_segment() failure reason (bsc#1227149). - wifi: iwlwifi: mvm: remove flags for enable/disable beacon filter (bsc#1227149). - wifi: iwlwifi: pcie: Add new PCI device id and CNVI (bsc#1227149). - wifi: iwlwifi: mvm: don't send the smart fifo command if not needed (bsc#1227149). - wifi: iwlwifi: fw: allow vmalloc for PNVM image (bsc#1227149). - wifi: iwlwifi: mvm: don't do duplicate detection for nullfunc packets (bsc#1227149). - wifi: iwlwifi: mvm: avoid garbage iPN (bsc#1227149). - wifi: iwlwifi: mvm: always update keys in D3 exit (bsc#1227149). - wifi: iwlwifi: mvm: limit pseudo-D3 to 60 seconds (bsc#1227149). - wifi: iwlwifi: mvm: combine condition/warning (bsc#1227149). - commit 9013bb7 - wifi: iwlwifi: mvm: fix the key PN index (bsc#1227149). - wifi: iwlwifi: mvm: Keep connection in case of missed beacons during RX (bsc#1227149). - wifi: iwlwifi: properly check if link is active (bsc#1227149). - wifi: iwlwifi: take SGOM and UATS code out of ACPI ifdef (bsc#1227149). - wifi: iwlwifi: mvm: don't abort queue sync in CT-kill (bsc#1227149). - wifi: iwlwifi: mvm: define RX queue sync timeout as a macro (bsc#1227149). - wifi: iwlwifi: mvm: expand queue sync warning messages (bsc#1227149). - wifi: iwlwifi: mvm: Declare support for secure LTF measurement (bsc#1227149). - wifi: iwlwifi: mvm: advertise support for protected ranging negotiation (bsc#1227149). - wifi: iwlwifi: mvm: remove one queue sync on BA session stop (bsc#1227149). - commit d32b4ac - wifi: iwlwifi: mvm: don't support reduced tx power on ack for new devices (bsc#1227149). - wifi: iwlwifi: use system_unbound_wq for debug dump (bsc#1227149). - wifi: iwlwifi: mvm: remove EHT code from mac80211.c (bsc#1227149). - wifi: iwlwifi: read mac step from aux register (bsc#1227149). - wifi: iwlwifi: adjust rx_phyinfo debugfs to MLO (bsc#1227149). - wifi: iwlwifi: mvm: const-ify chandef pointers (bsc#1227149). - wifi: iwlwifi: Add support for PPAG cmd v5 and PPAG revision 3 (bsc#1227149). - wifi: iwlwifi: pcie: don't allow hw-rfkill to stop device on gen2 (bsc#1227149). - wifi: iwlwifi: add HONOR to PPAG approved list (bsc#1227149). - commit 6501846 - wifi: mac80211: update beacon counters per link basis (bsc#1227149). - wifi: iwlwifi: return negative -EINVAL instead of positive EINVAL (bsc#1227149). - wifi: iwlwifi: fw: fix compiler warning for NULL string print (bsc#1227149). - wifi: iwlwifi: mvm: make functions public (bsc#1227149). - wifi: iwlwifi: bump FW API to 88 for AX/BZ/SC devices (bsc#1227149). - wifi: iwlwifi: mvm: don't send BT_COEX_CI command on new devices (bsc#1227149). - wifi: iwlwifi: read DSM functions from UEFI (bsc#1227149). - commit 4b3d0a2 - wifi: iwlwifi: prepare for reading DSM from UEFI (bsc#1227149). - wifi: iwlwifi: simplify getting DSM from ACPI (bsc#1227149). - wifi: iwlwifi: take send-DSM-to-FW flows out of ACPI ifdef (bsc#1227149). - wifi: iwlwifi: rfi: use a single DSM function for all RFI configurations (bsc#1227149). - wifi: iwlwifi: read ECKV table from UEFI (bsc#1227149). - wifi: iwlwifi: read WRDD table from UEFI (bsc#1227149). - wifi: iwlwifi: support link command version 2 (bsc#1227149). - wifi: iwlwifi: mvm: use fast balance scan in case of an active P2P GO (bsc#1227149). - wifi: iwlwifi: mvm: don't send NDPs for new tx devices (bsc#1227149). - wifi: iwlwifi: read SPLC from UEFI (bsc#1227149). - commit 10d0457 - wifi: iwlwifi: prepare for reading SPLC from UEFI (bsc#1227149). - wifi: iwlwifi: api: clean up some kernel-doc/typos (bsc#1227149). - wifi: iwlwifi: remove unused function prototype (bsc#1227149). - iwlwifi: fw: fix more kernel-doc warnings (bsc#1227149). - wifi: iwlwifi: read WTAS table from UEFI (bsc#1227149). - commit edb7009 - wifi: iwlwifi: separate TAS 'read-from-BIOS' and 'send-to-FW' flows (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-mvm-fix-warnings-from-dmi_get_system_in.patch. - commit cbe5734 - wifi: iwlwifi: prepare for reading TAS table from UEFI (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-mvm-fix-warnings-from-dmi_get_system_in.patch. - commit 37ff9f0 - wifi: iwlwifi: don't check TAS block list size twice (bsc#1227149). - wifi: iwlwifi: read PPAG table from UEFI (bsc#1227149). - wifi: iwlwifi: validate PPAG table when sent to FW (bsc#1227149). - commit aab6534 - wifi: iwlwifi: prepare for reading PPAG table from UEFI (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-fw-fix-compile-w-o-CONFIG_ACPI.patch. - commit b317fc2 - wifi: iwlwifi: small cleanups in PPAG table flows (bsc#1227149). - wifi: iwlwifi: read SAR tables from UEFI (bsc#1227149). - wifi: iwlwifi: cleanup sending PER_CHAIN_LIMIT_OFFSET_CMD (bsc#1227149). - wifi: iwlwifi: prepare for reading SAR tables from UEFI (bsc#1227149). - wifi: iwlwifi: mvm: check AP supports EMLSR (bsc#1227149). - wifi: iwlwifi: mvm: d3: implement suspend with MLO (bsc#1227149). - wifi: iwlwifi: mvm: refactor duplicate chanctx condition (bsc#1227149). - wifi: iwlwifi: mvm: log dropped packets due to MIC error (bsc#1227149). - commit ab26861 - wifi: iwlwifi: mvm: support SPP A-MSDUs (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-mvm-don-t-set-the-MFP-flag-for-the-GTK.patch. - commit d834590 - wifi: mac80211: add support for SPP A-MSDUs (bsc#1227149). - commit 265cdf6 - wifi: cfg80211: add support for SPP A-MSDUs (bsc#1227149). - Refresh patches.kabi/wireless-kabi-workaround.patch. - commit f498490 - wifi: iwlwifi: implement GLAI ACPI table loading (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-fw-fix-compile-w-o-CONFIG_ACPI.patch. - commit 85303bc - wifi: iwlwifi: remove Gl A-step remnants (bsc#1227149). - wifi: iwlwifi: mvm: Fix FTM initiator flags (bsc#1227149). - wifi: iwlwifi: always have 'uats_enabled' (bsc#1227149). - wifi: iwlwifi: mvm: don't set trigger frame padding in AP mode (bsc#1227149). - wifi: iwlwifi: Fix spelling mistake &quot;SESION&quot; -&gt; &quot;SESSION&quot; (bsc#1227149). - wifi: iwlwifi: mvm: add support for TID to link mapping neg request (bsc#1227149). - wifi: iwlwifi: cleanup uefi variables loading (bsc#1227149). - wifi: iwlwifi: mvm: disconnect station vifs if recovery failed (bsc#1227149). - wifi: iwlwifi: fw: dbg: ensure correct config name sizes (bsc#1227149). - commit ff842c3 - wifi: ieee80211: add definitions for negotiated TID to Link map (bsc#1227149). - commit b1d66f3 - wifi: mac80211: process and save negotiated TID to Link mapping request (bsc#1227149). - Refresh patches.kabi/wireless-kabi-workaround.patch. - commit 32a5092 - wifi: cfg80211: add RNR with reporting AP information (bsc#1227149). - commit 8fede1e - wifi: iwlwifi: implement can_activate_links callback (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-mvm-fix-active-link-counting-during-rec.patch. - commit 7e399ce - wifi: iwlwifi: remove retry loops in start (bsc#1227149). - commit 3c4f0f3 - wifi: iwlwifi: dbg-tlv: use struct_size() for allocation (bsc#1227149). - wifi: iwlwifi: dbg-tlv: avoid extra allocation/copy (bsc#1227149). - wifi: iwlwifi: fix some kernel-doc issues (bsc#1227149). - wifi: iwlwifi: mvm: d3: disconnect on GTK rekey failure (bsc#1227149). - wifi: iwlwifi: mvm: Add support for removing responder TKs (bsc#1227149). - wifi: iwlwifi: disable eSR when BT is active (bsc#1227149). - wifi: iwlwifi: add support for a wiphy_work rx handler (bsc#1227149). - wifi: iwlwifi: bump FW API to 87 for AX/BZ/SC devices (bsc#1227149). - wifi: iwlwifi: mvm: introduce PHY_CONTEXT_CMD_API_VER_5 (bsc#1227149). - wifi: iwlwifi: skip affinity setting on non-SMP (bsc#1227149). - wifi: iwlwifi: nvm-parse: advertise common packet padding (bsc#1227149). - wifi: iwlwifi: change link id in time event to s8 (bsc#1227149). - wifi: iwlwifi: mvm: limit EHT 320 MHz MCS for STEP URM (bsc#1227149). - wifi: iwlwifi: disable 160 MHz based on subsystem device ID (bsc#1227149). - wifi: iwlwifi: make TB reallocation a debug message (bsc#1227149). - wifi: iwlwifi: Add support for new 802.11be device (bsc#1227149). - commit 6617b64 - pmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain (CVE-2024-35942 bsc#1224589). - commit cf74548 - platform/x86: toshiba_acpi: Fix array out-of-bounds access (git-fixes). - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency (git-fixes). - commit ec2c4bc - KVM: SEV-ES: Delegate LBR virtualization to the processor (git-fixes). - commit ca0a7e8 - KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes (git-fixes). - commit 6653b01 - KVM: SEV-ES: Disallow SEV-ES guests when X86_FEATURE_LBRV is absent (git-fixes). - commit 1094992 - KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked (git-fixes). - commit 2cc4a9c - drivers/xen: Improve the late XenStore init protocol (git-fixes). - commit cb805fb - xen/x86: add extra pages to unpopulated-alloc if available (git-fixes). - commit d9de7d9 - kunit: Fix checksum tests on big endian CPUs (git-fixed). - commit 91a58a6 - KVM: arm64: Fix circular locking dependency (bsc#1222463 CVE-2024-26691). - commit 3273efe - Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted (bsc#1225744, CVE-2024-36909). - uio_hv_generic: Don't free decrypted memory (bsc#1225717, CVE-2024-36910). - hv_netvsc: Don't free decrypted memory (bsc#1225745, CVE-2024-36911). - Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl (bsc#1225752, CVE-2024-36912). - Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails (bsc#1225753, CVE-2024-36913). - commit a78a9db - x86/speculation, objtool: Use absolute relocations for annotations (git-fixes). - commit 14e0989 - x86/head/64: Move the __head definition to &lt;asm/init.h&gt; (git-fixes). - commit 36d1750 - x86/csum: Remove unnecessary odd handling (git-fixes). - commit 439ef62 - x86/csum: Fix clang -Wuninitialized in csum_partial() (git-fixes). - commit 98db437 - x86/csum: Improve performance of `csum_partial` (git-fixes). - commit 131cca3 - x86/boot: Ignore NMIs during very early boot (git-fixes). - commit 3c94948 - x86/asm: Fix build of UML with KASAN (git-fixes). - commit 89fc5d7 - blacklist.conf: Blacklist useless revert - commit 0a21e69 - tunnels: fix out of bounds access when building IPv6 PMTU error (bsc#1222328 CVE-2024-26665). - commit f28b881 - SUNRPC: avoid soft lockup when transmitting UDP to reachable server (bsc#1225272). - commit 3fc313b - Move upstreamed turbostat patch into sorted section - commit 768422e - Move out-of-tree patch to the right section - commit a3dba46 - powerpc/pseries: Fix scv instruction crash with kexec (bsc#1194869). - commit 245b529 - powerpc/prom: Add CPU info to hardware description string later (bsc#1215199). - commit 75358e1 - kernel-binary: vdso: Own module_dir - commit ff69986 - enic: Validate length of nl attributes in enic_set_vf_port (CVE-2024-38659 bsc#1226883). - commit 82dab70 - wifi: wilc1000: fix ies_len type in connect path (git-fixes). - commit 857b40a - net/dcb: check for detached device before executing callbacks (bsc#1215587). - commit c563440 - Update patches.suse/atm-Fix-Use-After-Free-in-do_vcc_ioctl.patch (git-fixes bsc#1218730 CVE-2023-51780). - commit 93588a3 - powerpc/64s/radix/kfence: map __kfence_pool at page granularity (bsc#1223570 ltc#205770). - commit d4edfeb - crypto/ecdsa: make ecdsa_ecc_ctx_deinit() to zeroize the public key (bsc#1222768). - commit 817f8be - crypto/ecdh: make ecdh_compute_value() to zeroize the public key (bsc#1222768). - commit 3f5391b - PCI: Do not wait for disconnected devices when resuming (git-fixes). - commit f7f9960 - powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() (bsc#1227487). - commit 42da489 - Enable CONFIG_SCHED_CLUSTER=y on arm64 (jsc#PED-8701). - commit 9157a3d - clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs (git-fixes). - clk: qcom: gcc-sm6350: Fix gpll6* &amp; gpll7 parents (git-fixes). - clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg (git-fixes). - commit 1a2b239 - nfs: drop the incorrect assertion in nfs_swap_rw() (git-fixes). - NFS: add barriers when testing for NFS_FSDATA_BLOCKED (git-fixes). - SUNRPC: return proper error from gss_wrap_req_priv (git-fixes). - NFSv4.1 enforce rootpath check in fs_location query (git-fixes). - SUNRPC: Fix loop termination condition in gss_free_in_token_pages() (git-fixes). - nfs: fix undefined behavior in nfs_block_bits() (git-fixes). - pNFS/filelayout: fixup pNfs allocation modes (git-fixes). - rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL (git-fixes). - NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS (git-fixes). - sunrpc: fix NFSACL RPC retry on soft mount (git-fixes). - nfs: keep server info for remounts (git-fixes). - NFSv4: Fixup smatch warning for ambiguous return (git-fixes). - SUNRPC: Fix gss_free_in_token_pages() (git-fixes). - knfsd: LOOKUP can return an illegal error value (git-fixes). - nfs: Handle error of rpc_proc_register() in nfs_net_init() (git-fixes). - nfsd: hold a lighter-weight client reference over CB_RECALL_ANY (git-fixes). - NFSD: Fix checksum mismatches in the duplicate reply cache (git-fixes). - commit e019385 - Update patches.suse/ALSA-hda-intel-sdw-acpi-fix-usage-of-device_get_name.patch (git-fixes CVE-2024-36955 bsc#1225810). - Update patches.suse/ASoC-SOF-ipc4-topology-Fix-input-format-query-of-pro.patch (git-fixes CVE-2024-39473 bsc#1227433). - Update patches.suse/Bluetooth-qca-fix-firmware-check-error-path.patch (git-fixes CVE-2024-36942 bsc#1225843). - Update patches.suse/Reapply-drm-qxl-simplify-qxl_fence_wait.patch (stable-fixes CVE-2024-36944 bsc#1225847). - Update patches.suse/amd-amdkfd-sync-all-devices-to-wait-all-processes-be.patch (stable-fixes CVE-2024-36949 bsc#1225894). - Update patches.suse/drm-amdkfd-range-check-cp-bad-op-exception-interrupt.patch (stable-fixes CVE-2024-36951 bsc#1225896). - Update patches.suse/drm-i915-hwmon-Get-rid-of-devm.patch (stable-fixes CVE-2024-39479 bsc#1227443). - Update patches.suse/fbdev-savage-Handle-err-return-when-savagefb_check_v.patch (git-fixes CVE-2024-39475 bsc#1227435). - Update patches.suse/firewire-ohci-mask-bus-reset-interrupts-between-ISR-.patch (stable-fixes CVE-2024-36950 bsc#1225895). - Update patches.suse/media-mc-Fix-graph-walk-in-media_pipeline_start.patch (git-fixes CVE-2024-39481 bsc#1227446). - Update patches.suse/pinctrl-core-delete-incorrect-free-in-pinctrl_enable.patch (git-fixes CVE-2024-36940 bsc#1225840). - Update patches.suse/pinctrl-devicetree-fix-refcount-leak-in-pinctrl_dt_t.patch (git-fixes CVE-2024-36959 bsc#1225839). - Update patches.suse/qibfs-fix-dentry-leak.patch (git-fixes CVE-2024-36947 bsc#1225856). - Update patches.suse/spi-fix-null-pointer-dereference-within-spi_sync.patch (git-fixes CVE-2024-36930 bsc#1225830). - Update patches.suse/wifi-iwlwifi-read-txq-read_ptr-under-lock.patch (stable-fixes CVE-2024-36922 bsc#1225805). - Update patches.suse/wifi-nl80211-don-t-free-NULL-coalescing-rule.patch (git-fixes CVE-2024-36941 bsc#1225835). - commit ffdc766 - Update patches.suse/crypto-rsa-add-a-check-for-allocation-failure.patch (bsc#1222775 CVE-2023-52472 bsc#1220430 bsc#1220427). - commit 7754b95 - drm/fbdev-generic: Fix framebuffer on big endian devices (git-fixes). - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes (git-fixes). - usb: dwc3: core: Workaround for CSR read timeout (stable-fixes). - usb: gadget: printer: SS+ support (stable-fixes). - drm/amdgpu: avoid using null object of framebuffer (stable-fixes). - drm/amd/display: Send DP_TOTAL_LTTPR_CNT during detection if LTTPR is present (stable-fixes). - drm/amdgpu/atomfirmware: fix parsing of vram_info (stable-fixes). - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes (stable-fixes). - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes (stable-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook 645/665 G11 (stable-fixes). - usb: typec: ucsi: Ack also failed Get Error commands (git-fixes). - iio: pressure: bmp280: Fix BMP580 temperature reading (stable-fixes). - usb: typec: ucsi: Never send a lone connector change ack (stable-fixes). - mtd: partitions: redboot: Added conversion of operands to a larger type (stable-fixes). - media: dvbdev: Initialize sbuf (stable-fixes). - ALSA: emux: improve patch ioctl data validation (stable-fixes). - drm/radeon/radeon_display: Decrease the size of allocated memory (stable-fixes). - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep (stable-fixes). - wifi: ieee80211: check for NULL in ieee80211_mle_size_ok() (stable-fixes). - crypto: ecdh - explicitly zeroize private_key (stable-fixes). - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message (stable-fixes). - usb: dwc3: core: Add DWC31 version 2.00a controller (stable-fixes). - iio: pressure: fix some word spelling errors (stable-fixes). - commit 42cf83f - Drop amd-pstate patch that caused a regression on 6.6.x stable - commit d3672a6 - RDMA/restrack: Fix potential invalid address access (git-fixes) - commit 91e323d - smb: client: fix use-after-free in smb2_query_info_compound() (bsc#1225489, CVE-2023-52751). - Refresh patches.suse/smb-client-fix-potential-OOBs-in-smb2_parse_contexts-.patch. - commit fed05d1 - smb: client: prevent new fids from being removed by laundromat (git-fixes, bsc#1225172). - commit b3d54ea - smb: client: make laundromat a delayed worker (git-fixes, bsc#1225172). - commit 97932f6 - smb3: allow controlling length of time directory entries are cached with dir leases (git-fixes, bsc#1225172). - commit c39c365 - smb: client: do not start laundromat thread on nohandlecache (git-fixes, bsc#1225172). - commit b320db3 - smb3: allow controlling maximum number of cached directories (git-fixes, bsc#1225172). - commit e5e6d01 - smb3: do not start laundromat thread when dir leases disabled (git-fixes, bsc#1225172). - commit b758cab - cifs: Add a laundromat thread for cached directories (git-fixes, bsc#1225172). - commit b1876e3 - bcache: fix variable length array abuse in btree_iter (CVE-2024-39482 bsc#1227447). - commit 3d0cfa1 - mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL (CVE-2024-39474 bsc#1227434). - commit 13add8a - selftests: make order checking verbose in msg_zerocopy selftest (git-fixes). - selftests: fix OOM in msg_zerocopy selftest (git-fixes). - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct (git-fixes). - bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX (git-fixes). - Bluetooth: ISO: Check socket flag instead of hcon (git-fixes). - Bluetooth: Ignore too large handle values in BIG (git-fixes). - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot (git-fixes). - Bluetooth: hci_event: Fix setting of unicast qos interval (git-fixes). - Bluetooth: hci_bcm4377: Fix msgid release (git-fixes). - mac802154: fix time calculation in ieee802154_configure_durations() (git-fixes). - net: phy: phy_device: Fix PHY LED blinking code comment (git-fixes). - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (git-fixes). - platform/x86: toshiba_acpi: Fix quickstart quirk handling (git-fixes). - commit 3db85da - jfs: xattr: fix buffer overflow for invalid xattr (bsc#1227383). - commit ae2a0d9 - iommu/arm-smmu-v3: Free MSIs in case of ENOMEM (git-fixes). - commit 2fb4aa0 - blacklist.conf: Add d988d9a9b9d1 panic: Flush kernel log buffer at the end - commit 0ce2686 - Update patches.suse/arm64-mm-Batch-dsb-and-isb-when-populating-pgtables.patch (jsc#PED-8688 bsc#1226202). - Update patches.suse/arm64-mm-Don-t-remap-pgtables-for-allocate-vs-populate.patch (jsc#PED-8688 bsc#1226202). - Update patches.suse/arm64-mm-Don-t-remap-pgtables-per-cont-pte-pmd-block.patch (jsc#PED-8688 bsc#1226202). - Update patches.suse/net-ena-Fix-redundant-device-NUMA-node-override.patch (jsc#PED-8688 bsc#1226202). - commit 584efba - Update patches.suse/usb-gadget-printer-fix-races-against-disable.patch (CVE-2024-25741 bsc#1219832). - commit 4a6f084 - llc: make llc_ui_sendmsg() more robust against bonding changes (CVE-2024-26636 bsc#1221659). - commit 1bb1c76 - llc: Drop support for ETH_P_TR_802_2 (CVE-2024-26635 bsc#1221656). - commit 6a42a8d - PCI: vmd: Create domain symlink before pci_bus_add_devices() (bsc#1227363). - commit 3666715 - md: fix resync softlockup when bitmap size is less than array size (CVE-2024-38598, bsc#1226757). - commit 43087c7 - ice: fix LAG and VF lock dependency in ice_reset_vf() (CVE-2024-36003 bsc#1224544). - commit 0af15ab - Refresh patches.suse/nvme-tcp-strict-pdu-pacing-to-avoid-send-stalls-on-T.patch. - commit a27eef2 - block: refine the EOF check in blkdev_iomap_begin (bsc#1226866 CVE-2024-38604). - commit 9e332c1 - blacklist.conf: 9cb46b31f3d0 drm/xe/xe_migrate: Cast to output precision before multiplying operands - commit d95545e - kabi/severities: ignore amd pds internal symbols - commit 3a9ca76 - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() (CVE-2024-26641 bsc#1221654). - commit 5bd1138 - hsr: Fix uninit-value access in hsr_get_node() (bsc#1223021 CVE-2024-26863). - commit 21d04a8 - ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() (CVE-2024-26633 bsc#1221647). - commit 78e628d - pds_core: Prevent race issues involving the adminq (bsc#1221057 CVE-2024-26623). - commit 94351ab - iommufd: Fix protection fault in iommufd_test_syz_conv_iova (bsc#1222779 CVE-2024-26785). - commit 5644693 - devlink: fix possible use-after-free and memory leaks in devlink_init() (bsc#1222438 CVE-2024-26734). - commit d3a3753 - dm snapshot: fix lockup in dm_exception_table_exit (bsc#1224743, CVE-2024-35805). - commit ba12566 - io_uring/rsrc: fix incorrect assignment of iter-&gt;nr_segs in io_import_fixed (git-fixes). - io_uring/rsrc: don't lock while !TASK_RUNNING (git-fixes). - io_uring/io-wq: avoid garbage value of 'match' in io_wq_enqueue() (git-fixes). - commit 7d3e252 - io_uring: check for non-NULL file pointer in io_file_can_poll() (bsc#1226990 CVE-2024-39371). - io_uring/io-wq: Use set_bit() and test_bit() at worker-&gt;flags (git-fixes). - io_uring/sqpoll: work around a potential audit memory leak (git-fixes). - commit 24603fc - io_uring: Fix io_cqring_wait() not restoring sigmask on get_timespec64() failure (git-fixes). - commit e640a65 - hsr: Prevent use after free in prp_create_tagged_frame() (CVE-2023-52846 bsc#1225098). - commit cf63988 - drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() (CVE-2024-38610 bsc#1226758). - commit 7069ac2 - virt: acrn: stop using follow_pfn (CVE-2024-38610 bsc#1226758). - commit c2ea51b - btrfs: fix crash on racing fsync and size-extending write into prealloc (bsc#1227101 CVE-2024-37354). - commit 1d355af - kernel-doc: fix struct_group_tagged() parsing (git-fixes). - commit e3a2a2e - mtd: rawnand: rockchip: ensure NVDDR timings are rejected (git-fixes). - mtd: rawnand: Bypass a couple of sanity checks during NAND identification (git-fixes). - mtd: rawnand: Fix the nand_read_data_op() early check (git-fixes). - mtd: rawnand: Ensure ECC configuration is propagated to upper layers (git-fixes). - commit e545951 - Correct SCSI patch references (bsc#1225767 CVE-2024-36919 bsc#1226785 CVE-2024-38559) - commit e8ea587 - gfs2: Fix potential glock use-after-free on unmount (bsc#1226775 CVE-2024-38570). - gfs2: Rename sd_{ glock =&gt; kill }_wait (bsc#1226775 CVE-2024-38570). - commit f3adbca - X.509: Fix the parser of extended key usage for length (bsc#1218820). - commit a9df6a7 - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique() (CVE-2024-36904 bsc#1225732). - commit d578dcc - Update patches.suse/1352-drm-amdgpu-Fix-possible-null-pointer-dereference.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52883 bsc#1226630). - Update patches.suse/9p-add-missing-locking-around-taking-dentry-fid-list.patch (git-fixes CVE-2024-39463 bsc#1227090). - Update patches.suse/ALSA-Fix-deadlocks-with-kctl-removals-at-disconnecti.patch (stable-fixes CVE-2024-38600 bsc#1226864). - Update patches.suse/ALSA-core-Fix-NULL-module-pointer-assignment-at-card.patch (git-fixes CVE-2024-38605 bsc#1226740). - Update patches.suse/ALSA-hda-Fix-possible-null-ptr-deref-when-assigning-.patch (git-fixes CVE-2023-52806 bsc#1225554). - Update patches.suse/ALSA-hda-cs_dsp_ctl-Use-private_free-for-control-cle.patch (git-fixes CVE-2024-38388 bsc#1226890). - Update patches.suse/ALSA-timer-Set-lower-bound-of-start-tick-time.patch (stable-fixes git-fixes CVE-2024-38618 bsc#1226754). - Update patches.suse/ASoC-kirkwood-Fix-potential-NULL-dereference.patch (git-fixes CVE-2024-38550 bsc#1226633). - Update patches.suse/ASoC-mediatek-Assign-dummy-when-codec-not-specified-.patch (git-fixes CVE-2024-38551 bsc#1226761). - Update patches.suse/Bluetooth-btusb-Add-date-evt_skb-is-NULL-check.patch (git-fixes CVE-2023-52833 bsc#1225595). - Update patches.suse/Bluetooth-hci_core-Fix-possible-buffer-overflow.patch (git-fixes CVE-2024-26889). - Update patches.suse/HID-uclogic-Fix-user-memory-access-bug-in-uclogic_pa.patch (git-fixes CVE-2023-52866 bsc#1225120). - Update patches.suse/IB-mlx5-Fix-init-stage-error-handling-to-avoid-doubl.patch (jsc#PED-6864 CVE-2023-52851 bsc#1225587). - Update patches.suse/Input-cyapa-add-missing-input-core-locking-to-suspen.patch (git-fixes CVE-2023-52884 bsc#1226764). - Update patches.suse/Input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch (git-fixes CVE-2023-52840 bsc#1224928). - Update patches.suse/KEYS-trusted-Do-not-use-WARN-when-encode-fails.patch (git-fixes CVE-2024-36975 bsc#1226520). - Update patches.suse/KEYS-trusted-Fix-memory-leak-in-tpm2_key_encode.patch (git-fixes CVE-2024-36967 bsc#1226131). - Update patches.suse/RDMA-cma-Fix-kmemleak-in-rdma_core-observed-during-b.patch (git-fixes CVE-2024-38539 bsc#1226608). - Update patches.suse/RDMA-hns-Fix-UAF-for-cq-async-event.patch (git-fixes CVE-2024-38545 bsc#1226595). - Update patches.suse/RDMA-hns-Fix-deadlock-on-SRQ-async-events.patch (git-fixes CVE-2024-38591 bsc#1226738). - Update patches.suse/RDMA-hns-Modify-the-print-level-of-CQE-error.patch (git-fixes CVE-2024-38590 bsc#1226839). - Update patches.suse/RDMA-rxe-Fix-seg-fault-in-rxe_comp_queue_pkt.patch (git-fixes CVE-2024-38544 bsc#1226597). - Update patches.suse/SUNRPC-Fix-RPC-client-cleaned-up-the-freed-pipefs-de.patch (git-fixes CVE-2023-52803 bsc#1225008). - Update patches.suse/af_unix-Clear-stale-u-oob_skb.patch (CVE-2024-26676 bsc#1222380 CVE-2024-35970 bsc#1224584). - Update patches.suse/af_unix-Drop-oob_skb-ref-before-purging-queue-in-GC.patch (CVE-2024-26676 bsc#1222380 CVE-2024-26750 bsc#1222617). - Update patches.suse/af_unix-Fix-task-hung-while-purging-oob_skb-in-GC.patch (CVE-2024-26676 bsc#1222380 CVE-2024-26780 bsc#1222588). - Update patches.suse/af_unix-Update-unix_sk-sk-oob_skb-under-sk_receive_queue-lock.patch (CVE-2024-26676 bsc#1222380 CVE-2024-36972 bsc#1226163). - Update patches.suse/arm64-Restrict-CPU_BIG_ENDIAN-to-GNU-as-or-LLVM-IAS-.patch (git-fixes CVE-2023-52750 bsc#1225485). - Update patches.suse/atl1c-Work-around-the-DMA-RX-overflow-issue.patch (git-fixes CVE-2023-52834 bsc#1225599). - Update patches.suse/ax25-Fix-reference-count-leak-issue-of-net_device.patch (git-fixes CVE-2024-38554 bsc#1226742). - Update patches.suse/ax25-Fix-reference-count-leak-issues-of-ax25_dev.patch (git-fixes CVE-2024-38602 bsc#1226613). - Update patches.suse/blk-cgroup-fix-list-corruption-from-reorder-of-WRITE-lqueued.patch (bsc#1225605 CVE-2024-38384 bsc#1226938). - Update patches.suse/blk-cgroup-fix-list-corruption-from-resetting-io-stat.patch (bsc#1225605 CVE-2024-38663 bsc#1226939). - Update patches.suse/bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch (git-fixes CVE-2024-38540 bsc#1226582). - Update patches.suse/bonding-stop-the-device-in-bond_setup_by_slave.patch (git-fixes CVE-2023-52784 bsc#1224946). - Update patches.suse/can-dev-can_put_echo_skb-don-t-crash-kernel-if-can_p.patch (git-fixes CVE-2023-52878 bsc#1225000). - Update patches.suse/clk-mediatek-clk-mt2701-Add-check-for-mtk_alloc_clk_.patch (git-fixes CVE-2023-52875 bsc#1225096). - Update patches.suse/clk-mediatek-clk-mt6765-Add-check-for-mtk_alloc_clk_.patch (git-fixes CVE-2023-52870 bsc#1224937). - Update patches.suse/clk-mediatek-clk-mt6779-Add-check-for-mtk_alloc_clk_.patch (git-fixes CVE-2023-52873 bsc#1225589). - Update patches.suse/clk-mediatek-clk-mt6797-Add-check-for-mtk_alloc_clk_.patch (git-fixes CVE-2023-52865 bsc#1225086). - Update patches.suse/clk-mediatek-clk-mt7629-Add-check-for-mtk_alloc_clk_.patch (git-fixes CVE-2023-52858 bsc#1225566). - Update patches.suse/clk-mediatek-clk-mt7629-eth-Add-check-for-mtk_alloc_.patch (git-fixes CVE-2023-52876 bsc#1225036). - Update patches.suse/cppc_cpufreq-Fix-possible-null-pointer-dereference.patch (git-fixes CVE-2024-38573 bsc#1226739). - Update patches.suse/cpufreq-exit-callback-is-optional.patch (git-fixes CVE-2024-38615 bsc#1226592). - Update patches.suse/crypto-bcm-Fix-pointer-arithmetic.patch (git-fixes CVE-2024-38579 bsc#1226637). - Update patches.suse/crypto-pcrypt-Fix-hungtask-for-PADATA_RESET.patch (git-fixes CVE-2023-52813 bsc#1225527). - Update patches.suse/cxl-mem-Fix-shutdown-order.patch (git-fixes CVE-2023-52849 bsc#1224949). - Update patches.suse/cxl-region-Do-not-try-to-cleanup-after-cxl_region_se.patch (git-fixes CVE-2023-52792 bsc#1225477). - Update patches.suse/cxl-region-Fix-cxlr_pmem-leaks.patch (git-fixes CVE-2024-38391 bsc#1226894). - Update patches.suse/dma-buf-sw-sync-don-t-enable-IRQ-from-sync_print_obj.patch (git-fixes CVE-2024-38780 bsc#1226886). - Update patches.suse/dma-mapping-benchmark-fix-node-id-validation.patch (git-fixes CVE-2024-34777 bsc#1226796). - Update patches.suse/dma-mapping-benchmark-handle-NUMA_NO_NODE-correctly.patch (git-fixes CVE-2024-39277 bsc#1226909). - Update patches.suse/dmaengine-idxd-Avoid-unnecessary-destruction-of-file.patch (git-fixes CVE-2024-38629 bsc#1226905). - Update patches.suse/drm-amd-Fix-UBSAN-array-index-out-of-bounds-for-Pola.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52819 bsc#1225532). - Update patches.suse/drm-amd-Fix-UBSAN-array-index-out-of-bounds-for-SMU7.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52818 bsc#1225530). - Update patches.suse/drm-amd-check-num-of-link-levels-when-update-pcie-pa.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52812 bsc#1225564). - Update patches.suse/drm-amd-display-Avoid-NULL-dereference-of-timing-gen.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52753 bsc#1225478). - Update patches.suse/drm-amd-display-Fix-division-by-zero-in-setup_dsc_co.patch (stable-fixes CVE-2024-36969 bsc#1226155). - Update patches.suse/drm-amd-display-Fix-null-pointer-dereference-in-erro.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52862 bsc#1225015). - Update patches.suse/drm-amd-display-Fix-potential-index-out-of-bounds-in.patch (git-fixes CVE-2024-38552 bsc#1226767). - Update patches.suse/drm-amd-display-fix-a-NULL-pointer-dereference-in-am.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52773 bsc#1225041). - Update patches.suse/drm-amd-display-fixed-integer-types-and-null-check-l.patch (git-fixes CVE-2024-26767). - Update patches.suse/drm-amdgpu-Fix-a-null-pointer-access-when-the-smc_rr.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52817 bsc#1225569). - Update patches.suse/drm-amdgpu-Fix-buffer-size-in-gfx_v9_4_3_init_-cp_co.patch (git-fixes CVE-2024-39291 bsc#1226934). - Update patches.suse/drm-amdgpu-Fix-potential-null-pointer-derefernce.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52814 bsc#1225565). - Update patches.suse/drm-amdgpu-add-error-handle-to-avoid-out-of-bounds.patch (stable-fixes CVE-2024-39471 bsc#1227096). - Update patches.suse/drm-amdgpu-mes-fix-use-after-free-issue.patch (stable-fixes CVE-2024-38581 bsc#1226657). - Update patches.suse/drm-amdgpu-vkms-fix-a-possible-null-pointer-derefere.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52815 bsc#1225568). - Update patches.suse/drm-amdkfd-Fix-a-race-condition-of-vram-buffer-unref.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52825 bsc#1225076). - Update patches.suse/drm-amdkfd-Fix-shift-out-of-bounds-issue.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52816 bsc#1225529). - Update patches.suse/drm-bridge-cdns-mhdp8546-Fix-possible-null-pointer-d.patch (git-fixes CVE-2024-38548). - Update patches.suse/drm-bridge-it66121-Fix-invalid-connector-dereference.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52861 bsc#1224941). - Update patches.suse/drm-bridge-lt8912b-Fix-crash-on-bridge-detach.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52856 bsc#1224932). - Update patches.suse/drm-mediatek-Add-0-size-check-to-mtk_drm_gem_obj.patch (git-fixes CVE-2024-38549 bsc#1226735). - Update patches.suse/drm-mediatek-Fix-coverity-issue-with-unintentional-i.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52857 bsc#1225581). - Update patches.suse/drm-mediatek-Init-ddp_comp-with-devm_kcalloc.patch (git-fixes CVE-2024-38592 bsc#1226844). - Update patches.suse/drm-msm-a6xx-Avoid-a-nullptr-dereference-when-speedb.patch (git-fixes CVE-2024-38390 bsc#1226891). - Update patches.suse/drm-msm-dpu-Add-callback-function-pointer-check-befo.patch (git-fixes CVE-2024-38622 bsc#1226856). - Update patches.suse/drm-panel-fix-a-possible-null-pointer-dereference.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52821 bsc#1225022). - Update patches.suse/drm-panel-panel-tpo-tpg110-fix-a-possible-null-point.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52826 bsc#1225077). - Update patches.suse/drm-radeon-possible-buffer-overflow.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52867 bsc#1225009). - Update patches.suse/drm-vc4-Fix-possible-null-pointer-dereference.patch (git-fixes CVE-2024-38546 bsc#1226593). - Update patches.suse/drm-vmwgfx-Fix-invalid-reads-in-fence-signaled-event.patch (git-fixes CVE-2024-36960 bsc#1225872). - Update patches.suse/drm-zynqmp_dpsub-Always-register-bridge.patch (git-fixes CVE-2024-38664 bsc#1226941). - Update patches.suse/e1000e-change-usleep_range-to-udelay-in-PHY-mdic-acc.patch (CVE-2024-39296 bsc#1226989 CVE-2024-36887 bsc#1225731). - Update patches.suse/ecryptfs-Fix-buffer-size-for-tag-66-packet.patch (git-fixes CVE-2024-38578 bsc#1226634). - Update patches.suse/efi-libstub-only-free-priv.runtime_map-when-allocate.patch (git-fixes CVE-2024-33619 bsc#1226768). - Update patches.suse/fbdev-imsttfb-fix-a-resource-leak-in-probe.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52838 bsc#1225031). - Update patches.suse/fs-9p-only-translate-RWX-permissions-for-plain-9P200.patch (git-fixes CVE-2024-36964 bsc#1225866). - Update patches.suse/fs-jfs-Add-check-for-negative-db_l2nbperpage.patch (git-fixes CVE-2023-52810 bsc#1225557). - Update patches.suse/fs-jfs-Add-validity-check-for-db_maxag-and-db_agpref.patch (git-fixes CVE-2023-52804 bsc#1225550). - Update patches.suse/ftrace-Fix-possible-use-after-free-issue-in-ftrace_location.patch (git-fixes CVE-2024-38588 bsc#1226837). - Update patches.suse/genirq-irqdesc-Prevent-use-after-free-in-irq_find_at.patch (git-fixes CVE-2024-38385 bsc#1227085). - Update patches.suse/gfs2-ignore-negated-quota-changes.patch (git-fixes CVE-2023-52759 bsc#1225560). - Update patches.suse/hid-cp2112-Fix-duplicate-workqueue-initialization.patch (git-fixes CVE-2023-52853 bsc#1224988). - Update patches.suse/hwmon-axi-fan-control-Fix-possible-NULL-pointer-dere.patch (git-fixes CVE-2023-52863 bsc#1225586). - Update patches.suse/i2c-acpi-Unbind-mux-adapters-before-delete.patch (git-fixes CVE-2024-39362 bsc#1226995). - Update patches.suse/i2c-core-Run-atomic-i2c-xfer-when-preemptible.patch (git-fixes CVE-2023-52791 bsc#1225108). - Update patches.suse/i3c-master-mipi-i3c-hci-Fix-a-kernel-panic-for-acces.patch (git-fixes CVE-2023-52763 bsc#1225570). - Update patches.suse/i3c-mipi-i3c-hci-Fix-out-of-bounds-access-in-hci_dma.patch (git-fixes CVE-2023-52766). - Update patches.suse/i915-perf-Fix-NULL-deref-bugs-with-drm_dbg-calls.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-52788 bsc#1225106). - Update patches.suse/igb-Fix-string-truncation-warnings-in-igb_set_fw_ver.patch (git-fixes CVE-2024-36010 bsc#1225594). - Update patches.suse/iommu-vt-d-Fix-WARN_ON-in-iommu-probe-path.patch (git-fixes CVE-2024-35957 bsc#1224673). - Update patches.suse/iommufd-Fix-missing-update-of-domains_itree-after-splitting-iopt (jsc#PED-7779 jsc#PED-7780 CVE-2023-52801 bsc#1225006). - Update patches.suse/ipvlan-add-ipvlan_route_v6_outbound-helper.patch (git-fixes CVE-2023-52796 bsc#1224930). - Update patches.suse/jffs2-prevent-xattr-node-from-overflowing-the-eraseblock.patch (git-fixes CVE-2024-38599 bsc#1226848). - Update patches.suse/jfs-fix-array-index-out-of-bounds-in-dbFindLeaf.patch (git-fixes CVE-2023-52799 bsc#1225472). - Update patches.suse/jfs-fix-array-index-out-of-bounds-in-diAlloc.patch (git-fixes CVE-2023-52805 bsc#1225553). - Update patches.suse/kunit-fortify-Fix-mismatched-kvalloc-vfree-usage.patch (git-fixes CVE-2024-38617 bsc#1226859). - Update patches.suse/lib-generic-radix-tree.c-Don-t-overflow-in-peek.patch (git-fixes CVE-2021-47432 bsc#1225391). - Update patches.suse/lib-test_hmm.c-handle-src_pfns-and-dst_pfns-allocati.patch (git-fixes CVE-2024-38543 bsc#1226594). - Update patches.suse/locking-ww_mutex-test-Fix-potential-workqueue-corrup.patch (bsc#1219953 CVE-2023-52836 bsc#1225609). - Update patches.suse/md-Don-t-ignore-suspended-array-in-md_check_recovery-1baa.patch (bsc#1219596 CVE-2024-26758). - Update patches.suse/media-atomisp-ssh_css-Fix-a-null-pointer-dereference.patch (git-fixes CVE-2024-38547 bsc#1226632). - Update patches.suse/media-bttv-fix-use-after-free-error-due-to-btv-timeo.patch (git-fixes CVE-2023-52847 bsc#1225588). - Update patches.suse/media-gspca-cpia1-shift-out-of-bounds-in-set_flicker.patch (git-fixes CVE-2023-52764 bsc#1225571). - Update patches.suse/media-hantro-Check-whether-reset-op-is-defined-befor.patch (git-fixes CVE-2023-52850 bsc#1225014). - Update patches.suse/media-i2c-et8ek8-Don-t-strip-remove-function-when-dr.patch (git-fixes CVE-2024-38611 bsc#1226760). - Update patches.suse/media-imon-fix-access-to-invalid-resource-for-the-se.patch (git-fixes CVE-2023-52754 bsc#1225490). - Update patches.suse/media-lgdt3306a-Add-a-check-against-null-pointer-def.patch (stable-fixes CVE-2022-48772 bsc#1226976). - Update patches.suse/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch (git-fixes CVE-2024-38621 bsc#1226895). - Update patches.suse/media-vidtv-mux-Add-check-and-kfree-for-kstrdup.patch (git-fixes CVE-2023-52841 bsc#1225592). - Update patches.suse/media-vidtv-psi-Add-check-for-kstrdup.patch (git-fixes CVE-2023-52844 bsc#1225590). - Update patches.suse/mfd-qcom-spmi-pmic-Fix-revid-implementation.patch (git-fixes CVE-2023-52765 bsc#1225029). - Update patches.suse/misc-microchip-pci1xxxx-fix-double-free-in-the-error.patch (git-fixes CVE-2024-36973 bsc#1226457). - Update patches.suse/net-hns3-fix-out-of-bounds-access-may-occur-when-coa.patch (git-fixes CVE-2023-52807 bsc#1225097). - Update patches.suse/net-ks8851-Queue-RX-packets-in-IRQ-handler-instead-o.patch (git-fixes CVE-2024-36962 bsc#1225827). - Update patches.suse/net-mlx5-Fix-peer-devlink-set-for-SF-representor-dev.patch (git-fixes CVE-2024-38595 bsc#1226741). - Update patches.suse/net-mlx5e-Track-xmit-submission-to-PTP-WQ-after-popu.patch (jsc#PED-3311 CVE-2023-52782 bsc#1225103). - Update patches.suse/net-mvneta-fix-calls-to-page_pool_get_stats.patch (git-fixes CVE-2023-52780 bsc#1224933). - Update patches.suse/net-wangxun-fix-kernel-panic-due-to-null-pointer.patch (git-fixes CVE-2023-52783 bsc#1225104). - Update patches.suse/netfilter-complete-validation-of-user-input.patch (git-fixes CVE-2024-35896 bsc#1224662 CVE-2024-35962 bsc#1224583). - Update patches.suse/nfc-nci-Fix-uninit-value-in-nci_rx_work.patch (git-fixes CVE-2024-38381 bsc#1226878). - Update patches.suse/nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch (git-fixes CVE-2024-39469 bsc#1226992). - Update patches.suse/nilfs2-fix-potential-hang-in-nilfs_detach_log_writer.patch (git-fixes CVE-2024-38582 bsc#1226658). - Update patches.suse/nilfs2-fix-use-after-free-of-timer-for-log-writer-th.patch (git-fixes CVE-2024-38583 bsc#1226777). - Update patches.suse/of-module-add-buffer-overflow-check-in-of_modalias.patch (git-fixes CVE-2024-38541 bsc#1226587). - Update patches.suse/padata-Fix-refcnt-handling-in-padata_free_shell.patch (git-fixes CVE-2023-52854 bsc#1225584). - Update patches.suse/perf-core-Bail-out-early-if-the-request-AUX-area-is-out-of-bound.patch (git-fixes CVE-2023-52835 bsc#1225602). - Update patches.suse/platform-x86-wmi-Fix-opening-of-char-device.patch (git-fixes CVE-2023-52864 bsc#1225132). - Update patches.suse/powerpc-pseries-iommu-LPAR-panics-during-boot-up-wit.patch (bsc#1222011 ltc#205900 CVE-2024-36926 bsc#1225829). - Update patches.suse/pstore-platform-Add-check-for-kstrdup.patch (git-fixes CVE-2023-52869 bsc#1225050). - Update patches.suse/remoteproc-mediatek-Make-sure-IPI-buffer-fits-in-L2T.patch (git-fixes CVE-2024-36965 bsc#1226149). - Update patches.suse/ring-buffer-Fix-a-race-between-readers-and-resize-checks.patch (git-fixes CVE-2024-38601 bsc#1226876). - Update patches.suse/s390-dasd-protect-device-queue-against-concurrent-access.patch (git-fixes bsc#1217481 CVE-2023-52774 bsc#1225572). - Update patches.suse/scsi-hisi_sas-Set-debugfs_dir-pointer-to-NULL-after-removing-debugfs.patch (git-fixes CVE-2023-52808 bsc#1225555). - Update patches.suse/scsi-ibmvfc-Remove-BUG_ON-in-the-case-of-an-empty-ev.patch (bsc#1209834 ltc#202097 CVE-2023-52811 bsc#1225559). - Update patches.suse/scsi-libfc-Fix-potential-NULL-pointer-dereference-in-fc_lport_ptp_setup.patch (git-fixes CVE-2023-52809 bsc#1225556). - Update patches.suse/scsi-lpfc-Move-NPIV-s-transport-unregistration-to-af.patch (bsc#1221777 CVE-2024-36952 bsc#1225898). - Update patches.suse/scsi-lpfc-Release-hbalock-before-calling-lpfc_worker.patch (bsc#1221777 CVE-2024-36924 bsc#1225820). - Update patches.suse/serial-max3100-Lock-port-lock-when-calling-uart_hand.patch (git-fixes CVE-2024-38634 bsc#1226868). - Update patches.suse/serial-max3100-Update-uart_driver_registered-on-driv.patch (git-fixes CVE-2024-38633 bsc#1226867). - Update patches.suse/soc-qcom-llcc-Handle-a-second-device-without-data-co.patch (git-fixes CVE-2023-52871 bsc#1225534). - Update patches.suse/soundwire-cadence-fix-invalid-PDI-offset.patch (stable-fixes CVE-2024-38635 bsc#1226863). - Update patches.suse/speakup-Fix-sizeof-vs-ARRAY_SIZE-bug.patch (git-fixes CVE-2024-38587 bsc#1226780). - Update patches.suse/spi-Fix-null-dereference-on-suspend.patch (git-fixes CVE-2023-52749 bsc#1225476). - Update patches.suse/thermal-core-prevent-potential-string-overflow.patch (git-fixes CVE-2023-52868 bsc#1225044). - Update patches.suse/thermal-drivers-qcom-lmh-Check-for-SCM-availability-.patch (git-fixes CVE-2024-39466 bsc#1227089). - Update patches.suse/thermal-drivers-tsens-Fix-null-pointer-dereference.patch (git-fixes CVE-2024-38571 bsc#1226737). - Update patches.suse/thermal-intel-powerclamp-fix-mismatch-in-get-functio.patch (git-fixes CVE-2023-52794 bsc#1225028). - Update patches.suse/tls-fix-NULL-deref-on-tls_sw_splice_eof-with-empty-r.patch (jsc#PED-6831 CVE-2023-52767 bsc#1224998). - Update patches.suse/tpm_tis_spi-Account-for-SPI-header-when-allocating-T.patch (git-fixes CVE-2024-36477 bsc#1226840). - Update patches.suse/tracing-Have-trace_event_file-have-ref-counters.patch (git-fixes CVE-2023-52879 bsc#1225101). - Update patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch (git-fixes CVE-2024-26920). - Update patches.suse/tty-n_gsm-fix-race-condition-in-status-line-change-o.patch (git-fixes CVE-2023-52872 bsc#1225591). - Update patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch (bsc#1222619 CVE-2023-52880). - Update patches.suse/tty-vcc-Add-check-for-kstrdup-in-vcc_probe.patch (git-fixes CVE-2023-52789 bsc#1225180). - Update patches.suse/usb-config-fix-iteration-issue-in-usb_get_bos_descri.patch (git-fixes CVE-2023-52781 bsc#1225092). - Update patches.suse/usb-dwc3-Wait-unconditionally-after-issuing-EndXfer-.patch (git-fixes CVE-2024-36977 bsc#1226513). - Update patches.suse/usb-gadget-u_audio-Fix-race-condition-use-of-control.patch (git-fixes CVE-2024-38628 bsc#1226911). - Update patches.suse/usb-storage-alauda-Check-whether-the-media-is-initia.patch (git-fixes CVE-2024-38619 bsc#1226861). - Update patches.suse/usb-typec-tcpm-Fix-NULL-pointer-dereference-in-tcpm_.patch (git-fixes CVE-2023-52877 bsc#1224944). - Update patches.suse/vhost-vdpa-fix-use-after-free-in-vhost_vdpa_probe.patch (jsc#PED-3311 CVE-2023-52795 bsc#1225085). - Update patches.suse/virtio-blk-fix-implicit-overflow-on-virtio_max_dma_s.patch (git-fixes CVE-2023-52762 bsc#1225573). - Update patches.suse/virtio-vsock-Fix-uninit-value-in-virtio_transport_re.patch (jsc#PED-5505 CVE-2023-52842 bsc#1225025). - Update patches.suse/watchdog-cpu5wdt.c-Fix-use-after-free-bug-caused-by-.patch (git-fixes CVE-2024-38630 bsc#1226908). - Update patches.suse/wifi-ar5523-enable-proper-endpoint-verification.patch (git-fixes CVE-2024-38565 bsc#1226747). - Update patches.suse/wifi-ath11k-fix-dfs-radar-event-locking.patch (git-fixes CVE-2023-52798 bsc#1224947). - Update patches.suse/wifi-ath11k-fix-gtk-offload-status-event-locking.patch (git-fixes CVE-2023-52777 bsc#1224992). - Update patches.suse/wifi-ath11k-fix-htt-pktlog-locking.patch (git-fixes CVE-2023-52800). - Update patches.suse/wifi-ath12k-fix-dfs-radar-and-temperature-event-lock.patch (git-fixes CVE-2023-52776 bsc#1225090). - Update patches.suse/wifi-ath12k-fix-htt-mlo-offset-event-locking.patch (git-fixes CVE-2023-52769 bsc#1225001). - Update patches.suse/wifi-ath12k-fix-out-of-bound-access-of-qmi_invoke_ha.patch (git-fixes CVE-2024-38572 bsc#1226776). - Update patches.suse/wifi-ath12k-fix-possible-out-of-bound-read-in-ath12k.patch (git-fixes CVE-2023-52827 bsc#1225078). - Update patches.suse/wifi-ath12k-fix-possible-out-of-bound-write-in-ath12.patch (git-fixes CVE-2023-52829 bsc#1225081). - Update patches.suse/wifi-brcmfmac-pcie-handle-randbuf-allocation-failure.patch (git-fixes CVE-2024-38575 bsc#1226612). - Update patches.suse/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch (git-fixes CVE-2024-38567 bsc#1226769). - Update patches.suse/wifi-carl9170-re-fix-fortified-memset-warning.patch (git-fixes CVE-2024-38616 bsc#1226852). - Update patches.suse/wifi-mac80211-don-t-return-unset-power-in-ieee80211_.patch (git-fixes CVE-2023-52832 bsc#1225577). - Update patches.suse/wifi-nl80211-Avoid-address-calculations-via-out-of-b.patch (git-fixes CVE-2024-38562 bsc#1226788). - Update patches.suse/wifi-wilc1000-use-vmm_table-as-array-in-wilc-struct.patch (git-fixes CVE-2023-52768 bsc#1225004). - Update patches.suse/x86-tdx-Zero-out-the-missing-RSI-in-TDX_HYPERCALL-macro.patch (jsc#PED-5824 CVE-2023-52874 bsc#1225049). - commit 33efdc4 - tcp: do not accept ACK of bytes we never sent (CVE-2023-52881 bsc#1225611). - commit 16404a6 - net: ena: Fix redundant device NUMA node override (jsc#PED-8688). - commit 6ad6684 - ata: ahci: Clean up sysfs file on error (git-fixes). - ata: libata-core: Fix double free on error (git-fixes). - ata,scsi: libata-core: Do not leak memory for ata_port struct members (git-fixes). - ata: libata-core: Fix null pointer dereference on error (git-fixes). - kbuild: Fix build target deb-pkg: ln: failed to create hard link (git-fixes). - kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates (git-fixes). - kbuild: Install dtb files as 0644 in Makefile.dtbinst (git-fixes). - counter: ti-eqep: enable clock at probe (git-fixes). - iio: chemical: bme680: Fix sensor data read operation (git-fixes). - iio: chemical: bme680: Fix overflows in compensate() functions (git-fixes). - iio: chemical: bme680: Fix calibration data variable (git-fixes). - iio: chemical: bme680: Fix pressure value output (git-fixes). - iio: accel: fxls8962af: select IIO_BUFFER &amp; IIO_KFIFO_BUF (git-fixes). - iio: adc: ad7266: Fix variable checking bug (git-fixes). - iio: xilinx-ams: Don't include ams_ctrl_channels in scan_mask (git-fixes). - serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited() (git-fixes). - serial: core: introduce uart_port_tx_limited_flags() (git-fixes). - Revert &quot;serial: core: only stop transmit when HW fifo is empty&quot; (git-fixes). - tty: mcf: MCF54418 has 10 UARTS (git-fixes). - usb: gadget: aspeed_udc: fix device address configuration (git-fixes). - usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock (git-fixes). - usb: typec: ucsi: glink: fix child node release in probe function (git-fixes). - usb: musb: da8xx: fix a resource leak in probe() (git-fixes). - usb: atm: cxacru: fix endpoint checking in cxacru_bind() (git-fixes). - usb: gadget: printer: fix races against disable (git-fixes). - PCI/MSI: Fix UAF in msi_capability_init (git-fixes). - commit a2ea5a9 - crypto: deflate - Add aliases to deflate (bsc#1227190). - commit 27ffd92 - crypto: iaa - Account for cpu-less numa nodes (bsc#1227190). - commit cd600aa - i2c: testunit: discard write requests while old command is running (git-fixes). - i2c: testunit: don't erase registers after STOP (git-fixes). - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() (git-fixes). - mmc: sdhci: Do not invert write-protect twice (git-fixes). - mmc: sdhci-brcmstb: check R1_STATUS for erase/trim/discard (git-fixes). - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos (git-fixes). - commit 448487d - gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) (git-fixes). - gpio: davinci: Validate the obtained number of IRQs (git-fixes). - commit 919ebd1 - wifi: iwlwifi: mvm: fix the TXF mapping for BZ devices (bsc#1227149). - wifi: iwlwifi: clear link_id in time_event (bsc#1227149). - wifi: iwlwifi: mvm: fix a battery life regression (bsc#1227149). - wifi: iwlwifi: remove extra kernel-doc (bsc#1227149). - wifi: iwlwifi: mvm: skip adding debugfs symlink for reconfig (bsc#1227149). - wifi: iwlwifi: replace ENOTSUPP with EOPNOTSUPP (bsc#1227149). - wifi: iwlwifi: mvm: use the new command to clear the internal buffer (bsc#1227149). - commit acd03db - wifi: iwlwifi: mvm: add US/Canada MCC to API (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-mvm-fix-warnings-from-dmi_get_system_in.patch. - commit 70a9591 - wifi: iwlwifi: mvm: disallow puncturing in US/Canada (bsc#1227149). - wifi: iwlwifi: Add rf_mapping of new wifi7 devices (bsc#1227149). - wifi: iwlwifi: cleanup BT Shared Single Antenna code (bsc#1227149). - wifi: iwlwifi: mvm: Do not warn if valid link pair was not found (bsc#1227149). - wifi: iwlwifi: mvm: d3: avoid intermediate/early mutex unlock (bsc#1227149). - wifi: iwlwifi: Don't mark DFS channels as NO-IR (bsc#1227149). - wifi: iwlwifi: mvm: Allow DFS concurrent operation (bsc#1227149). - wifi: iwlwifi: mvm: do not send STA_DISABLE_TX_CMD for newer firmware (bsc#1227149). - wifi: iwlwifi: remove async command callback (bsc#1227149). - commit 0205124 - wifi: iwlwifi: fw: file: don't use [0] for variable arrays (bsc#1227149). - wifi: iwlwifi: pcie: get_crf_id() can be void (bsc#1227149). - wifi: iwlwifi: pcie: dump CSRs before removal (bsc#1227149). - wifi: iwlwifi: pcie: clean up device removal work (bsc#1227149). - wifi: iwlwifi: mvm: add a debugfs hook to clear the monitor data (bsc#1227149). - wifi: iwlwifi: refactor RX tracing (bsc#1227149). - wifi: iwlwifi: mvm: Correctly report TSF data in scan complete (bsc#1227149). - wifi: iwlwifi: mvm: Use the link ID provided in scan request (bsc#1227149). - wifi: iwlwifi: fw: replace deprecated strncpy with strscpy_pad (bsc#1227149). - wifi: iwlwifi: fix system commands group ordering (bsc#1227149). - commit 6cae420 - wifi: iwlwifi: drop NULL pointer check in iwl_mvm_tzone_set_trip_temp() (bsc#1227149). - wifi: iwlwifi: bump FW API to 86 for AX/BZ/SC devices (bsc#1227149). - wifi: iwlwifi: read DSM func 2 for specific RF types (bsc#1227149). - wifi: iwlwifi: mvm: show dump even for pldr_sync (bsc#1227149). - wifi: iwlwifi: mvm: cycle FW link on chanctx removal (bsc#1227149). - wifi: iwlwifi: trace full frames with TX status request (bsc#1227149). - wifi: iwlwifi: fw: Add support for UATS table in UHB (bsc#1227149). - wifi: iwlwifi: mvm: add a print when sending RLC command (bsc#1227149). - wifi: iwlwifi: mvm: debugfs for fw system stats (bsc#1227149). - wifi: iwlwifi: mvm: implement new firmware API for statistics (bsc#1227149). - commit ed6b54f - wifi: iwlwifi: disable multi rx queue for 9000 (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-mvm-include-link-ID-when-releasing-fram.patch. - commit 9866ec0 - wifi: iwlwifi: mvm: fix regdb initialization (bsc#1227149). - wifi: iwlwifi: mvm: simplify the reorder buffer (bsc#1227149). - wifi: iwlwifi: mvm: Return success if link could not be removed (bsc#1227149). - wifi: iwlwifi: add support for SNPS DPHYIP region type (bsc#1227149). - wifi: iwlwifi: mvm: remove set_tim callback for MLD ops (bsc#1227149). - wifi: iwlwifi: api: fix center_freq label in PHY diagram (bsc#1227149). - wifi: iwlwifi: support link id in SESSION_PROTECTION_NOTIF (bsc#1227149). - wifi: iwlwifi: support link_id in SESSION_PROTECTION cmd (bsc#1227149). - wifi: iwlwifi: make time_events MLO aware (bsc#1227149). - commit 1ea0f35 - wifi: iwlwifi: add support for activating UNII-1 in WW via BIOS (bsc#1227149). - wifi: iwlwifi: mvm: extend alive timeout to 2 seconds (bsc#1227149). - wifi: iwlwifi: mvm: fix the PHY context resolution for p2p device (bsc#1227149). - wifi: iwlwifi: mvm: fold the ref++ into iwl_mvm_phy_ctxt_add (bsc#1227149). - wifi: iwlwifi: mvm: don't add dummy phy context (bsc#1227149). - wifi: iwlwifi: mvm: cleanup MLO and non-MLO unification code (bsc#1227149). - wifi: iwlwifi: mvm: implement ROC version 3 (bsc#1227149). - wifi: iwlwifi: send EDT table to FW (bsc#1227149). - wifi: iwlmvm: fw: Add new OEM vendor to tas approved list (bsc#1227149). - wifi: iwlwifi: mvm: Fix unreachable code path (bsc#1227149). - commit 50ebcaa - wifi: iwlwifi: mvm: advertise support for SCS traffic description (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-do-not-announce-EPCS-support.patch. - commit 7208326 - wifi: iwlwifi: add new RF support for wifi7 (bsc#1227149). - wifi: iwlwifi: fw: increase fw_version string size (bsc#1227149). - wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware() (bsc#1227149). - wifi: iwlwifi: fix the rf step and flavor bits range (bsc#1227149). - wifi: iwlwifi: fw: Fix debugfs command sending (bsc#1227149). - wifi: iwlwifi: mvm: add start mac ctdp sum calculation debugfs handler (bsc#1227149). - wifi: iwlwifi: abort scan when rfkill on but device enabled (bsc#1227149). - wifi: iwlwifi: mvm: Add basic link selection logic (bsc#1227149). - wifi: iwlwifi: mei: return error from register when not built (bsc#1227149). - commit fddf9eb - wifi: iwlwifi: mvm: fix SB CFG check (bsc#1227149). - wifi: iwlwifi: mvm: add a per-link debugfs (bsc#1227149). - wifi: iwlwifi: mvm: rework debugfs handling (bsc#1227149). - wifi: iwlwifi: add support for new ini region types (bsc#1227149). - wifi: iwlwifi: Extract common prph mac/phy regions data dump logic (bsc#1227149). - wifi: iwlwifi: bump FW API to 84 for AX/BZ/SC devices (bsc#1227149). - wifi: iwlwifi: mvm: offload IGTK in AP if BIGTK is supported (bsc#1227149). - wifi: iwlwifi: pcie: clean up WFPM control bits (bsc#1227149). - wifi: iwlwifi: fix opmode start/stop race (bsc#1227149). - wifi: iwlwifi: skip opmode start retries on dead transport (bsc#1227149). - commit 36551d1 - wifi: iwlwifi: mvm: add support for new wowlan_info_notif (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-mvm-d3-fix-IPN-byte-order.patch. - commit 0b379ae - wifi: iwlwifi: pcie: propagate iwl_pcie_gen2_apm_init() error (bsc#1227149). - wifi: iwlwifi: add mapping of a periphery register crf for WH RF (bsc#1227149). - wifi: iwlwifi: mvm: check for iwl_mvm_mld_update_sta() errors (bsc#1227149). - wifi: iwlwifi: mvm: support injection antenna control (bsc#1227149). - wifi: iwlwifi: mvm: refactor TX rate handling (bsc#1227149). - wifi: iwlwifi: mvm: make pldr_sync AX210 specific (bsc#1227149). - wifi: iwlwifi: fail NIC access fast on dead NIC (bsc#1227149). - wifi: iwlwifi: pcie: (re-)assign BAR0 on driver bind (bsc#1227149). - commit 0882d6d - wifi: iwlwifi: implement enable/disable for China 2022 regulatory (bsc#1227149). - wifi: iwlwifi: mvm: handle link-STA allocation in restart (bsc#1227149). - wifi: iwlwifi: mvm: iterate active links for STA queues (bsc#1227149). - wifi: iwlwifi: mvm: support set_antenna() (bsc#1227149). - wifi: iwlwifi: mvm: add a debug print when we get a BAR (bsc#1227149). - wifi: iwlwifi: mvm: move listen interval to constants (bsc#1227149). - wifi: iwlwifi: no power save during transition to D3 (bsc#1227149). - wifi: iwlwifi: update context info structure definitions (bsc#1227149). - wifi: iwlwifi: mvm: fix recovery flow in CSA (bsc#1227149). - wifi: iwlwifi: mvm: enable FILS DF Tx on non-PSC channel (bsc#1227149). - commit 5c7efaf - wifi: iwlwifi: mvm: make &quot;pldr_sync&quot; mode effective (bsc#1227149). - wifi: iwlwifi: mvm: log dropped frames (bsc#1227149). - wifi: iwlwifi: fw: disable firmware debug asserts (bsc#1227149). - wifi: iwlwifi: remove dead-code (bsc#1227149). - wifi: iwlwifi: pcie: enable TOP fatal error interrupt (bsc#1227149). - wifi: iwlwifi: pcie: give up mem read if HW is dead (bsc#1227149). - wifi: iwlwifi: pcie: rescan bus if no parent (bsc#1227149). - wifi: iwlwifi: mvm: reduce maximum RX A-MPDU size (bsc#1227149). - wifi: iwlwifi: mvm: check link more carefully (bsc#1227149). - wifi: iwlwifi: mvm: move RU alloc B2 placement (bsc#1227149). - commit 8aa4ff8 - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails (CVE-2024-37353 bsc#1226875). - commit 4591439 - wifi: iwlwifi: mvm: fix kernel-doc (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-mvm-ensure-offloading-TID-queue-exists.patch. - commit 68376c9 - wifi: iwlwifi: pcie: fix kernel-doc issues (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-pcie-fix-RB-status-reading.patch. - commit f106797 - wifi: iwlwifi: fw: reconstruct the API/CAPA enum number (bsc#1227149). - wifi: iwlwifi: dvm: remove kernel-doc warnings (bsc#1227149). - wifi: iwlwifi: queue: fix kernel-doc (bsc#1227149). - wifi: iwlwifi: fix some kernel-doc issues (bsc#1227149). - wifi: iwlwifi: mvm: disconnect long CSA only w/o alternative (bsc#1227149). - wifi: iwlwifi: mvm: increase session protection after CSA (bsc#1227149). - wifi: iwlwifi: mvm: support CSA with MLD (bsc#1227149). - wifi: iwlmei: don't send nic info with invalid mac address (bsc#1227149). - commit 85cbe83 - wifi: iwlwifi: mvm: support flush on AP interfaces (bsc#1227149). - Refresh patches.suse/wifi-iwlwifi-mvm-change-iwl_mvm_flush_sta-API.patch. - commit 908ff7c - wifi: iwlmei: send driver down SAP message only if wiamt is enabled (bsc#1227149). - wifi: iwlmei: send HOST_GOES_DOWN message even if wiamt is disabled (bsc#1227149). - wifi: iwlmei: don't send SAP messages if AMT is disabled (bsc#1227149). - wifi: iwlwifi: remove memory check for LMAC error address (bsc#1227149). - wifi: iwlwifi: mvm: enable HE TX/RX &lt;242 tone RU on new RFs (bsc#1227149). - wifi: iwlwifi: add Razer to ppag approved list (bsc#1227149). - wifi: iwlwifi: pcie: point invalid TFDs to invalid data (bsc#1227149). - wifi: iwlwifi: queue: move iwl_txq_gen2_set_tb() up (bsc#1227149). - wifi: iwlwifi: pcie: move gen1 TB handling to header (bsc#1227149). - commit 92ab309 - wifi: iwlwifi: remove 'def_rx_queue' struct member (bsc#1227149). - wifi: iwlwifi: pcie: clean up gen1/gen2 TFD unmap (bsc#1227149). - wifi: iwlwifi: remove WARN from read_mem32() (bsc#1227149). - wifi: iwlwifi: api: fix a small upper/lower-case typo (bsc#1227149). - wifi: iwlwifi: mvm: advertise MLO only if EHT is enabled (bsc#1227149). - commit aa9a391 - Add alt-commit to iwlwifi patches - commit 865aa7a - wifi: mac80211: fix unsolicited broadcast probe config (bsc#1227149). - wifi: mac80211: initialize SMPS mode correctly (bsc#1227149). - wifi: mac80211: fix driver debugfs for vif type change (bsc#1227149). - wifi: mac80211: improve CSA/ECSA connection refusal (bsc#1227149). - wifi: cfg80211: detect stuck ECSA element in probe resp (bsc#1227149). - wifi: mac80211: add/remove driver debugfs entries as appropriate (bsc#1227149). - wifi: mac80211: do not re-add debugfs entries during resume (bsc#1227149). - commit 769161a - wifi: mac80211: remove redundant ML element check (bsc#1227149). - wifi: cfg80211: Update the default DSCP-to-UP mapping (bsc#1227149). - wifi: mac80211: fix spelling typo in comment (bsc#1227149). - wifi: mac80211: add a driver callback to check active_links (bsc#1227149). - wifi: mac80211: fix advertised TTLM scheduling (bsc#1227149). - wifi: cfg80211: avoid double free if updating BSS fails (bsc#1227149). - commit e8bab13 - wifi: cfg80211: handle UHB AP and STA power type (bsc#1227149). - commit 6021aa4 - wifi: cfg80211: ensure cfg80211_bss_update frees IEs on error (bsc#1227149). - wifi: mac80211: allow 64-bit radiotap timestamps (bsc#1227149). - wifi: mac80211: rework RX timestamp flags (bsc#1227149). - wifi: mac80211: Schedule regulatory channels check on bandwith change (bsc#1227149). - wifi: cfg80211: Schedule regulatory check on BSS STA channel change (bsc#1227149). - wifi: cfg80211: reg: Support P2P operation on DFS channels (bsc#1227149). - wifi: mac80211: Skip association timeout update after comeback rejection (bsc#1227149). - wifi: mac80211: address some kerneldoc warnings (bsc#1227149). - wifi: cfg80211: address several kerneldoc warnings (bsc#1227149). - commit bc44e06 - wifi: cfg80211: generate an ML element for per-STA profiles (bsc#1227149). - Refresh patches.suse/wifi-cfg80211-parse-all-ML-elements-in-an-ML-probe-r.patch. - commit d924102 - wifi: cfg80211: introduce cfg80211_ssid_eq() (bsc#1227149). - wifi: mac80211: sta_info.c: fix sentence grammar (bsc#1227149). - wifi: mac80211: rx.c: fix sentence grammar (bsc#1227149). - wifi: cfg80211: fix spelling &amp; punctutation (bsc#1227149). - wifi: cfg80211: sort certificates in build (bsc#1227149). - wifi: mac80211: drop spurious WARN_ON() in ieee80211_ibss_csa_beacon() (bsc#1227149). - wifi: mac80211: don't set ESS capab bit in assoc request (bsc#1227149). - wifi: cfg80211: consume both probe response and beacon IEs (bsc#1227149). - wifi: cfg80211: Replace ENOTSUPP with EOPNOTSUPP (bsc#1227149). - commit 5e5ecdb - wifi: cfg80211: OWE DH IE handling offload (bsc#1227149). - commit 58c8e33 - wifi: cfg80211: add BSS usage reporting (bsc#1227149). - Refresh patches.suse/wifi-cfg80211-parse-all-ML-elements-in-an-ML-probe-r.patch. - commit 5b2693d - wifi: mac80211: Replace ENOTSUPP with EOPNOTSUPP (bsc#1227149). - wifi: mac80211: add a flag to disallow puncturing (bsc#1227149). - wifi: cfg80211: Add support for setting TID to link mapping (bsc#1227149). - wifi: mac80211: update some locking documentation (bsc#1227149). - wifi: nl80211: Extend del pmksa support for SAE and OWE security (bsc#1227149). - wifi: mac80211: cleanup airtime arithmetic with ieee80211_sta_keep_active() (bsc#1227149). - wifi: cfg80211: expose nl80211_chan_width_to_mhz for wide sharing (bsc#1227149). - wifi: cfg80211: make RX assoc data const (bsc#1227149). - commit e4b61c4 - wifi: cfg80211: Extend support for scanning while MLO connected (bsc#1227149). - commit b4c9412 - wifi: cfg80211: hold wiphy mutex for send_interface (bsc#1227149). - Refresh patches.suse/wifi-cfg80211-fix-missing-interfaces-when-dumping.patch. - commit 2123690 - wifi: cfg80211: fix CQM for non-range use (bsc#1227149). - commit 3c8ba48 - wifi: nl80211: refactor nl80211_send_mlme_event() arguments (bsc#1227149). - wifi: mac80211: Extend support for scanning while MLO connected (bsc#1227149). - wifi: mac80211: use wiphy locked debugfs for sdata/link (bsc#1227149). - wifi: mac80211: use wiphy locked debugfs helpers for agg_status (bsc#1227149). - wifi: cfg80211: add locked debugfs wrappers (bsc#1227149). - wifi: mac80211: drop robust action frames before assoc (bsc#1227149). - wifi: cfg80211: Allow AP/P2PGO to indicate port authorization to peer STA/P2PClient (bsc#1227149). - commit 03e12a0 - blacklist: drop the wifi entries to be backported - commit 891934b - wifi: mac80211: fix another key installation error path (bsc#1227149). - wifi: mac80211: rename struct cfg80211_rx_assoc_resp to cfg80211_rx_assoc_resp_data (bsc#1227149). - wifi: mac80211: rename ieee80211_tx_status() to ieee80211_tx_status_skb() (bsc#1227149). - wifi: mac80211: fix change_address deadlock during unregister (bsc#1227149). - wifi: mac80211: Add __counted_by for struct ieee802_11_elems and use struct_size() (bsc#1227149). - wifi: remove unused argument of ieee80211_get_tdls_action() (bsc#1227149). - wifi: mac80211: fix header kernel-doc typos (bsc#1227149). - wifi: cfg80211: fix header kernel-doc typos (bsc#1227149). - wifi: mac80211: add link id to mgd_prepare_tx() (bsc#1227149). - wifi: mac80211: Check if we had first beacon with relevant links (bsc#1227149). - commit fa14599 - kABI fix of KVM: x86/pmu: Prioritize VMX interception over - commit 1f1d114 - wifi: mac80211: flush STA queues on unauthorization (bsc#1227149). - wifi: mac80211: purge TX queues in flush_queues flow (bsc#1227149). - wifi: cfg80211: wext: convert return value to kernel-doc (bsc#1227149). - wifi: mac80211: fix a expired vs. cancel race in roc (bsc#1227149). - wifi: mac80211: make mgd_protect_tdls_discover MLO-aware (bsc#1227149). - wifi: cfg80211: Fix typo in documentation (bsc#1227149). - wifi: cfg80211: Handle specific BSSID in 6GHz scanning (bsc#1227149). - wifi: mac80211: mesh: fix some kdoc warnings (bsc#1227149). - wifi: cfg80211: Include operating class 137 in 6GHz band (bsc#1227149). - wifi: mac80211: Rename and update IEEE80211_VIF_DISABLE_SMPS_OVERRIDE (bsc#1227149). - commit 585676b - wifi: mac80211: split ieee80211_drop_unencrypted_mgmt() return value (bsc#1227149). - commit 3835ef2 - wifi: mac80211: fix error path key leak (bsc#1227149). - Refresh patches.suse/wifi-mac80211-remove-key_mtx.patch. - commit 3b93fe9 - wifi: mac80211: fix potential key leak (bsc#1227149). - Refresh patches.suse/wifi-mac80211-remove-key_mtx.patch. - commit 9fa5ec3 - wifi: mac80211: handle debugfs when switching to/from MLO (bsc#1227149). - wifi: mac80211: add a driver callback to add vif debugfs (bsc#1227149). - wifi: mac80211: cleanup auth_data only if association continues (bsc#1227149). - wifi: mac80211: add back SPDX identifier (bsc#1227149). - wifi: mac80211: fix ieee80211_drop_unencrypted_mgmt return type/value (bsc#1227149). - wifi: mac80211: expand __ieee80211_data_to_8023() status (bsc#1227149). - wifi: mac80211: remove RX_DROP_UNUSABLE (bsc#1227149). - commit e0a6a5e - wifi: cfg80211: add local_state_change to deauth trace (bsc#1227149). - wifi: mac80211: reject MLO channel configuration if not supported (bsc#1227149). - wifi: mac80211: report per-link error during association (bsc#1227149). - wifi: cfg80211: report per-link errors during association (bsc#1227149). - wifi: mac80211: support antenna control in injection (bsc#1227149). - wifi: mac80211: support handling of advertised TID-to-link mapping (bsc#1227149). - wifi: mac80211: add support for parsing TID to Link mapping element (bsc#1227149). - wifi: mac80211: Notify the low level driver on change in MLO valid links (bsc#1227149). - wifi: mac80211: describe return values in kernel-doc (bsc#1227149). - wifi: cfg80211: reg: describe return values in kernel-doc (bsc#1227149). - commit df6c84a - wifi: mac80211: allow for_each_sta_active_link() under RCU (bsc#1227149). - wifi: mac80211: relax RCU check in for_each_vif_active_link() (bsc#1227149). - wifi: mac80211: don't connect to an AP while it's in a CSA process (bsc#1227149). - wifi: mac80211: update the rx_chains after set_antenna() (bsc#1227149). - wifi: mac80211: use bandwidth indication element for CSA (bsc#1227149). - wifi: cfg80211: split struct cfg80211_ap_settings (bsc#1227149). - wifi: mac80211: ethtool: always hold wiphy mutex (bsc#1227149). - wifi: cfg80211: make read-only array centers_80mhz static const (bsc#1227149). - wifi: cfg80211: save power spectral density(psd) of regulatory rule (bsc#1227149). - wifi: cfg80211: fix kernel-doc for wiphy_delayed_work_flush() (bsc#1227149). - commit 7f3b9af - wifi: mac80211: Sanity check tx bitrate if not provided by driver (bsc#1227149). - wifi: cfg80211: export DFS CAC time and usable state helper functions (bsc#1227149). - wifi: cfg80211: call reg_call_notifier on beacon hints (bsc#1227149). - wifi: cfg80211: allow reg update by driver even if wiphy-&gt;regd is set (bsc#1227149). - wifi: mac80211: additions to change_beacon() (bsc#1227149). - wifi: nl80211: additions to NL80211_CMD_SET_BEACON (bsc#1227149). - wifi: cfg80211: modify prototype for change_beacon (bsc#1227149). - wifi: mac80211: fixes in FILS discovery updates (bsc#1227149). - wifi: nl80211: fixes to FILS discovery updates (bsc#1227149). - wifi: lib80211: remove unused variables iv32 and iv16 (bsc#1227149). - commit 67ccb18 - wifi: mac80211: fix various kernel-doc issues (bsc#1227149). - Refresh patches.suse/wifi-mac80211-track-capability-opmode-NSS-separately.patch. - commit b1c042f - wifi: mac80211: remove shifted rate support (bsc#1227149). - wifi: cfg80211: remove scan_width support (bsc#1227149). - wifi: wext: avoid extra calls to strlen() in ieee80211_bss() (bsc#1227149). - wifi: mac80211: fix channel switch link data (bsc#1227149). - wifi: mac80211: Do not force off-channel for management Tx with MLO (bsc#1227149). - wifi: mac80211: take MBSSID/EHT data also from probe resp (bsc#1227149). - wifi: mac80211: Print local link address during authentication (bsc#1227149). - wifi: cfg80211: reg: fix various kernel-doc issues (bsc#1227149). - wifi: mac80211: remove unnecessary struct forward declaration (bsc#1227149). - commit 5936128 - wifi: cfg80211: annotate iftype_data pointer with sparse (bsc#1227149). - Refresh patches.suse/wifi-cfg80211-fix-wiphy-delayed-work-queueing.patch. - commit 031b8a7 - wifi: mac80211: add more warnings about inserting sta info (bsc#1227149). - wifi: mac80211: add support for mld in ieee80211_chswitch_done (bsc#1227149). - wifi: mac80211: fix BA session teardown race (bsc#1227149). - wifi: mac80211: fix TXQ error path and cleanup (bsc#1227149). - commit 8e5b425 - wifi: cfg80211: remove wdev mutex (bsc#1227149). - commit 4d7cf99 - wifi: mac80211: set wiphy for virtual monitors (bsc#1227149). - commit 6022030 - iommu/amd: Fix sysfs leak in iommu init (git-fixes). - commit 5b11e2a - wifi: mac80211: remove key_mtx (bsc#1227149). - commit 36d4ad3 - iommu: Return right value in iommu_sva_bind_device() (git-fixes). - commit 769b149 - wifi: mac80211: remove sta_mtx (bsc#1227149). - Refresh patches.suse/wifi-mac80211-check-if-the-existing-link-config-rema.patch. - Refresh patches.suse/wifi-mac80211-don-t-re-add-debugfs-during-reconfig.patch. - commit 5b967e8 - wifi: mac80211: reduce iflist_mtx (bsc#1227149). - wifi: mac80211: remove local-&gt;mtx (bsc#1227149). - wifi: mac80211: remove ampdu_mlme.mtx (bsc#1227149). - wifi: mac80211: remove chanctx_mtx (bsc#1227149). - wifi: mac80211: take wiphy lock for MAC addr change (bsc#1227149). - wifi: mac80211: extend wiphy lock in interface removal (bsc#1227149). - wifi: mac80211: hold wiphy_lock around concurrency checks (bsc#1227149). - wifi: mac80211: ethtool: hold wiphy mutex (bsc#1227149). - commit b3dacec - wifi: mac80211: check wiphy mutex in ops (bsc#1227149). - Refresh patches.suse/wifi-mac80211-do-not-pass-AP_VLAN-vif-pointer-to-dri.patch. - commit 3b00636 - wifi: cfg80211: check wiphy mutex is held for wdev mutex (bsc#1227149). - wifi: cfg80211: hold wiphy lock in cfg80211_any_wiphy_oper_chan() (bsc#1227149). - wifi: cfg80211: sme: hold wiphy lock for wdev iteration (bsc#1227149). - wifi: cfg80211: reg: hold wiphy mutex for wdev iteration (bsc#1227149). - wifi: mac80211: move color change finalize to wiphy work (bsc#1227149). - wifi: mac80211: move CSA finalize to wiphy work (bsc#1227149). - wifi: mac80211: move filter reconfig to wiphy work (bsc#1227149). - wifi: mac80211: move tspec work to wiphy work (bsc#1227149). - wifi: mac80211: move key tailroom work to wiphy work (bsc#1227149). - commit d930910 - wifi: mac80211: move dynamic PS to wiphy work (bsc#1227149). - Refresh patches.suse/wifi-mac80211-move-sched-scan-stop-work-to-wiphy-wor.patch. - commit 6350819 - wifi: mac80211: move DFS CAC work to wiphy work (bsc#1227149). - Refresh patches.suse/wifi-mac80211-move-radar-detect-work-to-wiphy-work.patch. - commit 46fc728 - wifi: mac80211: move TDLS work to wiphy work (bsc#1227149). - wifi: mac80211: move link activation work to wiphy work (bsc#1227149). - wifi: mac80211: lock wiphy in IP address notifier (bsc#1227149). - wifi: mac80211: move monitor work to wiphy work (bsc#1227149). - wifi: mac80211: add more ops assertions (bsc#1227149). - wifi: mac80211: convert A-MPDU work to wiphy work (bsc#1227149). - wifi: mac80211: flush wiphy work where appropriate (bsc#1227149). - wifi: cfg80211: check RTNL when iterating devices (bsc#1227149). - commit 425f8ad - wifi: mac80211: lock wiphy for aggregation debugfs (bsc#1227149). - wifi: mac80211: hold wiphy lock in netdev/link debugfs (bsc#1227149). - wifi: mac80211: debugfs: lock wiphy instead of RTNL (bsc#1227149). - wifi: mac80211: fix SMPS status handling (bsc#1227149). - wifi: mac80211: Fix SMPS handling in the context of MLO (bsc#1227149). - wifi: mac80211: rework ack_frame_id handling a bit (bsc#1227149). - wifi: mac80211: tx: clarify conditions in if statement (bsc#1227149). - wifi: mac80211: Do not include crypto/algapi.h (bsc#1227149). - wifi: cfg80211: improve documentation for flag fields (bsc#1227149). - wifi: nl80211: Remove unused declaration nl80211_pmsr_dump_results() (bsc#1227149). - commit 75d4c97 - wifi: mac80211: mesh: Remove unused function declaration mesh_ids_set_default() (bsc#1227149). - commit b3033c6 - wifi: mac80211: Remove unused function declarations (bsc#1227149). - Refresh patches.suse/wifi-mac80211-move-radar-detect-work-to-wiphy-work.patch. - commit 343f020 - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs (bsc#1222015 bsc#1226962). - commit ba98363 - KVM: x86/pmu: Prioritize VMX interception over #GP on RDPMC due to bad index (bsc#1226158). - commit fdb5ce1 - net/9p: fix uninit-value in p9_client_rpc() (CVE-2024-39301 bsc#1226994). - commit d8af728 - arm64/io: add constant-argument check (bsc#1226502 git-fixes) - commit 45e8b78 - struct acpi_ec kABI workaround (git-fixes). - commit 3605f74 - wifi: mt76: mt7921s: fix potential hung tasks during chip recovery (stable-fixes). - commit d9504b4 - drm/drm_file: Fix pid refcounting race (git-fixes). - drm/i915/gt: Fix potential UAF by revoke of fence registers (git-fixes). - drm/amdgpu: Fix pci state save during mode-1 reset (git-fixes). - drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA (git-fixes). - drm/fbdev-dma: Only set smem_start is enable per module option (git-fixes). - net: usb: ax88179_178a: improve link status logs (git-fixes). - net: phy: micrel: add Microchip KSZ 9477 to the device table (git-fixes). - batman-adv: Don't accept TT entries for out-of-spec VIDs (git-fixes). - can: mcp251xfd: fix infinite loop when xmit fails (git-fixes). - net: can: j1939: recover socket queue on CAN bus error during BAM transmission (git-fixes). - net: can: j1939: Initialize unused data in j1939_send_one() (git-fixes). - net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new (git-fixes). - ASoC: fsl-asoc-card: set priv-&gt;pdev before using it (git-fixes). - ASoC: amd: acp: remove i2s configuration check in acp_i2s_probe() (git-fixes). - ASoC: amd: acp: add a null check for chip_pdev structure (git-fixes). - ASoC: q6apm-lpass-dai: close graph on prepare errors (git-fixes). - ASoC: rockchip: i2s-tdm: Fix trcm mode by setting clock on right mclk (git-fixes). - ALSA: seq: Fix missing MSB in MIDI2 SPP conversion (git-fixes). - ALSA: hda/realtek: Fix conflicting quirk for PCI SSID 17aa:3820 (git-fixes). - ALSA: seq: Fix missing channel at encoding RPN/NRPN MIDI2 messages (git-fixes). - drm/amdgpu: fix UBSAN warning in kv_dpm.c (stable-fixes). - drm/radeon: fix UBSAN warning in kv_dpm.c (stable-fixes). - ACPI: EC: Evaluate orphan _REG under EC device (git-fixes). - serial: exar: adding missing CTI and Exar PCI ids (stable-fixes). - serial: imx: Introduce timeout when waiting on transmitter empty (stable-fixes). - usb: gadget: function: Remove usage of the deprecated ida_simple_xx() API (stable-fixes). - usb: typec: ucsi_glink: drop special handling for CCI_BUSY (stable-fixes). - usb: dwc3: pci: Don't set &quot;linux,phy_charger_detect&quot; property on Lenovo Yoga Tab2 1380 (stable-fixes). - usb: misc: uss720: check for incompatible versions of the Belkin F5U002 (stable-fixes). - usb: gadget: uvc: configfs: ensure guid to be valid before set (stable-fixes). - cpufreq: amd-pstate: fix memory leak on CPU EPP exit (stable-fixes). - ACPI: EC: Install address space handler at the namespace root (stable-fixes). - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports (stable-fixes). - power: supply: cros_usbpd: provide ID table for avoiding fallback match (stable-fixes). - platform/x86: toshiba_acpi: Add quirk for buttons on Z830 (stable-fixes). - ASoC: Intel: sof-sdw: really remove FOUR_SPEAKER quirk (git-fixes). - ASoC: Intel: sof_sdw: add quirk for Dell SKU 0C0F (stable-fixes). - ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 (stable-fixes). - drm/lima: mask irqs in timeout path before hard reset (stable-fixes). - drm/lima: add mask irq callback to gp and pp (stable-fixes). - drm/amd/display: revert Exit idle optimizations before HDCP execution (stable-fixes). - drm/amd/display: Exit idle optimizations before HDCP execution (stable-fixes). - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl (stable-fixes). - batman-adv: bypass empty buckets in batadv_purge_orig_ref() (stable-fixes). - ssb: Fix potential NULL pointer dereference in ssb_device_uevent() (stable-fixes). - HID: Add quirk for Logitech Casa touchpad (stable-fixes). - ACPI: x86: Add PNP_UART1_SKIP quirk for Lenovo Blade2 tablets (stable-fixes). - crypto: hisilicon/qm - Add the err memory release process to qm uninit (stable-fixes). - crypto: hisilicon/sec - Fix memory leak for sec resource release (stable-fixes). - commit bbedf42 - net/mlx5: Fix MTMP register capability offset in MCAM register (git-fixes). - bonding: fix oops during rmmod (CVE-2024-39296 bsc#1226989). - e1000e: change usleep_range to udelay in PHY mdic access (CVE-2024-39296 bsc#1226989). - dpll: spec: use proper enum for pin capabilities attribute (git-fixes). - tools: ynl: fix handling of multiple mcast groups (git-fixes). - tools: ynl: don't leak mcast_groups on init error (git-fixes). - tools: ynl: make sure we always pass yarg to mnl_cb_run (git-fixes). - commit 164182f - iommu/vt-d: Fix WARN_ON in iommu probe path (git-fixes). - iommu/vt-d: Use device rbtree in iopf reporting path (bsc#1224751 CVE-2024-35843). - iommu/vt-d: Use rbtree to track iommu probed devices (git-fixes). - commit 5f366a7 - nilfs2: fix potential kernel bug due to lack of writeback flag waiting (bsc#1227066 CVE-2024-37078). - commit bd6df7f - kABI workaround for FPGA changes (CVE-2024-35247 bsc#1226948 CVE-2024-36479 bsc#1226949 CVE-2024-37021 bsc#1226950). - commit 4b32e86 - fpga: region: add owner module and take its refcount (CVE-2024-35247 bsc#1226948). - Refresh patches.suse/fpga-add-kABI-padding.patch. - commit 670051c - fpga: manager: add owner module and take its refcount (CVE-2024-37021 bsc#1226950). - Refresh patches.suse/fpga-add-kABI-padding.patch. - commit 34a2533 - fpga: bridge: add owner module and take its refcount (CVE-2024-36479 bsc#1226949). - commit 545627b - Fix build failure on powerpc Refresh patches.suse/powerpc-uaccess-Use-YZ-asm-constraint-for-ld.patch. - commit 4cafc95 - kabi: Use __iowriteXX_copy_inlined for in-kernel modules (bsc#1226502) - commit 54c3656 - net: hns3: Remove io_stop_wc() calls after __iowrite64_copy() (bsc#1226502) - commit 5ea0ed2 - arm64/io: Provide a WC friendly __iowriteXX_copy() (bsc#1226502) - commit a39a193 - s390: Stop using weak symbols for __iowrite64_copy() (bsc#1226502) - commit 4a798a5 - s390: Implement __iowrite32_copy() (bsc#1226502) - commit 80e689b - x86: Stop using weak symbols for __iowrite32_copy() (bsc#1226502) - commit 894aede - net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules (CVE-2024-36281 bsc#1226799). - commit a7197fd - ceph: switch to use cap_delay_lock for the unlink delay list (bsc#1226022). - ceph: break the check delayed cap loop every 5s (bsc#1226022). - ceph: add ceph_cap_unlink_work to fire check_caps() immediately (bsc#1226022). - ceph: always queue a writeback when revoking the Fb caps (bsc#1226022). - ceph: always check dir caps asynchronously (bsc#1226022). - commit 7eb372a - arm64: mm: Don't remap pgtables for allocate vs populate (jsc#PED-8688). - arm64: mm: Batch dsb and isb when populating pgtables (jsc#PED-8688). - arm64: mm: Don't remap pgtables per-cont(pte|pmd) block (jsc#PED-8688). - commit fdec960 - epoll: be better about file lifetimes (bsc#1226610 CVE-2024-38580). - commit 4ff3c13 - null_blk: Fix return value of nullb_device_power_store() (bsc#1226841 CVE-2024-36478). - commit f213a2a - f2fs: multidev: fix to recognize valid zero block address (bsc#1226879, CVE-2024-38636). - commit ec1ded3 - s390/cpacf: Make use of invalid opcode produce a link error (git-fixes bsc#1227072). - commit 24c76d1 - s390/ap: Fix crash in AP internal function modify_bitmap() (CVE-2024-38661 bsc#1226996 git-fixes). - commit 456a41d - selftests/bpf: Add sockopt case to verify prog_type (bsc#1226789 CVE-2024-38564). - selftests/bpf: Extend sockopt tests to use BPF_LINK_CREATE (bsc#1226789 CVE-2024-38564). - bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE (bsc#1226789 CVE-2024-38564). - commit 2f12314 - bpf: Fix verifier assumptions about socket-&gt;sk (bsc#1226790 CVE-2024-38566). - commit dc586b3 - scsi: qedf: Ensure the copied buf is NUL terminated (bsc#1226758 CVE-2024-38559). - scsi: bfa: Ensure the copied buf is NUL terminated (bsc#1226786 CVE-2024-38560). - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload (bsc#1224767 CVE-2024-36919). - commit 3cabc93 - nvme: do not retry authentication failures (bsc#1186716). - nvme-fabrics: short-circuit reconnect retries (bsc#1186716). - nvme: return kernel error codes for admin queue connect (bsc#1186716). - nvmet: return DHCHAP status codes from nvmet_setup_auth() (bsc#1186716). - nvmet: lock config semaphore when accessing DH-HMAC-CHAP key (bsc#1186716). - commit ac2b954 - net: sched: sch_multiq: fix possible OOB write in multiq_tune() (CVE-2024-36978 bsc#1226514). - commit 3b6fd26 - nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists() (git-fixes). - commit 556ea4a - null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' (bsc#1226841 CVE-2024-36478). - commit d0b4b2a - block: fix overflow in blk_ioctl_discard() (bsc#1225770 CVE-2024-36917). - commit bbdd816 - mm: Avoid overflows in dirty throttling logic (bsc#1222364 CVE-2024-26720). - commit 77e301c - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP (CVE-2024-36974 bsc#1226519). - commit f911add - PCI: Clear Secondary Status errors after enumeration (bsc#1226928) - commit 606f4e7 - nvmet-passthru: propagate status from id override functions (git-fixes). - nvme: fix nvme_pr_* status code parsing (git-fixes). - nvmet: fix nvme status code when namespace is disabled (git-fixes). - nvmet-tcp: fix possible memory leak when tearing down a controller (git-fixes). - nvmet-auth: replace pr_debug() with pr_err() to report an error (git-fixes). - nvmet-auth: return the error code to the nvmet_auth_host_hash() callers (git-fixes). - nvme: find numa distance only if controller has valid numa id (git-fixes). - commit 3709ef4 - nvme: cancel pending I/O if nvme controller is in terminal state (bsc#1226503). Refresh: - patches.suse/nvme-multipath-fix-io-accounting-on-failover.patch - commit 7dbf1d4 - stm class: Fix a double free in stm_register_device() (CVE-2024-38627 bsc#1226857). - commit ef5c589 - Input: ili210x - fix ili251x_read_touch_data() return value (git-fixes). - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set (git-fixes). - pinctrl: rockchip: use dedicated pinctrl type for RK3328 (git-fixes). - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins (git-fixes). - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins (git-fixes). - pinctrl: fix deadlock in create_pinctrl() when handling - EPROBE_DEFER (git-fixes). - pinctrl: qcom: spmi-gpio: drop broken pm8008 support (git-fixes). - commit a1b46e3 - drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() (CVE-2024-38603 bsc#1226842). - commit 4db6ba6 - NFSv4.x: by default serialize open/close operations (bsc#1223863 bsc#1227362). - commit 6ed2498 - work around gcc bugs with 'asm goto' with outputs (git-fixes). - Refresh patches.suse/powerpc-uaccess-Fix-build-errors-seen-with-GCC-13-14.patch. - Refresh patches.suse/powerpc-uaccess-Use-YZ-asm-constraint-for-ld.patch. - commit eac0f3f - x86/asm: Remove the __iomem annotation of movdir64b()'s dst argument (git-fixes). - commit 8a8a749 - x86/tdx: Preserve shared bit on mprotect() (git-fixes). - commit ea4a8f6 - x86/sev: Fix position dependent variable references in startup code (git-fixes). - Refresh patches.suse/x86-coco-Require-seeding-RNG-with-RDRAND-on-CoCo-systems.patch. - commit 2efccd0 - x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel (git-fixes). - Refresh patches.suse/x86-mce-Differentiate-real-hardware-MCs-from-TDX-erratum-o.patch. - commit d75f0fd - x86/kexec: Fix bug with call depth tracking (git-fixes). - commit 926155d - x86/nmi: Drop unused declaration of proc_nmi_enabled() (git-fixes). - commit 3441c2e - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map (git-fixes). - commit 820085a - x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking (git-fixes). - commit 1c4403a - blacklist.conf: Blacklist invalid commit (git-fixes) We don't support CPU_MITIGATIONS hence to need for this logic - commit 6899966 - net: fec: remove .ndo_poll_controller to avoid deadlocks (CVE-2024-38553 bsc#1226744). - net/mlx5: Discard command completions in internal error (CVE-2024-38555 bsc#1226607). - net/mlx5: Add a timeout to acquire the command queue semaphore (CVE-2024-38556 bsc#1226774). - net/mlx5: Reload only IB representors upon lag disable/enable (CVE-2024-38557 bsc#1226781). - net/mlx5e: Fix netif state handling (CVE-2024-38608 bsc#1226746). - eth: sungem: remove .ndo_poll_controller to avoid deadlocks (CVE-2024-38597 bsc#1226749). - net: stmmac: move the EST lock to struct stmmac_priv (CVE-2024-38594 bsc#1226734). - commit d6f20aa - i2c: ocores: set IACK bit after core is enabled (git-fixes). - commit dc04936 - regulator: bd71815: fix ramp values (git-fixes). - regulator: core: Fix modpost error &quot;regulator_get_regmap&quot; undefined (git-fixes). - spi: stm32: qspi: Clamp stm32_qspi_get_mode() output to CCR_BUSWIDTH_4 (git-fixes). - spi: stm32: qspi: Fix dual flash mode sanity test in stm32_qspi_setup() (git-fixes). - firmware: psci: Fix return value from psci_system_suspend() (git-fixes). - commit 5c1d1d7 - RDMA/mlx5: Add check for srq max_sge attribute (git-fixes) - commit 5a7a44c - RDMA/mlx5: Fix unwind flow as part of mlx5_ib_stage_init_init (git-fixes) - commit a73b3cb - RDMA/mlx5: Ensure created mkeys always have a populated rb_key (git-fixes) - commit 194920a - RDMA/mlx5: Follow rb_key.ats when creating new mkeys (git-fixes) - commit 93d4abb - RDMA/mlx5: Remove extra unlock on error path (git-fixes) - commit 662ecd8 - RDMA/rxe: Fix responder length checking for UD request packets (git-fixes) - commit 77ecb50 - RDMA/rxe: Fix data copy for IB_SEND_INLINE (git-fixes) - commit 9ec1cd9 - RDMA/bnxt_re: Fix the max msix vectors macro (git-fixes) - commit 19f32fe - drm/i915/mso: using joiner is not possible with eDP MSO (git-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9 (stable-fixes). - ACPICA: Revert &quot;ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.&quot; (git-fixes). - thermal/drivers/mediatek/lvts_thermal: Return error in case of invalid efuse data (git-fixes). - dmaengine: ioatdma: Fix missing kmem_cache_destroy() (git-fixes). - dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() (git-fixes). - dmaengine: ioatdma: Fix error path in ioat3_dma_probe() (git-fixes). - dmaengine: ioatdma: Fix leaking on version mismatch (git-fixes). - dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (git-fixes). - xhci: Apply broken streams quirk to Etron EJ188 xHCI host (stable-fixes). - xhci: Apply reset resume quirk to Etron EJ188 xHCI host (stable-fixes). - xhci: Set correct transferred length for cancelled bulk transfers (stable-fixes). - drm/exynos/vidi: fix memory leak in .get_modes() (stable-fixes). - ACPI: x86: Force StorageD3Enable on more products (stable-fixes). - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors (git-fixes). - kheaders: explicitly define file modes for archived headers (stable-fixes). - intel_th: pci: Add Lunar Lake support (stable-fixes). - intel_th: pci: Add Meteor Lake-S support (stable-fixes). - intel_th: pci: Add Sapphire Rapids SOC support (stable-fixes). - intel_th: pci: Add Granite Rapids SOC support (stable-fixes). - intel_th: pci: Add Granite Rapids support (stable-fixes). - clkdev: Update clkdev id usage to allow for longer names (stable-fixes). - nilfs2: return the mapped address from nilfs_get_page() (stable-fixes). - commit 8bec8e0 - drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group (CVE-2024-38569 bsc#1226772). - commit 6715b52 - drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group (CVE-2024-38568 bsc#1226771). - commit 33d69e0 - sched/core: Fix incorrect initialization of the 'burst' parameter in cpu_max_write() (bsc#1226791). - commit 6b67975 - blacklist.conf: Add 6fb454606153 sched: Simplify tg_set_cfs_bandwidth() - commit 4e56705 - virtio_net: checksum offloading handling fix (git-fixes). - commit d283709 - virtio_net: avoid data-races on dev-&gt;stats fields (git-fixes). - commit 50373fb - vfio/fsl-mc: Block calling interrupt handler without trigger (bsc#1222810 CVE-2024-26814). - commit b1aee55 - vfio/platform: Create persistent IRQ handlers (bsc#1222809 CVE-2024-26813). - commit 28ae90e - ALSA: hda/realtek: Add more codec ID to no shutup pins list (stable-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ARP8 (stable-fixes). - ALSA: hda/realtek: Support Lenovo Thinkbook 13x Gen 4 (stable-fixes). - ALSA: hda/realtek: Support Lenovo Thinkbook 16P Gen 5 (stable-fixes). - ALSA: hda: cs35l41: Support Lenovo Thinkbook 13x Gen 4 (stable-fixes). - ALSA: hda: cs35l41: Support Lenovo Thinkbook 16P Gen 5 (stable-fixes). - ALSA: hda/realtek: Limit mic boost on N14AP7 (stable-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 445/465 G11 (stable-fixes). - ALSA: hda: cs35l56: Fix lifecycle of codec pointer (stable-fixes). - commit 3c2cbdc - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings (git-fixes). - net: usb: ax88179_178a: improve reset check (git-fixes). - net: phy: mxl-gpy: Remove interrupt mask clearing from config_init (git-fixes). - net: lan743x: Support WOL at both the PHY and MAC appropriately (git-fixes). - net: lan743x: disable WOL upon resume to restore full data path operation (git-fixes). - ALSA: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM (git-fixes). - ALSA: hda: tas2781: Component should be unbound before deconstruction (git-fixes). - ALSA: hda: cs35l41: Component should be unbound before deconstruction (git-fixes). - ALSA: hda: cs35l56: Component should be unbound before deconstruction (git-fixes). - ALSA/hda: intel-dsp-config: Document AVS as dsp_driver option (git-fixes). - ALSA: hda/realtek: Remove Framework Laptop 16 from quirks (git-fixes). - ALSA: seq: ump: Fix missing System Reset message handling (git-fixes). - ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind() (git-fixes). - commit 045593b - tcp: Dump bound-only sockets in inet_diag (bsc#1204562). - commit ff006da - cachefiles: remove requests from xarray during flushing requests (bsc#1226588). - commit b238f81 - blacklist.conf: add ppdev cleanup - commit 58ce126 - net/smc: fix neighbour and rtable leak in smc_ib_find_route() (git-fixes bsc#1225823 CVE-2024-36945 bsc#1226547). - commit d4aa573 - selftests/bpf: test case for callback_depth states pruning logic (bsc#1225903). - bpf: check bpf_func_state-&gt;callback_depth when pruning states (bsc#1225903). - commit 6632e43 - gpio: tqmx86: introduce shadow register for GPIO output value (git-fixes). - Refresh patches.suse/gpio-tqmx86-store-IRQ-trigger-type-and-unmask-status.patch. - commit 559245f - efi/x86: Free EFI memory map only when installing a new one (git-fixes). - gpio: lpc32xx: fix module autoloading (stable-fixes). - commit d39df35 - Move upstreamed NFS patch into sorted section - commit 19c3986 - nfsd: optimise recalculate_deny_mode() for a common case (bsc#1217912). - commit 882d2ff - NFS: avoid infinite loop in pnfs_update_layout (bsc#1219633 bsc#1226226). - commit b98e69a - NFS: abort nfs_atomic_open_v23 if name is too long (bsc#1219847). - NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly (bsc#1219847). - commit 772961e - fs/9p: fix uninitialized values during inode evict (bsc#1225815 CVE-2024-36923). - commit b349473 - x86/mce: Dynamically size space for machine check records (bsc#1222241). - commit 2d0d4b2 - nvme-tcp: Export the nvme_tcp_wq to sysfs (bsc#1224049). - Refresh patches.suse/nvme-tcp-Add-wq_unbound-modparam-for-nvme_tcp_wq.patch. - commit 099b967 - net: preserve kabi for struct dst_ops (CVE-2024-36971 bsc#1226145). - commit 6d764b6 - kcov: don't lose track of remote references during softirqs (git-fixes). - commit fc5abf0 - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back (CVE-2024-27414 bsc#1224439). - commit 6651625 - netfilter: nf_tables: reject new basechain after table flag update (CVE-2024-35900 bsc#1224497). - commit ef2c4d5 - net: fix __dst_negative_advice() race (CVE-2024-36971 bsc#1226145). - commit 604ed28 - ipv6: Fix infinite recursion in fib6_dump_done() (CVE-2024-35886 bsc#1224670). - commit ba91bc1 - drm/amd/display: Disable idle reallow as part of command/gpint (bsc#1225702 CVE-2024-36024) - commit 6d53e8c - RAS/AMD/ATL: Use system settings for MI300 DRAM to normalized address translation (bsc#1225300). - RAS/AMD/ATL: Fix MI300 bank hash (bsc#1225300). - commit 82b08f9 - i2c: designware: Fix the functionality flags of the slave-only interface (git-fixes). - i2c: at91: Fix the functionality flags of the slave-only interface (git-fixes). - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (git-fixes). - xhci: Handle TD clearing for multiple streams case (git-fixes). - thunderbolt: debugfs: Fix margin debugfs node creation condition (git-fixes). - usb-storage: alauda: Check whether the media is initialized (git-fixes). - usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state (git-fixes). - usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps (git-fixes). - USB: xen-hcd: Traverse host/ when CONFIG_USB_XEN_HCD is selected (git-fixes). - tty: n_tty: Fix buffer offsets when lookahead is used (git-fixes). - drivers: core: synchronize really_probe() and dev_uevent() (git-fixes). - iio: imu: inv_icm42600: delete unneeded update watermark call (git-fixes). - iio: dac: ad5592r: fix temperature channel scaling value (git-fixes). - iio: adc: ad9467: fix scan type sign (git-fixes). - misc: microchip: pci1xxxx: Fix a memory leak in the error handling of gp_aux_bus_probe() (git-fixes). - misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe() (git-fixes). - mei: me: release irq in mei_me_pci_resume error path (git-fixes). - ax25: Fix refcount imbalance on inbound connections (git-fixes). - tpm_tis: Do *not* flush uninitialized work (git-fixes). - selftests/mm: fix build warnings on ppc64 (stable-fixes). - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages (git-fixes). - genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after() (git-fixes). - drm/amdgpu/atomfirmware: add intergrated info v2.3 table (stable-fixes). - intel_th: pci: Add Meteor Lake-S CPU support (stable-fixes). - mmc: sdhci-acpi: Add quirk to enable pull-up on the card-detect GPIO on Asus T100TA (git-fixes). - mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A (stable-fixes). - mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working (stable-fixes). - mmc: sdhci-acpi: Sort DMI quirks alphabetically (stable-fixes). - mmc: sdhci: Add support for &quot;Tuning Error&quot; interrupts (stable-fixes). - mmc: core: Add mmc_gpiod_set_cd_config() function (stable-fixes). - media: mxl5xx: Move xpt structures off stack (stable-fixes). - media: lgdt3306a: Add a check against null-pointer-def (stable-fixes). - media: v4l2-core: hold videodev_lock until dev reg, finishes (stable-fixes). - drm/amdgpu: add error handle to avoid out-of-bounds (stable-fixes). - drm/i915/hwmon: Get rid of devm (stable-fixes). - wifi: rtw89: correct aSIFSTime for 6GHz band (stable-fixes). - wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path (stable-fixes). - wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE (stable-fixes). - wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power (stable-fixes). - wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU (stable-fixes). - ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx (stable-fixes). - crypto: ecrdsa - Fix module auto-load on add_key (stable-fixes). - drm/sun4i: hdmi: Move mode_set into enable (stable-fixes). - drm/sun4i: hdmi: Convert encoder to atomic (stable-fixes). - mmc: core: Do not force a retune before RPMB switch (stable-fixes). - commit 8df97c4 - nvme/tcp: Add wq_unbound modparam for nvme_tcp_wq (bsc#1224049). - commit 7af7bce - ocfs2: fix sparse warnings (bsc#1219224). - ocfs2: speed up chain-list searching (bsc#1219224). - ocfs2: adjust enabling place for la window (bsc#1219224). - ocfs2: improve write IO performance when fragmentation is high (bsc#1219224). - commit 98a3adb - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found (git-fixes). - drm/nouveau: don't attempt to schedule hpd_work on headless cards (git-fixes). - drm/bridge/panel: Fix runtime warning on panel bridge release (git-fixes). - drm/komeda: check for error-valued pointer (git-fixes). - commit b393dd7 Package curl was updated: - Security fix: [bsc#1228535, CVE-2024-7264] * curl: ASN.1 date parser overread * Add curl-CVE-2024-7264.patch - Security fix: [bsc#1227888, CVE-2024-6197] * Freeing stack buffer in utf8asn1str * x509asn1: remove superfluous free() * Add curl-CVE-2024-6197.patch Package libnvme was updated: - Update to version 1.8+39.ge289971: * linux: update TLS version 1 PSK derivation (bsc#1228376) * test: add hostnqn lookup test (bsc#1226216) * tree: add helper to lookup hostnqn/hostid (bsc#1226216) * fabrics: extend hostnqn/hostid variable inject interface (bsc#1226216) * test: add config-pcie-with-tcp-config test case (bsc#1226216) * test: add config dump test (bsc#1226216) * test: revamp sysfs tree dump test (bsc#1226216) * json: filter out pcie transport (bsc#1226216) * tree: preserve parsing order of a config file (bsc#1226216) * test: use diff to compare sysfs output (bsc#1226216) * libnvme: Introduce functions to generate host identifier and host NQN (bsc#1226216) * linux: add nvme_revoke_tls_key (bsc#1226197) * libnvme: add missing symbol nvme_scan_tls_keys (bsc#1226197) - refresh 0001-build-disable-sysfs-test.patch Package oniguruma was updated: - Added oniguruma-6.8.2-CVE-2019-13225-fix.patch (boo#1141157 CVE-2019-13225) oniguruma: null-pointer dereference in match_at() in regexec.c Package openssl-3 was updated: - Build with no-afalgeng [bsc#1226463] - Security fix: [bsc#1227138, CVE-2024-5535] * SSL_select_next_proto buffer overread * Add openssl-CVE-2024-5535.patch - Build with enabled sm2 and sm4 support [bsc#1222899] - Add reproducible.patch to fix bsc#1223336 aes-gcm-avx512.pl: fix non-reproducibility issue Package systemd was updated: - Import commit 957aeb6452837326866e1f89092e6d0e0665fc10 (merge of v254.15) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/ea63a23a20292d4136612808bc8777db283d0bca...957aeb6452837326866e1f89092e6d0e0665fc10 - Import commit ea63a23a20292d4136612808bc8777db283d0bca (merge of v254.14) - Drop 5013-Revert-run-pass-the-pty-slave-fd-to-transient-servic.patch as v254.14 contains the workaround (commit e2d6762fa3fca4bf) for the broken commit 28459ba1f4df. Package shadow was updated: - bsc#1228770: Fix not copying of skel files Update shadow-CVE-2013-4235.patch - bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition Add shadow-CVE-2013-4235.patch Package nvme-cli was updated: - Update to version 2.8+43.g1d9dae6: * nvme: avoid segfault in show-topology (bsc#1226197) * fabrics: connect all hosts in config.json (bsc#1226216) * fabrics: refactore discover from json config (bsc#1226216) * fabrics: first read config before topology scanning (bsc#1226216) * fabrics: use helper to lookup default hostnqn/hostid (bsc#1226216) * fabrics: extend already connected message (bsc#1226216) * fabrics: Always pass hostid and hostnqn (bsc#1226216) * fabrics: Make some symbols public (bsc#1226216) * completion: add support for tls-key (bsc#1226197) * doc: add tls-key --revoke documentation (bsc#1226197) * doc: fix tls-key --keyfile shorthand (bsc#1226197) * build: sort documentation files entries (bsc#1226197) * nvme: add support to revoke TLS key (bsc#1226197) * nvme: return error code/message for TLS commands (bsc#1226197) * nvme: factor out import key function (bsc#1226197) * nvme: use cleanup helper to close file descriptor (bsc#1226216) * nvme: use cleanup helper for STREAM objects (bsc#1226216) * nvme: strip newline when parsing TLS key files (bsc#1226197) * nvme: use stdout for exporting TLS keys (bsc#1226197) * nvme: change _cleanup_file_ to _cleanup_fd_ (bsc#1226197) * nvme: use cleanup helper for nvme_root_t objects (bsc#1226197) * nvme: add new function 'tls_key' (bsc#1226197) * completions: Fix _nvme indentation errors (bsc#1226197) * completions: Fix bash-nvme-completion.sh indentation errors (bsc#1226197) - Always build documentation Package openssh was updated: - Remove empty line at the end of sshd-sle.pamd (bsc#1227456) - Add patch from upstream to fix proxy multiplexing mode: * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch - Add patch from upstream to restore correctly sigprocmask * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch - Add patch from upstream to fix a logic error in ObscureKeystrokeTiming that rendered this feature ineffective, allowing a passive observer to detect which network packets contained real keystrokes (bsc#1227318, CVE-2024-39894): * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch - Add obsoletes for openssh-server-config-rootlogin since that package existed for a brief period of time during SLE 15 SP6/ Leap 15.6 development but even if it was removed from the repositories before GM, some users might have it in their systems from having tried a beta/RC release (boo#1227350). - Add #include &lt;stdlib.h&gt; in some files added by the ldap patch to fix build with gcc14 (boo#1225904). * openssh-7.7p1-ldap.patch - Remove the recommendation for openssh-server-config-rootlogin from openssh-server. Since the default for that config option was changed in SLE it's not needed anymore in SLE nor in TW (boo#1224392). Package permissions was updated: - New branch for SLE-15-SP6- Update to version 20240801: * cockpit: moved setuid executable (bsc#1228548) Package python3-lxml was updated: - Add libexpat-2.6.0-backport.patch to fix compatibility with system libexpat in tests (bsc#1222075, CVE-2023-52425). Package python-urllib3 was updated: Package runc was updated: [ This was only ever released for SLES and Leap. ]- Update to runc v1.1.13. