<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2024:873-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2024:873-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-03-13T12:36:24Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-08-08T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-08-08T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2024:873-1 / google/sles-15-sp3-sap-v20240808-x86-64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/sles-15-sp3-sap-v20240808-x86-64 contains the following changes:
Package HANA-Firewall was updated:

- HANA-Firewall creates insufficient configuration.  (bsc#1221231)

Package SAPHanaSR was updated:

- Version bump to 0.162.4
  * unify global.ini examples
  * add demo script SAPHanaSR-upgrade-to-angi-demo
  * update man pages:
    SAPHanaSR_basic_cluster.7
    SAPHanaSR_maintenance_examples.7
    SAPHanaSR_upgrade_to_angi.7
    SAPHanaSR-manageProvider.8
    SAPHanaSR-upgrade-to-angi-demo.8
    SAPHanaSR.py.7

- Version bump to 0.162.3
  * Fix the hexdump log for empty node states
  * catch monitor calls for non-cloned resources and report them as
    unsupported instead of 'command not found'
    (bsc#1218333)
  * fix scope of variable 'site' to be global
    (bsc#1219194)
  * susChkSrv.py - relocate function logTimestamp()
  * update man pages:
    SAPHanaSR.7
    ocf_suse_SAPHana.7
    SAPHanaSR_maintenance_examples.7
    SAPHanaSR.py.7
    SAPHanaSR-showAttr.8

- Version bump to 0.162.2
  * inside SAPHanaSR-hookHelper use the full path for the cibadmin
    command to support non root users in special user environments
    (bsc#1216484)
  * if the SAPHanaSR.py hook has successfully reported a SR event
    to the cluster a still existing fall-back state file will be
    removed to prevent an override of an already reported
    SR state.
    (bsc#1215693)
  * improve supportability by providing the current process ID of
    the RA, which is logged in the RA outputs, to HANA tracefiles
    too.
    This allows a mapping of the SAP related command invocations
    from the RA and the HANA executions which might have a delay
    in between.
    (bsc#1214613)
  * avoid explicit and implicit usage of /tmp filesystem to keep
    the SAPHanaSR resource agents working even in situations with
    /tmp filesystem full.
    (bsc#1210728)
  * update man pages:
    SAPHanaSR.7
    SAPHanaSR_basic_cluster.7
    SAPHanaSR_maintenance_examples.7
    ocf_suse_SAPHana.7
    ocf_suse_SAPHanaTopology.7
    susCostOpt.py.7
    SAPHanaSR-monitor.8
    SAPHanaSR-showAttr.8
  * add improvements from SAP to the RA scripts, part II
    (jsc#PED-1739, jsc#PED-2608)

Package aaa_base was updated:

- modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  to also fix the typo to set JAVA_BINDIR in the csh variant
  of the alljava profile script (bsc#1221361)

- modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  drop the stderr redirection for csh (bsc#1221361)
- add git-49-3f8f26123d91f70c644677a323134fc79318c818.patch
  drop sysctl.d/50-default-s390.conf (bsc#1211721)
- add aaa_base-preinstall.patch
  make sure the script does not exit with 1 if a file
  with content is found (bsc#1222547)

- add patch git-48-477bc3c05fcdabf9319e84278a1cba2c12c9ed5a.patch
  home and end button not working from ssh client (bsc#1221407)
- use autosetup in prep stage of specfile

- silence the output in the case of broken symlinks (bsc#1218232)

- fix git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  to actually apply

- replace git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  by git-47-056fc66c699a8544c7692a03c905fca568f5390b.patch
  * fix the issues from bsc#1107342 and bsc#1215434 and just
    use the settings from update-alternatives to set JAVA_HOME

Package autofs was updated:

- autofs-5.1.6-remove-intr-hosts-map-mount-option.patch
  Don't use the intr option on NFS mounts by default, it's been
  ignored by the kernel for a long time now. (bsc#1225130)

- autofs-5.1.8-dont-use-initgroups-at-spawn.patch
  Don't use initgroups at spawn (bsc#1214710, bsc#1221181)

Package bind was updated:

- Security Fixes:
  * It is possible to craft excessively large numbers of resource
    record types for a given owner name, which has the effect of
    slowing down database processing. This has been addressed by
    adding a configurable limit to the number of records that can
    be stored per name and type in a cache or zone database. The
    default is 100, which can be tuned with the new
    max-types-per-name option. (CVE-2024-1737)
    [bsc#1228256, bind-9.16-CVE-2024-1737.patch]
  * Validating DNS messages signed using the SIG(0) protocol (RFC
    2931) could cause excessive CPU load, leading to a
    denial-of-service condition. Support for SIG(0) message
    validation was removed from this version of named.
    (CVE-2024-1975)
    [bsc#1228257, bind-9.16-CVE-2024-1975.patch]