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.12&gt;. - Rebase patches: * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch - Backport &lt;https://github.com/opencontainers/runc/pull/3931&gt; to fix a performance issue when running lots of containers, caused by system getting too many mount notifications. bsc#1214960 + 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch Package sudo was updated: Package suse-build-key was updated: - added missing ; in shell script (bsc#1227681) - Added new keys of the SLE Micro 6.0 / SLES 16 series, and auto import them. (bsc#1227429) gpg-pubkey-09d9ea69-645b99ce.asc: Main SLE Micro 6/SLES 16 key gpg-pubkey-73f03759-626bd414.asc: Backup SLE Micro 6/SLES 16 key. Package suseconnect-ng was updated: - Update version to 1.11 - Added uname as collector - Added SAP workload detection - Added detection of container runtimes - Multiple fixes on ARM64 detection - Use `read_values` for the CPU collector on Z - Fixed data collection for ppc64le - Grab the home directory from /etc/passwd if needed (bsc#1226128) - Update version to 1.10.0 * Build zypper-migration and zypper-packages-search as standalone binaries rather then one single binary * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004) * Include /etc/products.d in directories whose content are backed up and restored if a zypper-migration rollback happens. (bsc#1219004) * Add the ability to upload the system uptime logs, produced by the suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report. (jsc#PED-7982) (jsc#PED-8018) * Add support for third party packages in SUSEConnect * Refactor existing system information collection implementation Package wicked was updated: - Update to version 0.6.76 - compat-suse: warn user and create missing parent config of infiniband children (gh#openSUSE/wicked#1027) - client: fix origin in loaded xml-config with obsolete port references but missing port interface config, causing a no-carrier of master (bsc#1226125) - ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976) - wireless: add frequency-list in station mode (jsc#PED-8715) - client: fix crash while hierarchy traversing due to loop in e.g. systemd-nspawn containers (bsc#1226664) - man: add supported bonding options to ifcfg-bonding(5) man page (gh#openSUSE/wicked#1021) - arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019) - man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018) - client: warn on interface wait time reached (gh#openSUSE/wicked#1017) - compat-suse: fix dummy type detection from ifname to not cause conflicts with e.g. correct vlan config on dummy0.42 interfaces (gh#openSUSE/wicked#1016) - compat-suse: fix infiniband and infiniband child type detection from ifname (gh#openSUSE/wicked#1015) - Removed patches included in the source archive: [- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch] [- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch] Package xen was updated: - bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86 guest IRQ handling (XSA-458) xsa458.patch - bsc#1214718 - The system hangs intermittently when Power Control Mode is set to Minimum Power on SLES15SP5 Xen 6666ba52-x86-irq-remove-offline-CPUs-from-old-CPU-mask-when.patch 666994ab-x86-SMP-no-shorthand-IPI-in-hotplug.patch 666994f0-x86-IRQ-limit-interrupt-movement-in-fixup_irqs.patch 66718849-x86-IRQ-old_cpu_mask-in-fixup_irqs.patch 6671885e-x86-IRQ-handle-moving-in-_assign_irq_vector.patch 6673ffdc-x86-IRQ-forward-pending-to-new-dest-in-fixup_irqs.patch - Upstream bug fixes (bsc#1027519) 66450626-sched-set-all-sched_resource-data-inside-locked.patch 66450627-x86-respect-mapcache_domain_init-failing.patch 6646031f-x86-ucode-further-identify-already-up-to-date.patch 666b07ee-x86-EPT-special-page-in-epte_get_entry_emt.patch 666b0819-x86-EPT-avoid-marking-np-ents-for-reconfig.patch 666b085a-x86-EPT-drop-questionable-mfn_valid-from-.patch 667187cc-x86-Intel-unlock-CPUID-earlier.patch 6672c846-x86-xstate-initialisation-of-XSS-cache.patch 6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch - bsc#1225953 - Package xen does not build with gcc14 because of new errors gcc14-fixes.patch - bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may trigger Xen bug check (XSA-454) 6617d62c-x86-hvm-Misra-Rule-19-1-regression.patch - Upstream bug fixes (bsc#1027519) 6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch 6627a5fc-x86-MTRR-inverted-WC-check.patch 662a6a4c-x86-spec-reporting-of-BHB-clearing.patch 662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch 663090fd-x86-gen-cpuid-syntax.patch 663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch 663a4f3e-x86-cpu-policy-migration-IceLake-to-CascadeLake.patch 663d05b5-x86-ucode-distinguish-up-to-date.patch 663eaa27-libxl-XenStore-error-handling-in-device-creation.patch The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-chost-byos-v20240807-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 bind-utils-9.18.28-150600.3.3.1 docker-25.0.6_ce-150000.203.1 dracut-059+suse.527.g7870f083-150600.3.3.2 google-guest-agent-20240314.00-150400.1.48.7 google-guest-configs-20240307.00-150400.13.11.6 google-guest-oslogin-20240311.00-150400.1.45.7 google-osconfig-agent-20240320.00-150400.1.35.7 growpart-rootgrow-1.0.7-150400.1.14.7 kernel-default-6.4.0-150600.23.17.1 libassuan0-2.5.5-150000.4.7.1 libcurl4-8.6.0-150600.4.3.1 libgpgme11-1.23.0-150600.3.2.1 libnvme-mi1-1.8+39.ge289971-150600.3.3.2 libnvme1-1.8+39.ge289971-150600.3.3.2 libonig4-6.7.0-150000.3.6.1 libopenssl3-3.1.4-150600.5.10.1 libpython3_6m1_0-3.6.15-150300.10.65.1 libsystemd0-254.15-150600.4.8.1 libudev1-254.15-150600.4.8.1 login_defs-4.8.1-150600.17.6.1 nvme-cli-2.8+43.g1d9dae6-150600.3.3.2 openssh-9.6p1-150600.6.9.1 openssh-clients-9.6p1-150600.6.9.1 openssh-common-9.6p1-150600.6.9.1 openssh-server-9.6p1-150600.6.9.1 openssl-3-3.1.4-150600.5.10.1 permissions-20240801-150600.10.4.1 python-instance-billing-flavor-check-0.0.6-150400.1.11.7 python3-3.6.15-150300.10.65.2 python3-base-3.6.15-150300.10.65.1 python3-cssselect-1.0.3-150400.3.7.4 python3-lxml-4.9.1-150500.3.4.3 python3-urllib3-1.25.10-150300.4.12.1 runc-1.1.13-150000.67.1 shadow-4.8.1-150600.17.6.1 sudo-1.9.15p5-150600.3.6.2 suse-build-key-12.0-150000.8.49.2 suseconnect-ng-1.11.0-150600.3.5.3 systemd-254.15-150600.4.8.1 udev-254.15-150600.4.8.1 wicked-0.6.76-150600.11.9.1 wicked-service-0.6.76-150600.11.9.1 xen-libs-4.18.2_06-150600.3.3.1 bind-utils-9.18.28-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 docker-25.0.6_ce-150000.203.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 dracut-059+suse.527.g7870f083-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 google-guest-agent-20240314.00-150400.1.48.7 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 google-guest-configs-20240307.00-150400.13.11.6 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 google-guest-oslogin-20240311.00-150400.1.45.7 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 google-osconfig-agent-20240320.00-150400.1.35.7 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 growpart-rootgrow-1.0.7-150400.1.14.7 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 kernel-default-6.4.0-150600.23.17.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libassuan0-2.5.5-150000.4.7.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libcurl4-8.6.0-150600.4.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libgpgme11-1.23.0-150600.3.2.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libnvme-mi1-1.8+39.ge289971-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libnvme1-1.8+39.ge289971-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libonig4-6.7.0-150000.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libopenssl3-3.1.4-150600.5.10.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libpython3_6m1_0-3.6.15-150300.10.65.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libsystemd0-254.15-150600.4.8.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 libudev1-254.15-150600.4.8.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 login_defs-4.8.1-150600.17.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 nvme-cli-2.8+43.g1d9dae6-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 openssh-9.6p1-150600.6.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 openssh-clients-9.6p1-150600.6.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 openssh-common-9.6p1-150600.6.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 openssh-server-9.6p1-150600.6.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 openssl-3-3.1.4-150600.5.10.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 permissions-20240801-150600.10.4.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 python-instance-billing-flavor-check-0.0.6-150400.1.11.7 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 python3-3.6.15-150300.10.65.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 python3-base-3.6.15-150300.10.65.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 python3-cssselect-1.0.3-150400.3.7.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 python3-lxml-4.9.1-150500.3.4.3 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 python3-urllib3-1.25.10-150300.4.12.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 runc-1.1.13-150000.67.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 shadow-4.8.1-150600.17.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 sudo-1.9.15p5-150600.3.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 suse-build-key-12.0-150000.8.49.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 suseconnect-ng-1.11.0-150600.3.5.3 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 systemd-254.15-150600.4.8.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 udev-254.15-150600.4.8.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 wicked-0.6.76-150600.11.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 wicked-service-0.6.76-150600.11.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 xen-libs-4.18.2_06-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64 shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees CVE-2013-4235 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:login_defs-4.8.1-150600.17.6.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:shadow-4.8.1-150600.17.6.1 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. CVE-2019-13225 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:libonig4-6.7.0-150000.3.6.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Don't overflow in peek() When we started spreading new inode numbers throughout most of the 64 bit inode space, that triggered some corner case bugs, in particular some integer overflows related to the radix tree code. Oops. CVE-2021-47432 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: lgdt3306a: Add a check against null-pointer-def The driver should check whether the client provides the platform_data. The following log reveals it: [ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40 [ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414 [ 29.612820] Call Trace: [ 29.613030] <TASK> [ 29.613201] dump_stack_lvl+0x56/0x6f [ 29.613496] ? kmemdup+0x30/0x40 [ 29.613754] print_report.cold+0x494/0x6b7 [ 29.614082] ? kmemdup+0x30/0x40 [ 29.614340] kasan_report+0x8a/0x190 [ 29.614628] ? kmemdup+0x30/0x40 [ 29.614888] kasan_check_range+0x14d/0x1d0 [ 29.615213] memcpy+0x20/0x60 [ 29.615454] kmemdup+0x30/0x40 [ 29.615700] lgdt3306a_probe+0x52/0x310 [ 29.616339] i2c_device_probe+0x951/0xa90 CVE-2022-48772 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. CVE-2023-46842 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:xen-libs-4.18.2_06-150600.3.3.1 moderate Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access. CVE-2023-47210 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition. CVE-2023-51780 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:python3-lxml-4.9.1-150500.3.4.3 moderate In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able to crash the kernel in skb_segment() [1] GSO_BY_FRAGS is a forbidden value, but unfortunately the following computation in skb_segment() can reach it quite easily : mss = mss * partial_segs; 65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to a bad final result. Make sure to limit segmentation so that the new mss value is smaller than GSO_BY_FRAGS. [1] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0 R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046 FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626 __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 __sys_sendto+0x255/0x340 net/socket.c:2190 __do_sys_sendto net/socket.c:2202 [inline] __se_sys_sendto net/socket.c:2198 [inline] __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f8692032aa9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9 RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480 R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R0 ---truncated--- CVE-2023-52435 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: rsa - add a check for allocation failure Static checkers insist that the mpi_alloc() allocation can fail so add a check to prevent a NULL dereference. Small allocations like this can't actually fail in current kernels, but adding a check is very simple and makes the static checkers happy. CVE-2023-52472 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: spi: Fix null dereference on suspend A race condition exists where a synchronous (noqueue) transfer can be active during a system suspend. This can cause a null pointer dereference exception to occur when the system resumes. Example order of events leading to the exception: 1. spi_sync() calls __spi_transfer_message_noqueue() which sets ctlr->cur_msg 2. Spi transfer begins via spi_transfer_one_message() 3. System is suspended interrupting the transfer context 4. System is resumed 6. spi_controller_resume() calls spi_start_queue() which resets cur_msg to NULL 7. Spi transfer context resumes and spi_finalize_current_message() is called which dereferences cur_msg (which is now NULL) Wait for synchronous transfers to complete before suspending by acquiring the bus mutex and setting/checking a suspend flag. CVE-2023-52749 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer Prior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly byte-swap NOP when compiling for big-endian, and the resulting series of bytes happened to match the encoding of FNMADD S21, S30, S0, S0. This went unnoticed until commit: 34f66c4c4d5518c1 ("arm64: Use a positive cpucap for FP/SIMD") Prior to that commit, the kernel would always enable the use of FPSIMD early in boot when __cpu_setup() initialized CPACR_EL1, and so usage of FNMADD within the kernel was not detected, but could result in the corruption of user or kernel FPSIMD state. After that commit, the instructions happen to trap during boot prior to FPSIMD being detected and enabled, e.g. | Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD | CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 | Hardware name: linux,dummy-virt (DT) | pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : __pi_strcmp+0x1c/0x150 | lr : populate_properties+0xe4/0x254 | sp : ffffd014173d3ad0 | x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000 | x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008 | x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044 | x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005 | x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000 | x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000 | x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000 | x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000 | x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a | x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8 | Kernel panic - not syncing: Unhandled exception | CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 | Hardware name: linux,dummy-virt (DT) | Call trace: | dump_backtrace+0xec/0x108 | show_stack+0x18/0x2c | dump_stack_lvl+0x50/0x68 | dump_stack+0x18/0x24 | panic+0x13c/0x340 | el1t_64_irq_handler+0x0/0x1c | el1_abort+0x0/0x5c | el1h_64_sync+0x64/0x68 | __pi_strcmp+0x1c/0x150 | unflatten_dt_nodes+0x1e8/0x2d8 | __unflatten_device_tree+0x5c/0x15c | unflatten_device_tree+0x38/0x50 | setup_arch+0x164/0x1e0 | start_kernel+0x64/0x38c | __primary_switched+0xbc/0xc4 Restrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is either GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked commit. CVE-2023-52750 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in smb2_query_info_compound() The following UAF was triggered when running fstests generic/072 with KASAN enabled against Windows Server 2022 and mount options 'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm' BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs] Read of size 8 at addr ffff888014941048 by task xfs_io/27534 CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0x7f ? srso_alias_return_thunk+0x5/0x7f ? __phys_addr+0x46/0x90 kasan_report+0xda/0x110 ? smb2_query_info_compound+0x423/0x6d0 [cifs] ? smb2_query_info_compound+0x423/0x6d0 [cifs] smb2_query_info_compound+0x423/0x6d0 [cifs] ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f ? __stack_depot_save+0x39/0x480 ? kasan_save_stack+0x33/0x60 ? kasan_set_track+0x25/0x30 ? ____kasan_slab_free+0x126/0x170 smb2_queryfs+0xc2/0x2c0 [cifs] ? __pfx_smb2_queryfs+0x10/0x10 [cifs] ? __pfx___lock_acquire+0x10/0x10 smb311_queryfs+0x210/0x220 [cifs] ? __pfx_smb311_queryfs+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f ? __lock_acquire+0x480/0x26c0 ? lock_release+0x1ed/0x640 ? srso_alias_return_thunk+0x5/0x7f ? do_raw_spin_unlock+0x9b/0x100 cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 ? __pfx___do_sys_fstatfs+0x10/0x10 ? srso_alias_return_thunk+0x5/0x7f ? lockdep_hardirqs_on_prepare+0x136/0x200 ? srso_alias_return_thunk+0x5/0x7f do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x8f/0xa0 open_cached_dir+0x71b/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs] smb2_queryfs+0xc2/0x2c0 [cifs] smb311_queryfs+0x210/0x220 [cifs] cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 ____kasan_slab_free+0x126/0x170 slab_free_freelist_hook+0xd0/0x1e0 __kmem_cache_free+0x9d/0x1b0 open_cached_dir+0xff5/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs] smb2_queryfs+0xc2/0x2c0 [cifs] This is a race between open_cached_dir() and cached_dir_lease_break() where the cache entry for the open directory handle receives a lease break while creating it. And before returning from open_cached_dir(), we put the last reference of the new @cfid because of !@cfid->has_lease. Besides the UAF, while running xfstests a lot of missed lease breaks have been noticed in tests that run several concurrent statfs(2) calls on those cached fids CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... CIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108 CIFS: VFS: Dump pending requests: CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... CIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108 ... To fix both, in open_cached_dir() ensure that @cfid->has_lease is set right before sending out compounded request so that any potential lease break will be get processed by demultiplex thread while we're still caching @cfid. And, if open failed for some reason, re-check @cfid->has_lease to decide whether or not put lease reference. CVE-2023-52751 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid NULL dereference of timing generator [Why & How] Check whether assigned timing generator is NULL or not before accessing its funcs to prevent NULL dereference. CVE-2023-52753 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: imon: fix access to invalid resource for the second interface imon driver probes two USB interfaces, and at the probe of the second interface, the driver assumes blindly that the first interface got bound with the same imon driver. It's usually true, but it's still possible that the first interface is bound with another driver via a malformed descriptor. Then it may lead to a memory corruption, as spotted by syzkaller; imon driver accesses the data from drvdata as struct imon_context object although it's a completely different one that was assigned by another driver. This patch adds a sanity check -- whether the first interface is really bound with the imon driver or not -- for avoiding the problem above at the probe time. CVE-2023-52754 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2023-52759 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: virtio-blk: fix implicit overflow on virtio_max_dma_size The following codes have an implicit conversion from size_t to u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); This may lead overflow, Ex (size_t)4G -> (u32)0. Once virtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX instead. CVE-2023-52762 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data. The `i3c_master_bus_init` function may attach the I2C devices before the I3C bus initialization. In this flow, the DAT `alloc_entry`` will be used before the DAT `init`. Additionally, if the `i3c_master_bus_init` fails, the DAT `cleanup` will execute before the device is detached, which will execue DAT `free_entry` function. The above scenario can cause the driver to use DAT_data when it is NULL. CVE-2023-52763 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: gspca: cpia1: shift-out-of-bounds in set_flicker Syzkaller reported the following issue: UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27 shift exponent 245 is too large for 32-bit type 'int' When the value of the variable "sd->params.exposure.gain" exceeds the number of bits in an integer, a shift-out-of-bounds error is reported. It is triggered because the variable "currentexp" cannot be left-shifted by more than the number of bits in an integer. In order to avoid invalid range during left-shift, the conditional expression is added. CVE-2023-52764 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: mfd: qcom-spmi-pmic: Fix revid implementation The Qualcomm SPMI PMIC revid implementation is broken in multiple ways. First, it assumes that just because the sibling base device has been registered that means that it is also bound to a driver, which may not be the case (e.g. due to probe deferral or asynchronous probe). This could trigger a NULL-pointer dereference when attempting to access the driver data of the unbound device. Second, it accesses driver data of a sibling device directly and without any locking, which means that the driver data may be freed while it is being accessed (e.g. on driver unbind). Third, it leaks a struct device reference to the sibling device which is looked up using the spmi_device_from_of() every time a function (child) device is calling the revid function (e.g. on probe). Fix this mess by reimplementing the revid lookup so that it is done only at probe of the PMIC device; the base device fetches the revid info from the hardware, while any secondary SPMI device fetches the information from the base device and caches it so that it can be accessed safely from its children. If the base device has not been probed yet then probe of a secondary device is deferred. CVE-2023-52765 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers. CVE-2023-52766 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix NULL deref on tls_sw_splice_eof() with empty record syzkaller discovered that if tls_sw_splice_eof() is executed as part of sendfile() when the plaintext/ciphertext sk_msg are empty, the send path gets confused because the empty ciphertext buffer does not have enough space for the encryption overhead. This causes tls_push_record() to go on the `split = true` path (which is only supposed to be used when interacting with an attached BPF program), and then get further confused and hit the tls_merge_open_record() path, which then assumes that there must be at least one populated buffer element, leading to a NULL deref. It is possible to have empty plaintext/ciphertext buffers if we previously bailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path. tls_sw_push_pending_record() already handles this case correctly; let's do the same check in tls_sw_splice_eof(). CVE-2023-52767 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: use vmm_table as array in wilc struct Enabling KASAN and running some iperf tests raises some memory issues with vmm_table: BUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4 Write of size 4 at addr c3a61540 by task wlan0-tx/95 KASAN detects that we are writing data beyond range allocated to vmm_table. There is indeed a mismatch between the size passed to allocator in wilc_wlan_init, and the range of possible indexes used later: allocation size is missing a multiplication by sizeof(u32) CVE-2023-52768 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix htt mlo-offset event locking The ath12k active pdevs are protected by RCU but the htt mlo-offset event handling code calling ath12k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only. CVE-2023-52769 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer() When ddc_service_construct() is called, it explicitly checks both the link type and whether there is something on the link which will dictate whether the pin is marked as hw_supported. If the pin isn't set or the link is not set (such as from unloading/reloading amdgpu in an IGT test) then fail the amdgpu_dm_i2c_xfer() call. CVE-2023-52773 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: protect device queue against concurrent access In dasd_profile_start() the amount of requests on the device queue are counted. The access to the device queue is unprotected against concurrent access. With a lot of parallel I/O, especially with alias devices enabled, the device queue can change while dasd_profile_start() is accessing the queue. In the worst case this leads to a kernel panic due to incorrect pointer accesses. Fix this by taking the device lock before accessing the queue and counting the requests. Additionally the check for a valid profile data pointer can be done earlier to avoid unnecessary locking in a hot path. CVE-2023-52774 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid data corruption caused by decline We found a data corruption issue during testing of SMC-R on Redis applications. The benchmark has a low probability of reporting a strange error as shown below. "Error: Protocol error, got "\xe2" as reply type byte" Finally, we found that the retrieved error data was as follows: 0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C 0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2 It is quite obvious that this is a SMC DECLINE message, which means that the applications received SMC protocol message. We found that this was caused by the following situations: client server | clc proposal -------------> | clc accept <------------- | clc confirm -------------> wait llc confirm send llc confirm |failed llc confirm | x------ (after 2s)timeout wait llc confirm rsp wait decline (after 1s) timeout (after 2s) timeout | decline --------------> | decline <-------------- As a result, a decline message was sent in the implementation, and this message was read from TCP by the already-fallback connection. This patch double the client timeout as 2x of the server value, With this simple change, the Decline messages should never cross or collide (during Confirm link timeout). This issue requires an immediate solution, since the protocol updates involve a more long-term solution. CVE-2023-52775 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dfs-radar and temperature event locking The ath12k active pdevs are protected by RCU but the DFS-radar and temperature event handling code calling ath12k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as RCU read-side critical sections to avoid any potential use-after-free issues. Note that the temperature event handler looks like a place holder currently but would still trigger an RCU lockdep splat. Compile tested only. CVE-2023-52776 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix gtk offload status event locking The ath11k active pdevs are protected by RCU but the gtk offload status event handling code calling ath11k_mac_get_arvif_by_vdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only. CVE-2023-52777 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm is not used. The page pool is also not allocated when the port is stopped. It can also be not allocated in case of errors. The current implementation leads to the following crash calling ethstats on a port that is down or when calling it at the wrong moment: ble to handle kernel NULL pointer dereference at virtual address 00000070 [00000070] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Hardware name: Marvell Armada 380/385 (Device Tree) PC is at page_pool_get_stats+0x18/0x1cc LR is at mvneta_ethtool_get_stats+0xa0/0xe0 [mvneta] pc : [<c0b413cc>] lr : [<bf0a98d8>] psr: a0000013 sp : f1439d48 ip : f1439dc0 fp : 0000001d r10: 00000100 r9 : c4816b80 r8 : f0d75150 r7 : bf0b400c r6 : c238f000 r5 : 00000000 r4 : f1439d68 r3 : c2091040 r2 : ffffffd8 r1 : f1439d68 r0 : 00000000 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 066b004a DAC: 00000051 Register r0 information: NULL pointer Register r1 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390 Register r2 information: non-paged memory Register r3 information: slab kmalloc-2k start c2091000 pointer offset 64 size 2048 Register r4 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390 Register r5 information: NULL pointer Register r6 information: slab kmalloc-cg-4k start c238f000 pointer offset 0 size 4096 Register r7 information: 15-page vmalloc region starting at 0xbf0a8000 allocated at load_module+0xa30/0x219c Register r8 information: 1-page vmalloc region starting at 0xf0d75000 allocated at ethtool_get_stats+0x138/0x208 Register r9 information: slab task_struct start c4816b80 pointer offset 0 Register r10 information: non-paged memory Register r11 information: non-paged memory Register r12 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390 Process snmpd (pid: 733, stack limit = 0x38de3a88) Stack: (0xf1439d48 to 0xf143a000) 9d40: 000000c0 00000001 c238f000 bf0b400c f0d75150 c4816b80 9d60: 00000100 bf0a98d8 00000000 00000000 00000000 00000000 00000000 00000000 9d80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9da0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9dc0: 00000dc0 5335509c 00000035 c238f000 bf0b2214 01067f50 f0d75000 c0b9b9c8 9de0: 0000001d 00000035 c2212094 5335509c c4816b80 c238f000 c5ad6e00 01067f50 9e00: c1b0be80 c4816b80 00014813 c0b9d7f0 00000000 00000000 0000001d 0000001d 9e20: 00000000 00001200 00000000 00000000 c216ed90 c73943b8 00000000 00000000 9e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9e60: 00000000 c0ad9034 00000000 00000000 00000000 00000000 00000000 00000000 9e80: 00000000 00000000 00000000 5335509c c1b0be80 f1439ee4 00008946 c1b0be80 9ea0: 01067f50 f1439ee3 00000000 00000046 b6d77ae0 c0b383f0 00008946 becc83e8 9ec0: c1b0be80 00000051 0000000b c68ca480 c7172d00 c0ad8ff0 f1439ee3 cf600e40 9ee0: 01600e40 32687465 00000000 00000000 00000000 01067f50 00000000 00000000 9f00: 00000000 5335509c 00008946 00008946 00000000 c68ca480 becc83e8 c05e2de0 9f20: f1439fb0 c03002f0 00000006 5ac3c35a c4816b80 00000006 b6d77ae0 c030caf0 9f40: c4817350 00000014 f1439e1c 0000000c 00000000 00000051 01000000 00000014 9f60: 00003fec f1439edc 00000001 c0372abc b6d77ae0 c0372abc cf600e40 5335509c 9f80: c21e6800 01015c9c 0000000b 00008946 00000036 c03002f0 c4816b80 00000036 9fa0: b6d77ae0 c03000c0 01015c9c 0000000b 0000000b 00008946 becc83e8 00000000 9fc0: 01015c9c 0000000b 00008946 00000036 00000035 010678a0 b6d797ec b6d77ae0 9fe0: b6dbf738 becc838c b6d186d7 b6baa858 40000030 0000000b 00000000 00000000 page_pool_get_s ---truncated--- CVE-2023-52780 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: config: fix iteration issue in 'usb_get_bos_descriptor()' The BOS descriptor defines a root descriptor and is the base descriptor for accessing a family of related descriptors. Function 'usb_get_bos_descriptor()' encounters an iteration issue when skipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in the same descriptor being read repeatedly. To address this issue, a 'goto' statement is introduced to ensure that the pointer and the amount read is updated correctly. This ensures that the function iterates to the next descriptor instead of reading the same descriptor repeatedly. CVE-2023-52781 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Track xmit submission to PTP WQ after populating metadata map Ensure the skb is available in metadata mapping to skbs before tracking the metadata index for detecting undelivered CQEs. If the metadata index is put in the tracking list before putting the skb in the map, the metadata index might be used for detecting undelivered CQEs before the relevant skb is available in the map, which can lead to a null-ptr-deref. Log: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ #108 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: events mlx5e_rx_dim_work [mlx5_core] RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core] Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07 RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206 RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005 RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028 RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383 R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40 R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> ? die_addr+0x3c/0xa0 ? exc_general_protection+0x144/0x210 ? asm_exc_general_protection+0x22/0x30 ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core] ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core] __napi_poll.constprop.0+0xa4/0x580 net_rx_action+0x460/0xb80 ? _raw_spin_unlock_irqrestore+0x32/0x60 ? __napi_poll.constprop.0+0x580/0x580 ? tasklet_action_common.isra.0+0x2ef/0x760 __do_softirq+0x26c/0x827 irq_exit_rcu+0xc2/0x100 common_interrupt+0x7f/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:__kmem_cache_alloc_node+0xb/0x330 Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83 RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246 RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218 RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0 RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9 R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0 R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450 ? cmd_exec+0x796/0x2200 [mlx5_core] kmalloc_trace+0x26/0xc0 cmd_exec+0x796/0x2200 [mlx5_core] mlx5_cmd_do+0x22/0xc0 [mlx5_core] mlx5_cmd_exec+0x17/0x30 [mlx5_core] mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core] ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core] ? lockdep_set_lock_cmp_fn+0x190/0x190 ? process_one_work+0x659/0x1220 mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core] process_one_work+0x730/0x1220 ? lockdep_hardirqs_on_prepare+0x400/0x400 ? max_active_store+0xf0/0xf0 ? assign_work+0x168/0x240 worker_thread+0x70f/0x12d0 ? __kthread_parkme+0xd1/0x1d0 ? process_one_work+0x1220/0x1220 kthread+0x2d9/0x3b0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x2d/0x70 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_as ---truncated--- CVE-2023-52782 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: wangxun: fix kernel panic due to null pointer When the device uses a custom subsystem vendor ID, the function wx_sw_init() returns before the memory of 'wx->mac_table' is allocated. The null pointer will causes the kernel panic. CVE-2023-52783 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: bonding: stop the device in bond_setup_by_slave() Commit 9eed321cde22 ("net: lapbether: only support ethernet devices") has been able to keep syzbot away from net/lapb, until today. In the following splat [1], the issue is that a lapbether device has been created on a bonding device without members. Then adding a non ARPHRD_ETHER member forced the bonding master to change its type. The fix is to make sure we call dev_close() in bond_setup_by_slave() so that the potential linked lapbether devices (or any other devices having assumptions on the physical device) are removed. A similar bug has been addressed in commit 40baec225765 ("bonding: fix panic on non-ARPHRD_ETHER enslave failure") [1] skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0 kernel BUG at net/core/skbuff.c:192 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic net/core/skbuff.c:188 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 lr : skb_panic net/core/skbuff.c:188 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 sp : ffff800096a06aa0 x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000 x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140 x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100 x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001 x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00 x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086 Call trace: skb_panic net/core/skbuff.c:188 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 skb_push+0xf0/0x108 net/core/skbuff.c:2446 ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384 dev_hard_header include/linux/netdevice.h:3136 [inline] lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257 lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447 lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149 lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251 __lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326 lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1970 [inline] call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers net/core/dev.c:2022 [inline] __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 dev_close_many+0x1e0/0x470 net/core/dev.c:1559 dev_close+0x174/0x250 net/core/dev.c:1585 lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1970 [inline] call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers net/core/dev.c:2022 [inline] __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 dev_close_many+0x1e0/0x470 net/core/dev.c:1559 dev_close+0x174/0x250 net/core/dev.c:1585 bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332 bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539 dev_ifsioc+0x754/0x9ac dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786 sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217 sock_ioctl+0x4e8/0x834 net/socket.c:1322 vfs_ioctl fs/ioctl.c:51 [inline] __do_ ---truncated--- CVE-2023-52784 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: i915/perf: Fix NULL deref bugs with drm_dbg() calls When i915 perf interface is not available dereferencing it will lead to NULL dereferences. As returning -ENOTSUPP is pretty clear return when perf interface is not available. [tursulin: added stable tag] (cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889) CVE-2023-52788 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tty: vcc: Add check for kstrdup() in vcc_probe() Add check for the return value of kstrdup() and return the error, if it fails in order to avoid NULL pointer dereference. CVE-2023-52789 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: core: Run atomic i2c xfer when !preemptible Since bae1d3a05a8b, i2c transfers are non-atomic if preemption is disabled. However, non-atomic i2c transfers require preemption (e.g. in wait_for_completion() while waiting for the DMA). panic() calls preempt_disable_notrace() before calling emergency_restart(). Therefore, if an i2c device is used for the restart, the xfer should be atomic. This avoids warnings like: [ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0 [ 12.676926] Voluntary context switch within RCU read-side critical section! ... [ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114 [ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70 ... [ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58 [ 13.001050] machine_restart from panic+0x2a8/0x32c Use !preemptible() instead, which is basically the same check as pre-v5.2. CVE-2023-52791 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails Commit 5e42bcbc3fef ("cxl/region: decrement ->nr_targets on error in cxl_region_attach()") tried to avoid 'eiw' initialization errors when ->nr_targets exceeded 16, by just decrementing ->nr_targets when cxl_region_setup_targets() failed. Commit 86987c766276 ("cxl/region: Cleanup target list on attach error") extended that cleanup to also clear cxled->pos and p->targets[pos]. The initialization error was incidentally fixed separately by: Commit 8d4285425714 ("cxl/region: Fix port setup uninitialized variable warnings") which was merged a few days after 5e42bcbc3fef. But now the original cleanup when cxl_region_setup_targets() fails prevents endpoint and switch decoder resources from being reused: 1) the cleanup does not set the decoder's region to NULL, which results in future dpa_size_store() calls returning -EBUSY 2) the decoder is not properly freed, which results in future commit errors associated with the upstream switch Now that the initialization errors were fixed separately, the proper cleanup for this case is to just return immediately. Then the resources associated with this target get cleanup up as normal when the failed region is deleted. The ->nr_targets decrement in the error case also helped prevent a p->targets[] array overflow, so add a new check to prevent against that overflow. Tested by trying to create an invalid region for a 2 switch * 2 endpoint topology, and then following up with creating a valid region. CVE-2023-52792 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: thermal: intel: powerclamp: fix mismatch in get function for max_idle KASAN reported this [ 444.853098] BUG: KASAN: global-out-of-bounds in param_get_int+0x77/0x90 [ 444.853111] Read of size 4 at addr ffffffffc16c9220 by task cat/2105 ... [ 444.853442] The buggy address belongs to the variable: [ 444.853443] max_idle+0x0/0xffffffffffffcde0 [intel_powerclamp] There is a mismatch between the param_get_int and the definition of max_idle. Replacing param_get_int with param_get_byte resolves this issue. CVE-2023-52794 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: vhost-vdpa: fix use after free in vhost_vdpa_probe() The put_device() calls vhost_vdpa_release_dev() which calls ida_simple_remove() and frees "v". So this call to ida_simple_remove() is a use after free and a double free. CVE-2023-52795 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipvlan: add ipvlan_route_v6_outbound() helper Inspired by syzbot reports using a stack of multiple ipvlan devices. Reduce stack size needed in ipvlan_process_v6_outbound() by moving the flowi6 struct used for the route lookup in an non inlined helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack, immediately reclaimed. Also make sure ipvlan_process_v4_outbound() is not inlined. We might also have to lower MAX_NEST_DEV, because only syzbot uses setups with more than four stacked devices. BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000) stack guard page: 0000 [#1] SMP KASAN CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188 Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89 RSP: 0018:ffffc9000e804000 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568 RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000 FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <#DF> </#DF> <TASK> [<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 [<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline] [<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] [<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline] [<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline] [<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline] [<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632 [<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306 [<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline] [<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221 [<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606 [<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline] [<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116 [<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638 [<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651 [<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline] [<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline] [<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<f ---truncated--- CVE-2023-52796 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix dfs radar event locking The ath11k active pdevs are protected by RCU but the DFS radar event handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only. CVE-2023-52798 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in dbFindLeaf Currently while searching for dmtree_t for sufficient free blocks there is an array out of bounds while getting element in tp->dm_stree. To add the required check for out of bound we first need to determine the type of dmtree. Thus added an extra parameter to dbFindLeaf so that the type of tree can be determined and the required check can be applied. CVE-2023-52799 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix htt pktlog locking The ath11k active pdevs are protected by RCU but