- Security Fixes:
  * Validating DNS messages containing a lot of DNSSEC signatures
    could cause excessive CPU load, leading to a denial-of-service
    condition. This has been fixed. (CVE-2023-50387)
    [bsc#1219823, bind-CVE-2023-50387-CVE-2023-50868.patch]
  * Preparing an NSEC3 closest encloser proof could cause excessive
    CPU load, leading to a denial-of-service condition. This has
    been fixed. (CVE-2023-50868)
    [bsc#1219826, bind-CVE-2023-50387-CVE-2023-50868.patch]
  * Parsing DNS messages with many different names could cause
    excessive CPU load. This has been fixed. (CVE-2023-4408)
    [bsc#1219851, bind-CVE-2023-4408.patch]
  * Specific queries could cause named to crash with an assertion
    failure when nxdomain-redirect was enabled. This has been
    fixed. (CVE-2023-5517)
    [bsc#1219852, bind-CVE-2023-5517.patch]
  * Query patterns that continuously triggered cache database
    maintenance could cause an excessive amount of memory to be
    allocated, exceeding max-cache-size and potentially leading to
    all available memory on the host running named being exhausted.
    This has been fixed. (CVE-2023-6516)
    [bsc#1219854, bind-CVE-2023-6516.patch]

Package ca-certificates was updated:

- Update to version 2+git20240416.98ae794 (bsc#1221184):
  * Use flock to serialize calls (boo#1188500)
  * Make certbundle.run container friendly
  * Create /var/lib/ca-certificates if needed

Package catatonit was updated:

- Update to catatonit v0.2.0.
  * Change license to GPL-2.0-or-later.
- Remove upstreamed patches:
  - 99bb9048f.patch

Package chrony was updated:

- Use make quickcheck instead of make check to avoid &gt;1h build
  times and failures due to timeouts. This was the default before
  3.2 but it changed to make tests more reliable. Here a seed is
  already set to get deterministic execution.

- Use shorter NTS-KE retry interval when network is down
  (bsc#1213551, chrony-burst_total_samples_to_go.patch,
  chrony-retry_interval_ke_start.patch).

Package cloud-netconfig was updated:

- Update to version 1.14
  + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)

- Add version settings to Provides/Obsoletes

- Update to version 1.12 (bsc#1221202)
  + If token access succeeds using IPv4 do not use the IPv6 endpoint;
    only use the IPv6 IMDS endpoint if IPv4 access fails.

- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d
  on older distributions
- Add BuildRequires: NetworkManager to avoid owning dispatcher.d
  parent directory

- Update to version 1.11:
  + Revert address metadata lookup in GCE to local lookup (bsc#1219454)
  + Fix hang on warning log messages
  + Check whether getting IPv4 addresses from metadata failed and abort
    if true
  + Only delete policy rules if they exist
  + Skip adding/removing IPv4 ranges if metadata lookup failed
  + Improve error handling and logging in Azure
  + Set SCRIPTDIR when installing netconfig wrapper

- Update to version 1.10:
  + Drop cloud-netconfig-nm sub package and include NM dispatcher
    script in main packages (bsc#1219007)
  + Spec file cleanup

- Update to version 1.9:
  + Drop package dependency on sysconfig-netconfig
  + Improve log level handling
  + Support IPv6 IMDS endpoint in EC2 (bsc#1218069)

Package cloud-regionsrv-client was updated:

- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
  + Fix the failover path to a new target update server. At present a new
    server is not found since credential validation fails. We targeted
    the server detected in down condition to verify the credentials instead
    of the replacement server.

- Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159)
  + Fix the algorithm to determine the region from the availability zone
    information retrieved from IMDS.
- Update to version 10.1.6
  + Support specifying an IPv6 address for a manually configured target
    update server.

- Update to version 10.1.5 (bsc#1217583)
  + Fix fallback path when IPv6 network path is not usable
  + Enable an IPv6 fallback path in IMDS access if it cannot be accessed
    over IPv4
  + Enable IMDS access over IPv6

- Update to version 10.1.4 (bsc#1217451)
  + Fetch cert for new update server during failover

Package kernel-default was updated:

- Update
  patches.suse/0020-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch
  (git-fixes CVE-2021-47600 bsc#1226575).
- Update
  patches.suse/0022-block-Fix-wrong-offset-in-bio_truncate.patch
  (git-fixes CVE-2022-48747 bsc#1226643).
- Update
  patches.suse/ARM-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch
  (git-fixes CVE-2021-47618 bsc#1226644).
- Update
  patches.suse/ASoC-max9759-fix-underflow-in-speaker_gain_control_p.patch
  (git-fixes CVE-2022-48717 bsc#1226679).
- Update
  patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_-4cf28e9ae6e2.patch
  (git-fixes CVE-2022-48736 bsc#1226721).
- Update
  patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_-4f1e50d6a9cf.patch
  (git-fixes CVE-2022-48737 bsc#1226762).
- Update
  patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_.patch
  (git-fixes CVE-2022-48738 bsc#1226674).
- Update
  patches.suse/Bluetooth-refactor-malicious-adv-data-check.patch
  (git-fixes CVE-2021-47620 bsc#1226669).
- Update patches.suse/IB-hfi1-Fix-AIP-early-init-panic.patch
  (jsc#SLE-13208 CVE-2022-48728 bsc#1226691).
- Update
  patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch
  (git-fixes CVE-2021-47617 bsc#1226614).
- Update
  patches.suse/RDMA-ucma-Protect-mc-during-concurrent-multicast-lea.patch
  (bsc#1181147 CVE-2022-48726 bsc#1226686).
- Update
  patches.suse/ceph-properly-put-ceph_string-reference-after-async-create-attempt.patch
  (bsc#1195798 CVE-2022-48767 bsc#1226715).
- Update
  patches.suse/dma-buf-heaps-Fix-potential-spectre-v1-gadget.patch
  (git-fixes CVE-2022-48730 bsc#1226713).
- Update
  patches.suse/drm-msm-dpu-invalid-parameter-check-in-dpu_setup_dsp.patch
  (git-fixes CVE-2022-48749 bsc#1226650).
- Update
  patches.suse/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch
  (git-fixes CVE-2022-48756 bsc#1226698).
- Update
  patches.suse/drm-nouveau-fix-off-by-one-in-BIOS-boundary-checking.patch
  (git-fixes CVE-2022-48732 bsc#1226716).
- Update
  patches.suse/firmware-arm_scpi-Fix-string-overflow-in-SCPI-genpd-.patch
  (git-fixes CVE-2021-47609 bsc#1226562).
- Update patches.suse/i40e-Fix-queues-reservation-for-XDP.patch
  (git-fixes CVE-2021-47619 bsc#1226645).
- Update patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch
  (git-fixes CVE-2021-47589 bsc#1226557).
- Update
  patches.suse/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping
  (git-fixes CVE-2022-48724 bsc#1226624).
- Update
  patches.suse/mac80211-track-only-QoS-data-frames-for-admission-co.patch
  (git-fixes CVE-2021-47602 bsc#1226554).
- Update
  patches.suse/mac80211-validate-extended-element-ID-is-present.patch
  (git-fixes CVE-2021-47611 bsc#1226583).
- Update
  patches.suse/net-bridge-vlan-fix-memory-leak-in-__allowed_ingress.patch
  (bsc#1176447 CVE-2022-48748 bsc#1226647).
- Update
  patches.suse/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch
  (jsc#SLE-14777 CVE-2021-47596 bsc#1226558).
- Update
  patches.suse/net-ieee802154-ca8210-Stop-leaking-skb-s.patch
  (git-fixes CVE-2022-48722 bsc#1226619).
- Update
  patches.suse/net-mlx5e-Fix-handling-of-wrong-devices-during-bond-.patch
  (jsc#SLE-15172 CVE-2022-48746 bsc#1226703).
- Update
  patches.suse/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch
  (bsc#1176774 CVE-2021-47595 bsc#1226552).
- Update
  patches.suse/nfc-fix-segfault-in-nfc_genl_dump_devices_done.patch
  (git-fixes CVE-2021-47612 bsc#1226585).
- Update patches.suse/phylib-fix-potential-use-after-free.patch
  (git-fixes CVE-2022-48754 bsc#1226692).
- Update
  patches.suse/powerpc-perf-Fix-power_pmu_disable-to-call-clear_pmi.patch
  (bsc#1156395 CVE-2022-48752 bsc#1226709).
- Update
  patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ctr.patch
  (git-fixes CVE-2022-48759 bsc#1226711).
- Update
  patches.suse/scsi-bnx2fc-Flush-destroy_work-queue-before-calling-bnx2fc_interface_put
  (git-fixes CVE-2022-48758 bsc#1226708).
- Update patches.suse/scsi-bnx2fc-Make-bnx2fc_recv_frame-mp-safe
  (git-fixes CVE-2022-48715 bsc#1226621).
- Update
  patches.suse/scsi-scsi_debug-Sanity-check-block-descriptor-length-in-resp_mode_select.patch
  (git-fixes CVE-2021-47576 bsc#1226537).
- Update
  patches.suse/smb-client-set-correct-id-uid-and-cruid-for-multiuser-automounts.patch
  (git-fixes CVE-2024-26822 bsc#1223011).
- Update
  patches.suse/tracing-histogram-Fix-a-potential-memory-leak-for-kstrdup.patch
  (git-fixes CVE-2022-48768 bsc#1226720).
- commit 3239c2b

- Update
  patches.suse/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
  (CVE-2022-22942 bsc#1195065 CVE-2022-48771 bsc#1226732).
- Update
  patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-.patch
  (CVE-2021-43389 CVE-2021-3896 bsc#1191958 git-fixes
  CVE-2021-4439 bsc#1226670).
- Update
  patches.suse/media-mxl111sf-change-mutex_init-location.patch
  (git-fixes CVE-2021-47583 bsc#1226563).
- Update
  patches.suse/of-module-prevent-NULL-pointer-dereference-in-vsnprintf.patch
  (bsc#1226587 CVE-2024-38541 CVE-2024-35878 bsc#1224671).
- Update
  patches.suse/tipc-improve-size-validations-for-received-domain-re.patch
  (bsc#1195254 CVE-2022-0435 CVE-2022-48711 bsc#1226672).
- commit 4e385ef

- tcp: Use refcount_inc_not_zero() in tcp_twsk_unique()
  (CVE-2024-36904 bsc#1225732).
- commit 80f0f47

- tcp: do not accept ACK of bytes we never sent (CVE-2023-52881
  bsc#1225611).
- commit 874a2d3