the htt pktlog handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only. CVE-2023-52800 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix missing update of domains_itree after splitting iopt_area In iopt_area_split(), if the original iopt_area has filled a domain and is linked to domains_itree, pages_nodes have to be properly reinserted. Otherwise the domains_itree becomes corrupted and we will UAF. CVE-2023-52801 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir() workqueue,which takes care about pipefs superblock locking. In some special scenarios, when kernel frees the pipefs sb of the current client and immediately alloctes a new pipefs sb, rpc_remove_pipedir function would misjudge the existence of pipefs sb which is not the one it used to hold. As a result, the rpc_remove_pipedir would clean the released freed pipefs dentries. To fix this issue, rpc_remove_pipedir should check whether the current pipefs sb is consistent with the original pipefs sb. This error can be catched by KASAN: ========================================================= [ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200 [ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503 [ 250.500549] Workqueue: events rpc_free_client_work [ 250.501001] Call Trace: [ 250.502880] kasan_report+0xb6/0xf0 [ 250.503209] ? dget_parent+0x195/0x200 [ 250.503561] dget_parent+0x195/0x200 [ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10 [ 250.504384] rpc_rmdir_depopulate+0x1b/0x90 [ 250.504781] rpc_remove_client_dir+0xf5/0x150 [ 250.505195] rpc_free_client_work+0xe4/0x230 [ 250.505598] process_one_work+0x8ee/0x13b0 ... [ 22.039056] Allocated by task 244: [ 22.039390] kasan_save_stack+0x22/0x50 [ 22.039758] kasan_set_track+0x25/0x30 [ 22.040109] __kasan_slab_alloc+0x59/0x70 [ 22.040487] kmem_cache_alloc_lru+0xf0/0x240 [ 22.040889] __d_alloc+0x31/0x8e0 [ 22.041207] d_alloc+0x44/0x1f0 [ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140 [ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110 [ 22.042459] rpc_create_client_dir+0x34/0x150 [ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0 [ 22.043284] rpc_client_register+0x136/0x4e0 [ 22.043689] rpc_new_client+0x911/0x1020 [ 22.044057] rpc_create_xprt+0xcb/0x370 [ 22.044417] rpc_create+0x36b/0x6c0 ... [ 22.049524] Freed by task 0: [ 22.049803] kasan_save_stack+0x22/0x50 [ 22.050165] kasan_set_track+0x25/0x30 [ 22.050520] kasan_save_free_info+0x2b/0x50 [ 22.050921] __kasan_slab_free+0x10e/0x1a0 [ 22.051306] kmem_cache_free+0xa5/0x390 [ 22.051667] rcu_core+0x62c/0x1930 [ 22.051995] __do_softirq+0x165/0x52a [ 22.052347] [ 22.052503] Last potentially related work creation: [ 22.052952] kasan_save_stack+0x22/0x50 [ 22.053313] __kasan_record_aux_stack+0x8e/0xa0 [ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0 [ 22.054209] dentry_free+0xb2/0x140 [ 22.054540] __dentry_kill+0x3be/0x540 [ 22.054900] shrink_dentry_list+0x199/0x510 [ 22.055293] shrink_dcache_parent+0x190/0x240 [ 22.055703] do_one_tree+0x11/0x40 [ 22.056028] shrink_dcache_for_umount+0x61/0x140 [ 22.056461] generic_shutdown_super+0x70/0x590 [ 22.056879] kill_anon_super+0x3a/0x60 [ 22.057234] rpc_kill_sb+0x121/0x200 CVE-2023-52803 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Add validity check for db_maxag and db_agpref Both db_maxag and db_agpref are used as the index of the db_agfree array, but there is currently no validity check for db_maxag and db_agpref, which can lead to errors. The following is related bug reported by Syzbot: UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20 index 7936 is out of range for type 'atomic_t[128]' Add checking that the values of db_maxag and db_agpref are valid indexes for the db_agfree array. CVE-2023-52804 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in diAlloc Currently there is not check against the agno of the iag while allocating new inodes to avoid fragmentation problem. Added the check which is required. CVE-2023-52805 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix possible null-ptr-deref when assigning a stream While AudioDSP drivers assign streams exclusively of HOST or LINK type, nothing blocks a user to attempt to assign a COUPLED stream. As supplied substream instance may be a stub, what is the case when code-loading, such scenario ends with null-ptr-deref. CVE-2023-52806 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix out-of-bounds access may occur when coalesce info is read via debugfs The hns3 driver define an array of string to show the coalesce info, but if the kernel adds a new mode or a new state, out-of-bounds access may occur when coalesce info is read via debugfs, this patch fix the problem. CVE-2023-52807 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs If init debugfs failed during device registration due to memory allocation failure, debugfs_remove_recursive() is called, after which debugfs_dir is not set to NULL. debugfs_remove_recursive() will be called again during device removal. As a result, illegal pointer is accessed. [ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs! ... [ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 [ 1669.872669] pc : down_write+0x24/0x70 [ 1669.876315] lr : down_write+0x1c/0x70 [ 1669.879961] sp : ffff000036f53a30 [ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8 [ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000 [ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270 [ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8 [ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310 [ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10 [ 1669.914982] x17: 0000000000000000 x16: 0000000000000000 [ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870 [ 1669.925555] x13: 0000000000000040 x12: 0000000000000228 [ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0 [ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10 [ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff [ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00 [ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000 [ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001 [ 1669.962563] Call trace: [ 1669.965000] down_write+0x24/0x70 [ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0 [ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main] [ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw] [ 1669.984175] pci_device_remove+0x48/0xd8 [ 1669.988082] device_release_driver_internal+0x1b4/0x250 [ 1669.993282] device_release_driver+0x28/0x38 [ 1669.997534] pci_stop_bus_device+0x84/0xb8 [ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40 [ 1670.007244] remove_store+0xfc/0x140 [ 1670.010802] dev_attr_store+0x44/0x60 [ 1670.014448] sysfs_kf_write+0x58/0x80 [ 1670.018095] kernfs_fop_write+0xe8/0x1f0 [ 1670.022000] __vfs_write+0x60/0x190 [ 1670.025472] vfs_write+0xac/0x1c0 [ 1670.028771] ksys_write+0x6c/0xd8 [ 1670.032071] __arm64_sys_write+0x24/0x30 [ 1670.035977] el0_svc_common+0x78/0x130 [ 1670.039710] el0_svc_handler+0x38/0x78 [ 1670.043442] el0_svc+0x8/0xc To fix this, set debugfs_dir to NULL after debugfs_remove_recursive(). CVE-2023-52808 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() fc_lport_ptp_setup() did not check the return value of fc_rport_create() which can return NULL and would cause a NULL pointer dereference. Address this issue by checking return value of fc_rport_create() and log error message on fc_rport_create() failed. CVE-2023-52809 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Add check for negative db_l2nbperpage l2nbperpage is log2(number of blks per page), and the minimum legal value should be 0, not negative. In the case of l2nbperpage being negative, an error will occur when subsequently used as shift exponent. Syzbot reported this bug: UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12 shift exponent -16777216 is negative CVE-2023-52810 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool In practice the driver should never send more commands than are allocated to a queue's event pool. In the unlikely event that this happens, the code asserts a BUG_ON, and in the case that the kernel is not configured to crash on panic returns a junk event pointer from the empty event list causing things to spiral from there. This BUG_ON is a historical artifact of the ibmvfc driver first being upstreamed, and it is well known now that the use of BUG_ON is bad practice except in the most unrecoverable scenario. There is nothing about this scenario that prevents the driver from recovering and carrying on. Remove the BUG_ON in question from ibmvfc_get_event() and return a NULL pointer in the case of an empty event pool. Update all call sites to ibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate failure or recovery action. CVE-2023-52811 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd: check num of link levels when update pcie param In SR-IOV environment, the value of pcie_table->num_of_link_levels will be 0, and num_of_levels - 1 will cause array index out of bounds CVE-2023-52812 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix hungtask for PADATA_RESET We found a hungtask bug in test_aead_vec_cfg as follows: INFO: task cryptomgr_test:391009 blocked for more than 120 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. Call trace: __switch_to+0x98/0xe0 __schedule+0x6c4/0xf40 schedule+0xd8/0x1b4 schedule_timeout+0x474/0x560 wait_for_common+0x368/0x4e0 wait_for_completion+0x20/0x30 wait_for_completion+0x20/0x30 test_aead_vec_cfg+0xab4/0xd50 test_aead+0x144/0x1f0 alg_test_aead+0xd8/0x1e0 alg_test+0x634/0x890 cryptomgr_test+0x40/0x70 kthread+0x1e0/0x220 ret_from_fork+0x10/0x18 Kernel panic - not syncing: hung_task: blocked tasks For padata_do_parallel, when the return err is 0 or -EBUSY, it will call wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal case, aead_request_complete() will be called in pcrypt_aead_serial and the return err is 0 for padata_do_parallel. But, when pinst->flags is PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it won't call aead_request_complete(). Therefore, test_aead_vec_cfg will hung at wait_for_completion(&wait->completion), which will cause hungtask. The problem comes as following: (padata_do_parallel) | rcu_read_lock_bh(); | err = -EINVAL; | (padata_replace) | pinst->flags |= PADATA_RESET; err = -EBUSY | if (pinst->flags & PADATA_RESET) | rcu_read_unlock_bh() | return err In order to resolve the problem, we replace the return err -EBUSY with -EAGAIN, which means parallel_data is changing, and the caller should call it again. v3: remove retry and just change the return err. v2: introduce padata_try_do_parallel() in pcrypt_aead_encrypt and pcrypt_aead_decrypt to solve the hungtask. CVE-2023-52813 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix potential null pointer derefernce The amdgpu_ras_get_context may return NULL if device not support ras feature, so add check before using. CVE-2023-52814 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vkms: fix a possible null pointer dereference In amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_cvt_mode(). Add a check to avoid null pointer dereference. CVE-2023-52815 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix shift out-of-bounds issue [ 567.613292] shift exponent 255 is too large for 64-bit type 'long unsigned int' [ 567.614498] CPU: 5 PID: 238 Comm: kworker/5:1 Tainted: G OE 6.2.0-34-generic #34~22.04.1-Ubuntu [ 567.614502] Hardware name: AMD Splinter/Splinter-RPL, BIOS WS43927N_871 09/25/2023 [ 567.614504] Workqueue: events send_exception_work_handler [amdgpu] [ 567.614748] Call Trace: [ 567.614750] <TASK> [ 567.614753] dump_stack_lvl+0x48/0x70 [ 567.614761] dump_stack+0x10/0x20 [ 567.614763] __ubsan_handle_shift_out_of_bounds+0x156/0x310 [ 567.614769] ? srso_alias_return_thunk+0x5/0x7f [ 567.614773] ? update_sd_lb_stats.constprop.0+0xf2/0x3c0 [ 567.614780] svm_range_split_by_granularity.cold+0x2b/0x34 [amdgpu] [ 567.615047] ? srso_alias_return_thunk+0x5/0x7f [ 567.615052] svm_migrate_to_ram+0x185/0x4d0 [amdgpu] [ 567.615286] do_swap_page+0x7b6/0xa30 [ 567.615291] ? srso_alias_return_thunk+0x5/0x7f [ 567.615294] ? __free_pages+0x119/0x130 [ 567.615299] handle_pte_fault+0x227/0x280 [ 567.615303] __handle_mm_fault+0x3c0/0x720 [ 567.615311] handle_mm_fault+0x119/0x330 [ 567.615314] ? lock_mm_and_find_vma+0x44/0x250 [ 567.615318] do_user_addr_fault+0x1a9/0x640 [ 567.615323] exc_page_fault+0x81/0x1b0 [ 567.615328] asm_exc_page_fault+0x27/0x30 [ 567.615332] RIP: 0010:__get_user_8+0x1c/0x30 CVE-2023-52816 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL In certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log: 1. Navigate to the directory: /sys/kernel/debug/dri/0 2. Execute command: cat amdgpu_regs_smc 3. Exception Log:: [4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000 [4005007.702562] #PF: supervisor instruction fetch in kernel mode [4005007.702567] #PF: error_code(0x0010) - not-present page [4005007.702570] PGD 0 P4D 0 [4005007.702576] Oops: 0010 [#1] SMP NOPTI [4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u [4005007.702590] RIP: 0010:0x0 [4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. [4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206 [4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68 [4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000 [4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980 [4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000 [4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000 [4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000 [4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0 [4005007.702633] Call Trace: [4005007.702636] <TASK> [4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu] [4005007.703002] full_proxy_read+0x5c/0x80 [4005007.703011] vfs_read+0x9f/0x1a0 [4005007.703019] ksys_read+0x67/0xe0 [4005007.703023] __x64_sys_read+0x19/0x20 [4005007.703028] do_syscall_64+0x5c/0xc0 [4005007.703034] ? do_user_addr_fault+0x1e3/0x670 [4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0 [4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20 [4005007.703052] ? irqentry_exit+0x19/0x30 [4005007.703057] ? exc_page_fault+0x89/0x160 [4005007.703062] ? asm_exc_page_fault+0x8/0x30 [4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae [4005007.703075] RIP: 0033:0x7f5e07672992 [4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24 [4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992 [4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003 [4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010 [4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000 [4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000 [4005007.703105] </TASK> [4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca [4005007.703184] CR2: 0000000000000000 [4005007.703188] ---[ en ---truncated--- CVE-2023-52817 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 For pptable structs that use flexible array sizes, use flexible arrays. CVE-2023-52818 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga For pptable structs that use flexible array sizes, use flexible arrays. CVE-2023-52819 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/panel: fix a possible null pointer dereference In versatile_panel_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2023-52821 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix a race condition of vram buffer unref in svm code prange->svm_bo unref can happen in both mmu callback and a callback after migrate to system ram. Both are async call in different tasks. Sync svm_bo unref operation to avoid random "use-after-free". CVE-2023-52825 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference In tpg110_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. CVE-2023-52826 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats() len is extracted from HTT message and could be an unexpected value in case errors happen, so add validation before using to avoid possible out-of-bound read in the following message iteration and parsing. The same issue also applies to ppdu_info->ppdu_stats.common.num_users, so validate it before using too. These are found during code review. Compile test only. CVE-2023-52827 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps() reg_cap.phy_id is extracted from WMI event and could be an unexpected value in case some errors happen. As a result out-of-bound write may occur to soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it. This is found during code review. Compile tested only. CVE-2023-52829 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't return unset power in ieee80211_get_tx_power() We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. CVE-2023-52832 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: Add date->evt_skb is NULL check fix crash because of null pointers [ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8 [ 6104.969667] #PF: supervisor read access in kernel mode [ 6104.969668] #PF: error_code(0x0000) - not-present page [ 6104.969670] PGD 0 P4D 0 [ 6104.969673] Oops: 0000 [#1] SMP NOPTI [ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb] [ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246 [ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006 [ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000 [ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001 [ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0 [ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90 [ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000 [ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0 [ 6104.969701] PKRU: 55555554 [ 6104.969702] Call Trace: [ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb] [ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth] [ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth] [ 6104.969753] rfkill_set_block+0x92/0x160 [ 6104.969755] rfkill_fop_write+0x136/0x1e0 [ 6104.969759] __vfs_write+0x18/0x40 [ 6104.969761] vfs_write+0xdf/0x1c0 [ 6104.969763] ksys_write+0xb1/0xe0 [ 6104.969765] __x64_sys_write+0x1a/0x20 [ 6104.969769] do_syscall_64+0x51/0x180 [ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 6104.969773] RIP: 0033:0x7f5a21f18fef [ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef [ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012 [ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017 [ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002 [ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0 CVE-2023-52833 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: atl1c: Work around the DMA RX overflow issue This is based on alx driver commit 881d0327db37 ("net: alx: Work around the DMA RX overflow issue"). The alx and atl1c drivers had RX overflow error which was why a custom allocator was created to avoid certain addresses. The simpler workaround then created for alx driver, but not for atl1c due to lack of tester. Instead of using a custom allocator, check the allocated skb address and use skb_reserve() to move away from problematic 0x...fc0 address. Tested on AR8131 on Acer 4540. CVE-2023-52834 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf/core: Bail out early if the request AUX area is out of bound When perf-record with a large AUX area, e.g 4GB, it fails with: #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1 failed to mmap with 12 (Cannot allocate memory) and it reveals a WARNING with __alloc_pages(): ------------[ cut here ]------------ WARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248 Call trace: __alloc_pages+0x1ec/0x248 __kmalloc_large_node+0xc0/0x1f8 __kmalloc_node+0x134/0x1e8 rb_alloc_aux+0xe0/0x298 perf_mmap+0x440/0x660 mmap_region+0x308/0x8a8 do_mmap+0x3c0/0x528 vm_mmap_pgoff+0xf4/0x1b8 ksys_mmap_pgoff+0x18c/0x218 __arm64_sys_mmap+0x38/0x58 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x58/0x188 do_el0_svc+0x34/0x50 el0_svc+0x34/0x108 el0t_64_sync_handler+0xb8/0xc0 el0t_64_sync+0x1a4/0x1a8 'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to maintains AUX trace pages. The allocated page for this array is physically contiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the size of pointer array crosses the limitation set by MAX_ORDER, it reveals a WARNING. So bail out early with -ENOMEM if the request AUX area is out of bound, e.g.: #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1 failed to mmap with 12 (Cannot allocate memory) CVE-2023-52835 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: locking/ww_mutex/test: Fix potential workqueue corruption In some cases running with the test-ww_mutex code, I was seeing odd behavior where sometimes it seemed flush_workqueue was returning before all the work threads were finished. Often this would cause strange crashes as the mutexes would be freed while they were being used. Looking at the code, there is a lifetime problem as the controlling thread that spawns the work allocates the "struct stress" structures that are passed to the workqueue threads. Then when the workqueue threads are finished, they free the stress struct that was passed to them. Unfortunately the workqueue work_struct node is in the stress struct. Which means the work_struct is freed before the work thread returns and while flush_workqueue is waiting. It seems like a better idea to have the controlling thread both allocate and free the stress structures, so that we can be sure we don't corrupt the workqueue by freeing the structure prematurely. So this patch reworks the test to do so, and with this change I no longer see the early flush_workqueue returns. CVE-2023-52836 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: fbdev: imsttfb: fix a resource leak in probe I've re-written the error handling but the bug is that if init_imstt() fails we need to call iounmap(par->cmap_regs). CVE-2023-52838 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() The put_device() calls rmi_release_function() which frees "fn" so the dereference on the next line "fn->num_of_irqs" is a use after free. Move the put_device() to the end to fix this. CVE-2023-52840 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: vidtv: mux: Add check and kfree for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. Moreover, use kfree() in the later error handling in order to avoid memory leak. CVE-2023-52841 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt() KMSAN reported the following uninit-value access issue: ===================================================== BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit was stored to memory at: virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline] virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit was created at: slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline] virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline] virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: vsock-loopback vsock_loopback_work ===================================================== The following simple reproducer can cause the issue described above: int main(void) { int sock; struct sockaddr_vm addr = { .svm_family = AF_VSOCK, .svm_cid = VMADDR_CID_ANY, .svm_port = 1234, }; sock = socket(AF_VSOCK, SOCK_STREAM, 0); connect(sock, (struct sockaddr *)&addr, sizeof(addr)); return 0; } This issue occurs because the `buf_alloc` and `fwd_cnt` fields of the `struct virtio_vsock_hdr` are not initialized when a new skb is allocated in `virtio_transport_init_hdr()`. This patch resolves the issue by initializing these fields during allocation. CVE-2023-52842 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: vidtv: psi: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. CVE-2023-52844 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: hsr: Prevent use after free in prp_create_tagged_frame() The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value. CVE-2023-52846 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: media: bttv: fix use after free error due to btv->timeout timer There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in remove function. When it hit kfree btv, the function might still be invoked, which will cause use after free bug. This bug is found by static analysis, it may be false positive. Fix it by adding del_timer_sync invoking to the remove function. cpu0 cpu1 bttv_probe ->timer_setup ->bttv_set_dma ->mod_timer; bttv_remove ->kfree(btv); ->bttv_irq_timeout ->USE btv CVE-2023-52847 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: cxl/mem: Fix shutdown order Ira reports that removing cxl_mock_mem causes a crash with the following trace: BUG: kernel NULL pointer dereference, address: 0000000000000044 [..] RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core] [..] Call Trace: <TASK> cxl_region_detach+0xe8/0x210 [cxl_core] cxl_decoder_kill_region+0x27/0x40 [cxl_core] cxld_unregister+0x29/0x40 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 bus_remove_device+0xd7/0x150 device_del+0x155/0x3e0 device_unregister+0x13/0x60 devm_release_action+0x4d/0x90 ? __pfx_unregister_port+0x10/0x10 [cxl_core] delete_endpoint+0x121/0x130 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 bus_remove_device+0xd7/0x150 device_del+0x155/0x3e0 ? lock_release+0x142/0x290 cdev_device_del+0x15/0x50 cxl_memdev_unregister+0x54/0x70 [cxl_core] This crash is due to the clearing out the cxl_memdev's driver context (@cxlds) before the subsystem is done with it. This is ultimately due to the region(s), that this memdev is a member, being torn down and expecting to be able to de-reference @cxlds, like here: static int cxl_region_decode_reset(struct cxl_region *cxlr, int count) ... if (cxlds->rcd) goto endpoint_reset; ... Fix it by keeping the driver context valid until memdev-device unregistration, and subsequently the entire stack of related dependencies, unwinds. CVE-2023-52849 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: hantro: Check whether reset op is defined before use The i.MX8MM/N/P does not define the .reset op since reset of the VPU is done by genpd. Check whether the .reset op is defined before calling it to avoid NULL pointer dereference. Note that the Fixes tag is set to the commit which removed the reset op from i.MX8M Hantro G2 implementation, this is because before this commit all the implementations did define the .reset op. CVE-2023-52850 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF In the unlikely event that workqueue allocation fails and returns NULL in mlx5_mkey_cache_init(), delete the call to mlx5r_umr_resource_cleanup() (which frees the QP) in mlx5_ib_stage_post_ib_reg_umr_init(). This will avoid attempted double free of the same QP when __mlx5_ib_add() does its cleanup. Resolves a splat: Syzkaller reported a UAF in ib_destroy_qp_user workqueue: Failed to create a rescuer kthread for wq "mkey_cache": -EINTR infiniband mlx5_0: mlx5_mkey_cache_init:981:(pid 1642): failed to create work queue infiniband mlx5_0: mlx5_ib_stage_post_ib_reg_umr_init:4075:(pid 1642): mr cache init failed -12 ================================================================== BUG: KASAN: slab-use-after-free in ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073) Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642 Call Trace: <TASK> kasan_report (mm/kasan/report.c:590) ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073) mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198) __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4178) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... </TASK> Allocated by task 1642: __kmalloc (./include/linux/kasan.h:198 mm/slab_common.c:1026 mm/slab_common.c:1039) create_qp (./include/linux/slab.h:603 ./include/linux/slab.h:720 ./include/rdma/ib_verbs.h:2795 drivers/infiniband/core/verbs.c:1209) ib_create_qp_kernel (drivers/infiniband/core/verbs.c:1347) mlx5r_umr_resource_init (drivers/infiniband/hw/mlx5/umr.c:164) mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4070) __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... Freed by task 1642: __kmem_cache_free (mm/slub.c:1826 mm/slub.c:3809 mm/slub.c:3822) ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2112) mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198) mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4076 drivers/infiniband/hw/mlx5/main.c:4065) __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... CVE-2023-52851 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: hid: cp2112: Fix duplicate workqueue initialization Previously the cp2112 driver called INIT_DELAYED_WORK within cp2112_gpio_irq_startup, resulting in duplicate initilizations of the workqueue on subsequent IRQ startups following an initial request. This resulted in a warning in set_work_data in workqueue.c, as well as a rare NULL dereference within process_one_work in workqueue.c. Initialize the workqueue within _probe instead. CVE-2023-52853 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: padata: Fix refcnt handling in padata_free_shell() In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead to system UAF (Use-After-Free) issues. Due to the lengthy analysis of the pcrypt_aead01 function call, I'll describe the problem scenario using a simplified model: Suppose there's a user of padata named `user_function` that adheres to the padata requirement of calling `padata_free_shell` after `serial()` has been invoked, as demonstrated in the following code: ```c struct request { struct padata_priv padata; struct completion *done; }; void parallel(struct padata_priv *padata) { do_something(); } void serial(struct padata_priv *padata) { struct request *request = container_of(padata, struct request, padata); complete(request->done); } void user_function() { DECLARE_COMPLETION(done) padata->parallel = parallel; padata->serial = serial; padata_do_parallel(); wait_for_completion(&done); padata_free_shell(); } ``` In the corresponding padata.c file, there's the following code: ```c static void padata_serial_worker(struct work_struct *serial_work) { ... cnt = 0; while (!list_empty(&local_list)) { ... padata->serial(padata); cnt++; } local_bh_enable(); if (refcount_sub_and_test(cnt, &pd->refcnt)) padata_free_pd(pd); } ``` Because of the high system load and the accumulation of unexecuted softirq at this moment, `local_bh_enable()` in padata takes longer to execute than usual. Subsequently, when accessing `pd->refcnt`, `pd` has already been released by `padata_free_shell()`, resulting in a UAF issue with `pd->refcnt`. The fix is straightforward: add `refcount_dec_and_test` before calling `padata_free_pd` in `padata_free_shell`. CVE-2023-52854 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/bridge: lt8912b: Fix crash on bridge detach The lt8912b driver, in its bridge detach function, calls drm_connector_unregister() and drm_connector_cleanup(). drm_connector_unregister() should be called only for connectors explicitly registered with drm_connector_register(), which is not the case in lt8912b. The driver's drm_connector_funcs.destroy hook is set to drm_connector_cleanup(). Thus the driver should not call either drm_connector_unregister() nor drm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a crash on bridge detach: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000 [0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks CPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2 Hardware name: Toradex Verdin AM62 on Verdin Development Board (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_connector_cleanup+0x78/0x2d4 [drm] lr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b] sp : ffff800082ed3a90 x29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000 x26: 0000000000000000 x25: dead000000000122 x24: dead000000000122 x23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000 x20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8 x17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038 x14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e x11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48 x8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0 x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: drm_connector_cleanup+0x78/0x2d4 [drm] lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b] drm_bridge_detach+0x44/0x84 [drm] drm_encoder_cleanup+0x40/0xb8 [drm] drmm_encoder_alloc_release+0x1c/0x30 [drm] drm_managed_release+0xac/0x148 [drm] drm_dev_put.part.0+0x88/0xb8 [drm] devm_drm_dev_init_release+0x14/0x24 [drm] devm_action_release+0x14/0x20 release_nodes+0x5c/0x90 devres_release_all+0x8c/0xe0 device_unbind_cleanup+0x18/0x68 device_release_driver_internal+0x208/0x23c driver_detach+0x4c/0x94 bus_remove_driver+0x70/0xf4 driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 tidss_platform_driver_exit+0x18/0xb2c [tidss] __arm64_sys_delete_module+0x1a0/0x2b4 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x60/0x10c do_el0_svc_compat+0x1c/0x40 el0_svc_compat+0x40/0xac el0t_32_sync_handler+0xb0/0x138 el0t_32_sync+0x194/0x198 Code: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420) CVE-2023-52856 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix coverity issue with unintentional integer overflow 1. Instead of multiplying 2 variable of different types. Change to assign a value of one variable and then multiply the other variable. 2. Add a int variable for multiplier calculation instead of calculating different types multiplier with dma_addr_t variable directly. CVE-2023-52857 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference. CVE-2023-52858 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: bridge: it66121: Fix invalid connector dereference Fix the NULL pointer dereference when no monitor is connected, and the sound card is opened from userspace. Instead return an empty buffer (of zeroes) as the EDID information to the sound framework if there is no connector attached. CVE-2023-52861 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null pointer dereference in error message This patch fixes a null pointer dereference in the error message that is printed when the Display Core (DC) fails to initialize. The original message includes the DC version number, which is undefined if the DC is not initialized. CVE-2023-52862 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (axi-fan-control) Fix possible NULL pointer dereference axi_fan_control_irq_handler(), dependent on the private axi_fan_control_data structure, might be called before the hwmon device is registered. That will cause an "Unable to handle kernel NULL pointer dereference" error. CVE-2023-52863 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: wmi: Fix opening of char device Since commit fa1f68db6ca7 ("drivers: misc: pass miscdevice pointer via file private data"), the miscdevice stores a pointer to itself inside filp->private_data, which means that private_data will not be NULL when wmi_char_open() is called. This might cause memory corruption should wmi_char_open() be unable to find its driver, something which can happen when the associated WMI device is deleted in wmi_free_devices(). Fix the problem by using the miscdevice pointer to retrieve the WMI device data associated with a char device using container_of(). This also avoids wmi_char_open() picking a wrong WMI device bound to a driver with the same name as the original driver. CVE-2023-52864 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference. CVE-2023-52865 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks() When CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and then the below user-memory-access bug occurs. In hid_test_uclogic_params_cleanup_event_hooks(),it call uclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so when it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata() will access hdev->dev with hdev=NULL, which will cause below user-memory-access. So add a fake_device with quirks member and call hid_set_drvdata() to assign hdev->dev->driver_data which avoids the null-ptr-def bug for drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying this patch, the below user-memory-access bug never occurs. general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f] CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G B W N 6.6.0-rc2+ #30 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600 Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00 RSP: 0000:ffff88810679fc88 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000 RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0 R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92 R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080 FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0 DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6 DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x3d/0xa0 ? exc_general_protection+0x144/0x220 ? asm_exc_general_protection+0x22/0x30 ? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600 ? sched_clock_cpu+0x69/0x550 ? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70 ? load_balance+0x2950/0x2950 ? rcu_trc_cmpxchg_need_qs+0x67/0xa0 hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0 ? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600 ? __switch_to+0x5cf/0xe60 ? migrate_enable+0x260/0x260 ? __kthread_parkme+0x83/0x150 ? kunit_try_run_case_cleanup+0xe0/0xe0 kunit_generic_run_threadfn_adapter+0x4a/0x90 ? kunit_try_catch_throw+0x80/0x80 kthread+0x2b5/0x380 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x2d/0x70 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20 </TASK> Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace 0000000000000000 ]--- RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600 Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00 RSP: 0000:ffff88810679fc88 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000 RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0 R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92 R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080 FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0 DR0: ffffffff8fdd6cf4 DR1: ---truncated--- CVE-2023-52866 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: possible buffer overflow Buffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is checked after access. CVE-2023-52867 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: thermal: core: prevent potential string overflow The dev->id value comes from ida_alloc() so it's a number between zero and INT_MAX. If it's too high then these sprintf()s will overflow. CVE-2023-52868 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: pstore/platform: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. CVE-2023-52869 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference. CVE-2023-52870 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: llcc: Handle a second device without data corruption Usually there is only one llcc device. But if there were a second, even a failed probe call would modify the global drv_data pointer. So check if drv_data is valid before overwriting it. CVE-2023-52871 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix race condition in status line change on dead connections gsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all timers, removing the virtual tty devices and clearing the data queues. This procedure, however, may cause subsequent changes of the virtual modem status lines of a DLCI. More data is being added the outgoing data queue and the deleted kick timer is restarted to handle this. At this point many resources have already been removed by the cleanup procedure. Thus, a kernel panic occurs. Fix this by proving in gsm_modem_update() that the cleanup procedure has not been started and the mux is still alive. Note that writing to a virtual tty is already protected by checks against the DLCI specific connection state. CVE-2023-52872 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference. CVE-2023-52873 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro In the TDX_HYPERCALL asm, after the TDCALL instruction returns from the untrusted VMM, the registers that the TDX guest shares to the VMM need to be cleared to avoid speculative execution of VMM-provided values. RSI is specified in the bitmap of those registers, but it is missing when zeroing out those registers in the current TDX_HYPERCALL. It was there when it was originally added in commit 752d13305c78 ("x86/tdx: Expand __tdx_hypercall() to handle more arguments"), but was later removed in commit 1e70c680375a ("x86/tdx: Do not corrupt frame-pointer in __tdx_hypercall()"), which was correct because %rsi is later restored in the "pop %rsi". However a later commit 7a3a401874be ("x86/tdx: Drop flags from __tdx_hypercall()") removed that "pop %rsi" but forgot to add the "xor %rsi, %rsi" back. Fix by adding it back. CVE-2023-52874 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference. CVE-2023-52875 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data Add the check for the return value of mtk_alloc_clk_data() in order to avoid NULL pointer dereference. CVE-2023-52876 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm() It is possible that typec_register_partner() returns ERR_PTR on failure. When port->partner is an error, a NULL pointer dereference may occur as shown below. [91222.095236][ T319] typec port0: failed to register partner (-17) ... [91225.061491][ T319] Unable to handle kernel NULL pointer dereference at virtual address 000000000000039f [91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc [91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc [91225.308067][ T319] Call trace: [91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc [91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8 [91225.355900][ T319] kthread_worker_fn+0x178/0x58c [91225.355902][ T319] kthread+0x150/0x200 [91225.355905][ T319] ret_from_fork+0x10/0x30 Add a check for port->partner to avoid dereferencing a NULL pointer. CVE-2023-52877 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error. CVE-2023-52878 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Have trace_event_file have ref counters The following can crash the kernel: # cd /sys/kernel/tracing # echo 'p:sched schedule' > kprobe_events # exec 5>>events/kprobes/sched/enable # > kprobe_events # exec 5>&- The above commands: 1. Change directory to the tracefs directory 2. Create a kprobe event (doesn't matter what one) 3. Open bash file descriptor 5 on the enable file of the kprobe event 4. Delete the kprobe event (removes the files too) 5. Close the bash file descriptor 5 The above causes a crash! BUG: kernel NULL pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:tracing_release_file_tr+0xc/0x50 What happens here is that the kprobe event creates a trace_event_file "file" descriptor that represents the file in tracefs to the event. It maintains state of the event (is it enabled for the given instance?). Opening the "enable" file gets a reference to the event "file" descriptor via the open file descriptor. When the kprobe event is deleted, the file is also deleted from the tracefs system which also frees the event "file" descriptor. But as the tracefs file is still opened by user space, it will not be totally removed until the final dput() is called on it. But this is not true with the event "file" descriptor that is already freed. If the user does a write to or simply closes the file descriptor it will reference the event "file" descriptor that was just freed, causing a use-after-free bug. To solve this, add a ref count to the event "file" descriptor as well as a new flag called "FREED". The "file" will not be freed until the last reference is released. But the FREE flag will be set when the event is removed to prevent any more modifications to that event from happening, even if there's still a reference to the event "file" descriptor. CVE-2023-52879 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that. CVE-2023-52880 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent This patch is based on a detailed report and ideas from Yepeng Pan and Christian Rossow. ACK seq validation is currently following RFC 5961 5.2 guidelines: The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back. It needs to be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and return". The "ignored" above implies that the processing of the incoming data segment continues, which means the ACK value is treated as acceptable. This mitigation makes the ACK check more stringent since any ACK < SND.UNA wouldn't be accepted, instead only ACKs that are in the range ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through. This can be refined for new (and possibly spoofed) flows, by not accepting ACK for bytes that were never sent. This greatly improves TCP security at a little cost. I added a Fixes: tag to make sure this patch will reach stable trees, even if the 'blamed' patch was adhering to the RFC. tp->bytes_acked was added in linux-4.2 Following packetdrill test (courtesy of Yepeng Pan) shows the issue at hand: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1024) = 0 // ---------------- Handshake ------------------- // // when window scale is set to 14 the window size can be extended to // 65535 * (2^14) = 1073725440. Linux would accept an ACK packet // with ack number in (Server_ISN+1-1073725440. Server_ISN+1) // ,though this ack number acknowledges some data never // sent by the server. +0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14> +0 > S. 0:0(0) ack 1 <...> +0 < . 1:1(0) ack 1 win 65535 +0 accept(3, ..., ...) = 4 // For the established connection, we send an ACK packet, // the ack packet uses ack number 1 - 1073725300 + 2^32, // where 2^32 is used to wrap around. // Note: we used 1073725300 instead of 1073725440 to avoid possible // edge cases. // 1 - 1073725300 + 2^32 = 3221241997 // Oops, old kernels happily accept this packet. +0 < . 1:1001(1000) ack 3221241997 win 65535 // After the kernel fix the following will be replaced by a challenge ACK, // and prior malicious frame would be dropped. +0 > . 1:1(0) ack 1001 CVE-2023-52881 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix possible null pointer dereference abo->tbo.resource may be NULL in amdgpu_vm_bo_update. CVE-2023-52883 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: cyapa - add missing input core locking to suspend/resume functions Grab input->mutex during suspend/resume functions like it is done in other input drivers. This fixes the following warning during system suspend/resume cycle on Samsung Exynos5250-based Snow Chromebook: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c Modules linked in: ... CPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events_unbound async_run_entry_fn unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from __warn+0x1a8/0x1cc __warn from warn_slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt from input_device_enabled+0x68/0x6c input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c cyapa_reinitialize from cyapa_resume+0x48/0x98 cyapa_resume from dpm_run_callback+0x90/0x298 dpm_run_callback from device_resume+0xb4/0x258 device_resume from async_resume+0x20/0x64 async_resume from async_run_entry_fn+0x40/0x15c async_run_entry_fn from process_scheduled_works+0xbc/0x6a8 process_scheduled_works from worker_thread+0x188/0x454 worker_thread from kthread+0x108/0x140 kthread from ret_from_fork+0x14/0x28 Exception stack(0xf1625fb0 to 0xf1625ff8) ... ---[ end trace 0000000000000000 ]--- ... ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c Modules linked in: ... CPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events_unbound async_run_entry_fn unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from __warn+0x1a8/0x1cc __warn from warn_slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt from input_device_enabled+0x68/0x6c input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c cyapa_reinitialize from cyapa_resume+0x48/0x98 cyapa_resume from dpm_run_callback+0x90/0x298 dpm_run_callback from device_resume+0xb4/0x258 device_resume from async_resume+0x20/0x64 async_resume from async_run_entry_fn+0x40/0x15c async_run_entry_fn from process_scheduled_works+0xbc/0x6a8 process_scheduled_works from worker_thread+0x188/0x454 worker_thread from kthread+0x108/0x140 kthread from ret_from_fork+0x14/0x28 Exception stack(0xf1625fb0 to 0xf1625ff8) ... ---[ end trace 0000000000000000 ]--- CVE-2023-52884 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-0760 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:bind-utils-9.18.28-150600.3.3.1 important Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1737 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:bind-utils-9.18.28-150600.3.3.1 important If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1975 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:bind-utils-9.18.28-150600.3.3.1 important printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact. CVE-2024-25741 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproduced by following steps: - run nginx/wrk test: smc_run nginx smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL> - continuously dump SMC-D connections in parallel: watch -n 1 'smcss -D' BUG: kernel NULL pointer dereference, address: 0000000000000030 CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55 RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x66/0x150 ? exc_page_fault+0x69/0x140 ? asm_exc_page_fault+0x26/0x30 ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] ? __kmalloc_node_track_caller+0x35d/0x430 ? __alloc_skb+0x77/0x170 smc_diag_dump_proto+0xd0/0xf0 [smc_diag] smc_diag_dump+0x26/0x60 [smc_diag] netlink_dump+0x19f/0x320 __netlink_dump_start+0x1dc/0x300 smc_diag_handler_dump+0x6a/0x80 [smc_diag] ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag] sock_diag_rcv_msg+0x121/0x140 ? __pfx_sock_diag_rcv_msg+0x10/0x10 netlink_rcv_skb+0x5a/0x110 sock_diag_rcv+0x28/0x40 netlink_unicast+0x22a/0x330 netlink_sendmsg+0x1f8/0x420 __sock_sendmsg+0xb0/0xc0 ____sys_sendmsg+0x24e/0x300 ? copy_msghdr_from_user+0x62/0x80 ___sys_sendmsg+0x7c/0xd0 ? __do_fault+0x34/0x160 ? do_read_fault+0x5f/0x100 ? do_fault+0xb0/0x110 ? __handle_mm_fault+0x2b0/0x6c0 __sys_sendmsg+0x4d/0x80 do_syscall_64+0x69/0x180 entry_SYSCALL_64_after_hwframe+0x6e/0x76 It is possible that the connection is in process of being established when we dump it. Assumed that the connection has been registered in a link group by smc_conn_create() but the rmb_desc has not yet been initialized by smc_buf_create(), thus causing the illegal access to conn->rmb_desc. So fix it by checking before dump. CVE-2024-26615 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent race issues involving the adminq There are multiple paths that can result in using the pdsc's adminq. [1] pdsc_adminq_isr and the resulting work from queue_work(), i.e. pdsc_work_thread()->pdsc_process_adminq() [2] pdsc_adminq_post() When the device goes through reset via PCIe reset and/or a fw_down/fw_up cycle due to bad PCIe state or bad device state the adminq is destroyed and recreated. A NULL pointer dereference can happen if [1] or [2] happens after the adminq is already destroyed. In order to fix this, add some further state checks and implement reference counting for adminq uses. Reference counting was used because multiple threads can attempt to access the adminq at the same time via [1] or [2]. Additionally, multiple clients (i.e. pds-vfio-pci) can be using [2] at the same time. The adminq_refcnt is initialized to 1 when the adminq has been allocated and is ready to use. Users/clients of the adminq (i.e. [1] and [2]) will increment the refcnt when they are using the adminq. When the driver goes into a fw_down cycle it will set the PDSC_S_FW_DEAD bit and then wait for the adminq_refcnt to hit 1. Setting the PDSC_S_FW_DEAD before waiting will prevent any further adminq_refcnt increments. Waiting for the adminq_refcnt to hit 1 allows for any current users of the adminq to finish before the driver frees the adminq. Once the adminq_refcnt hits 1 the driver clears the refcnt to signify that the adminq is deleted and cannot be used. On the fw_up cycle the driver will once again initialize the adminq_refcnt to 1 allowing the adminq to be used again. CVE-2024-26623 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytes to skb->head. Currently we might access garbage. [1] BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098 __pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655 pskb_may_pull_reason include/linux/skbuff.h:2673 [inline] pskb_may_pull include/linux/skbuff.h:2681 [inline] ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendms ---truncated--- CVE-2024-26633 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETH_P_TR_802_2. syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16) llc_conn_handler() initialises local variables {saddr,daddr}.mac based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes them to __llc_lookup(). However, the initialisation is done only when skb->protocol is htons(ETH_P_802_2), otherwise, __llc_lookup_established() and __llc_lookup_listener() will read garbage. The missing initialisation existed prior to commit 211ed865108e ("net: delete all instances of special processing for token ring"). It removed the part to kick out the token ring stuff but forgot to close the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv(). Let's remove llc_tr_packet_type and complete the deprecation. [0]: BUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90 __llc_lookup_established+0xe9d/0xf90 __llc_lookup net/llc/llc_conn.c:611 [inline] llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 __netif_receive_skb_one_core net/core/dev.c:5527 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641 netif_receive_skb_internal net/core/dev.c:5727 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5786 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x8ef/0x1490 fs/read_write.c:584 ksys_write+0x20f/0x4c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Local variable daddr created at: llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 CPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 CVE-2024-26635 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: llc: make llc_ui_sendmsg() more robust against bonding changes syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no headroom, but subsequently trying to push 14 bytes of Ethernet header [1] Like some others, llc_ui_sendmsg() releases the socket lock before calling sock_alloc_send_skb(). Then it acquires it again, but does not redo all the sanity checks that were performed. This fix: - Uses LL_RESERVED_SPACE() to reserve space. - Check all conditions again after socket lock is held again. - Do not account Ethernet header for mtu limitation. [1] skbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0 kernel BUG at net/core/skbuff.c:193 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic net/core/skbuff.c:189 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 lr : skb_panic net/core/skbuff.c:189 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 sp : ffff800096f97000 x29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000 x26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2 x23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0 x20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce x17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001 x14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400 x8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714 x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089 Call trace: skb_panic net/core/skbuff.c:189 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 skb_push+0xf0/0x108 net/core/skbuff.c:2451 eth_header+0x44/0x1f8 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3188 [inline] llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33 llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline] llc_sap_next_state net/llc/llc_sap.c:182 [inline] llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209 llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270 llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x194/0x274 net/socket.c:767 splice_to_socket+0x7cc/0xd58 fs/splice.c:881 do_splice_from fs/splice.c:933 [inline] direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142 splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088 do_splice_direct+0x20c/0x348 fs/splice.c:1194 do_sendfile+0x4bc/0xc70 fs/read_write.c:1254 __do_sys_sendfile64 fs/read_write.c:1322 [inline] __se_sys_sendfile64 fs/read_write.c:1308 [inline] __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 Code: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000) CVE-2024-26636 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 CVE-2024-26641 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() syzbot reported the following general protection fault [1]: general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087] ... RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291 ... Call Trace: <TASK> tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646 tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089 genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972 genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367 netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b The cause of this issue is that when tipc_nl_bearer_add() is called with the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called even if the bearer is not UDP. tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that the media_ptr field of the tipc_bearer has an udp_bearer type object, so the function goes crazy for non-UDP bearers. This patch fixes the issue by checking the bearer type before calling tipc_udp_nl_bearer_add() in tipc_nl_bearer_add(). CVE-2024-26663 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tunnels: fix out of bounds access when building IPv6 PMTU error If the ICMPv6 error is built from a non-linear skb we get the following splat, BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240 Read of size 4 at addr ffff88811d402c80 by task netperf/820 CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543 ... kasan_report+0xd8/0x110 do_csum+0x220/0x240 csum_partial+0xc/0x20 skb_tunnel_check_pmtu+0xeb9/0x3280 vxlan_xmit_one+0x14c2/0x4080 vxlan_xmit+0xf61/0x5c00 dev_hard_start_xmit+0xfb/0x510 __dev_queue_xmit+0x7cd/0x32a0 br_dev_queue_push_xmit+0x39d/0x6a0 Use skb_checksum instead of csum_partial who cannot deal with non-linear SKBs. CVE-2024-26665 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. syzbot reported a warning [0] in __unix_gc() with a repro, which creates a socketpair and sends one socket's fd to itself using the peer. socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}], msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[3]}], msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1 This forms a self-cyclic reference that GC should finally untangle but does not due to lack of MSG_OOB handling, resulting in memory leak. Recently, commit 11498715f266 ("af_unix: Remove io_uring code for GC.") removed io_uring's dead code in GC and revealed the problem. The code was executed at the final stage of GC and unconditionally moved all GC candidates from gc_candidates to gc_inflight_list. That papered over the reported problem by always making the following WARN_ON_ONCE(!list_empty(&gc_candidates)) false. The problem has been there since commit 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support") added full scm support for MSG_OOB while fixing another bug. To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb if the socket still exists in gc_candidates after purging collected skb. Then, we need to set NULL to oob_skb before calling kfree_skb() because it calls last fput() and triggers unix_release_sock(), where we call duplicate kfree_skb(u->oob_skb) if not NULL. Note that the leaked socket remained being linked to a global list, so kmemleak also could not detect it. We need to check /proc/net/protocol to notice the unfreed socket. [0]: WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Modules linked in: CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: events_unbound __unix_gc RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345 Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8 RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30 RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66 R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000 R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 kthread+0x2c6/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 </TASK> CVE-2024-26676 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix circular locking dependency The rule inside kvm enforces that the vcpu->mutex is taken *inside* kvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires the kvm->lock while already holding the vcpu->mutex lock from kvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by protecting the hyp vm handle with the config_lock, much like we already do for other forms of VM-scoped data. CVE-2024-26691 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-26720 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: devlink: fix possible use-after-free and memory leaks in devlink_init() The pernet operations structure for the subsystem must be registered before registering the generic netlink family. Make an unregister in case of unsuccessful registration. CVE-2024-26734 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: md: Don't ignore suspended array in md_check_recovery() mddev_suspend() never stop sync_thread, hence it doesn't make sense to ignore suspended array in md_check_recovery(), which might cause sync_thread can't be unregistered. After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following hang can be triggered by test shell/integrity-caching.sh: 1) suspend the array: raid_postsuspend mddev_suspend 2) stop the array: raid_dtr md_stop __md_stop_writes stop_sync_thread set_bit(MD_RECOVERY_INTR, &mddev->recovery); md_wakeup_thread_directly(mddev->sync_thread); wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) 3) sync thread done: md_do_sync set_bit(MD_RECOVERY_DONE, &mddev->recovery); md_wakeup_thread(mddev->thread); 4) daemon thread can't unregister sync thread: md_check_recovery if (mddev->suspended) return; -> return directly md_read_sync_thread clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery); -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang; This problem is not just related to dm-raid, fix it by ignoring suspended array in md_check_recovery(). And follow up patches will improve dm-raid better to frozen sync thread during suspend. CVE-2024-26758 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fixed integer types and null check locations [why]: issues fixed: - comparison with wider integer type in loop condition which can cause infinite loops - pointer dereference before null check CVE-2024-26767 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix protection fault in iommufd_test_syz_conv_iova Syzkaller reported the following bug: general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7] Call Trace: lock_acquire lock_acquire+0x1ce/0x4f0 down_read+0x93/0x4a0 iommufd_test_syz_conv_iova+0x56/0x1f0 iommufd_test_access_rw.isra.0+0x2ec/0x390 iommufd_test+0x1058/0x1e30 iommufd_fops_ioctl+0x381/0x510 vfs_ioctl __do_sys_ioctl __se_sys_ioctl __x64_sys_ioctl+0x170/0x1e0 do_syscall_x64 do_syscall_64+0x71/0x140 This is because the new iommufd_access_change_ioas() sets access->ioas to NULL during its process, so the lock might be gone in a concurrent racing context. Fix this by doing the same access->ioas sanity as iommufd_access_rw() and iommufd_access_pin_pages() functions do. CVE-2024-26785 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/platform: Create persistent IRQ handlers The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference. Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex. In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate. For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index. CVE-2024-26813 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/fsl-mc: Block calling interrupt handler without trigger The eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is initially NULL and may become NULL if the user sets the trigger eventfd to -1. The interrupt handler itself is guaranteed that trigger is always valid between request_irq() and free_irq(), but the loopback testing mechanisms to invoke the handler function need to test the trigger. The triggering and setting ioctl paths both make use of igate and are therefore mutually exclusive. The vfio-fsl-mc driver does not make use of irqfds, nor does it support any sort of masking operations, therefore unlike vfio-pci and vfio-platform, the flow can remain essentially unchanged. CVE-2024-26814 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data re-injection from stale subflow When the MPTCP PM detects that a subflow is stale, all the packet scheduler must re-inject all the mptcp-level unacked data. To avoid acquiring unneeded locks, it first try to check if any unacked data is present at all in the RTX queue, but such check is currently broken, as it uses TCP-specific helper on an MPTCP socket. Funnily enough fuzzers and static checkers are happy, as the accessed memory still belongs to the mptcp_sock struct, and even from a functional perspective the recovery completed successfully, as the short-cut test always failed. A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize tcp_sock fast path variables") - exposed the issue, as the tcp field reorganization makes the mptcp code always skip the re-inection. Fix the issue dropping the bogus call: we are on a slow path, the early optimization proved once again to be evil. CVE-2024-26826 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: hsr: Fix uninit-value access in hsr_get_node() KMSAN reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 fill_frame_info net/hsr/hsr_forward.c:577 [inline] hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 packet_alloc_skb net/packet/af_packet.c:2936 [inline] packet_snd net/packet/af_packet.c:3030 [inline] packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 ===================================================== If the packet type ID field in the Ethernet header is either ETH_P_PRP or ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr() reads an invalid value as a sequence number. This causes the above issue. This patch fixes the issue by returning NULL if the Ethernet header is not followed by an HSR tag. CVE-2024-26863 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy. CVE-2024-26889 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing/trigger: Fix to return error if failed to alloc snapshot Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error. CVE-2024-26920 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free in do_zone_finish() Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070. BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0 ================================================================== BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs] Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007 CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0x200/0x3e0 kasan_report+0xd8/0x110 ? do_zone_finish+0x91a/0xb90 [btrfs] ? do_zone_finish+0x91a/0xb90 [btrfs] do_zone_finish+0x91a/0xb90 [btrfs] btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs] ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs] ? btrfs_put_root+0x2d/0x220 [btrfs] ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs] cleaner_kthread+0x21e/0x380 [btrfs] ? __pfx_cleaner_kthread+0x10/0x10 [btrfs] kthread+0x2e3/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Allocated by task 3493983: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_alloc_device+0xb3/0x4e0 [btrfs] device_list_add.constprop.0+0x993/0x1630 [btrfs] btrfs_scan_one_device+0x219/0x3d0 [btrfs] btrfs_control_ioctl+0x26e/0x310 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 3494056: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3f/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x32/0x70 kfree+0x11b/0x320 btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs] btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs] btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs] btrfs_ioctl+0xb27/0x57d0 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 The buggy address belongs to the object at ffff8881543c8000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 96 bytes inside of freed 1024-byte region [ffff8881543c8000, ffff8881543c8400) The buggy address belongs to the physical page: page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8 head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb This UAF happens because we're accessing stale zone information of a already removed btrfs_device in do_zone_finish(). The sequence of events is as follows: btrfs_dev_replace_start btrfs_scrub_dev btrfs_dev_replace_finishing btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced btrfs_rm_dev_replace_free_srcdev btrfs_free_device <-- device freed cleaner_kthread btrfs_delete_unused_bgs btrfs_zone_finish do_zone_finish <-- refers the freed device The reason for this is that we're using a ---truncated--- CVE-2024-26944 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] CVE-2024-27012 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: incorrect pppoe tuple pppoe traffic reaching ingress path does not match the flowtable entry because the pppoe header is expected to be at the network header offset. This bug causes a mismatch in the flow table lookup, so pppoe packets enter the classical forwarding path. CVE-2024-27015 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: validate pppoe header Ensure there is sufficient room to access the protocol field of the PPPoe header. Validate it once before the flowtable lookup, then use a helper function to access protocol field. CVE-2024-27016 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process. CVE-2024-27019 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() nft_unregister_expr() can concurrent with __nft_expr_type_get(), and there is not any protection when iterate over nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is potential data-race of nf_tables_expressions list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process. CVE-2024-27020 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: nbd: null check for nla_nest_start nla_nest_start() may fail and return NULL. Insert a check and set errno based on other call sites within the same source code. CVE-2024-27025 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix a memory leak in nf_tables_updchain If nft_netdev_register_hooks() fails, the memory associated with nft_stats is not freed, causing a memory leak. This patch fixes it by moving nft_stats_alloc() down after nft_netdev_register_hooks() succeeds. CVE-2024-27064 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not compare internal table flags on updates Restore skipping transaction if table update does not modify flags. CVE-2024-27065 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: phonet/pep: fix racy skb_queue_empty() use The receive queues are protected by their respective spin-lock, not the socket lock. This could lead to skb_peek() unexpectedly returning NULL or a pointer to an already dequeued socket buffer. CVE-2024-27402 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data races on remote_id Similar to the previous patch, address the data race on remote_id, adding the suitable ONCE annotations. CVE-2024-27404 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic in the function `rtnl_bridge_setlink` to enable the loop to also check the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment removed the `break` statement and led to an error logic of the flags writing back at the end of this function. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr should point to IFLA_BRIDGE_FLAGS NLA !!! Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. However, this is not necessarily true fow now as the updated loop will let the attr point to the last NLA, even an invalid NLA which could cause overflow writes. This patch introduces a new variable `br_flag` to save the NLA pointer that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned error logic. CVE-2024-27414 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. CVE-2024-31143 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:xen-libs-4.18.2_06-150600.3.3.1 moderate In the Linux kernel, the following vulnerability has been resolved: efi: libstub: only free priv.runtime_map when allocated priv.runtime_map is only allocated when efi_novamap is not set. Otherwise, it is an uninitialized value. In the error path, it is freed unconditionally. Avoid passing an uninitialized value to free_pool. Free priv.runtime_map only when it was allocated. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. CVE-2024-33619 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma-mapping: benchmark: fix node id validation While validating node ids in map_benchmark_ioctl(), node_possible() may be provided with invalid argument outside of [0,MAX_NUMNODES-1] range leading to: BUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214) Read of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971 CPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) kasan_report (mm/kasan/report.c:603) kasan_check_range (mm/kasan/generic.c:189) variable_test_bit (arch/x86/include/asm/bitops.h:227) [inline] arch_test_bit (arch/x86/include/asm/bitops.h:239) [inline] _test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline] node_state (include/linux/nodemask.h:423) [inline] map_benchmark_ioctl (kernel/dma/map_benchmark.c:214) full_proxy_unlocked_ioctl (fs/debugfs/file.c:333) __x64_sys_ioctl (fs/ioctl.c:890) do_syscall_64 (arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Compare node ids with sane bounds first. NUMA_NO_NODE is considered a special valid case meaning that benchmarking kthreads won't be bound to a cpuset of a given node. Found by Linux Verification Center (linuxtesting.org). CVE-2024-34777 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: fpga: region: add owner module and take its refcount The current implementation of the fpga region assumes that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This approach is problematic since it can lead to a null pointer dereference while attempting to get the region during programming if the parent device does not have a driver. To address this problem, add a module owner pointer to the fpga_region struct and use it to take the module's refcount. Modify the functions for registering a region to take an additional owner module parameter and rename them to avoid conflicts. Use the old function names for helper macros that automatically set the module that registers the region as the owner. This ensures compatibility with existing low-level control modules and reduces the chances of registering a region without setting the owner. Also, update the documentation to keep it consistent with the new interface for registering an fpga region. CVE-2024-35247 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: dm snapshot: fix lockup in dm_exception_table_exit There was reported lockup when we exit a snapshot with many exceptions. Fix this by adding "cond_resched" to the loop that frees the exceptions. CVE-2024-35805 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Use device rbtree in iopf reporting path The existing I/O page fault handler currently locates the PCI device by calling pci_get_domain_bus_and_slot(). This function searches the list of all PCI devices until the desired device is found. To improve lookup efficiency, replace it with device_rbtree_find() to search the device within the probed device rbtree. The I/O page fault is initiated by the device, which does not have any synchronization mechanism with the software to ensure that the device stays in the probed device tree. Theoretically, a device could be released by the IOMMU subsystem after device_rbtree_find() and before iopf_get_dev_fault_param(), which would cause a use-after-free problem. Add a mutex to synchronize the I/O page fault reporting path and the IOMMU release device path. This lock doesn't introduce any performance overhead, as the conflict between I/O page fault reporting and device releasing is very rare. CVE-2024-35843 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix memory leak during rehash The rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the filters with the same priority) in the region and in each chunk iterating over all the filters. If the migration fails, the code tries to migrate the filters back to the old region. However, the rollback itself can also fail in which case another migration will be erroneously performed. Besides the fact that this ping pong is not a very good idea, it also creates a problem. Each virtual chunk references two chunks: The currently used one ('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the first holds the chunk we want to migrate filters to and the second holds the chunk we are migrating filters from. The code currently assumes - but does not verify - that the backup chunk does not exist (NULL) if the currently used chunk does not reference the target region. This assumption breaks when we are trying to rollback a rollback, resulting in the backup chunk being overwritten and leaked [1]. Fix by not rolling back a failed rollback and add a warning to avoid future cases. [1] WARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20 Modules linked in: CPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:parman_destroy+0x17/0x20 [...] Call Trace: <TASK> mlxsw_sp_acl_atcam_region_fini+0x19/0x60 mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> CVE-2024-35853 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash The rehash delayed work migrates filters from one region to another according to the number of available credits. The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration. The destruction of a region that still has filters referencing it can result in a use-after-free [1]. Fix by not destroying the region if migration failed. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858 CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70 mlxsw_sp_acl_atcam_entry_del+0x81/0x210 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 174: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 7: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 CVE-2024-35854 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix infinite recursion in fib6_dump_done(). syzkaller reported infinite recursive calls of fib6_dump_done() during netlink socket destruction. [1] From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then the response was generated. The following recvmmsg() resumed the dump for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due to the fault injection. [0] 12:01:34 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, ... snip ...) recvmmsg(r0, ... snip ...) (fail_nth: 8) Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped receiving the response halfway through, and finally netlink_sock_destruct() called nlk_sk(sk)->cb.done(). fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling itself recursively and hitting the stack guard page. To avoid the issue, let's set the destructor after kzalloc(). [0]: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) should_failslab (mm/slub.c:3733) kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662) rtnl_dump_all (net/core/rtnetlink.c:4029) netlink_dump (net/netlink/af_netlink.c:2269) netlink_recvmsg (net/netlink/af_netlink.c:1988) ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801) ___sys_recvmsg (net/socket.c:2846) do_recvmmsg (net/socket.c:2943) __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034) [1]: BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb) stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570) Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d980000 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3 RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358 RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000 R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68 FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <#DF> </#DF> <TASK> fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) ... fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) netlink_sock_destruct (net/netlink/af_netlink.c:401) __sk_destruct (net/core/sock.c:2177 (discriminator 2)) sk_destruct (net/core/sock.c:2224) __sk_free (net/core/sock.c:2235) sk_free (net/core/sock.c:2246) process_one_work (kernel/workqueue.c:3259) worker_thread (kernel/workqueue.c:3329 kernel/workqueue. ---truncated--- CVE-2024-35886 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: gro: fix ownership transfer If packets are GROed with fraglist they might be segmented later on and continue their journey in the stack. In skb_segment_list those skbs can be reused as-is. This is an issue as their destructor was removed in skb_gro_receive_list but not the reference to their socket, and then they can't be orphaned. Fix this by also removing the reference to the socket. For example this could be observed, kernel BUG at include/linux/skbuff.h:3131! (skb_orphan) RIP: 0010:ip6_rcv_core+0x11bc/0x19a0 Call Trace: ipv6_list_rcv+0x250/0x3f0 __netif_receive_skb_list_core+0x49d/0x8f0 netif_receive_skb_list_internal+0x634/0xd40 napi_complete_done+0x1d2/0x7d0 gro_cell_poll+0x118/0x1f0 A similar construction is found in skb_gro_receive, apply the same change there. CVE-2024-35890 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbmod: prevent kernel-infoleak syzbot found that tcf_skbmod_dump() was copying four bytes from kernel stack to user space [1]. The issue here is that 'struct tc_skbmod' has a four bytes hole. We need to clear the structure before filling fields. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] simple_copy_to_iter net/core/datagram.c:532 [inline] __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline] netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242 __do_sys_recvfrom net/socket.c:2260 [inline] __se_sys_recvfrom net/socket.c:2256 [inline] __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317 netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351 nlmsg_unicast include/net/netlink.h:1144 [inline] nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline] tcf_add_notify net/sched/act_api.c:2048 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: __nla_put lib/nlattr.c:1041 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1099 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256 tcf_action_dump_old net/sched/act_api.c:1191 [inline] tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628 tcf_add_notify_msg net/sched/act_api.c:2023 [inline] tcf_add_notify net/sched/act_api.c:2042 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncated--- CVE-2024-35893 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: validate user input for expected length I got multiple syzbot reports showing old bugs exposed by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc in cgroup/{s,g}etsockopt") setsockopt() @optlen argument should be taken into account before copying data. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238 CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101 do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x72/0x7a RIP: 0033:0x7fd22067dde9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9 RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8 </TASK> Allocated by task 7238: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:4069 [inline] __kmalloc_noprof+0x200/0x410 mm/slub.c:4082 kmalloc_noprof include/linux/slab.h:664 [inline] __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x72/0x7a The buggy address belongs to the object at ffff88802cd73da0 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73 flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff) page_type: 0xffffefff(slab) raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122 raw: ffff88802cd73020 000000008080007f 00000001ffffefff 00 ---truncated--- CVE-2024-35896 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: flush pending destroy work before exit_net release Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier") to address a race between exit_net and the destroy workqueue. The trace below shows an element to be released via destroy workqueue while exit_net path (triggered via module removal) has already released the set that is used in such transaction. [ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465 [ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359 [ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables] [ 1360.547984] Call Trace: [ 1360.547991] <TASK> [ 1360.547998] dump_stack_lvl+0x53/0x70 [ 1360.548014] print_report+0xc4/0x610 [ 1360.548026] ? __virt_addr_valid+0xba/0x160 [ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548176] kasan_report+0xae/0xe0 [ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables] [ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30 [ 1360.548591] process_one_work+0x2f1/0x670 [ 1360.548610] worker_thread+0x4d3/0x760 [ 1360.548627] ? __pfx_worker_thread+0x10/0x10 [ 1360.548640] kthread+0x16b/0x1b0 [ 1360.548653] ? __pfx_kthread+0x10/0x10 [ 1360.548665] ret_from_fork+0x2f/0x50 [ 1360.548679] ? __pfx_kthread+0x10/0x10 [ 1360.548690] ret_from_fork_asm+0x1a/0x30 [ 1360.548707] </TASK> [ 1360.548719] Allocated by task 192061: [ 1360.548726] kasan_save_stack+0x20/0x40 [ 1360.548739] kasan_save_track+0x14/0x30 [ 1360.548750] __kasan_kmalloc+0x8f/0xa0 [ 1360.548760] __kmalloc_node+0x1f1/0x450 [ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables] [ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink] [ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink] [ 1360.548927] netlink_unicast+0x367/0x4f0 [ 1360.548935] netlink_sendmsg+0x34b/0x610 [ 1360.548944] ____sys_sendmsg+0x4d4/0x510 [ 1360.548953] ___sys_sendmsg+0xc9/0x120 [ 1360.548961] __sys_sendmsg+0xbe/0x140 [ 1360.548971] do_syscall_64+0x55/0x120 [ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 1360.548994] Freed by task 192222: [ 1360.548999] kasan_save_stack+0x20/0x40 [ 1360.549009] kasan_save_track+0x14/0x30 [ 1360.549019] kasan_save_free_info+0x3b/0x60 [ 1360.549028] poison_slab_object+0x100/0x180 [ 1360.549036] __kasan_slab_free+0x14/0x30 [ 1360.549042] kfree+0xb6/0x260 [ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables] [ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables] [ 1360.549221] ops_exit_list+0x50/0xa0 [ 1360.549229] free_exit_list+0x101/0x140 [ 1360.549236] unregister_pernet_operations+0x107/0x160 [ 1360.549245] unregister_pernet_subsys+0x1c/0x30 [ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables] [ 1360.549345] __do_sys_delete_module+0x253/0x370 [ 1360.549352] do_syscall_64+0x55/0x120 [ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d (gdb) list *__nft_release_table+0x473 0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354). 11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 11350 list_del(&flowtable->list); 11351 nft_use_dec(&table->use); 11352 nf_tables_flowtable_destroy(flowtable); 11353 } 11354 list_for_each_entry_safe(set, ns, &table->sets, list) { 11355 list_del(&set->list); 11356 nft_use_dec(&table->use); 11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 11358 nft_map_deactivat ---truncated--- CVE-2024-35899 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject new basechain after table flag update When dormant flag is toggled, hooks are disabled in the commit phase by iterating over current chains in table (existing and new). The following configuration allows for an inconsistent state: add table x add chain x y { type filter hook input priority 0; } add table x { flags dormant; } add chain x w { type filter hook input priority 1; } which triggers the following warning when trying to unregister chain w which is already unregistered. [ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260 [...] [ 127.322519] Call Trace: [ 127.322521] <TASK> [ 127.322524] ? __warn+0x9f/0x1a0 [ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260 [ 127.322537] ? report_bug+0x1b1/0x1e0 [ 127.322545] ? handle_bug+0x3c/0x70 [ 127.322552] ? exc_invalid_op+0x17/0x40 [ 127.322556] ? asm_exc_invalid_op+0x1a/0x20 [ 127.322563] ? kasan_save_free_info+0x3b/0x60 [ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260 [ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260 [ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260 [ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables] [ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables] [ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables] CVE-2024-35900 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: get psock ref after taking rxlock to avoid leak At the start of tls_sw_recvmsg, we take a reference on the psock, and then call tls_rx_reader_lock. If that fails, we return directly without releasing the reference. Instead of adding a new label, just take the reference after locking has succeeded, since we don't need it before. CVE-2024-35908 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() Many syzbot reports show extreme rtnl pressure, and many of them hint that smc acquires rtnl in netns creation for no good reason [1] This patch returns early from smc_pnet_net_init() if there is no netdevice yet. I am not even sure why smc_pnet_create_pnetids_list() even exists, because smc_pnet_netdev_event() is also calling smc_pnet_add_base_pnetid() when handling NETDEV_UP event. [1] extract of typical syzbot reports 2 locks held by syz-executor.3/12252: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12253: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12257: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12261: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.0/12265: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.3/12268: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12271: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12274: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12280: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 CVE-2024-35934 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain According to i.MX8MP RM and HDMI ADD, the fdcc clock is part of hdmi rx verification IP that should not enable for HDMI TX. But actually if the clock is disabled before HDMI/LCDIF probe, LCDIF will not get pixel clock from HDMI PHY and print the error logs: [CRTC:39:crtc-2] vblank wait timed out WARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260 Add fdcc clock to LCDIF and HDMI TX power domains to fix the issue. CVE-2024-35942 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix WARN_ON in iommu probe path Commit 1a75cc710b95 ("iommu/vt-d: Use rbtree to track iommu probed devices") adds all devices probed by the iommu driver in a rbtree indexed by the source ID of each device. It assumes that each device has a unique source ID. This assumption is incorrect and the VT-d spec doesn't state this requirement either. The reason for using a rbtree to track devices is to look up the device with PCI bus and devfunc in the paths of handling ATS invalidation time out error and the PRI I/O page faults. Both are PCI ATS feature related. Only track the devices that have PCI ATS capabilities in the rbtree to avoid unnecessary WARN_ON in the iommu probe path. Otherwise, on some platforms below kernel splat will be displayed and the iommu probe results in failure. WARNING: CPU: 3 PID: 166 at drivers/iommu/intel/iommu.c:158 intel_iommu_probe_device+0x319/0xd90 Call Trace: <TASK> ? __warn+0x7e/0x180 ? intel_iommu_probe_device+0x319/0xd90 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? intel_iommu_probe_device+0x319/0xd90 ? debug_mutex_init+0x37/0x50 __iommu_probe_device+0xf2/0x4f0 iommu_probe_device+0x22/0x70 iommu_bus_notifier+0x1e/0x40 notifier_call_chain+0x46/0x150 blocking_notifier_call_chain+0x42/0x60 bus_notify+0x2f/0x50 device_add+0x5ed/0x7e0 platform_device_add+0xf5/0x240 mfd_add_devices+0x3f9/0x500 ? preempt_count_add+0x4c/0xa0 ? up_write+0xa2/0x1b0 ? __debugfs_create_file+0xe3/0x150 intel_lpss_probe+0x49f/0x5b0 ? pci_conf1_write+0xa3/0xf0 intel_lpss_pci_probe+0xcf/0x110 [intel_lpss_pci] pci_device_probe+0x95/0x120 really_probe+0xd9/0x370 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x73/0x150 driver_probe_device+0x19/0xa0 __driver_attach+0xb6/0x180 ? __pfx___driver_attach+0x10/0x10 bus_for_each_dev+0x77/0xd0 bus_add_driver+0x114/0x210 driver_register+0x5b/0x110 ? __pfx_intel_lpss_pci_driver_init+0x10/0x10 [intel_lpss_pci] do_one_initcall+0x57/0x2b0 ? kmalloc_trace+0x21e/0x280 ? do_init_module+0x1e/0x210 do_init_module+0x5f/0x210 load_module+0x1d37/0x1fc0 ? init_module_from_file+0x86/0xd0 init_module_from_file+0x86/0xd0 idempotent_init_module+0x17c/0x230 __x64_sys_finit_module+0x56/0xb0 do_syscall_64+0x6e/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79 CVE-2024-35957 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: fix LAG and VF lock dependency in ice_reset_vf() 9f74a3dfcf83 ("ice: Fix VF Reset paths when interface in a failed over aggregate"), the ice driver has acquired the LAG mutex in ice_reset_vf(). The commit placed this lock acquisition just prior to the acquisition of the VF configuration lock. If ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK flag, this could deadlock with ice_vc_cfg_qs_msg() because it always acquires the locks in the order of the VF configuration lock and then the LAG mutex. Lockdep reports this violation almost immediately on creating and then removing 2 VF: ====================================================== WARNING: possible circular locking dependency detected 6.8.0-rc6 #54 Tainted: G W O ------------------------------------------------------ kworker/60:3/6771 is trying to acquire lock: ff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice] but task is already holding lock: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&pf->lag_mutex){+.+.}-{3:3}: __lock_acquire+0x4f8/0xb40 lock_acquire+0xd4/0x2d0 __mutex_lock+0x9b/0xbf0 ice_vc_cfg_qs_msg+0x45/0x690 [ice] ice_vc_process_vf_msg+0x4f5/0x870 [ice] __ice_clean_ctrlq+0x2b5/0x600 [ice] ice_service_task+0x2c9/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 kthread+0x104/0x140 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1b/0x30 -> #0 (&vf->cfg_lock){+.+.}-{3:3}: check_prev_add+0xe2/0xc50 validate_chain+0x558/0x800 __lock_acquire+0x4f8/0xb40 lock_acquire+0xd4/0x2d0 __mutex_lock+0x9b/0xbf0 ice_reset_vf+0x22f/0x4d0 [ice] ice_process_vflr_event+0x98/0xd0 [ice] ice_service_task+0x1cc/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 kthread+0x104/0x140 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1b/0x30 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&pf->lag_mutex); lock(&vf->cfg_lock); lock(&pf->lag_mutex); lock(&vf->cfg_lock); *** DEADLOCK *** 4 locks held by kworker/60:3/6771: #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0 #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0 #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice] #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice] stack backtrace: CPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54 Hardware name: Workqueue: ice ice_service_task [ice] Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 check_noncircular+0x12d/0x150 check_prev_add+0xe2/0xc50 ? save_trace+0x59/0x230 ? add_chain_cache+0x109/0x450 validate_chain+0x558/0x800 __lock_acquire+0x4f8/0xb40 ? lockdep_hardirqs_on+0x7d/0x100 lock_acquire+0xd4/0x2d0 ? ice_reset_vf+0x22f/0x4d0 [ice] ? lock_is_held_type+0xc7/0x120 __mutex_lock+0x9b/0xbf0 ? ice_reset_vf+0x22f/0x4d0 [ice] ? ice_reset_vf+0x22f/0x4d0 [ice] ? rcu_is_watching+0x11/0x50 ? ice_reset_vf+0x22f/0x4d0 [ice] ice_reset_vf+0x22f/0x4d0 [ice] ? process_one_work+0x176/0x4d0 ice_process_vflr_event+0x98/0xd0 [ice] ice_service_task+0x1cc/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x104/0x140 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> To avoid deadlock, we must acquire the LAG ---truncated--- CVE-2024-36003 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue Issue reported by customer during SRIOV testing, call trace: When both i40e and the i40iw driver are loaded, a warning in check_flush_dependency is being triggered. This seems to be because of the i40e driver workqueue is allocated with the WQ_MEM_RECLAIM flag, and the i40iw one is not. Similar error was encountered on ice too and it was fixed by removing the flag. Do the same for i40e too. [Feb 9 09:08] ------------[ cut here ]------------ [ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is flushing !WQ_MEM_RECLAIM infiniband:0x0 [ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966 check_flush_dependency+0x10b/0x120 [ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq snd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4 nls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr rfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma intel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core iTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore ioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich intel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe drm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel libata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror dm_region_hash dm_log dm_mod fuse [ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not tainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1 [ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020 [ +0.000001] Workqueue: i40e i40e_service_task [i40e] [ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120 [ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48 81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd ff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90 [ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282 [ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX: 0000000000000027 [ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI: ffff94d47f620bc0 [ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000ffff7fff [ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12: ffff94c5451ea180 [ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15: ffff94c5f1330ab0 [ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000) knlGS:0000000000000000 [ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4: 00000000007706f0 [ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ +0.000001] PKRU: 55555554 [ +0.000001] Call Trace: [ +0.000001] <TASK> [ +0.000002] ? __warn+0x80/0x130 [ +0.000003] ? check_flush_dependency+0x10b/0x120 [ +0.000002] ? report_bug+0x195/0x1a0 [ +0.000005] ? handle_bug+0x3c/0x70 [ +0.000003] ? exc_invalid_op+0x14/0x70 [ +0.000002] ? asm_exc_invalid_op+0x16/0x20 [ +0.000006] ? check_flush_dependency+0x10b/0x120 [ +0.000002] ? check_flush_dependency+0x10b/0x120 [ +0.000002] __flush_workqueue+0x126/0x3f0 [ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core] [ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core] [ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core] [ +0.000020] i40iw_close+0x4b/0x90 [irdma] [ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e] [ +0.000035] i40e_service_task+0x126/0x190 [i40e] [ +0.000024] process_one_work+0x174/0x340 [ +0.000003] worker_th ---truncated--- CVE-2024-36004 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: igb: Fix string truncation warnings in igb_set_fw_version Commit 1978d3ead82c ("intel: fix string truncation warnings") fixes '-Wformat-truncation=' warnings in igb_main.c by using kasprintf. drivers/net/ethernet/intel/igb/igb_main.c:3092:53: warning:'%d' directive output may be truncated writing between 1 and 5 bytes into a region of size between 1 and 13 [-Wformat-truncation=] 3092 | "%d.%d, 0x%08x, %d.%d.%d", | ^~ drivers/net/ethernet/intel/igb/igb_main.c:3092:34: note:directive argument in the range [0, 65535] 3092 | "%d.%d, 0x%08x, %d.%d.%d", | ^~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/intel/igb/igb_main.c:3092:34: note:directive argument in the range [0, 65535] drivers/net/ethernet/intel/igb/igb_main.c:3090:25: note:'snprintf' output between 23 and 43 bytes into a destination of size 32 kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fix this warning by using a larger space for adapter->fw_version, and then fall back and continue to use snprintf. CVE-2024-36010 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Disable idle reallow as part of command/gpint execution [Why] Workaroud for a race condition where DMCUB is in the process of committing to IPS1 during the handshake causing us to miss the transition into IPS2 and touch the INBOX1 RPTR causing a HW hang. [How] Disable the reallow to ensure that we have enough of a gap between entry and exit and we're not seeing back-to-back wake_and_executes. CVE-2024-36024 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules rx_create no longer allocates a modify_hdr instance that needs to be cleaned up. The mlx5_modify_header_dealloc call will lead to a NULL pointer dereference. A leak in the rules also previously occurred since there are now two rules populated related to status. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 109907067 P4D 109907067 PUD 116890067 PMD 0 Oops: 0000 [#1] SMP CPU: 1 PID: 484 Comm: ip Not tainted 6.9.0-rc2-rrameshbabu+ #254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.3-1-1 04/01/2014 RIP: 0010:mlx5_modify_header_dealloc+0xd/0x70 <snip> Call Trace: <TASK> ? show_regs+0x60/0x70 ? __die+0x24/0x70 ? page_fault_oops+0x15f/0x430 ? free_to_partial_list.constprop.0+0x79/0x150 ? do_user_addr_fault+0x2c9/0x5c0 ? exc_page_fault+0x63/0x110 ? asm_exc_page_fault+0x27/0x30 ? mlx5_modify_header_dealloc+0xd/0x70 rx_create+0x374/0x590 rx_add_rule+0x3ad/0x500 ? rx_add_rule+0x3ad/0x500 ? mlx5_cmd_exec+0x2c/0x40 ? mlx5_create_ipsec_obj+0xd6/0x200 mlx5e_accel_ipsec_fs_add_rule+0x31/0xf0 mlx5e_xfrm_add_state+0x426/0xc00 <snip> CVE-2024-36281 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer The TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the maximum transfer length and the size of the transfer buffer. As such, it does not account for the 4 bytes of header that prepends the SPI data frame. This can result in out-of-bounds accesses and was confirmed with KASAN. Introduce SPI_HDRSIZE to account for the header and use to allocate the transfer buffer. CVE-2024-36477 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' Writing 'power' and 'submit_queues' concurrently will trigger kernel panic: Test script: modprobe null_blk nr_devices=0 mkdir -p /sys/kernel/config/nullb/nullb0 while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & while true; do echo 1 > power; echo 0 > power; done Test result: BUG: kernel NULL pointer dereference, address: 0000000000000148 Oops: 0000 [#1] PREEMPT SMP RIP: 0010:__lock_acquire+0x41d/0x28f0 Call Trace: <TASK> lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive_removal+0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x79/0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 This is because del_gendisk() can concurrent with blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // still set while gendisk is deleted return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix this problem by resuing the global mutex to protect nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs. CVE-2024-36478 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: fpga: bridge: add owner module and take its refcount The current implementation of the fpga bridge assumes that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This approach is problematic since it can lead to a null pointer dereference while attempting to get the bridge if the parent device does not have a driver. To address this problem, add a module owner pointer to the fpga_bridge struct and use it to take the module's refcount. Modify the function for registering a bridge to take an additional owner module parameter and rename it to avoid conflicts. Use the old function name for a helper macro that automatically sets the module that registers the bridge as the owner. This ensures compatibility with existing low-level control modules and reduces the chances of registering a bridge without setting the owner. Also, update the documentation to keep it consistent with the new interface for registering an fpga bridge. Other changes: opportunistically move put_device() from __fpga_bridge_get() to fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since the bridge device is taken in these functions. CVE-2024-36479 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_nxt is properly initialized on connect Christoph reported a splat hinting at a corrupted snd_una: WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 Modules linked in: CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8 8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe <0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9 RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4 RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000 R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000 FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0 Call Trace: <TASK> __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline] mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline] __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615 mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767 process_one_work+0x1e0/0x560 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x3c7/0x640 kernel/workqueue.c:3416 kthread+0x121/0x170 kernel/kthread.c:388 ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 </TASK> When fallback to TCP happens early on a client socket, snd_nxt is not yet initialized and any incoming ack will copy such value into snd_una. If the mptcp worker (dumbly) tries mptcp-level re-injection after such ack, that would unconditionally trigger a send buffer cleanup using 'bad' snd_una values. We could easily disable re-injection for fallback sockets, but such dumb behavior already helped catching a few subtle issues and a very low to zero impact in practice. Instead address the issue always initializing snd_nxt (and write_seq, for consistency) at connect time. CVE-2024-36889 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-36901 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() syzbot is able to trigger the following crash [1], caused by unsafe ip6_dst_idev() use. Indeed ip6_dst_idev() can return NULL, and must always be checked. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline] RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267 Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700 RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760 RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000 R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00 FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317 fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108 ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline] ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649 ip6_route_output include/net/ip6_route.h:93 [inline] ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120 ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250 sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326 sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455 sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662 sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099 __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-36902 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() with nice analysis. Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's sk_refcnt after putting it into ehash and releasing the bucket lock. Thus, there is a small race window where other threads could try to reuse the port during connect() and call sock_hold() in tcp_twsk_unique() for the TIME-WAIT socket with zero refcnt. If that happens, the refcnt taken by tcp_twsk_unique() is overwritten and sock_put() will cause underflow, triggering a real use-after-free somewhere else. To avoid the use-after-free, we need to use refcount_inc_not_zero() in tcp_twsk_unique() and give up on reusing the port if it returns false. [0]: refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1 Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023 RIP: 0010:refcount_warn_saturate+0xe5/0x110 Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8 RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027 RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0 RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84 R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <TASK> ? refcount_warn_saturate+0xe5/0x110 ? __warn+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110 ? report_bug+0x171/0x1a0 ? refcount_warn_saturate+0xe5/0x110 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_established+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_established+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0x83/0x170 entry_SYSCALL_64_after_hwframe+0x78/0x80 RIP: 0033:0x7f62c11a885d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0 </TASK> CVE-2024-36904 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The VMBus ring buffer code could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the struct vmbus_gpadl for the ring buffers to decide whether to free the memory. CVE-2024-36909 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The VMBus device UIO driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory. CVE-2024-36910 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The netvsc driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory. CVE-2024-36911 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. In order to make sure callers of vmbus_establish_gpadl() and vmbus_teardown_gpadl() don't return decrypted/shared pages to allocators, add a field in struct vmbus_gpadl to keep track of the decryption status of the buffers. This will allow the callers to know if they should free or leak the pages. CVE-2024-36912 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. VMBus code could free decrypted pages if set_memory_encrypted()/decrypted() fails. Leak the pages if this happens. CVE-2024-36913 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: block: fix overflow in blk_ioctl_discard() There is no check for overflow of 'start + len' in blk_ioctl_discard(). Hung task occurs if submit an discard ioctl with the following param: start = 0x80000000000ff000, len = 0x8000000000fff000; Add the overflow validation now. CVE-2024-36917 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload The session resources are used by FW and driver when session is offloaded, once session is uploaded these resources are not used. The lock is not required as these fields won't be used any longer. The offload and upload calls are sequential, hence lock is not required. This will suppress following BUG_ON(): [ 449.843143] ------------[ cut here ]------------ [ 449.848302] kernel BUG at mm/vmalloc.c:2727! [ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1 Rebooting. [ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016 [ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc] [ 449.882910] RIP: 0010:vunmap+0x2e/0x30 [ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41 [ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206 [ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005 [ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000 [ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf [ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000 [ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0 [ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000 [ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0 [ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 449.993028] Call Trace: [ 449.995756] __iommu_dma_free+0x96/0x100 [ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc] [ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc] [ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc] [ 450.018136] fc_rport_work+0x103/0x5b0 [libfc] [ 450.023103] process_one_work+0x1e8/0x3c0 [ 450.027581] worker_thread+0x50/0x3b0 [ 450.031669] ? rescuer_thread+0x370/0x370 [ 450.036143] kthread+0x149/0x170 [ 450.039744] ? set_kthread_struct+0x40/0x40 [ 450.044411] ret_from_fork+0x22/0x30 [ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls [ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler [ 450.159753] ---[ end trace 712de2c57c64abc8 ]--- CVE-2024-36919 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: read txq->read_ptr under lock If we read txq->read_ptr without lock, we can read the same value twice, then obtain the lock, and reclaim from there to two different places, but crucially reclaim the same entry twice, resulting in the WARN_ONCE() a little later. Fix that by reading txq->read_ptr under lock. CVE-2024-36922 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-36923 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() lpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the hbalock. Thus, lpfc_worker_wake_up() should not be called while holding the hbalock to avoid potential deadlock. CVE-2024-36924 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: LPAR panics during boot up with a frozen PE At the time of LPAR boot up, partition firmware provides Open Firmware property ibm,dma-window for the PE. This property is provided on the PCI bus the PE is attached to. There are execptions where the partition firmware might not provide this property for the PE at the time of LPAR boot up. One of the scenario is where the firmware has frozen the PE due to some error condition. This PE is frozen for 24 hours or unless the whole system is reinitialized. Within this time frame, if the LPAR is booted, the frozen PE will be presented to the LPAR but ibm,dma-window property could be missing. Today, under these circumstances, the LPAR oopses with NULL pointer dereference, when configuring the PCI bus the PE is attached to. BUG: Kernel NULL pointer dereference on read at 0x000000c8 Faulting instruction address: 0xc0000000001024c0 Oops: Kernel access of bad area, sig: 7 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: Supported: Yes CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.4.0-150600.9-default #1 Hardware name: IBM,9043-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_023) hv:phyp pSeries NIP: c0000000001024c0 LR: c0000000001024b0 CTR: c000000000102450 REGS: c0000000037db5c0 TRAP: 0300 Not tainted (6.4.0-150600.9-default) MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28000822 XER: 00000000 CFAR: c00000000010254c DAR: 00000000000000c8 DSISR: 00080000 IRQMASK: 0 ... NIP [c0000000001024c0] pci_dma_bus_setup_pSeriesLP+0x70/0x2a0 LR [c0000000001024b0] pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 Call Trace: pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 (unreliable) pcibios_setup_bus_self+0x1c0/0x370 __of_scan_bus+0x2f8/0x330 pcibios_scan_phb+0x280/0x3d0 pcibios_init+0x88/0x12c do_one_initcall+0x60/0x320 kernel_init_freeable+0x344/0x3e4 kernel_init+0x34/0x1d0 ret_from_kernel_user_thread+0x14/0x1c CVE-2024-36926 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: spi: fix null pointer dereference within spi_sync If spi_sync() is called with the non-empty queue and the same spi_message is then reused, the complete callback for the message remains set while the context is cleared, leading to a null pointer dereference when the callback is invoked from spi_finalize_current_message(). With function inlining disabled, the call stack might look like this: _raw_spin_lock_irqsave from complete_with_flags+0x18/0x58 complete_with_flags from spi_complete+0x8/0xc spi_complete from spi_finalize_current_message+0xec/0x184 spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474 spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230 __spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4 __spi_transfer_message_noqueue from __spi_sync+0x204/0x248 __spi_sync from spi_sync+0x24/0x3c spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd] mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154 _regmap_raw_read from _regmap_bus_read+0x44/0x70 _regmap_bus_read from _regmap_read+0x60/0xd8 _regmap_read from regmap_read+0x3c/0x5c regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd] mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd] mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78 irq_thread_fn from irq_thread+0x118/0x1f4 irq_thread from kthread+0xd8/0xf4 kthread from ret_from_fork+0x14/0x28 Fix this by also setting message->complete to NULL when the transfer is complete. CVE-2024-36930 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: core: delete incorrect free in pinctrl_enable() The "pctldev" struct is allocated in devm_pinctrl_register_and_init(). It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(), so freeing it in pinctrl_enable() will lead to a double free. The devm_pinctrl_dev_release() function frees the pindescs and destroys the mutex as well. CVE-2024-36940 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: don't free NULL coalescing rule If the parsing fails, we can dereference a NULL pointer here. CVE-2024-36941 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-36942 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: Reapply "drm/qxl: simplify qxl_fence_wait" This reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea. Stephen Rostedt reports: "I went to run my tests on my VMs and the tests hung on boot up. Unfortunately, the most I ever got out was: [ 93.607888] Testing event system initcall: OK [ 93.667730] Running tests on all trace events: [ 93.669757] Testing all events: OK [ 95.631064] ------------[ cut here ]------------ Timed out after 60 seconds" and further debugging points to a possible circular locking dependency between the console_owner locking and the worker pool locking. Reverting the commit allows Steve's VM to boot to completion again. [ This may obviously result in the "[TTM] Buffer eviction failed" messages again, which was the reason for that original revert. But at this point this seems preferable to a non-booting system... ] CVE-2024-36944 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: fix neighbour and rtable leak in smc_ib_find_route() In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable resolved by ip_route_output_flow() are not released or put before return. It may cause the refcount leak, so fix it. CVE-2024-36945 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: phonet: fix rtm_phonet_notify() skb allocation fill_route() stores three components in the skb: - struct rtmsg - RTA_DST (u8) - RTA_OIF (u32) Therefore, rtm_phonet_notify() should use NLMSG_ALIGN(sizeof(struct rtmsg)) + nla_total_size(1) + nla_total_size(4) CVE-2024-36946 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: qibfs: fix dentry leak simple_recursive_removal() drops the pinning references to all positives in subtree. For the cases when its argument has been kept alive by the pinning alone that's exactly the right thing to do, but here the argument comes from dcache lookup, that needs to be balanced by explicit dput(). Fucked-up-by: Al Viro <viro@zeniv.linux.org.uk> CVE-2024-36947 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: sync all devices to wait all processes being evicted If there are more than one device doing reset in parallel, the first device will call kfd_suspend_all_processes() to evict all processes on all devices, this call takes time to finish. other device will start reset and recover without waiting. if the process has not been evicted before doing recover, it will be restored, then caused page fault. CVE-2024-36949 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: firewire: ohci: mask bus reset interrupts between ISR and bottom half In the FireWire OHCI interrupt handler, if a bus reset interrupt has occurred, mask bus reset interrupts until bus_reset_work has serviced and cleared the interrupt. Normally, we always leave bus reset interrupts masked. We infer the bus reset from the self-ID interrupt that happens shortly thereafter. A scenario where we unmask bus reset interrupts was introduced in 2008 in a007bb857e0b26f5d8b73c2ff90782d9c0972620: If OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we will unmask bus reset interrupts so we can log them. irq_handler logs the bus reset interrupt. However, we can't clear the bus reset event flag in irq_handler, because we won't service the event until later. irq_handler exits with the event flag still set. If the corresponding interrupt is still unmasked, the first bus reset will usually freeze the system due to irq_handler being called again each time it exits. This freeze can be reproduced by loading firewire_ohci with "modprobe firewire_ohci debug=-1" (to enable all debugging output). Apparently there are also some cases where bus_reset_work will get called soon enough to clear the event, and operation will continue normally. This freeze was first reported a few months after a007bb85 was committed, but until now it was never fixed. The debug level could safely be set to -1 through sysfs after the module was loaded, but this would be ineffectual in logging bus reset interrupts since they were only unmasked during initialization. irq_handler will now leave the event flag set but mask bus reset interrupts, so irq_handler won't be called again and there will be no freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will unmask the interrupt after servicing the event, so future interrupts will be caught as desired. As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be enabled through sysfs in addition to during initial module loading. However, when enabled through sysfs, logging of bus reset interrupts will be effective only starting with the second bus reset, after bus_reset_work has executed. CVE-2024-36950 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: range check cp bad op exception interrupts Due to a CP interrupt bug, bad packet garbage exception codes are raised. Do a range check so that the debugger and runtime do not receive garbage codes. Update the user api to guard exception code type checking as well. CVE-2024-36951 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Move NPIV's transport unregistration to after resource clean up There are cases after NPIV deletion where the fabric switch still believes the NPIV is logged into the fabric. This occurs when a vport is unregistered before the Remove All DA_ID CT and LOGO ELS are sent to the fabric. Currently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including the fabric D_ID, removes the last ndlp reference and frees the ndlp rport object. This sometimes causes the race condition where the final DA_ID and LOGO are skipped from being sent to the fabric switch. Fix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID and LOGO are sent. CVE-2024-36952 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node() The documentation for device_get_named_child_node() mentions this important point: " The caller is responsible for calling fwnode_handle_put() on the returned fwnode pointer. " Add fwnode_handle_put() to avoid a leaked reference. CVE-2024-36955 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() If we fail to allocate propname buffer, we need to drop the reference count we just took. Because the pinctrl_dt_free_maps() includes the droping operation, here we call it directly. CVE-2024-36959 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix invalid reads in fence signaled events Correctly set the length of the drm_event to the size of the structure that's actually used. The length of the drm_event was set to the parent structure instead of to the drm_vmw_event_fence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space thus resuling in oob reads. CVE-2024-36960 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs Currently the driver uses local_bh_disable()/local_bh_enable() in its IRQ handler to avoid triggering net_rx_action() softirq on exit from netif_rx(). The net_rx_action() could trigger this driver .start_xmit callback, which is protected by the same lock as the IRQ handler, so calling the .start_xmit from netif_rx() from the IRQ handler critical section protected by the lock could lead to an attempt to claim the already claimed lock, and a hang. The local_bh_disable()/local_bh_enable() approach works only in case the IRQ handler is protected by a spinlock, but does not work if the IRQ handler is protected by mutex, i.e. this works for KS8851 with Parallel bus interface, but not for KS8851 with SPI bus interface. Remove the BH manipulation and instead of calling netif_rx() inside the IRQ handler code protected by the lock, queue all the received SKBs in the IRQ handler into a queue first, and once the IRQ handler exits the critical section protected by the lock, dequeue all the queued SKBs and push them all into netif_rx(). At this point, it is safe to trigger the net_rx_action() softirq, since the netif_rx() call is outside of the lock that protects the IRQ handler. CVE-2024-36962 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u. CVE-2024-36964 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: remoteproc: mediatek: Make sure IPI buffer fits in L2TCM The IPI buffer location is read from the firmware that we load to the System Companion Processor, and it's not granted that both the SRAM (L2TCM) size that is defined in the devicetree node is large enough for that, and while this is especially true for multi-core SCP, it's still useful to check on single-core variants as well. Failing to perform this check may make this driver perform R/W operations out of the L2TCM boundary, resulting (at best) in a kernel panic. To fix that, check that the IPI buffer fits, otherwise return a failure and refuse to boot the relevant SCP core (or the SCP at all, if this is single core). CVE-2024-36965 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak in tpm2_key_encode() 'scratch' is never freed. Fix this by calling kfree() in the success, and in the error case. CVE-2024-36967 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix division by zero in setup_dsc_config When slice_height is 0, the division by slice_height in the calculation of the number of slices will cause a division by zero driver crash. This leaves the kernel in a state that requires a reboot. This patch adds a check to avoid the division by zero. The stack trace below is for the 6.8.4 Kernel. I reproduced the issue on a Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor connected via Thunderbolt. The amdgpu driver crashed with this exception when I rebooted the system with the monitor connected. kernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447) kernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2)) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu After applying this patch, the driver no longer crashes when the monitor is connected and the system is rebooted. I believe this is the same issue reported for 3113. CVE-2024-36969 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. CVE-2024-36971 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe() When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), callback function gp_auxiliary_device_release() calls ida_free() and kfree(aux_device_wrapper) to free memory. We should't call them again in the error handling path. Fix this by skipping the redundant cleanup functions. CVE-2024-36973 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, taprio_parse_mqprio_opt() must validate it, or userspace can inject arbitrary data to the kernel, the second time taprio_change() is called. First call (with valid attributes) sets dev->num_tc to a non zero value. Second call (with arbitrary mqprio attributes) returns early from taprio_parse_mqprio_opt() and bad things can happen. CVE-2024-36974 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Do not use WARN when encode fails When asn1_encode_sequence() fails, WARN is not the correct solution. 1. asn1_encode_sequence() is not an internal function (located in lib/asn1_encode.c). 2. Location is known, which makes the stack trace useless. 3. Results a crash if panic_on_warn is set. It is also noteworthy that the use of WARN is undocumented, and it should be avoided unless there is a carefully considered rationale to use it. Replace WARN with pr_err, and print the return value instead, which is only useful piece of information. CVE-2024-36975 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Wait unconditionally after issuing EndXfer command Currently all controller IP/revisions except DWC3_usb3 >= 310a wait 1ms unconditionally for ENDXFER completion when IOC is not set. This is because DWC_usb3 controller revisions >= 3.10a supports GUCTL2[14: Rst_actbitlater] bit which allows polling CMDACT bit to know whether ENDXFER command is completed. Consider a case where an IN request was queued, and parallelly soft_disconnect was called (due to ffs_epfile_release). This eventually calls stop_active_transfer with IOC cleared, hence send_gadget_ep_cmd() skips waiting for CMDACT cleared during EndXfer. For DWC3 controllers with revisions >= 310a, we don't forcefully wait for 1ms either, and we proceed by unmapping the requests. If ENDXFER didn't complete by this time, it leads to SMMU faults since the controller would still be accessing those requests. Fix this by ensuring ENDXFER completion by adding 1ms delay in __dwc3_stop_active_transfer() unconditionally. CVE-2024-36977 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur. CVE-2024-36978 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: fpga: manager: add owner module and take its refcount The current implementation of the fpga manager assumes that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This approach is problematic since it can lead to a null pointer dereference while attempting to get the manager if the parent device does not have a driver. To address this problem, add a module owner pointer to the fpga_manager struct and use it to take the module's refcount. Modify the functions for registering the manager to take an additional owner module parameter and rename them to avoid conflicts. Use the old function names for helper macros that automatically set the module that registers the manager as the owner. This ensures compatibility with existing low-level control modules and reduces the chances of registering a manager without setting the owner. Also, update the documentation to keep it consistent with the new interface for registering an fpga manager. Other changes: opportunistically move put_device() from __fpga_mgr_get() to fpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the manager device is taken in these functions. CVE-2024-37021 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential kernel bug due to lack of writeback flag waiting Destructive writes to a block device on which nilfs2 is mounted can cause a kernel bug in the folio/page writeback start routine or writeback end routine (__folio_start_writeback in the log below): kernel BUG at mm/page-writeback.c:3070! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI ... RIP: 0010:__folio_start_writeback+0xbaa/0x10e0 Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f> 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00 ... Call Trace: <TASK> nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2] nilfs_segctor_construct+0x181/0x6b0 [nilfs2] nilfs_segctor_thread+0x548/0x11c0 [nilfs2] kthread+0x2f0/0x390 ret_from_fork+0x4b/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> This is because when the log writer starts a writeback for segment summary blocks or a super root block that use the backing device's page cache, it does not wait for the ongoing folio/page writeback, resulting in an inconsistent writeback state. Fix this issue by waiting for ongoing writebacks when putting folios/pages on the backing device into writeback state. CVE-2024-37078 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-37353 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix crash on racing fsync and size-extending write into prealloc We have been seeing crashes on duplicate keys in btrfs_set_item_key_safe(): BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192) ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:2620! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs] With the following stack trace: #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4) #1 btrfs_drop_extents (fs/btrfs/file.c:411:4) #2 log_one_extent (fs/btrfs/tree-log.c:4732:9) #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9) #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9) #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8) #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8) #7 btrfs_sync_file (fs/btrfs/file.c:1933:8) #8 vfs_fsync_range (fs/sync.c:188:9) #9 vfs_fsync (fs/sync.c:202:9) #10 do_fsync (fs/sync.c:212:9) #11 __do_sys_fdatasync (fs/sync.c:225:9) #12 __se_sys_fdatasync (fs/sync.c:223:1) #13 __x64_sys_fdatasync (fs/sync.c:223:1) #14 do_syscall_x64 (arch/x86/entry/common.c:52:14) #15 do_syscall_64 (arch/x86/entry/common.c:83:7) #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121) So we're logging a changed extent from fsync, which is splitting an extent in the log tree. But this split part already exists in the tree, triggering the BUG(). This is the state of the log tree at the time of the crash, dumped with drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py) to get more details than btrfs_print_leaf() gives us: >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"]) leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610 leaf 33439744 flags 0x100000000000000 fs uuid e5bd3946-400c-4223-8923-190ef1f18677 chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 7 transid 9 size 8192 nbytes 8473563889606862198 block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0 sequence 204 flags 0x10(PREALLOC) atime 1716417703.220000000 (2024-05-22 15:41:43) ctime 1716417704.983333333 (2024-05-22 15:41:44) mtime 1716417704.983333333 (2024-05-22 15:41:44) otime 17592186044416.000000000 (559444-03-08 01:40:16) item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13 index 195 namelen 3 name: 193 item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37 location key (0 UNKNOWN.0 0) type XATTR transid 7 data_len 1 name_len 6 name: user.a data a item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53 generation 9 type 1 (regular) extent data disk byte 303144960 nr 12288 extent data offset 0 nr 4096 ram 12288 extent compression 0 (none) item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 4096 nr 8192 item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 8192 nr 4096 ... So the real problem happened earlier: notice that items 4 (4k-12k) and 5 (8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and item 5 starts at i_size. Here is the state of ---truncated--- CVE-2024-37354 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations. CVE-2024-37891 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:python3-urllib3-1.25.10-150300.4.12.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix uninit-value in nci_rx_work syzbot reported the following uninit-value access issue [1] nci_rx_work() parses received packet from ndev->rx_q. It should be validated header size, payload size and total packet size before processing the packet. If an invalid packet is detected, it should be silently discarded. CVE-2024-38381 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix list corruption from reorder of WRITE ->lqueued __blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_start is being executed. If WRITE of `->lqueued` is re-ordered with READ of 'bisc->lnode.next' in the loop of __blkcg_rstat_flush(), `next_bisc` can be assigned with one stat instance being added in blk_cgroup_bio_start(), then the local list in __blkcg_rstat_flush() could be corrupted. Fix the issue by adding one barrier. CVE-2024-38384 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after() irq_find_at_or_after() dereferences the interrupt descriptor which is returned by mt_find() while neither holding sparse_irq_lock nor RCU read lock, which means the descriptor can be freed between mt_find() and the dereference: CPU0 CPU1 desc = mt_find() delayed_free_desc(desc) irq_desc_get_irq(desc) The use-after-free is reported by KASAN: Call trace: irq_get_next_irq+0x58/0x84 show_stat+0x638/0x824 seq_read_iter+0x158/0x4ec proc_reg_read_iter+0x94/0x12c vfs_read+0x1e0/0x2c8 Freed by task 4471: slab_free_freelist_hook+0x174/0x1e0 __kmem_cache_free+0xa4/0x1dc kfree+0x64/0x128 irq_kobj_release+0x28/0x3c kobject_put+0xcc/0x1e0 delayed_free_desc+0x14/0x2c rcu_do_batch+0x214/0x720 Guard the access with a RCU read lock section. CVE-2024-38385 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup Use the control private_free callback to free the associated data block. This ensures that the memory won't leak, whatever way the control gets destroyed. The original implementation didn't actually remove the ALSA controls in hda_cs_dsp_control_remove(). It only freed the internal tracking structure. This meant it was possible to remove/unload the amp driver while leaving its ALSA controls still present in the soundcard. Obviously attempting to access them could cause segfaults or at least dereferencing stale pointers. CVE-2024-38388 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails Calling a6xx_destroy() before adreno_gpu_init() leads to a null pointer dereference on: msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL); as gpu->pdev is only assigned in: a6xx_gpu_init() |_ adreno_gpu_init |_ msm_gpu_init() Instead of relying on handwavy null checks down the cleanup chain, explicitly de-allocate the LLC data and free a6xx_gpu instead. Patchwork: https://patchwork.freedesktop.org/patch/588919/ CVE-2024-38390 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-38391 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw When running blktests nvme/rdma, the following kmemleak issue will appear. kmemleak: Kernel memory leak detector initialized (mempool available:36041) kmemleak: Automatic memory scanning thread started kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak) unreferenced object 0xffff88855da53400 (size 192): comm "rdma", pid 10630, jiffies 4296575922 hex dump (first 32 bytes): 37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00 7............... 10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff .4.].....4.].... backtrace (crc 47f66721): [<ffffffff911251bd>] kmalloc_trace+0x30d/0x3b0 [<ffffffffc2640ff7>] alloc_gid_entry+0x47/0x380 [ib_core] [<ffffffffc2642206>] add_modify_gid+0x166/0x930 [ib_core] [<ffffffffc2643468>] ib_cache_update.part.0+0x6d8/0x910 [ib_core] [<ffffffffc2644e1a>] ib_cache_setup_one+0x24a/0x350 [ib_core] [<ffffffffc263949e>] ib_register_device+0x9e/0x3a0 [ib_core] [<ffffffffc2a3d389>] 0xffffffffc2a3d389 [<ffffffffc2688cd8>] nldev_newlink+0x2b8/0x520 [ib_core] [<ffffffffc2645fe3>] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core] [<ffffffffc264648c>] rdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core] [<ffffffff9270e7b5>] netlink_unicast+0x445/0x710 [<ffffffff9270f1f1>] netlink_sendmsg+0x761/0xc40 [<ffffffff9249db29>] __sys_sendto+0x3a9/0x420 [<ffffffff9249dc8c>] __x64_sys_sendto+0xdc/0x1b0 [<ffffffff92db0ad3>] do_syscall_64+0x93/0x180 [<ffffffff92e00126>] entry_SYSCALL_64_after_hwframe+0x71/0x79 The root cause: rdma_put_gid_attr is not called when sgid_attr is set to ERR_PTR(-ENODEV). CVE-2024-38539 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0. Fix it in the one caller that had this combination. The undefined behavior was detected by UBSAN: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x30 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec __roundup_pow_of_two+0x25/0x35 [bnxt_re] bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re] bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re] ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kmalloc+0x1b6/0x4f0 ? create_qp.part.0+0x128/0x1c0 [ib_core] ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re] create_qp.part.0+0x128/0x1c0 [ib_core] ib_create_qp_kernel+0x50/0xd0 [ib_core] create_mad_qp+0x8e/0xe0 [ib_core] ? __pfx_qp_event_handler+0x10/0x10 [ib_core] ib_mad_init_device+0x2be/0x680 [ib_core] add_client_context+0x10d/0x1a0 [ib_core] enable_device_and_get+0xe0/0x1d0 [ib_core] ib_register_device+0x53c/0x630 [ib_core] ? srso_alias_return_thunk+0x5/0xfbef5 bnxt_re_probe+0xbd8/0xe50 [bnxt_re] ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re] auxiliary_bus_probe+0x49/0x80 ? driver_sysfs_add+0x57/0xc0 really_probe+0xde/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8f/0xe0 bus_add_driver+0x146/0x220 driver_register+0x72/0xd0 __auxiliary_driver_register+0x6e/0xd0 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] bnxt_re_mod_init+0x3e/0xff0 [bnxt_re] ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] do_one_initcall+0x5b/0x310 do_init_module+0x90/0x250 init_module_from_file+0x86/0xc0 idempotent_init_module+0x121/0x2b0 __x64_sys_finit_module+0x5e/0xb0 do_syscall_64+0x82/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode_prepare+0x149/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode+0x75/0x230 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x8e/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? __count_memcg_events+0x69/0x100 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events.constprop.0+0x1a/0x30 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1f0/0x300 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x34e/0x640 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 </TASK> ---[ end trace ]--- CVE-2024-38540 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). CVE-2024-38541 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure The kcalloc() in dmirror_device_evict_chunk() will return null if the physical memory has run out. As a result, if src_pfns or dst_pfns is dereferenced, the null pointer dereference bug will happen. Moreover, the device is going away. If the kcalloc() fails, the pages mapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in kcalloc(). Finally, as there is no need to have physically contiguous memory, Switch kcalloc() to kvcalloc() in order to avoid failing allocations. CVE-2024-38543 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the resp_pkts queue and then a decision is made whether to run the completer task inline or schedule it. Finally the skb is dereferenced to bump a 'hw' performance counter. This is wrong because if the completer task is already running in a separate thread it may have already processed the skb and freed it which can cause a seg fault. This has been observed infrequently in testing at high scale. This patch fixes this by changing the order of enqueuing the packet until after the counter is accessed. CVE-2024-38544 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix UAF for cq async event The refcount of CQ is not protected by locks. When CQ asynchronous events and CQ destruction are concurrent, CQ may have been released, which will cause UAF. Use the xa_lock() to protect the CQ refcount. CVE-2024-38545 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: vc4: Fix possible null pointer dereference In vc4_hdmi_audio_init() of_get_address() may return NULL which is later dereferenced. Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-38546 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries The allocation failure of mycs->yuv_scaler_binary in load_video_binaries() is followed with a dereference of mycs->yuv_scaler_binary after the following call chain: sh_css_pipe_load_binaries() |-> load_video_binaries(mycs->yuv_scaler_binary == NULL) | |-> sh_css_pipe_unload_binaries() |-> unload_video_binaries() In unload_video_binaries(), it calls to ia_css_binary_unload with argument &pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer dereference is triggered. CVE-2024-38547 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is assigned to mhdp_state->current_mode, and there is a dereference of it in drm_mode_set_name(), which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Fix this bug add a check of mhdp_state->current_mode. CVE-2024-38548 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Add 0 size check to mtk_drm_gem_obj Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object of 0 bytes. Currently, no such check exists and the kernel will panic if a userspace application attempts to allocate a 0x0 GBM buffer. Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and verifying that we now return EINVAL. CVE-2024-38549 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: kirkwood: Fix potential NULL dereference In kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if CONFIG_PLAT_ORION macro is not defined. Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-38550 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: Assign dummy when codec not specified for a DAI link MediaTek sound card drivers are checking whether a DAI link is present and used on a board to assign the correct parameters and this is done by checking the codec DAI names at probe time. If no real codec is present, assign the dummy codec to the DAI link to avoid NULL pointer during string comparison. CVE-2024-38551 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix potential index out of bounds in color transformation function Fixes index out of bounds issue in the color transformation function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, an error message is logged and the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max CVE-2024-38552 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid deadlocks"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed. CVE-2024-38553 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issue of net_device There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. CVE-2024-38554 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Discard command completions in internal error Fix use after free when FW completion arrives while device is in internal error state. Avoid calling completion handler in this case, since the device will flush the command interface and trigger all completions manually. Kernel log: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. ... RIP: 0010:refcount_warn_saturate+0xd8/0xe0 ... Call Trace: <IRQ> ? __warn+0x79/0x120 ? refcount_warn_saturate+0xd8/0xe0 ? report_bug+0x17c/0x190 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xd8/0xe0 cmd_ent_put+0x13b/0x160 [mlx5_core] mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core] cmd_comp_notifier+0x1f/0x30 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 mlx5_eq_async_int+0xf6/0x290 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x4b/0x160 handle_irq_event+0x2e/0x80 handle_edge_irq+0x98/0x230 __common_interrupt+0x3b/0xa0 common_interrupt+0x7b/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 CVE-2024-38555 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Add a timeout to acquire the command queue semaphore Prevent forced completion handling on an entry that has not yet been assigned an index, causing an out of bounds access on idx = -22. Instead of waiting indefinitely for the sem, blocking flow now waits for index to be allocated or a sem acquisition timeout before beginning the timer for FW completion. Kernel log example: mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion CVE-2024-38556 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Reload only IB representors upon lag disable/enable On lag disable, the bond IB device along with all of its representors are destroyed, and then the slaves' representors get reloaded. In case the slave IB representor load fails, the eswitch error flow unloads all representors, including ethernet representors, where the netdevs get detached and removed from lag bond. Such flow is inaccurate as the lag driver is not responsible for loading/unloading ethernet representors. Furthermore, the flow described above begins by holding lag lock to prevent bond changes during disable flow. However, when reaching the ethernet representors detachment from lag, the lag lock is required again, triggering the following deadlock: Call trace: __switch_to+0xf4/0x148 __schedule+0x2c8/0x7d0 schedule+0x50/0xe0 schedule_preempt_disabled+0x18/0x28 __mutex_lock.isra.13+0x2b8/0x570 __mutex_lock_slowpath+0x1c/0x28 mutex_lock+0x4c/0x68 mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core] mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core] mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core] mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core] mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core] mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core] mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core] mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core] mlx5_disable_lag+0x130/0x138 [mlx5_core] mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core] devlink_nl_cmd_eswitch_set_doit+0xdc/0x180 genl_family_rcv_msg_doit.isra.17+0xe8/0x138 genl_rcv_msg+0xe4/0x220 netlink_rcv_skb+0x44/0x108 genl_rcv+0x40/0x58 netlink_unicast+0x198/0x268 netlink_sendmsg+0x1d4/0x418 sock_sendmsg+0x54/0x60 __sys_sendto+0xf4/0x120 __arm64_sys_sendto+0x30/0x40 el0_svc_common+0x8c/0x120 do_el0_svc+0x30/0xa0 el0_svc+0x20/0x30 el0_sync_handler+0x90/0xb8 el0_sync+0x160/0x180 Thus, upon lag enable/disable, load and unload only the IB representors of the slaves preventing the deadlock mentioned above. While at it, refactor the mlx5_esw_offloads_rep_load() function to have a static helper method for its internal logic, in symmetry with the representor unload design. CVE-2024-38557 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix overwriting ct original tuple for ICMPv6 OVS_PACKET_CMD_EXECUTE has 3 main attributes: - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format. - OVS_PACKET_ATTR_PACKET - Binary packet content. - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet. OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure with the metadata like conntrack state, input port, recirculation id, etc. Then the packet itself gets parsed to populate the rest of the keys from the packet headers. Whenever the packet parsing code starts parsing the ICMPv6 header, it first zeroes out fields in the key corresponding to Neighbor Discovery information even if it is not an ND packet. It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares the space between 'nd' and 'ct_orig' that holds the original tuple conntrack metadata parsed from the OVS_PACKET_ATTR_KEY. ND packets should not normally have conntrack state, so it's fine to share the space, but normal ICMPv6 Echo packets or maybe other types of ICMPv6 can have the state attached and it should not be overwritten. The issue results in all but the last 4 bytes of the destination address being wiped from the original conntrack tuple leading to incorrect packet matching and potentially executing wrong actions in case this packet recirculates within the datapath or goes back to userspace. ND fields should not be accessed in non-ND packets, so not clearing them should be fine. Executing memset() only for actual ND packets to avoid the issue. Initializing the whole thing before parsing is needed because ND packet may not contain all the options. The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't affect packets entering OVS datapath from network interfaces, because in this case CT metadata is populated from skb after the packet is already parsed. CVE-2024-38558 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Ensure the copied buf is NUL terminated Currently, we allocate a count-sized kernel buffer and copy count from userspace to that buffer. Later, we use kstrtouint on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using kstrtouint. Fix this issue by using memdup_user_nul instead of memdup_user. CVE-2024-38559 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user. CVE-2024-38560 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: Avoid address calculations via out of bounds array indexing Before request->channels[] can be used, request->n_channels must be set. Additionally, address calculations for memory after the "channels" array need to be calculated from the allocation base ("request") rather than via the first "out of bounds" index of "channels", otherwise run-time bounds checking will throw a warning. CVE-2024-38562 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE bpf_prog_attach uses attach_type_to_prog_type to enforce proper attach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses bpf_prog_get and relies on bpf_prog_attach_check_attach_type to properly verify prog_type <> attach_type association. Add missing attach_type enforcement for the link_create case. Otherwise, it's currently possible to attach cgroup_skb prog types to other cgroup hooks. CVE-2024-38564 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: wifi: ar5523: enable proper endpoint verification Syzkaller reports [1] hitting a warning about an endpoint in use not having an expected type to it. Fix the issue by checking for the existence of all proper endpoints with their according types intact. Sadly, this patch has not been tested on real hardware. [1] Syzkaller report: ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275 ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline] ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline] ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655 usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 device_add+0xbd9/0x1e90 drivers/base/core.c:3517 usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 device_add+0xbd9/0x1e90 drivers/base/core.c:3517 usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573 hub_port_connect drivers/usb/core/hub.c:5353 [inline] hub_port_connect_change drivers/usb/core/hub.c:5497 [inline] port_event drivers/usb/core/hub.c:5653 [inline] hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK> CVE-2024-38565 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix verifier assumptions about socket->sk The verifier assumes that 'sk' field in 'struct socket' is valid and non-NULL when 'socket' pointer itself is trusted and non-NULL. That may not be the case when socket was just created and passed to LSM socket_accept hook. Fix this verifier assumption and adjust tests. CVE-2024-38566 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: add a proper sanity check for endpoints Syzkaller reports [1] hitting a warning which is caused by presence of a wrong endpoint type at the URB sumbitting stage. While there was a check for a specific 4th endpoint, since it can switch types between bulk and interrupt, other endpoints are trusted implicitly. Similar warning is triggered in a couple of other syzbot issues [2]. Fix the issue by doing a comprehensive check of all endpoints taking into account difference between high- and full-speed configuration. [1] Syzkaller report: ... WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> [2] Related syzkaller crashes: CVE-2024-38567 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group The perf tool allows users to create event groups through following cmd [1], but the driver does not check whether the array index is out of bounds when writing data to the event_group array. If the number of events in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the memory write overflow of event_group array occurs. Add array index check to fix the possible array out of bounds violation, and return directly when write new events are written to array bounds. There are 9 different events in an event_group. [1] perf stat -e '{pmu/event1/, ... ,pmu/event9/} CVE-2024-38568 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group The perf tool allows users to create event groups through following cmd [1], but the driver does not check whether the array index is out of bounds when writing data to the event_group array. If the number of events in an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write overflow of event_group array occurs. Add array index check to fix the possible array out of bounds violation, and return directly when write new events are written to array bounds. There are 9 different events in an event_group. [1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}' CVE-2024-38569 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead. CVE-2024-38570 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/tsens: Fix null pointer dereference compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c) as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null pointer dereference (if DEBUG or DYNAMIC_DEBUG set). Fix this bug by adding null pointer check. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-38571 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix out-of-bound access of qmi_invoke_handler() Currently, there is no terminator entry for ath12k_qmi_msg_handlers hence facing below KASAN warning, ================================================================== BUG: KASAN: global-out-of-bounds in qmi_invoke_handler+0xa4/0x148 Read of size 8 at addr ffffffd00a6428d8 by task kworker/u8:2/1273 CPU: 0 PID: 1273 Comm: kworker/u8:2 Not tainted 5.4.213 #0 Workqueue: qmi_msg_handler qmi_data_ready_work Call trace: dump_backtrace+0x0/0x20c show_stack+0x14/0x1c dump_stack+0xe0/0x138 print_address_description.isra.5+0x30/0x330 __kasan_report+0x16c/0x1bc kasan_report+0xc/0x14 __asan_load8+0xa8/0xb0 qmi_invoke_handler+0xa4/0x148 qmi_handle_message+0x18c/0x1bc qmi_data_ready_work+0x4ec/0x528 process_one_work+0x2c0/0x440 worker_thread+0x324/0x4b8 kthread+0x210/0x228 ret_from_fork+0x10/0x18 The address belongs to the variable: ath12k_mac_mon_status_filter_default+0x4bd8/0xfffffffffffe2300 [ath12k] [...] ================================================================== Add a dummy terminator entry at the end to assist the qmi_invoke_handler() in traversing up to the terminator entry without accessing an out-of-boundary index. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 CVE-2024-38572 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: cppc_cpufreq: Fix possible null pointer dereference cppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from different places with various parameters. So cpufreq_cpu_get() can return null as 'policy' in some circumstances. Fix this bug by adding null return check. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-38573 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: pcie: handle randbuf allocation failure The kzalloc() in brcmf_pcie_download_fw_nvram() will return null if the physical memory has run out. As a result, if we use get_random_bytes() to generate random bytes in the randbuf, the null pointer dereference bug will happen. In order to prevent allocation failure, this patch adds a separate function using buffer on kernel stack to generate random bytes in the randbuf, which could prevent the kernel stack from overflow. CVE-2024-38575 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ecryptfs: Fix buffer size for tag 66 packet The 'TAG 66 Packet Format' description is missing the cipher code and checksum fields that are packed into the message packet. As a result, the buffer allocated for the packet is 3 bytes too small and write_tag_66_packet() will write up to 3 bytes past the end of the buffer. Fix this by increasing the size of the allocation so the whole packet will always fit in the buffer. This fixes the below kasan slab-out-of-bounds bug: BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 Write of size 1 at addr ffff88800afbb2a5 by task touch/181 CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4c/0x70 print_report+0xc5/0x610 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? kasan_complete_mode_report_info+0x44/0x210 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 kasan_report+0xc2/0x110 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 __asan_store1+0x62/0x80 ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10 ? __alloc_pages+0x2e2/0x540 ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d] ? dentry_open+0x8f/0xd0 ecryptfs_write_metadata+0x30a/0x550 ? __pfx_ecryptfs_write_metadata+0x10/0x10 ? ecryptfs_get_lower_file+0x6b/0x190 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 ? __pfx_path_openat+0x10/0x10 do_filp_open+0x15e/0x290 ? __pfx_do_filp_open+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? _raw_spin_lock+0x86/0xf0 ? __pfx__raw_spin_lock+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? alloc_fd+0xf4/0x330 do_sys_openat2+0x122/0x160 ? __pfx_do_sys_openat2+0x10/0x10 __x64_sys_openat+0xef/0x170 ? __pfx___x64_sys_openat+0x10/0x10 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f00a703fd67 Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67 RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000 R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040 </TASK> Allocated by task 181: kasan_save_stack+0x2f/0x60 kasan_set_track+0x29/0x40 kasan_save_alloc_info+0x25/0x40 __kasan_kmalloc+0xc5/0xd0 __kmalloc+0x66/0x160 ecryptfs_generate_key_packet_set+0x6d2/0xde0 ecryptfs_write_metadata+0x30a/0x550 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 do_filp_open+0x15e/0x290 do_sys_openat2+0x122/0x160 __x64_sys_openat+0xef/0x170 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 CVE-2024-38578 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: bcm - Fix pointer arithmetic In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-38579 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: epoll: be better about file lifetimes epoll can call out to vfs_poll() with a file pointer that may race with the last 'fput()'. That would make f_count go down to zero, and while the ep->mtx locking means that the resulting file pointer tear-down will be blocked until the poll returns, it means that f_count is already dead, and any use of it won't actually get a reference to the file any more: it's dead regardless. Make sure we have a valid ref on the file pointer before we call down to vfs_poll() from the epoll routines. CVE-2024-38580 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/mes: fix use-after-free issue Delete fence fallback timer to fix the ramdom use-after-free issue. v2: move to amdgpu_mes.c CVE-2024-38581 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential hang in nilfs_detach_log_writer() Syzbot has reported a potential hang in nilfs_detach_log_writer() called during nilfs2 unmount. Analysis revealed that this is because nilfs_segctor_sync(), which synchronizes with the log writer thread, can be called after nilfs_segctor_destroy() terminates that thread, as shown in the call trace below: nilfs_detach_log_writer nilfs_segctor_destroy nilfs_segctor_kill_thread --> Shut down log writer thread flush_work nilfs_iput_work_func nilfs_dispose_list iput nilfs_evict_inode nilfs_transaction_commit nilfs_construct_segment (if inode needs sync) nilfs_segctor_sync --> Attempt to synchronize with log writer thread *** DEADLOCK *** Fix this issue by changing nilfs_segctor_sync() so that the log writer thread returns normally without synchronizing after it terminates, and by forcing tasks that are already waiting to complete once after the thread terminates. The skipped inode metadata flushout will then be processed together in the subsequent cleanup work in nilfs_segctor_destroy(). CVE-2024-38582 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free of timer for log writer thread Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive. CVE-2024-38583 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: r8169: Fix possible ring buffer corruption on fragmented Tx packets. An issue was found on the RTL8125b when transmitting small fragmented packets, whereby invalid entries were inserted into the transmit ring buffer, subsequently leading to calls to dma_unmap_single() with a null address. This was caused by rtl8169_start_xmit() not noticing changes to nr_frags which may occur when small packets are padded (to work around hardware quirks) in rtl8169_tso_csum_v2(). To fix this, postpone inspecting nr_frags until after any padding has been applied. CVE-2024-38586 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: speakup: Fix sizeof() vs ARRAY_SIZE() bug The "buf" pointer is an array of u16 values. This code should be using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512), otherwise it can the still got out of bounds. CVE-2024-38587 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix possible use-after-free issue in ftrace_location() KASAN reports a bug: BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 Read of size 8 at addr ffff888141d40010 by task insmod/424 CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+ [...] Call Trace: <TASK> dump_stack_lvl+0x68/0xa0 print_report+0xcf/0x610 kasan_report+0xb5/0xe0 ftrace_location+0x90/0x120 register_kprobe+0x14b/0xa40 kprobe_init+0x2d/0xff0 [kprobe_example] do_one_initcall+0x8f/0x2d0 do_init_module+0x13a/0x3c0 load_module+0x3082/0x33d0 init_module_from_file+0xd2/0x130 __x64_sys_finit_module+0x306/0x440 do_syscall_64+0x68/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79 The root cause is that, in lookup_rec(), ftrace record of some address is being searched in ftrace pages of some module, but those ftrace pages at the same time is being freed in ftrace_release_mod() as the corresponding module is being deleted: CPU1 | CPU2 register_kprobes() { | delete_module() { check_kprobe_address_safe() { | arch_check_ftrace_location() { | ftrace_location() { | lookup_rec() // USE! | ftrace_release_mod() // Free! To fix this issue: 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range(); 2. Use ftrace_location_range() instead of lookup_rec() in ftrace_location(); 3. Call synchronize_rcu() before freeing any ftrace pages both in ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem(). CVE-2024-38588 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Modify the print level of CQE error Too much print may lead to a panic in kernel. Change ibdev_err() to ibdev_err_ratelimited(), and change the printing level of cqe dump to debug level. CVE-2024-38590 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix deadlock on SRQ async events. xa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/ xa_erase_irq() to avoid deadlock. CVE-2024-38591 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Init `ddp_comp` with devm_kcalloc() In the case where `conn_routes` is true we allocate an extra slot in the `ddp_comp` array but mtk_drm_crtc_create() never seemed to initialize it in the test case I ran. For me, this caused a later crash when we looped through the array in mtk_drm_crtc_mode_valid(). This showed up for me when I booted with `slub_debug=FZPUA` which poisons the memory initially. Without `slub_debug` I couldn't reproduce, presumably because the later code handles the value being NULL and in most cases (not guaranteed in all cases) the memory the allocator returned started out as 0. It really doesn't hurt to initialize the array with devm_kcalloc() since the array is small and the overhead of initting a handful of elements to 0 is small. In general initting memory to zero is a safer practice and usually it's suggested to only use the non-initting alloc functions if you really need to. Let's switch the function to use an allocation function that zeros the memory. For me, this avoids the crash. CVE-2024-38592 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: stmmac: move the EST lock to struct stmmac_priv Reinitialize the whole EST structure would also reset the mutex lock which is embedded in the EST structure, and then trigger the following warning. To address this, move the lock to struct stmmac_priv. We also need to reacquire the mutex lock when doing this initialization. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068 Modules linked in: CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29 Hardware name: NXP i.MX8MPlus EVK board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mutex_lock+0xd84/0x1068 lr : __mutex_lock+0xd84/0x1068 sp : ffffffc0864e3570 x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003 x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000 x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8 x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698 x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001 x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027 x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: __mutex_lock+0xd84/0x1068 mutex_lock_nested+0x28/0x34 tc_setup_taprio+0x118/0x68c stmmac_setup_tc+0x50/0xf0 taprio_change+0x868/0xc9c CVE-2024-38594 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix peer devlink set for SF representor devlink port The cited patch change register devlink flow, and neglect to reflect the changes for peer devlink set logic. Peer devlink set is triggering a call trace if done after devl_register.[1] Hence, align peer devlink set logic with register devlink flow. [1] WARNING: CPU: 4 PID: 3394 at net/devlink/core.c:155 devlink_rel_nested_in_add+0x177/0x180 CPU: 4 PID: 3394 Comm: kworker/u40:1 Not tainted 6.9.0-rc4_for_linust_min_debug_2024_04_16_14_08 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_vhca_event0 mlx5_vhca_state_work_handler [mlx5_core] RIP: 0010:devlink_rel_nested_in_add+0x177/0x180 Call Trace: <TASK> ? __warn+0x78/0x120 ? devlink_rel_nested_in_add+0x177/0x180 ? report_bug+0x16d/0x180 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? devlink_port_init+0x30/0x30 ? devlink_port_type_clear+0x50/0x50 ? devlink_rel_nested_in_add+0x177/0x180 ? devlink_rel_nested_in_add+0xdd/0x180 mlx5_sf_mdev_event+0x74/0xb0 [mlx5_core] notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_sf_dev_probe+0x185/0x3e0 [mlx5_core] auxiliary_bus_probe+0x38/0x80 ? driver_sysfs_add+0x51/0x80 really_probe+0xc5/0x3a0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x64f/0x860 __auxiliary_device_add+0x3b/0xa0 mlx5_sf_dev_add+0x139/0x330 [mlx5_core] mlx5_sf_dev_state_change_handler+0x1e4/0x250 [mlx5_core] notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_vhca_state_work_handler+0x151/0x200 [mlx5_core] process_one_work+0x13f/0x2e0 worker_thread+0x2bd/0x3c0 ? rescuer_thread+0x410/0x410 kthread+0xc4/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x2d/0x50 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20 </TASK> CVE-2024-38595 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: eth: sungem: remove .ndo_poll_controller to avoid deadlocks Erhard reports netpoll warnings from sungem: netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398) WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c gem_poll_controller() disables interrupts, which may sleep. We can't sleep in netpoll, it has interrupts disabled completely. Strangely, gem_poll_controller() doesn't even poll the completions, and instead acts as if an interrupt has fired so it just schedules NAPI and exits. None of this has been necessary for years, since netpoll invokes NAPI directly. CVE-2024-38597 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: md: fix resync softlockup when bitmap size is less than array size Is is reported that for dm-raid10, lvextend + lvchange --syncaction will trigger following softlockup: kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976] CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1 RIP: 0010:_raw_spin_unlock_irq+0x13/0x30 Call Trace: <TASK> md_bitmap_start_sync+0x6b/0xf0 raid10_sync_request+0x25c/0x1b40 [raid10] md_do_sync+0x64b/0x1020 md_thread+0xa7/0x170 kthread+0xcf/0x100 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1a/0x30 And the detailed process is as follows: md_do_sync j = mddev->resync_min while (j < max_sectors) sectors = raid10_sync_request(mddev, j, &skipped) if (!md_bitmap_start_sync(..., &sync_blocks)) // md_bitmap_start_sync set sync_blocks to 0 return sync_blocks + sectors_skippe; // sectors = 0; j += sectors; // j never change Root cause is that commit 301867b1c168 ("md/raid10: check slab-out-of-bounds in md_bitmap_get_counter") return early from md_bitmap_get_counter(), without setting returned blocks. Fix this problem by always set returned blocks from md_bitmap_get_counter"(), as it used to be. Noted that this patch just fix the softlockup problem in kernel, the case that bitmap size doesn't match array size still need to be fixed. CVE-2024-38598 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: jffs2: prevent xattr node from overflowing the eraseblock Add a check to make sure that the requested xattr node size is no larger than the eraseblock minus the cleanmarker. Unlike the usual inode nodes, the xattr nodes aren't split into parts and spread across multiple eraseblocks, which means that a xattr node must not occupy more than one eraseblock. If the requested xattr value is too large, the xattr node can spill onto the next eraseblock, overwriting the nodes and causing errors such as: jffs2: argh. node added in wrong place at 0x0000b050(2) jffs2: nextblock 0x0000a000, expected at 0000b00c jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, read=0xfc892c93, calc=0x000000 jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} jffs2: Node at 0x0000000c with length 0x00001044 would run over the end of the erase block jffs2: Perhaps the file system was created with the wrong erase size? jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x1044 instead This breaks the filesystem and can lead to KASAN crashes such as: BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 Read of size 4 at addr ffff88802c31e914 by task repro/830 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0 ? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2024-38599 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: ALSA: Fix deadlocks with kctl removals at disconnection In snd_card_disconnect(), we set card->shutdown flag at the beginning, call callbacks and do sync for card->power_ref_sleep waiters at the end. The callback may delete a kctl element, and this can lead to a deadlock when the device was in the suspended state. Namely: * A process waits for the power up at snd_power_ref_and_wait() in snd_ctl_info() or read/write() inside card->controls_rwsem. * The system gets disconnected meanwhile, and the driver tries to delete a kctl via snd_ctl_remove*(); it tries to take card->controls_rwsem again, but this is already locked by the above. Since the sleeper isn't woken up, this deadlocks. An easy fix is to wake up sleepers before processing the driver disconnect callbacks but right after setting the card->shutdown flag. Then all sleepers will abort immediately, and the code flows again. So, basically this patch moves the wait_event() call at the right timing. While we're at it, just to be sure, call wait_event_all() instead of wait_event(), although we don't use exclusive events on this queue for now. CVE-2024-38600 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix a race between readers and resize checks The reader code in rb_get_reader_page() swaps a new reader page into the ring buffer by doing cmpxchg on old->list.prev->next to point it to the new page. Following that, if the operation is successful, old->list.next->prev gets updated too. This means the underlying doubly-linked list is temporarily inconsistent, page->prev->next or page->next->prev might not be equal back to page for some page in the ring buffer. The resize operation in ring_buffer_resize() can be invoked in parallel. It calls rb_check_pages() which can detect the described inconsistency and stop further tracing: [ 190.271762] ------------[ cut here ]------------ [ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0 [ 190.271789] Modules linked in: [...] [ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1 [ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f [ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014 [ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0 [ 190.272023] Code: [...] [ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206 [ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80 [ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700 [ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000 [ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720 [ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000 [ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000 [ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0 [ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 190.272077] Call Trace: [ 190.272098] <TASK> [ 190.272189] ring_buffer_resize+0x2ab/0x460 [ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0 [ 190.272206] tracing_resize_ring_buffer+0x65/0x90 [ 190.272216] tracing_entries_write+0x74/0xc0 [ 190.272225] vfs_write+0xf5/0x420 [ 190.272248] ksys_write+0x67/0xe0 [ 190.272256] do_syscall_64+0x82/0x170 [ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 190.272373] RIP: 0033:0x7f1bd657d263 [ 190.272381] Code: [...] [ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263 [ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001 [ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000 [ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500 [ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002 [ 190.272412] </TASK> [ 190.272414] ---[ end trace 0000000000000000 ]--- Note that ring_buffer_resize() calls rb_check_pages() only if the parent trace_buffer has recording disabled. Recent commit d78ab792705c ("tracing: Stop current tracer when resizing buffer") causes that it is now always the case which makes it more likely to experience this issue. The window to hit this race is nonetheless very small. To help reproducing it, one can add a delay loop in rb_get_reader_page(): ret = rb_head_page_replace(reader, cpu_buffer->reader_page); if (!ret) goto spin; for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */ __asm__ __volatile__ ("" : : : "memory"); rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list; .. ---truncated--- CVE-2024-38601 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object "ax25_dev". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object "ax25_dev" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list. CVE-2024-38602 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() pci_alloc_irq_vectors() allocates an irq vector. When devm_add_action() fails, the irq vector is not freed, which leads to a memory leak. Replace the devm_add_action with devm_add_action_or_reset to ensure the irq vector can be destroyed when it fails. CVE-2024-38603 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: block: refine the EOF check in blkdev_iomap_begin blkdev_iomap_begin rounds down the offset to the logical block size before stashing it in iomap->offset and checking that it still is inside the inode size. Check the i_size check to the raw pos value so that we don't try a zero size write if iter->pos is unaligned. CVE-2024-38604 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: core: Fix NULL module pointer assignment at card init The commit 81033c6b584b ("ALSA: core: Warn on empty module") introduced a WARN_ON() for a NULL module pointer passed at snd_card object creation, and it also wraps the code around it with '#ifdef MODULE'. This works in most cases, but the devils are always in details. "MODULE" is defined when the target code (i.e. the sound core) is built as a module; but this doesn't mean that the caller is also built-in or not. Namely, when only the sound core is built-in (CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m), the passed module pointer is ignored even if it's non-NULL, and card->module remains as NULL. This would result in the missing module reference up/down at the device open/close, leading to a race with the code execution after the module removal. For addressing the bug, move the assignment of card->module again out of ifdef. The WARN_ON() is still wrapped with ifdef because the module can be really NULL when all sound drivers are built-in. Note that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would lead to a false-positive NULL module check. Admittedly it won't catch perfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no real problem as it's only for debugging, and the condition is pretty rare. CVE-2024-38605 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix netif state handling mlx5e_suspend cleans resources only if netif_device_present() returns true. However, mlx5e_resume changes the state of netif, via mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED. In the below case, the above leads to NULL-ptr Oops[1] and memory leaks: mlx5e_probe _mlx5e_resume mlx5e_attach_netdev mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach() register_netdev <-- failed for some reason. ERROR_FLOW: _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :( Hence, clean resources in this case as well. [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at0xffffffffffffffd6. RSP: 0018:ffff888178aaf758 EFLAGS: 00010246 Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x14c/0x3c0 ? exc_page_fault+0x75/0x140 ? asm_exc_page_fault+0x22/0x30 notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core] mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib] mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib] __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe1/0x210 [mlx5_ib] ? auxiliary_match_id+0x6a/0x90 auxiliary_bus_probe+0x38/0x80 ? driver_sysfs_add+0x51/0x80 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x637/0x840 __auxiliary_device_add+0x3b/0xa0 add_adev+0xc9/0x140 [mlx5_core] mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core] mlx5_register_device+0x53/0xa0 [mlx5_core] mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core] mlx5_init_one+0x3b/0x60 [mlx5_core] probe_one+0x44c/0x730 [mlx5_core] local_pci_probe+0x3e/0x90 pci_device_probe+0xbf/0x210 ? kernfs_create_link+0x5d/0xa0 ? sysfs_do_create_link_sd+0x60/0xc0 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 pci_bus_add_device+0x54/0x80 pci_iov_add_virtfn+0x2e6/0x320 sriov_enable+0x208/0x420 mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core] sriov_numvfs_store+0xae/0x1a0 kernfs_fop_write_iter+0x10c/0x1a0 vfs_write+0x291/0x3c0 ksys_write+0x5f/0xe0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- CVE-2024-38608 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() Patch series "mm: follow_pte() improvements and acrn follow_pte() fixes". Patch #1 fixes a bunch of issues I spotted in the acrn driver. It compiles, that's all I know. I'll appreciate some review and testing from acrn folks. Patch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding more sanity checks, and improving the documentation. Gave it a quick test on x86-64 using VM_PAT that ends up using follow_pte(). This patch (of 3): We currently miss handling various cases, resulting in a dangerous follow_pte() (previously follow_pfn()) usage. (1) We're not checking PTE write permissions. Maybe we should simply always require pte_write() like we do for pin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for ACRN_MEM_ACCESS_WRITE for now. (2) We're not rejecting refcounted pages. As we are not using MMU notifiers, messing with refcounted pages is dangerous and can result in use-after-free. Let's make sure to reject them. (3) We are only looking at the first PTE of a bigger range. We only lookup a single PTE, but memmap->len may span a larger area. Let's loop over all involved PTEs and make sure the PFN range is actually contiguous. Reject everything else: it couldn't have worked either way, and rather made use access PFNs we shouldn't be accessing. CVE-2024-38610 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: media: i2c: et8ek8: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text) CVE-2024-38611 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: cpufreq: exit() callback is optional The exit() callback is optional and shouldn't be called without checking a valid pointer first. Also, we must clear freq_table pointer even if the exit() callback isn't present. CVE-2024-38615 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: re-fix fortified-memset warning The carl9170_tx_release() function sometimes triggers a fortified-memset warning in my randconfig builds: In file included from include/linux/string.h:254, from drivers/net/wireless/ath/carl9170/tx.c:40: In function 'fortify_memset_chk', inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2, inlined from 'kref_put' at include/linux/kref.h:65:3, inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9: include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] 493 | __write_overflow_field(p_size_field, size); Kees previously tried to avoid this by using memset_after(), but it seems this does not fully address the problem. I noticed that the memset_after() here is done on a different part of the union (status) than the original cast was from (rate_driver_data), which may confuse the compiler. Unfortunately, the memset_after() trick does not work on driver_rates[] because that is part of an anonymous struct, and I could not get struct_group() to do this either. Using two separate memset() calls on the two members does address the warning though. CVE-2024-38616 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: kunit/fortify: Fix mismatched kvalloc()/vfree() usage The kv*() family of tests were accidentally freeing with vfree() instead of kvfree(). Use kvfree() instead. CVE-2024-38617 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Set lower bound of start tick time Currently ALSA timer doesn't have the lower limit of the start tick time, and it allows a very small size, e.g. 1 tick with 1ns resolution for hrtimer. Such a situation may lead to an unexpected RCU stall, where the callback repeatedly queuing the expire update, as reported by fuzzer. This patch introduces a sanity check of the timer start tick time, so that the system returns an error when a too small start size is set. As of this patch, the lower limit is hard-coded to 100us, which is small enough but can still work somehow. CVE-2024-38618 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Check whether the media is initialized The member "uzonesize" of struct alauda_info will remain 0 if alauda_init_media() fails, potentially causing divide errors in alauda_read_data() and alauda_write_lba(). - Add a member "media_initialized" to struct alauda_info. - Change a condition in alauda_check_media() to ensure the first initialization. - Add an error check for the return value of alauda_init_media(). CVE-2024-38619 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: stk1160: fix bounds checking in stk1160_copy_video() The subtract in this condition is reversed. The ->length is the length of the buffer. The ->bytesused is how many bytes we have copied thus far. When the condition is reversed that means the result of the subtraction is always negative but since it's unsigned then the result is a very high positive value. That means the overflow check is never true. Additionally, the ->bytesused doesn't actually work for this purpose because we're not writing to "buf->mem + buf->bytesused". Instead, the math to calculate the destination where we are writing is a bit involved. You calculate the number of full lines already written, multiply by two, skip a line if necessary so that we start on an odd numbered line, and add the offset into the line. To fix this buffer overflow, just take the actual destination where we are writing, if the offset is already out of bounds print an error and return. Otherwise, write up to buf->length bytes. CVE-2024-38621 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add callback function pointer check before its call In dpu_core_irq_callback_handler() callback function pointer is compared to NULL, but then callback function is unconditionally called by this pointer. Fix this bug by adding conditional return. Found by Linux Verification Center (linuxtesting.org) with SVACE. Patchwork: https://patchwork.freedesktop.org/patch/588237/ CVE-2024-38622 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: stm class: Fix a double free in stm_register_device() The put_device(&stm->dev) call will trigger stm_device_release() which frees "stm" so the vfree(stm) on the next line is a double free. CVE-2024-38627 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind. Hang on to the control IDs instead of pointers since those are correctly handled with locks. CVE-2024-38628 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Avoid unnecessary destruction of file_ida file_ida is allocated during cdev open and is freed accordingly during cdev release. This sequence is guaranteed by driver file operations. Therefore, there is no need to destroy an already empty file_ida when the WQ cdev is removed. Worse, ida_free() in cdev release may happen after destruction of file_ida per WQ cdev. This can lead to accessing an id in file_ida after it has been destroyed, resulting in a kernel panic. Remove ida_destroy(&file_ida) to address these issues. CVE-2024-38629 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released. CVE-2024-38630 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: max3100: Update uart_driver_registered on driver removal The removal of the last MAX3100 device triggers the removal of the driver. However, code doesn't update the respective global variable and after insmod - rmmod - insmod cycle the kernel oopses: max3100 spi-PRP0001:01: max3100_probe: adding port 0 BUG: kernel NULL pointer dereference, address: 0000000000000408 ... RIP: 0010:serial_core_register_port+0xa0/0x840 ... max3100_probe+0x1b6/0x280 [max3100] spi_probe+0x8d/0xb0 Update the actual state so next time UART driver will be registered again. Hugo also noticed, that the error path in the probe also affected by having the variable set, and not cleared. Instead of clearing it move the assignment after the successfull uart_register_driver() call. CVE-2024-38633 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: max3100: Lock port->lock when calling uart_handle_cts_change() uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100] CVE-2024-38634 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: soundwire: cadence: fix invalid PDI offset For some reason, we add an offset to the PDI, presumably to skip the PDI0 and PDI1 which are reserved for BPT. This code is however completely wrong and leads to an out-of-bounds access. We were just lucky so far since we used only a couple of PDIs and remained within the PDI array bounds. A Fixes: tag is not provided since there are no known platforms where the out-of-bounds would be accessed, and the initial code had problems as well. A follow-up patch completely removes this useless offset. CVE-2024-38635 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: f2fs: multidev: fix to recognize valid zero block address As reported by Yi Zhang in mailing list [1], kernel warning was catched during zbd/010 test as below: ./check zbd/010 zbd/010 (test gap zone support with F2FS) [failed] runtime ... 3.752s something found in dmesg: [ 4378.146781] run blktests zbd/010 at 2024-02-18 11:31:13 [ 4378.192349] null_blk: module loaded [ 4378.209860] null_blk: disk nullb0 created [ 4378.413285] scsi_debug:sdebug_driver_probe: scsi_debug: trim poll_queues to 0. poll_q/nr_hw = (0/1) [ 4378.422334] scsi host15: scsi_debug: version 0191 [20210520] dev_size_mb=1024, opts=0x0, submit_queues=1, statistics=0 [ 4378.434922] scsi 15:0:0:0: Direct-Access-ZBC Linux scsi_debug 0191 PQ: 0 ANSI: 7 [ 4378.443343] scsi 15:0:0:0: Power-on or device reset occurred [ 4378.449371] sd 15:0:0:0: Attached scsi generic sg5 type 20 [ 4378.449418] sd 15:0:0:0: [sdf] Host-managed zoned block device ... (See '/mnt/tests/gitlab.com/api/v4/projects/19168116/repository/archive.zip/storage/blktests/blk/blktests/results/nodev/zbd/010.dmesg' WARNING: CPU: 22 PID: 44011 at fs/iomap/iter.c:51 CPU: 22 PID: 44011 Comm: fio Not tainted 6.8.0-rc3+ #1 RIP: 0010:iomap_iter+0x32b/0x350 Call Trace: <TASK> __iomap_dio_rw+0x1df/0x830 f2fs_file_read_iter+0x156/0x3d0 [f2fs] aio_read+0x138/0x210 io_submit_one+0x188/0x8c0 __x64_sys_io_submit+0x8c/0x1a0 do_syscall_64+0x86/0x170 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Shinichiro Kawasaki helps to analyse this issue and proposes a potential fixing patch in [2]. Quoted from reply of Shinichiro Kawasaki: "I confirmed that the trigger commit is dbf8e63f48af as Yi reported. I took a look in the commit, but it looks fine to me. So I thought the cause is not in the commit diff. I found the WARN is printed when the f2fs is set up with multiple devices, and read requests are mapped to the very first block of the second device in the direct read path. In this case, f2fs_map_blocks() and f2fs_map_blocks_cached() modify map->m_pblk as the physical block address from each block device. It becomes zero when it is mapped to the first block of the device. However, f2fs_iomap_begin() assumes that map->m_pblk is the physical block address of the whole f2fs, across the all block devices. It compares map->m_pblk against NULL_ADDR == 0, then go into the unexpected branch and sets the invalid iomap->length. The WARN catches the invalid iomap->length. This WARN is printed even for non-zoned block devices, by following steps. - Create two (non-zoned) null_blk devices memory backed with 128MB size each: nullb0 and nullb1. # mkfs.f2fs /dev/nullb0 -c /dev/nullb1 # mount -t f2fs /dev/nullb0 "${mount_dir}" # dd if=/dev/zero of="${mount_dir}/test.dat" bs=1M count=192 # dd if="${mount_dir}/test.dat" of=/dev/null bs=1M count=192 iflag=direct ..." So, the root cause of this issue is: when multi-devices feature is on, f2fs_map_blocks() may return zero blkaddr in non-primary device, which is a verified valid block address, however, f2fs_iomap_begin() treats it as an invalid block address, and then it triggers the warning in iomap framework code. Finally, as discussed, we decide to use a more simple and direct way that checking (map.m_flags & F2FS_MAP_MAPPED) condition instead of (map.m_pblk != NULL_ADDR) to fix this issue. Thanks a lot for the effort of Yi Zhang and Shinichiro Kawasaki on this issue. [1] https://lore.kernel.org/linux-f2fs-devel/CAHj4cs-kfojYC9i0G73PRkYzcxCTex=-vugRFeP40g_URGvnfQ@mail.gmail.com/ [2] https://lore.kernel.org/linux-f2fs-devel/gngdj77k4picagsfdtiaa7gpgnup6fsgwzsltx6milmhegmjff@iax2n4wvrqye/ CVE-2024-38636 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: enic: Validate length of nl attributes in enic_set_vf_port enic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE is of length PORT_PROFILE_MAX and that the nl attributes IFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX. These attributes are validated (in the function do_setlink in rtnetlink.c) using the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE as NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and IFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation using the policy is for the max size of the attributes and not on exact size so the length of these attributes might be less than the sizes that enic_set_vf_port expects. This might cause an out of bands read access in the memcpys of the data of these attributes in enic_set_vf_port. CVE-2024-38659 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/ap: Fix crash in AP internal function modify_bitmap() A system crash like this Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403 Fault in home space mode while using kernel ASCE. AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d Oops: 0038 ilc:3 [#1] PREEMPT SMP Modules linked in: mlx5_ib ... CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8 Hardware name: IBM 3931 A01 704 (LPAR) Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8 Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a 0000014b75e7b600: 18b2 lr %r11,%r2 #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616 >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13) 0000014b75e7b60c: a7680001 lhi %r6,1 0000014b75e7b610: 187b lr %r7,%r11 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654 0000014b75e7b616: 18e9 lr %r14,%r9 Call Trace: [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8 ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8) [<0000014b75e7b758>] apmask_store+0x68/0x140 [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8 [<0000014b75598524>] vfs_write+0x1b4/0x448 [<0000014b7559894c>] ksys_write+0x74/0x100 [<0000014b7618a440>] __do_syscall+0x268/0x328 [<0000014b761a3558>] system_call+0x70/0x98 INFO: lockdep is turned off. Last Breaking-Event-Address: [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8 Kernel panic - not syncing: Fatal exception: panic_on_oops occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value (like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX. The fix is simple: use unsigned long values for the internal variables. The correct checks are already in place in the function but a simple int for the internal variables was used with the possibility to overflow. CVE-2024-38661 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix list corruption from resetting io stat Since commit 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()"), each iostat instance is added to blkcg percpu list, so blkcg_reset_stats() can't reset the stat instance by memset(), otherwise the llist may be corrupted. Fix the issue by only resetting the counter part. CVE-2024-38663 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: zynqmp_dpsub: Always register bridge We must always register the DRM bridge, since zynqmp_dp_hpd_work_func calls drm_bridge_hpd_notify, which in turn expects hpd_mutex to be initialized. We do this before zynqmp_dpsub_drm_init since that calls drm_bridge_attach. This fixes the following lockdep warning: [ 19.217084] ------------[ cut here ]------------ [ 19.227530] DEBUG_LOCKS_WARN_ON(lock->magic != lock) [ 19.227768] WARNING: CPU: 0 PID: 140 at kernel/locking/mutex.c:582 __mutex_lock+0x4bc/0x550 [ 19.241696] Modules linked in: [ 19.244937] CPU: 0 PID: 140 Comm: kworker/0:4 Not tainted 6.6.20+ #96 [ 19.252046] Hardware name: xlnx,zynqmp (DT) [ 19.256421] Workqueue: events zynqmp_dp_hpd_work_func [ 19.261795] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 19.269104] pc : __mutex_lock+0x4bc/0x550 [ 19.273364] lr : __mutex_lock+0x4bc/0x550 [ 19.277592] sp : ffffffc085c5bbe0 [ 19.281066] x29: ffffffc085c5bbe0 x28: 0000000000000000 x27: ffffff88009417f8 [ 19.288624] x26: ffffff8800941788 x25: ffffff8800020008 x24: ffffffc082aa3000 [ 19.296227] x23: ffffffc080d90e3c x22: 0000000000000002 x21: 0000000000000000 [ 19.303744] x20: 0000000000000000 x19: ffffff88002f5210 x18: 0000000000000000 [ 19.311295] x17: 6c707369642e3030 x16: 3030613464662072 x15: 0720072007200720 [ 19.318922] x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 0000000000000001 [ 19.326442] x11: 0001ffc085c5b940 x10: 0001ff88003f388b x9 : 0001ff88003f3888 [ 19.334003] x8 : 0001ff88003f3888 x7 : 0000000000000000 x6 : 0000000000000000 [ 19.341537] x5 : 0000000000000000 x4 : 0000000000001668 x3 : 0000000000000000 [ 19.349054] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff88003f3880 [ 19.356581] Call trace: [ 19.359160] __mutex_lock+0x4bc/0x550 [ 19.363032] mutex_lock_nested+0x24/0x30 [ 19.367187] drm_bridge_hpd_notify+0x2c/0x6c [ 19.371698] zynqmp_dp_hpd_work_func+0x44/0x54 [ 19.376364] process_one_work+0x3ac/0x988 [ 19.380660] worker_thread+0x398/0x694 [ 19.384736] kthread+0x1bc/0x1c0 [ 19.388241] ret_from_fork+0x10/0x20 [ 19.392031] irq event stamp: 183 [ 19.395450] hardirqs last enabled at (183): [<ffffffc0800b9278>] finish_task_switch.isra.0+0xa8/0x2d4 [ 19.405140] hardirqs last disabled at (182): [<ffffffc081ad3754>] __schedule+0x714/0xd04 [ 19.413612] softirqs last enabled at (114): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c [ 19.423128] softirqs last disabled at (110): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c [ 19.432614] ---[ end trace 0000000000000000 ]--- (cherry picked from commit 61ba791c4a7a09a370c45b70a81b8c7d4cf6b2ae) CVE-2024-38664 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma-buf/sw-sync: don't enable IRQ from sync_print_obj() Since commit a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from known context") by error replaced spin_unlock_irqrestore() with spin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite sync_print_obj() is called from sync_debugfs_show(), lockdep complains inconsistent lock state warning. Use plain spin_{lock,unlock}() for sync_print_obj(), for sync_debugfs_show() is already using spin_{lock,unlock}_irq(). CVE-2024-38780 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() Syzbot reports a warning as follows: ============================================ WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290 Modules linked in: CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7 RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419 Call Trace: <TASK> ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375 generic_shutdown_super+0x136/0x2d0 fs/super.c:641 kill_block_super+0x44/0x90 fs/super.c:1675 ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327 [...] ============================================ This is because when finding an entry in ext4_xattr_block_cache_find(), if ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown in the __entry_find(), won't be put away, and eventually trigger the above issue in mb_cache_destroy() due to reference count leakage. So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix. CVE-2024-39276 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma-mapping: benchmark: handle NUMA_NO_NODE correctly cpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark() resulting in the following sanitizer report: UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28 index -1 is out of range for type 'cpumask [64][1]' CPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) ubsan_epilogue (lib/ubsan.c:232) __ubsan_handle_out_of_bounds (lib/ubsan.c:429) cpumask_of_node (arch/x86/include/asm/topology.h:72) [inline] do_map_benchmark (kernel/dma/map_benchmark.c:104) map_benchmark_ioctl (kernel/dma/map_benchmark.c:246) full_proxy_unlocked_ioctl (fs/debugfs/file.c:333) __x64_sys_ioctl (fs/ioctl.c:890) do_syscall_64 (arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Use cpumask_of_node() in place when binding a kernel thread to a cpuset of a particular node. Note that the provided node id is checked inside map_benchmark_ioctl(). It's just a NUMA_NO_NODE case which is not handled properly later. Found by Linux Verification Center (linuxtesting.org). CVE-2024-39277 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode() The function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generating about potential truncation of output when using the snprintf function. The issue was due to the size of the buffer 'ucode_prefix' being too small to accommodate the maximum possible length of the string being written into it. The string being written is "amdgpu/%s_mec.bin" or "amdgpu/%s_rlc.bin", where %s is replaced by the value of 'chip_name'. The length of this string without the %s is 16 characters. The warning message indicated that 'chip_name' could be up to 29 characters long, resulting in a total of 45 characters, which exceeds the buffer size of 30 characters. To resolve this issue, the size of the 'ucode_prefix' buffer has been reduced from 30 to 15. This ensures that the maximum possible length of the string being written into the buffer will not exceed its size, thus preventing potential buffer overflow and truncation issues. Fixes the below with gcc W=1: drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: In function 'gfx_v9_4_3_early_init': drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: warning: '%s' directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=] 379 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name); | ^~ ...... 