- x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
  (bsc#1222015 bsc#1226962).
- commit c8cabcf

- USB: core: Fix hang in usb_kill_urb by adding memory barriers
  (CVE-2022-48760 bsc#1226712).
- commit da8ec3e

- scsi: qedf: Ensure the copied buf is NUL terminated (bsc#1226758
  CVE-2024-38559).
- scsi: bfa: Ensure the copied buf is NUL terminated (bsc#1226786
  CVE-2024-38560).
- commit 0e33f69

- Update References tag
  patches.suse/Bluetooth-Disconnect-if-E0-is-used-for-Level-4.patch
  (bsc#1171988 CVE-2020-10135 bsc#1218148 CVE-2023-24023).
- commit 906dfa6

- RDMA/hns: Fix UAF for cq async event (bsc#1226595 CVE-2024-38545)
- commit d57d06d

- of: module: prevent NULL pointer dereference in vsnprintf() (bsc#1226587 CVE-2024-38541)
- commit c381bb4

- of: module: add buffer overflow check in of_modalias() (bsc#1226587 CVE-2024-38541)
- commit 212b607

- net/mlx5e: Fix use-after-free of encap entry in neigh update
  handler (bsc#1224865 CVE-2021-47247).
- commit 91cae43

- net: qcom/emac: fix UAF in emac_remove (bsc#1225010
  CVE-2021-47311).
- commit 5533443

- NFS: avoid infinite loop in pnfs_update_layout (bsc#1219633
  bsc#1226226).
- commit 1b48f4e

- net: macb: fix use after free on rmmod (CVE-2021-47372
  bsc#1225184).
- commit c9f62c2

- ocfs2: fix sparse warnings (bsc#1219224).
- ocfs2: speed up chain-list searching (bsc#1219224).
- ocfs2: adjust enabling place for la window (bsc#1219224).
- ocfs2: improve write IO performance when fragmentation is high
  (bsc#1219224).
- commit 124c57b

- smb: client: fix potential UAF in smb2_is_network_name_deleted()
  (bsc#1224764, CVE-2024-35862).
- commit 8a40236

- smb: client: fix potential UAF in smb2_is_valid_lease_break()
  (bsc#1224765, CVE-2024-35864).
- commit 8030dd8

- smb: client: fix potential UAF in
  cifs_signal_cifsd_for_reconnect() (bsc#1224766, CVE-2024-35861).
- commit d1384a0

- smb: client: fix use-after-free bug in
  cifs_debug_data_proc_show() (bsc#1225487, CVE-2023-52752).
- commit c058f4e

- blacklist.conf: bsc#1225047 CVE-2021-47328
  breaks kABI and does not apply
- commit 8d10b79

- blk-cgroup: fix UAF by grabbing blkcg lock before destroying
  blkg pd (CVE-2021-47379 bsc#1225203).
- commit af72a45

- wifi: mac80211: check/clear fast rx for non-4addr sta VLAN
  changes (CVE-2024-35789 bsc#1224749).
- commit 7707dc6

- fs/9p: only translate RWX permissions for plain 9P2000
  (bsc#1225866 CVE-2024-36964).
- commit c4d4f4c

- pinctrl: core: delete incorrect free in pinctrl_enable()
  (CVE-2024-36940 bsc#1225840).
- commit 6932105

- staging: rtl8192e: Fix use after free in
  _rtl92e_pci_disconnect() (CVE-2021-47571 bsc#1225518).
- commit b52b9d0

- enetc: Fix illegal access when reading affinity_hint
  (CVE-2021-47368 bsc#1225161).
- commit cde762c

- Bluetooth: Add more enc key size check (bsc#1218148
  CVE-2023-24023).
- commit 529bf5d

- Bluetooth: Normalize HCI_OP_READ_ENC_KEY_SIZE cmdcmplt
  (bsc#1218148 CVE-2023-24023).
- commit 4ac624b

- blacklist.conf: Add 1971d13ffa84a "af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc()."
- commit 1f2871b

- usb: gadget: f_fs: Fix race between aio_cancel() and AIO
  request complete (CVE-2024-36894 bsc#1225749).
- commit 99fc30d

- net: preserve kabi for sk_buff (CVE-2024-26921 bsc#1223138).
- commit 62989dd

- inet: inet_defrag: prevent sk release while still in use
  (CVE-2024-26921 bsc#1223138).
- commit 599b2eb

- drm/client: Fully protect modes with dev-&gt;mode_config.mutex (CVE-2024-35950 bsc#1224703).
- commit f5de9d8

- smb: client: set correct id, uid and cruid for multiuser
  automounts (git-fixes).
- commit 548a1f6

- smb: client: fix dfs link mount against w2k8 (git-fixes).
- commit ffabd7c

- cifs: use tcon allocation functions even for dummy tcon
  (bsc#1213476).
- commit 8a18c8c

- cifs: avoid race conditions with parallel reconnects
  (bsc#1213476).
- commit 0156937

- cifs: check only tcon status on tcon related functions
  (bsc#1213476).
- commit 3ee757c

- cifs: return DFS root session id in DebugData (bsc#1213476).
- commit 40d8689

- cifs: fix use-after-free bug in refresh_cache_worker()
  (bsc#1213476).
- Refresh
  patches.suse/cifs-avoid-dup-prefix-path-in-dfs_get_automount_devname-.patch.
- commit efddc92

- cifs: set DFS root session in cifs_get_smb_ses() (bsc#1213476).
- commit 249b33f

- cifs: reuse cifs_match_ipaddr for comparison of dstaddr too
  (bsc#1213476).
- commit c221add

- cifs: match even the scope id for ipv6 addresses (bsc#1213476).
- commit 376b929

- cifs: get rid of dns resolve worker (bsc#1213476).
- commit 36fdff3

- nvme-rdma: destroy cm id before destroy qp to avoid use after
  free (CVE-2021-47378 bsc#1225201).
- commit 132f56c

- net/tls: Fix flipped sign in tls_err_abort() calls
  (CVE-2021-47496 bsc#1225354)
- commit c2b236a

- net: sched: flower: protect fl_walk() with rcu
  (CVE-2021-47402 bsc#1225301)
- commit 5275989

- Update
  patches.suse/0001-x86-ioremap-Map-efi_mem_reserve-memory-as-encrypted-.patch
  (bsc#1186885 bsc#1224826 CVE-2021-47228).
- Update
  patches.suse/0002-bcache-avoid-oversized-read-request-in-cache-miss.patch
  (bsc#1187357 bsc#1185570 bsc#1184631 bsc#1224965
  CVE-2021-47275).
- Update
  patches.suse/0002-ocfs2-fix-race-between-searching-chunks-and-release-.patch
  (bsc#1199304 bsc#1225439 CVE-2021-47493).
- Update
  patches.suse/0003-drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch
  (bsc#1152472 bsc#1222838 CVE-2021-47200).
- Update
  patches.suse/0015-dm-btree-remove-assign-new_root-only-when-removal-su.patch
  (git-fixes bsc#1225155 CVE-2021-47343).
- Update
  patches.suse/0019-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch
  (git-fixes bsc#1225247 CVE-2021-47435).
- Update patches.suse/ACPI-fix-NULL-pointer-dereference.patch
  (git-fixes bsc#1224984 CVE-2021-47289).
- Update
  patches.suse/ALSA-pcm-oss-Limit-the-period-size-to-16MB.patch
  (git-fixes bsc#1225409 CVE-2021-47509).
- Update
  patches.suse/ALSA-seq-Fix-race-of-snd_seq_timer_open.patch
  (git-fixes bsc#1224983 CVE-2021-47281).
- Update
  patches.suse/ALSA-usx2y-Don-t-call-free_pages_exact-with-NULL-add.patch
  (git-fixes bsc#1225091 CVE-2021-47332).
- Update
  patches.suse/ASoC-SOF-Fix-DSP-oops-stack-dump-output-contents.patch
  (git-fixes bsc#1225206 CVE-2021-47381).
- Update
  patches.suse/ASoC-codecs-wcd934x-handle-channel-mappping-list-cor.patch
  (git-fixes bsc#1225369 CVE-2021-47502).
- Update
  patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
  (git-fixes bsc#1225303 CVE-2021-47404).
- Update
  patches.suse/HID-bigbenff-prevent-null-pointer-dereference.patch
  (CVE-2022-20132 bsc#1200619 bsc#1225437 CVE-2021-47522).
- Update
  patches.suse/HID-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
  (git-fixes bsc#1225238 CVE-2021-47405).
- Update
  patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch
  (git-fixes bsc#1225438 CVE-2021-47523).
- Update
  patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
  (CVE-2021-47485 bsc#1224904 bsc#1220960 CVE-2021-47104).
- Update
  patches.suse/KVM-PPC-Book3S-HV-Fix-stack-handling-in-idle_kvm_sta.patch
  (bko#206669 bsc#1174585 bsc#1192107 CVE-2021-43056 bsc#1225341
  CVE-2021-47465).
- Update
  patches.suse/KVM-mmio-Fix-use-after-free-Read-in-kvm_vm_ioctl_unr.patch
  (git-fixes bsc#1224923 CVE-2021-47341).
- Update
  patches.suse/KVM-x86-Immediately-reset-the-MMU-context-when-the-S.patch
  (git-fixes bsc#1224853 CVE-2021-47230).
- Update
  patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch
  (git-fixes bsc#1225263 CVE-2021-47442).
- Update
  patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch
  (git-fixes bsc#1225262 CVE-2021-47443).
- Update
  patches.suse/NFS-Fix-use-after-free-in-nfs4_init_client.patch
  (git-fixes bsc#1224953 CVE-2021-47259).
- Update
  patches.suse/RDMA-Verify-port-when-creating-flow-rule.patch
  (git-fixes bsc#1224957 CVE-2021-47265).
- Update
  patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
  (git-fixes bsc#1210629 CVE-2023-2176 bsc#1225318
  CVE-2021-47391).
- Update
  patches.suse/RDMA-cma-Fix-listener-leak-in-rdma_cma_listen_on_all.patch
  (bsc#1181147 bsc#1225320 CVE-2021-47392).
- Update
  patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch
  (CVE-2021-39698 bsc#1196956 bsc#1225400 CVE-2021-47505).
- Update
  patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch
  (git-fixes bsc#1225393 CVE-2021-47464).
- Update
  patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
  (bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update
  patches.suse/bpf-s390-Fix-potential-memory-leak-about-jit_data.patch
  (git-fixes bsc#1225370 CVE-2021-47426).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
  (git-fixes bsc#1225256 CVE-2021-47456).
- Update
  patches.suse/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_car.patch
  (git-fixes bsc#1225435 CVE-2021-47521).
- Update
  patches.suse/cfg80211-fix-management-registrations-locking.patch
  (git-fixes bsc#1225450 CVE-2021-47494).
- Update
  patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
  (bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
  patches.suse/cpufreq-schedutil-Use-kobject-release-method-to-free.patch
  (git-fixes bsc#1225316 CVE-2021-47387).
- Update
  patches.suse/dm-rq-don-t-queue-request-to-blk-mq-during-DM-suspen.patch
  (bsc#1221113 bsc#1225357 CVE-2021-47498).
- Update
  patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