439 | r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix); | ~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: note: 'snprintf' output between 16 and 45 bytes into a destination of size 30 379 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: warning: '%s' directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=] 413 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name); | ^~ ...... 443 | r = gfx_v9_4_3_init_cp_compute_microcode(adev, ucode_prefix); | ~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: note: 'snprintf' output between 16 and 45 bytes into a destination of size 30 413 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ CVE-2024-39291 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: bonding: fix oops during rmmod "rmmod bonding" causes an oops ever since commit cc317ea3d927 ("bonding: remove redundant NULL check in debugfs function"). Here are the relevant functions being called: bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); bonding_debug_root = NULL; <--------- SET TO NULL HERE bond_netlink_fini() rtnl_link_unregister() __rtnl_link_unregister() unregister_netdevice_many_notify() bond_uninit() bond_debug_unregister() (commit removed check for bonding_debug_root == NULL) debugfs_remove() simple_recursive_removal() down_write() -> OOPS However, reverting the bad commit does not solve the problem completely because the original code contains a race that could cause the same oops, although it was much less likely to be triggered unintentionally: CPU1 rmmod bonding bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); CPU2 echo -bond0 > /sys/class/net/bonding_masters bond_uninit() bond_debug_unregister() if (!bonding_debug_root) CPU1 bonding_debug_root = NULL; So do NOT revert the bad commit (since the removed checks were racy anyway), and instead change the order of actions taken during module removal. The same oops can also happen if there is an error during module init, so apply the same fix there. CVE-2024-39296 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/9p: fix uninit-value in p9_client_rpc() Syzbot with the help of KMSAN reported the following error: BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline] BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 trace_9p_client_res include/trace/events/9p.h:146 [inline] p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2175 [inline] allocate_slab mm/slub.c:2338 [inline] new_slab+0x2de/0x1400 mm/slub.c:2391 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525 __slab_alloc mm/slub.c:3610 [inline] __slab_alloc_node mm/slub.c:3663 [inline] slab_alloc_node mm/slub.c:3835 [inline] kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852 p9_tag_alloc net/9p/client.c:278 [inline] p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641 p9_client_rpc+0x27e/0x1340 net/9p/client.c:688 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag will not be properly initialized. However, trace_9p_client_res() ends up trying to print it out anyway before p9_client_rpc() finishes. Fix this issue by assigning default values to p9_fcall fields such as 'tag' and (just in case KMSAN unearths something new) 'id' during the tag allocation stage. CVE-2024-39301 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-39362 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring: check for non-NULL file pointer in io_file_can_poll() In earlier kernels, it was possible to trigger a NULL pointer dereference off the forced async preparation path, if no file had been assigned. The trace leading to that looks as follows: BUG: kernel NULL pointer dereference, address: 00000000000000b0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022 RIP: 0010:io_buffer_select+0xc3/0x210 Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246 RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040 RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700 RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020 R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8 R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000 FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0 Call Trace: <TASK> ? __die+0x1f/0x60 ? page_fault_oops+0x14d/0x420 ? do_user_addr_fault+0x61/0x6a0 ? exc_page_fault+0x6c/0x150 ? asm_exc_page_fault+0x22/0x30 ? io_buffer_select+0xc3/0x210 __io_import_iovec+0xb5/0x120 io_readv_prep_async+0x36/0x70 io_queue_sqe_fallback+0x20/0x260 io_submit_sqes+0x314/0x630 __do_sys_io_uring_enter+0x339/0xbc0 ? __do_sys_io_uring_register+0x11b/0xc50 ? vm_mmap_pgoff+0xce/0x160 do_syscall_64+0x5f/0x180 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x55e0a110a67e Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6 because the request is marked forced ASYNC and has a bad file fd, and hence takes the forced async prep path. Current kernels with the request async prep cleaned up can no longer hit this issue, but for ease of backporting, let's add this safety check in here too as it really doesn't hurt. For both cases, this will inevitably end with a CQE posted with -EBADF. CVE-2024-39371 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: 9p: add missing locking around taking dentry fid list Fix a use-after-free on dentry's d_fsdata fid list when a thread looks up a fid through dentry while another thread unlinks it: UAF thread: refcount_t: addition on 0; use-after-free. p9_fid_get linux/./include/net/9p/client.h:262 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248 Freed by: p9_fid_destroy (inlined) p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456 p9_fid_put linux/./include/net/9p/client.h:278 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335 The problem is that d_fsdata was not accessed under d_lock, because d_release() normally is only called once the dentry is otherwise no longer accessible but since we also call it explicitly in v9fs_remove that lock is required: move the hlist out of the dentry under lock then unref its fids once they are no longer accessible. CVE-2024-39463 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/qcom/lmh: Check for SCM availability at probe Up until now, the necessary scm availability check has not been performed, leading to possible null pointer dereferences (which did happen for me on RB1). Fix that. CVE-2024-39466 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix deadlock in smb2_find_smb_tcon() Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such deadlock. CVE-2024-39468 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors The error handling in nilfs_empty_dir() when a directory folio/page read fails is incorrect, as in the old ext2 implementation, and if the folio/page cannot be read or nilfs_check_folio() fails, it will falsely determine the directory as empty and corrupt the file system. In addition, since nilfs_empty_dir() does not immediately return on a failed folio/page read, but continues to loop, this can cause a long loop with I/O if i_size of the directory's inode is also corrupted, causing the log writer thread to wait and hang, as reported by syzbot. Fix these issues by making nilfs_empty_dir() immediately return a false value (0) if it fails to get a directory folio/page. CVE-2024-39469 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add error handle to avoid out-of-bounds if the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should be stop to avoid out-of-bounds read, so directly return -EINVAL. CVE-2024-39471 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: xfs: fix log recovery buffer allocation for the legacy h_size fixup Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by mkfs") added a fixup for incorrect h_size values used for the initial umount record in old xfsprogs versions. Later commit 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") cleaned up the log reover buffer calculation, but stoped using the fixed up h_size value to size the log recovery buffer, which can lead to an out of bounds access when the incorrect h_size does not come from the old mkfs tool, but a fuzzer. Fix this by open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation. CVE-2024-39472 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension If a process module does not have base config extension then the same format applies to all of it's inputs and the process->base_config_ext is NULL, causing NULL dereference when specifically crafted topology and sequences used. CVE-2024-39473 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL commit a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc") includes support for __GFP_NOFAIL, but it presents a conflict with commit dd544141b9eb ("vmalloc: back off when the current task is OOM-killed"). A possible scenario is as follows: process-a __vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL) __vmalloc_area_node() vm_area_alloc_pages() --> oom-killer send SIGKILL to process-a if (fatal_signal_pending(current)) break; --> return NULL; To fix this, do not check fatal_signal_pending() in vm_area_alloc_pages() if __GFP_NOFAIL set. This issue occurred during OPLUS KASAN TEST. Below is part of the log -> oom-killer sends signal to process [65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198 [65731.259685] [T32454] Call trace: [65731.259698] [T32454] dump_backtrace+0xf4/0x118 [65731.259734] [T32454] show_stack+0x18/0x24 [65731.259756] [T32454] dump_stack_lvl+0x60/0x7c [65731.259781] [T32454] dump_stack+0x18/0x38 [65731.259800] [T32454] mrdump_common_die+0x250/0x39c [mrdump] [65731.259936] [T32454] ipanic_die+0x20/0x34 [mrdump] [65731.260019] [T32454] atomic_notifier_call_chain+0xb4/0xfc [65731.260047] [T32454] notify_die+0x114/0x198 [65731.260073] [T32454] die+0xf4/0x5b4 [65731.260098] [T32454] die_kernel_fault+0x80/0x98 [65731.260124] [T32454] __do_kernel_fault+0x160/0x2a8 [65731.260146] [T32454] do_bad_area+0x68/0x148 [65731.260174] [T32454] do_mem_abort+0x151c/0x1b34 [65731.260204] [T32454] el1_abort+0x3c/0x5c [65731.260227] [T32454] el1h_64_sync_handler+0x54/0x90 [65731.260248] [T32454] el1h_64_sync+0x68/0x6c [65731.260269] [T32454] z_erofs_decompress_queue+0x7f0/0x2258 --> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL); kernel panic by NULL pointer dereference. erofs assume kvmalloc with __GFP_NOFAIL never return NULL. [65731.260293] [T32454] z_erofs_runqueue+0xf30/0x104c [65731.260314] [T32454] z_erofs_readahead+0x4f0/0x968 [65731.260339] [T32454] read_pages+0x170/0xadc [65731.260364] [T32454] page_cache_ra_unbounded+0x874/0xf30 [65731.260388] [T32454] page_cache_ra_order+0x24c/0x714 [65731.260411] [T32454] filemap_fault+0xbf0/0x1a74 [65731.260437] [T32454] __do_fault+0xd0/0x33c [65731.260462] [T32454] handle_mm_fault+0xf74/0x3fe0 [65731.260486] [T32454] do_mem_abort+0x54c/0x1b34 [65731.260509] [T32454] el0_da+0x44/0x94 [65731.260531] [T32454] el0t_64_sync_handler+0x98/0xb4 [65731.260553] [T32454] el0t_64_sync+0x198/0x19c CVE-2024-39474 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: savage: Handle err return when savagefb_check_var failed The commit 04e5eac8f3ab("fbdev: savage: Error out if pixclock equals zero") checks the value of pixclock to avoid divide-by-zero error. However the function savagefb_probe doesn't handle the error return of savagefb_check_var. When pixclock is 0, it will cause divide-by-zero error. CVE-2024-39475 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915/hwmon: Get rid of devm When both hwmon and hwmon drvdata (on which hwmon depends) are device managed resources, the expectation, on device unbind, is that hwmon will be released before drvdata. However, in i915 there are two separate code paths, which both release either drvdata or hwmon and either can be released before the other. These code paths (for device unbind) are as follows (see also the bug referenced below): Call Trace: release_nodes+0x11/0x70 devres_release_group+0xb2/0x110 component_unbind_all+0x8d/0xa0 component_del+0xa5/0x140 intel_pxp_tee_component_fini+0x29/0x40 [i915] intel_pxp_fini+0x33/0x80 [i915] i915_driver_remove+0x4c/0x120 [i915] i915_pci_remove+0x19/0x30 [i915] pci_device_remove+0x32/0xa0 device_release_driver_internal+0x19c/0x200 unbind_store+0x9c/0xb0 and Call Trace: release_nodes+0x11/0x70 devres_release_all+0x8a/0xc0 device_unbind_cleanup+0x9/0x70 device_release_driver_internal+0x1c1/0x200 unbind_store+0x9c/0xb0 This means that in i915, if use devm, we cannot gurantee that hwmon will always be released before drvdata. Which means that we have a uaf if hwmon sysfs is accessed when drvdata has been released but hwmon hasn't. The only way out of this seems to be do get rid of devm_ and release/free everything explicitly during device unbind. v2: Change commit message and other minor code changes v3: Cleanup from i915_hwmon_register on error (Armin Wolf) v4: Eliminate potential static analyzer warning (Rodrigo) Eliminate fetch_and_zero (Jani) v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi) CVE-2024-39479 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: mc: Fix graph walk in media_pipeline_start The graph walk tries to follow all links, even if they are not between pads. This causes a crash with, e.g. a MEDIA_LNK_FL_ANCILLARY_LINK link. Fix this by allowing the walk to proceed only for MEDIA_LNK_FL_DATA_LINK links. CVE-2024-39481 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: bcache: fix variable length array abuse in btree_iter btree_iter is used in two ways: either allocated on the stack with a fixed size MAX_BSETS, or from a mempool with a dynamic size based on the specific cache set. Previously, the struct had a fixed-length array of size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized iterators, which causes UBSAN to complain. This patch uses the same approach as in bcachefs's sort_iter and splits the iterator into a btree_iter with a flexible array member and a btree_iter_stack which embeds a btree_iter as well as a fixed-length data array. CVE-2024-39482 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 drivers/net/bonding/bond_options.c:1201 __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767 __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792 bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817 bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156 dev_attr_store+0x54/0x80 drivers/base/core.c:2366 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x96a/0xd80 fs/read_write.c:584 ksys_write+0x122/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b ---[ end trace ]--- Fix it by adding a check of string length before using it. CVE-2024-39487 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix missing sk_buff release in seg6_input_core The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak. This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks. The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails. CVE-2024-39490 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead. CVE-2024-39494 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section. CVE-2024-39496 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2 [Why] Commit: - commit 5aa1dfcdf0a4 ("drm/mst: Refactor the flow for payload allocation/removement") accidently overwrite the commit - commit 54d217406afe ("drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2") which cause regression. [How] Recover the original NULL fix and remove the unnecessary input parameter 'state' for drm_dp_add_payload_part2(). (cherry picked from commit 4545614c1d8da603e57b60dd66224d81b6ffc305) CVE-2024-39498 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ionic: fix use after netif_napi_del() When queues are started, netif_napi_add() and napi_enable() are called. If there are 4 queues and only 3 queues are used for the current configuration, only 3 queues' napi should be registered and enabled. The ionic_qcq_enable() checks whether the .poll pointer is not NULL for enabling only the using queue' napi. Unused queues' napi will not be registered by netif_napi_add(), so the .poll pointer indicates NULL. But it couldn't distinguish whether the napi was unregistered or not because netif_napi_del() doesn't reset the .poll pointer to NULL. So, ionic_qcq_enable() calls napi_enable() for the queue, which was unregistered by netif_napi_del(). Reproducer: ethtool -L <interface name> rx 1 tx 1 combined 0 ethtool -L <interface name> rx 0 tx 0 combined 1 ethtool -L <interface name> rx 0 tx 0 combined 4 Splat looks like: kernel BUG at net/core/dev.c:6666! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16 Workqueue: events ionic_lif_deferred_work [ionic] RIP: 0010:napi_enable+0x3b/0x40 Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28 RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20 FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> ? die+0x33/0x90 ? do_trap+0xd9/0x100 ? napi_enable+0x3b/0x40 ? do_error_trap+0x83/0xb0 ? napi_enable+0x3b/0x40 ? napi_enable+0x3b/0x40 ? exc_invalid_op+0x4e/0x70 ? napi_enable+0x3b/0x40 ? asm_exc_invalid_op+0x16/0x20 ? napi_enable+0x3b/0x40 ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] process_one_work+0x145/0x360 worker_thread+0x2bb/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0xcc/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 CVE-2024-39502 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: validate mandatory meta and payload Check for mandatory netlink attributes in payload and meta expression when used embedded from the inner expression, otherwise NULL pointer dereference is possible from userspace. CVE-2024-39504 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash problem in concurrent scenario When link status change, the nic driver need to notify the roce driver to handle this event, but at this time, the roce driver may uninit, then cause kernel crash. To fix the problem, when link status change, need to check whether the roce registered, and when uninit, need to wait link update finish. CVE-2024-39507 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur. CVE-2024-39894 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:openssh-9.6p1-150600.6.9.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:openssh-clients-9.6p1-150600.6.9.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:openssh-common-9.6p1-150600.6.9.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:openssh-server-9.6p1-150600.6.9.1 moderate Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-4076 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:bind-utils-9.18.28-150600.3.3.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump: BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965 For full log, please look at [1]. Make the allocation at least the size of sizeof(unsigned long) so that set_bit() and test_bit() have sufficient room for read/write operations without overwriting unallocated memory. [1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/ CVE-2024-40901 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always stop health timer during driver removal Currently, if teardown_hca fails to execute during driver removal, mlx5 does not stop the health timer. Afterwards, mlx5 continue with driver teardown. This may lead to a UAF bug, which results in page fault Oops[1], since the health timer invokes after resources were freed. Hence, stop the health monitor even if teardown_hca fails. [1] mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: cleanup mlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource mlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup BUG: unable to handle page fault for address: ffffa26487064230 PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1 Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020 RIP: 0010:ioread32be+0x34/0x60 RSP: 0018:ffffa26480003e58 EFLAGS: 00010292 RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0 RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230 RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8 R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0 R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0 FS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? exc_page_fault+0x175/0x180 ? asm_exc_page_fault+0x26/0x30 ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? ioread32be+0x34/0x60 mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] poll_health+0x42/0x230 [mlx5_core] ? __next_timer_interrupt+0xbc/0x110 ? __pfx_poll_health+0x10/0x10 [mlx5_core] call_timer_fn+0x21/0x130 ? __pfx_poll_health+0x10/0x10 [mlx5_core] __run_timers+0x222/0x2c0 run_timer_softirq+0x1d/0x40 __do_softirq+0xc9/0x2c8 __irq_exit_rcu+0xa6/0xc0 sysvec_apic_timer_interrupt+0x72/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:cpuidle_enter_state+0xcc/0x440 ? cpuidle_enter_state+0xbd/0x440 cpuidle_enter+0x2d/0x40 do_idle+0x20d/0x270 cpu_startup_entry+0x2a/0x30 rest_init+0xd0/0xd0 arch_call_rest_init+0xe/0x30 start_kernel+0x709/0xa90 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x96/0xa0 secondary_startup_64_no_verify+0x18f/0x19b ---[ end trace 0000000000000000 ]--- CVE-2024-40906 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Set run context for rawtp test_run callback syzbot reported crash when rawtp program executed through the test_run interface calls bpf_get_attach_cookie helper or any other helper that touches task->bpf_ctx pointer. Setting the run context (task->bpf_ctx pointer) for test_run callback. CVE-2024-40908 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() In case of token is released due to token->state == BNXT_HWRM_DEFERRED, released token (set to NULL) is used in log messages. This issue is expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But this error code is returned by recent firmware. So some firmware may not return it. This may lead to NULL pointer dereference. Adjust this issue by adding token pointer check. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-40919 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: vmxnet3: disable rx data ring on dma allocation failure When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base, the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset rq->data_ring.desc_size for the data ring that failed, which presumably causes the hypervisor to reference it on packet reception. To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell the hypervisor to disable this feature. [ 95.436876] kernel BUG at net/core/skbuff.c:207! [ 95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1 [ 95.441558] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018 [ 95.443481] RIP: 0010:skb_panic+0x4d/0x4f [ 95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50 ff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9 ff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24 [ 95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246 [ 95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f [ 95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f [ 95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60 [ 95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000 [ 95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0 [ 95.455682] FS: 0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000 [ 95.457178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0 [ 95.459791] Call Trace: [ 95.460515] <IRQ> [ 95.461180] ? __die_body.cold+0x19/0x27 [ 95.462150] ? die+0x2e/0x50 [ 95.462976] ? do_trap+0xca/0x110 [ 95.463973] ? do_error_trap+0x6a/0x90 [ 95.464966] ? skb_panic+0x4d/0x4f [ 95.465901] ? exc_invalid_op+0x50/0x70 [ 95.466849] ? skb_panic+0x4d/0x4f [ 95.467718] ? asm_exc_invalid_op+0x1a/0x20 [ 95.468758] ? skb_panic+0x4d/0x4f [ 95.469655] skb_put.cold+0x10/0x10 [ 95.470573] vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3] [ 95.471853] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3] [ 95.473185] __napi_poll+0x2b/0x160 [ 95.474145] net_rx_action+0x2c6/0x3b0 [ 95.475115] handle_softirqs+0xe7/0x2a0 [ 95.476122] __irq_exit_rcu+0x97/0xb0 [ 95.477109] common_interrupt+0x85/0xa0 [ 95.478102] </IRQ> [ 95.478846] <TASK> [ 95.479603] asm_common_interrupt+0x26/0x40 [ 95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246 [ 95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000 [ 95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001 [ 95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3 [ 95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260 [ 95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000 [ 95.495035] acpi_safe_halt+0x14/0x20 [ 95.496127] acpi_idle_do_entry+0x2f/0x50 [ 95.497221] acpi_idle_enter+0x7f/0xd0 [ 95.498272] cpuidle_enter_state+0x81/0x420 [ 95.499375] cpuidle_enter+0x2d/0x40 [ 95.500400] do_idle+0x1e5/0x240 [ 95.501385] cpu_startup_entry+0x29/0x30 [ 95.502422] start_secondary+0x11c/0x140 [ 95.503454] common_startup_64+0x13e/0x141 [ 95.504466] </TASK> [ 95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip ---truncated--- CVE-2024-40923 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: block: fix request.queuelist usage in flush Friedrich Weber reported a kernel crash problem and bisected to commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine"). The root cause is that we use "list_move_tail(&rq->queuelist, pending)" in the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since it's popped out from plug->cached_rq in __blk_mq_alloc_requests_batch(). We don't initialize its queuelist just for this first request, although the queuelist of all later popped requests will be initialized. Fix it by changing to use "list_add_tail(&rq->queuelist, pending)" so rq->queuelist doesn't need to be initialized. It should be ok since rq can't be on any list when PREFLUSH or POSTFLUSH, has no move actually. Please note the commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine") also has another requirement that no drivers would touch rq->queuelist after blk_mq_end_request() since we will reuse it to add rq to the post-flush pending list in POSTFLUSH. If this is not true, we will have to revert that commit IMHO. This updated version adds "list_del_init(&rq->queuelist)" in flush rq callback since the dm layer may submit request of a weird invalid format (REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), which causes double list_add if without this "list_del_init(&rq->queuelist)". The weird invalid format problem should be fixed in dm layer. CVE-2024-40925 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() Clang static checker (scan-build) warning: net/ethtool/ioctl.c:line 2233, column 2 Called function pointer is null (null dereference). Return '-EOPNOTSUPP' when 'ops->get_ethtool_phy_stats' is NULL to fix this typo error. CVE-2024-40928 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_una is properly initialized on connect This is strictly related to commit fb7a0d334894 ("mptcp: ensure snd_nxt is properly initialized on connect"). It turns out that syzkaller can trigger the retransmit after fallback and before processing any other incoming packet - so that snd_una is still left uninitialized. Address the issue explicitly initializing snd_una together with snd_nxt and write_seq. CVE-2024-40931 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: flush all requests after setting CACHEFILES_DEAD In ondemand mode, when the daemon is processing an open request, if the kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write() will always return -EIO, so the daemon can't pass the copen to the kernel. Then the kernel process that is waiting for the copen triggers a hung_task. Since the DEAD state is irreversible, it can only be exited by closing /dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark the cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to avoid the above hungtask. We may still be able to read some of the cached data before closing the fd of /dev/cachefiles. Note that this relies on the patch that adds reference counting to the req, otherwise it may UAF. CVE-2024-40935 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: gve: Clear napi->skb before dev_kfree_skb_any() gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it is freed with dev_kfree_skb_any(). This can result in a subsequent call to napi_get_frags returning a dangling pointer. Fix this by clearing napi->skb before the skb is freed. CVE-2024-40937 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix tainted pointer delete is case of flow rules creation fail In case of flow rule creation fail in mlx5_lag_create_port_sel_table(), instead of previously created rules, the tainted pointer is deleted deveral times. Fix this bug by using correct flow rules pointers. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-40940 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ima: Avoid blocking in RCU read-side critical section A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] CVE-2024-40947 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/page_table_check: fix crash on ZONE_DEVICE Not all pages may apply to pgtable check. One example is ZONE_DEVICE pages: they map PFNs directly, and they don't allocate page_ext at all even if there's struct page around. One may reference devm_memremap_pages(). When both ZONE_DEVICE and page-table-check enabled, then try to map some dax memories, one can trigger kernel bug constantly now when the kernel was trying to inject some pfn maps on the dax device: kernel BUG at mm/page_table_check.c:55! While it's pretty legal to use set_pxx_at() for ZONE_DEVICE pages for page fault resolutions, skip all the checks if page_ext doesn't even exist in pgtable checker, which applies to ZONE_DEVICE but maybe more. CVE-2024-40948 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000 CVE-2024-40953 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible NULL dereference in rt6_probe() syzbot caught a NULL dereference in rt6_probe() [1] Bail out if __in6_dev_get() returns NULL. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f] CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline] RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758 Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19 RSP: 0018:ffffc900034af070 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000 RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000 FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784 nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496 __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825 find_rr_leaf net/ipv6/route.c:853 [inline] rt6_select net/ipv6/route.c:897 [inline] fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195 ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231 pol_lookup_func include/net/ip6_fib.h:616 [inline] fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121 ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline] ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651 ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147 ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250 rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898 inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_write_iter+0x4b8/0x5c0 net/socket.c:1160 new_sync_write fs/read_write.c:497 [inline] vfs_write+0x6b6/0x1140 fs/read_write.c:590 ksys_write+0x1f8/0x260 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-40960 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible NULL deref in fib6_nh_init() syzbot reminds us that in6_dev_get() can return NULL. fib6_nh_init() ip6_validate_gw( &idev ) ip6_route_check_nh( idev ) *idev = in6_dev_get(dev); // can be NULL Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606 Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b RSP: 0018:ffffc900032775a0 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8 RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000 R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8 R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000 FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809 ip6_route_add+0x28/0x160 net/ipv6/route.c:3853 ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483 inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f940f07cea9 CVE-2024-40961 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tty: add the option to have a tty reject a new ldisc ... and use it to limit the virtual terminals to just N_TTY. They are kind of special, and in particular, the "con_write()" routine violates the "writes cannot sleep" rule that some ldiscs rely on. This avoids the BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659 when N_GSM has been attached to a virtual console, and gsmld_write() calls con_write() while holding a spinlock, and con_write() then tries to get the console lock. CVE-2024-40966 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: Avoid hw_desc array overrun in dw-axi-dmac I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3 segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put() handles the hw_desc considering the descs_allocated, this scenario would result in a kernel panic (hw_desc array will be overrun). To fix this, the proposal is to add a new member to the axi_dma_desc structure, where we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in axi_desc_put() to handle the hw_desc array correctly. Additionally I propose to remove the axi_chan_start_first_queued() call after completing the transfer, since it was identified that unbalance can occur (started descriptors can be interrupted and transfer ignored due to DMA channel not being enabled). CVE-2024-40970 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: do not create EA inode under buffer lock ext4_xattr_set_entry() creates new EA inodes while holding buffer lock on the external xattr block. This is problematic as it nests all the allocation locking (which acquires locks on other buffers) under the buffer lock. This can even deadlock when the filesystem is corrupted and e.g. quota file is setup to contain xattr block as data block. Move the allocation of EA inode out of ext4_xattr_set_entry() into the callers. CVE-2024-40972 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: x86-android-tablets: Unregister devices in reverse order Not all subsystems support a device getting removed while there are still consumers of the device with a reference to the device. One example of this is the regulator subsystem. If a regulator gets unregistered while there are still drivers holding a reference a WARN() at drivers/regulator/core.c:5829 triggers, e.g.: WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015 RIP: 0010:regulator_unregister Call Trace: <TASK> regulator_unregister devres_release_group i2c_device_remove device_release_driver_internal bus_remove_device device_del device_unregister x86_android_tablet_remove On the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides a 5V boost converter output for powering USB devices connected to the micro USB port, the bq24190-charger driver exports this as a Vbus regulator. On the 830 (8") and 1050 ("10") models this regulator is controlled by a platform_device and x86_android_tablet_remove() removes platform_device-s before i2c_clients so the consumer gets removed first. But on the 1380 (13") model there is a lc824206xa micro-USB switch connected over I2C and the extcon driver for that controls the regulator. The bq24190 i2c-client *must* be registered first, because that creates the regulator with the lc824206xa listed as its consumer. If the regulator has not been registered yet the lc824206xa driver will end up getting a dummy regulator. Since in this case both the regulator provider and consumer are I2C devices, the only way to ensure that the consumer is unregistered first is to unregister the I2C devices in reverse order of in which they were created. For consistency and to avoid similar problems in the future change x86_android_tablet_remove() to unregister all device types in reverse order. CVE-2024-40975 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix kernel crash during resume Currently during resume, QMI target memory is not properly handled, resulting in kernel crash in case DMA remap is not supported: BUG: Bad page state in process kworker/u16:54 pfn:36e80 page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80 page dumped because: nonzero _refcount Call Trace: bad_page free_page_is_bad_report __free_pages_ok __free_pages dma_direct_free dma_free_attrs ath12k_qmi_free_target_mem_chunk ath12k_qmi_msg_mem_request_cb The reason is: Once ath12k module is loaded, firmware sends memory request to host. In case DMA remap not supported, ath12k refuses the first request due to failure in allocating with large segment size: ath12k_pci 0000:04:00.0: qmi firmware request memory request ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144 ath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size ath12k_pci 0000:04:00.0: qmi delays mem_request 2 ath12k_pci 0000:04:00.0: qmi firmware request memory request Later firmware comes back with more but small segments and allocation succeeds: ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288 Now ath12k is working. If suspend is triggered, firmware will be reloaded during resume. As same as before, firmware requests two large segments at first. In ath12k_qmi_msg_mem_request_cb() segment count and size are assigned: ab->qmi.mem_seg_count == 2 ab->qmi.target_mem[0].size == 7077888 ab->qmi.target_mem[1].size == 8454144 Then allocation failed like before and ath12k_qmi_free_target_mem_chunk() is called to free all allocated segments. Note the first segment is skipped because its v.addr is cleared due to allocation failure: chunk->v.addr = dma_alloc_coherent() Also note that this leaks that segment because it has not been freed. While freeing the second segment, a size of 8454144 is passed to dma_free_coherent(). However remember that this segment is allocated at the first time firmware is loaded, before suspend. So its real size is 524288, much smaller than 8454144. As a result kernel found we are freeing some memory which is in use and thus cras ---truncated--- CVE-2024-40979 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() In the following concurrency we will access the uninitialized rs->lock: ext4_fill_super ext4_register_sysfs // sysfs registered msg_ratelimit_interval_ms // Other processes modify rs->interval to // non-zero via msg_ratelimit_interval_ms ext4_orphan_cleanup ext4_msg(sb, KERN_INFO, "Errors on filesystem, " __ext4_msg ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state) if (!rs->interval) // do nothing if interval is 0 return 1; raw_spin_trylock_irqsave(&rs->lock, flags) raw_spin_trylock(lock) _raw_spin_trylock __raw_spin_trylock spin_acquire(&lock->dep_map, 0, 1, _RET_IP_) lock_acquire __lock_acquire register_lock_class assign_lock_key dump_stack(); ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10); raw_spin_lock_init(&rs->lock); // init rs->lock here and get the following dump_stack: ========================================================= INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504 [...] Call Trace: dump_stack_lvl+0xc5/0x170 dump_stack+0x18/0x30 register_lock_class+0x740/0x7c0 __lock_acquire+0x69/0x13a0 lock_acquire+0x120/0x450 _raw_spin_trylock+0x98/0xd0 ___ratelimit+0xf6/0x220 __ext4_msg+0x7f/0x160 [ext4] ext4_orphan_cleanup+0x665/0x740 [ext4] __ext4_fill_super+0x21ea/0x2b10 [ext4] ext4_fill_super+0x14d/0x360 [ext4] [...] ========================================================= Normally interval is 0 until s_msg_ratelimit_state is initialized, so ___ratelimit() does nothing. But registering sysfs precedes initializing rs->lock, so it is possible to change rs->interval to a non-zero value via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is uninitialized, and then a call to ext4_msg triggers the problem by accessing an uninitialized rs->lock. Therefore register sysfs after all initializations are complete to avoid such problems. CVE-2024-40998 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ena: Add validation for completion descriptors consistency Validate that `first` flag is set only for the first descriptor in multi-buffer packets. In case of an invalid descriptor, a reset will occur. A new reset reason for RX data corruption has been added. CVE-2024-40999 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 low In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 CVE-2024-41006 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space. CVE-2024-41011 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: xfs: don't walk off the end of a directory data block This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry to make sure don't stray beyond valid memory region. Before patching, the loop simply checks that the start offset of the dup and dep is within the range. So in a crafted image, if last entry is xfs_dir2_data_unused, we can change dup->length to dup->length-1 and leave 1 byte of space. In the next traversal, this space will be considered as dup or dep. We may encounter an out of bound read when accessing the fixed members. In the patch, we make sure that the remaining bytes large enough to hold an unused entry before accessing xfs_dir2_data_unused and xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make sure that the remaining bytes large enough to hold a dirent with a single-byte name before accessing xfs_dir2_data_entry. CVE-2024-41013 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: xfs: add bounds checking to xlog_recover_process_data There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do some file operations to leave records 2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data 3) Write a tool to parse and modify the copied image in step 2 4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modify xlog_rec_header->h_crc Fix: Add a check to make sure there is sufficient space to access fixed members of xlog_op_header. CVE-2024-41014 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: don't walk off the end of ealist Add a check before visiting the members of ea to make sure each ea stays within the ealist. CVE-2024-41017 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate In the Linux kernel, the following vulnerability has been resolved: tap: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090 CVE-2024-41090 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 important In the Linux kernel, the following vulnerability has been resolved: tun: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP. This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does. CVE: CVE-2024-41091 CVE-2024-41091 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:kernel-default-6.4.0-150600.23.17.1 moderate Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege. CVE-2024-41110 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:docker-25.0.6_ce-150000.203.1 critical Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. CVE-2024-5535 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:libopenssl3-3.1.4-150600.5.10.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:openssl-3-3.1.4-150600.5.10.1 moderate libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances. CVE-2024-6197 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:libcurl4-8.6.0-150600.4.3.1 important libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. CVE-2024-7264 Public Cloud Image google/sles-15-sp6-chost-byos-v20240807-x86-64:libcurl4-8.6.0-150600.4.3.1 moderate