  (git-fixes bsc#1224968 CVE-2021-47305).
- Update
  patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
  (git-fixes bsc#1224982 CVE-2021-47280).
- Update
  patches.suse/drm-amd-display-Avoid-HDCP-over-read-and-corruption.patch
  (git-fixes bsc#1225178 CVE-2021-47348).
- Update
  patches.suse/drm-amd-display-Fix-potential-memory-leak-in-DMUB-hw.patch
  (git-fixes bsc#1224886 CVE-2021-47253).
- Update patches.suse/drm-amdgpu-fix-gart.bo-pin_count-leak.patch
  (git-fixes bsc#1225390 CVE-2021-47431).
- Update
  patches.suse/drm-edid-In-connector_bad_edid-cap-num_of_ext-by-num.patch
  (git-fixes bsc#1225243 CVE-2021-47444).
- Update
  patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch
  (git-fixes bsc#1225261 CVE-2021-47445).
- Update
  patches.suse/drm-msm-a6xx-Allocate-enough-space-for-GMU-registers.patch
  (git-fixes bsc#1225446 CVE-2021-47535).
- Update
  patches.suse/drm-nouveau-avoid-a-use-after-free-when-BO-init-fail.patch
  (bsc#1152472 bsc#1224816 CVE-2020-36788).
- Update
  patches.suse/drm-nouveau-debugfs-fix-file-release-memory-leak.patch
  (git-fixes bsc#1225366 CVE-2021-47423).
- Update
  patches.suse/drm-nouveau-kms-nv50-fix-file-release-memory-leak.patch
  (git-fixes bsc#1225233 CVE-2021-47422).
- Update
  patches.suse/drm-radeon-fix-a-possible-null-pointer-dereference.patch
  (git-fixes bsc#1225230 CVE-2022-48710).
- Update patches.suse/drm-sched-Avoid-data-corruptions.patch
  (git-fixes bsc#1225140 CVE-2021-47354).
- Update
  patches.suse/ethtool-strset-fix-message-length-calculation.patch
  (bsc#1176447 bsc#1224842 CVE-2021-47241).
- Update
  patches.suse/fbmem-Do-not-delete-the-mode-that-is-still-in-use.patch
  (git-fixes bsc#1224924 CVE-2021-47338).
- Update
  patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
  (git-fixes bsc#1224966 CVE-2021-47276).
- Update
  patches.suse/gpio-wcd934x-Fix-shift-out-of-bounds-error.patch
  (git-fixes bsc#1224955 CVE-2021-47263).
- Update
  patches.suse/hwmon-mlxreg-fan-Return-non-zero-value-when-fan-curr.patch
  (git-fixes bsc#1225321 CVE-2021-47393).
- Update
  patches.suse/i2c-acpi-fix-resource-leak-in-reconfiguration-device.patch
  (git-fixes bsc#1225223 CVE-2021-47425).
- Update
  patches.suse/i40e-Fix-NULL-pointer-dereference-in-i40e_dbg_dump_d.patch
  (git-fixes bsc#1225361 CVE-2021-47501).
- Update
  patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
  (git-fixes bsc#1225367 CVE-2021-47424).
- Update patches.suse/ice-avoid-bpf_prog-refcount-underflow.patch
  (jsc#SLE-7926 bsc#1225500 CVE-2021-47563).
- Update patches.suse/ice-fix-vsi-txq_map-sizing.patch
  (jsc#SLE-7926 bsc#1225499 CVE-2021-47562).
- Update
  patches.suse/igb-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224916 CVE-2021-47301).
- Update
  patches.suse/igc-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224917 CVE-2021-47302).
- Update
  patches.suse/iio-accel-kxcjk-1013-Fix-possible-memory-leak-in-pro.patch
  (git-fixes bsc#1225358 CVE-2021-47499).
- Update
  patches.suse/isdn-mISDN-Fix-sleeping-function-called-from-invalid.patch
  (git-fixes bsc#1225346 CVE-2021-47468).
- Update
  patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
  (git-fixes bsc#1224987 CVE-2021-47284).
- Update
  patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch
  (bsc#1194591 bsc#1225198 CVE-2021-47478).
- Update
  patches.suse/ixgbe-Fix-NULL-pointer-dereference-in-ixgbe_xdp_setu.patch
  (git-fixes bsc#1225328 CVE-2021-47399).
- Update patches.suse/jfs-fix-GPF-in-diFree.patch (bsc#1203389
  bsc#1225148 CVE-2021-47340).
- Update
  patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
  (git-fixes bsc#1225143 CVE-2021-47356).
- Update
  patches.suse/mac80211-fix-use-after-free-in-CCMP-GCMP-RX.patch
  (git-fixes bsc#1225214 CVE-2021-47388).
- Update
  patches.suse/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch
  (git-fixes bsc#1225327 CVE-2021-47396).
- Update
  patches.suse/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch
  (git-fixes bsc#1225326 CVE-2021-47395).
- Update
  patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
  (git-fixes bsc#1224922 CVE-2021-47344).
- Update
  patches.suse/misc-alcor_pci-fix-null-ptr-deref-when-there-is-no-P.patch
  (git-fixes bsc#1225113 CVE-2021-47333).
- Update
  patches.suse/misc-libmasm-module-Fix-two-use-after-free-in-ibmasm.patch
  (git-fixes bsc#1225112 CVE-2021-47334).
- Update
  patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch
  (git-fixes bsc#1225224 CVE-2021-47441).
- Update
  patches.suse/mt76-mt7915-fix-NULL-pointer-dereference-in-mt7915_g.patch
  (git-fixes bsc#1225386 CVE-2021-47540).
- Update patches.suse/net-batman-adv-fix-error-handling.patch
  (git-fixes bsc#1224909 CVE-2021-47482).
- Update
  patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
  (git-fixes bsc#1224844 CVE-2021-47235).
- Update
  patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch
  (CVE-2022-1195 bsc#1198029 bsc#1224830 CVE-2021-47237).
- Update
  patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
  (git-fixes bsc#1225453 CVE-2021-47541).
- Update
  patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
  (git-fixes bsc#1224981 CVE-2021-47285).
- Update
  patches.suse/net-qlogic-qlcnic-Fix-a-NULL-pointer-dereference-in-.patch
  (git-fixes bsc#1225455 CVE-2021-47542).
- Update
  patches.suse/net-sched-fq_pie-prevent-dismantle-issue.patch
  (jsc#SLE-15172 bsc#1225424 CVE-2021-47512).
- Update
  patches.suse/net-sched-sch_ets-don-t-peek-at-classes-beyond-nband.patch
  (bsc#1176774 bsc#1225468 CVE-2021-47557).
- Update
  patches.suse/net-smc-fix-wrong-list_del-in-smc_lgr_cleanup_early
  (git-fixes bsc#1225447 CVE-2021-47536).
- Update
  patches.suse/netfilter-xt_IDLETIMER-fix-panic-that-occurs-when-ti.patch
  (bsc#1176447 bsc#1225237 CVE-2021-47451).
- Update
  patches.suse/nfc-fix-potential-NULL-pointer-deref-in-nfc_genl_dum.patch
  (git-fixes bsc#1225372 CVE-2021-47518).
- Update
  patches.suse/nfp-Fix-memory-leak-in-nfp_cpp_area_cache_add.patch
  (git-fixes bsc#1225427 CVE-2021-47516).
- Update
  patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
  (git-fixes bsc#1225058 CVE-2021-47320).
- Update patches.suse/nfsd-Fix-nsfd-startup-race-again.patch
  (git-fixes bsc#1225405 CVE-2021-47507).
- Update
  patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
  (git-fixes bsc#1225404 CVE-2021-47506).
- Update
  patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
  (bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update
  patches.suse/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
  (bsc#1197760 bsc#1225252 CVE-2021-47458).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
  bsc#1225336 CVE-2021-47416).
- Update
  patches.suse/powerpc-64s-fix-program-check-interrupt-emergency-st.patch
  (bsc#1156395 bsc#1225387 CVE-2021-47428).
- Update
  patches.suse/powerpc-mm-Fix-lockup-on-kernel-exec-fault.patch
  (bsc#1156395 bsc#1225181 CVE-2021-47350).
- Update
  patches.suse/regmap-Fix-possible-double-free-in-regcache_rbtree_e.patch
  (git-fixes bsc#1224907 CVE-2021-47483).
- Update
  patches.suse/rxrpc-Fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
  (bsc#1154353 bnc#1151927 5.3.9 bsc#1225448 CVE-2021-47538).
- Update
  patches.suse/s390-dasd-fix-Oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup
  (git-fixes bsc#1223512 CVE-2022-48636).
- Update
  patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
  (git-fixes bsc#1225164 CVE-2021-47369).
- Update
  patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
  (git-fixes bsc#1225207 CVE-2021-47382).
- Update
  patches.suse/sata_fsl-fix-UAF-in-sata_fsl_port_stop-when-rmmod-sa.patch
  (git-fixes bsc#1225508 CVE-2021-47549).
- Update
  patches.suse/scsi-core-Fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid.patch
  (git-fixes bsc#1224926 CVE-2021-47337).
- Update
  patches.suse/scsi-core-Fix-error-handling-of-scsi_host_alloc.patch
  (git-fixes bsc#1224899 CVE-2021-47258).
- Update
  patches.suse/scsi-core-Put-LLD-module-refcnt-after-SCSI-device-is-released.patch
  (git-fixes bsc#1225322 CVE-2021-47480).
- Update
  patches.suse/scsi-core-sysfs-Fix-hang-when-device-state-is-set-via-sysfs.patch
  (git-fixes bsc#1222867 CVE-2021-47192).
- Update
  patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
  (bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
  patches.suse/scsi-megaraid_sas-Fix-resource-leak-in-case-of-probe-failure.patch
  (git-fixes bsc#1225083 CVE-2021-47329).
- Update
  patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
  (git-fixes bsc#1225384 CVE-2021-47565).
- Update
  patches.suse/scsi-pm80xx-Do-not-call-scsi_remove_host-in-pm8001_alloc
  (git-fixes bsc#1225374 CVE-2021-47503).
- Update
  patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
  (git-fixes bsc#1225192 CVE-2021-47473).
- Update
  patches.suse/serial-core-fix-transmit-buffer-reset-and-memleak.patch
  (git-fixes bsc#1194288 CVE-2021-47527).
- Update
  patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
  (git-fixes bsc#1224990 CVE-2021-47274).
- Update
  patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
  (bsc#1222619 CVE-2023-52880).
- Update
  patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
  (git-fixes bsc#1225084 CVE-2021-47330).
- Update
  patches.suse/udf-Fix-NULL-pointer-dereference-in-udf_symlink-func.patch
  (bsc#1206646 bsc#1225128 CVE-2021-47353).
- Update
  patches.suse/usb-chipidea-ci_hdrc_imx-Also-search-for-phys-phandl.patch
  (git-fixes bsc#1225333 CVE-2021-47413).
- Update
  patches.suse/usb-dwc2-check-return-value-after-calling-platform_g.patch
  (git-fixes bsc#1225330 CVE-2021-47409).
- Update
  patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
  (git-fixes bsc#1224996 CVE-2021-47269).
- Update
  patches.suse/usb-fix-various-gadget-panics-on-10gbps-cabling.patch
  (git-fixes bsc#1224993 CVE-2021-47267).
- Update
  patches.suse/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cab.patch
  (git-fixes bsc#1224997 CVE-2021-47270).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
  (git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
  (git-fixes bsc#1225351 CVE-2021-47495).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
  (git-fixes bsc#1225060 CVE-2021-47321).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
  (git-fixes bsc#1225030 CVE-2021-47324).
- Update
  patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
  (git-fixes bsc#1225026 CVE-2021-47323).
- Update
  patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
  (git-fixes bsc#1225177 CVE-2021-47347).
- Update
  patches.suse/x86-fpu-prevent-state-corruption-in-_fpu__restore_sig.patch
  (bsc#1178134 bsc#1224852 CVE-2021-47227).
- Update
  patches.suse/xhci-Fix-command-ring-pointer-corruption-while-abort.patch
  (git-fixes bsc#1225232 CVE-2021-47434).
- commit 0b290f8

- Update
  patches.suse/0002-bcache-avoid-oversized-read-request-in-cache-miss.patch
  (bsc#1184631 bsc#1224965 CVE-2021-47275).
- Update patches.suse/ACPI-fix-NULL-pointer-dereference.patch
  (git-fixes bsc#1224984 CVE-2021-47289).
- Update
  patches.suse/ALSA-usx2y-Don-t-call-free_pages_exact-with-NULL-add.patch
  (git-fixes bsc#1225091 CVE-2021-47332).
- Update
  patches.suse/ASoC-SOF-Fix-DSP-oops-stack-dump-output-contents.patch
  (git-fixes bsc#1225206 CVE-2021-47381).
- Update
  patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
  (git-fixes bsc#1225303 CVE-2021-47404).
- Update
  patches.suse/HID-bigbenff-prevent-null-pointer-dereference.patch
  (CVE-2022-20132 bsc#1200619 bsc#1225437 CVE-2021-47522).
- Update
  patches.suse/HID-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
  (git-fixes bsc#1225238 CVE-2021-47405).
- Update
  patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
  (CVE-2021-47485 bsc#1224904 bsc#1220960 CVE-2021-47104).
- Update
  patches.suse/KVM-PPC-Book3S-HV-Fix-stack-handling-in-idle_kvm_sta.patch
  (bko#206669 bsc#1174585 bsc#1192107 CVE-2021-43056 bsc#1225341
  CVE-2021-47465).
- Update
  patches.suse/KVM-mmio-Fix-use-after-free-Read-in-kvm_vm_ioctl_unr.patch
  (git-fixes bsc#1224923 CVE-2021-47341).
- Update
  patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch
  (git-fixes bsc#1225263 CVE-2021-47442).
- Update
  patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch
  (git-fixes bsc#1225262 CVE-2021-47443).
- Update
  patches.suse/NFS-Fix-use-after-free-in-nfs4_init_client.patch
  (git-fixes bsc#1224953 CVE-2021-47259).
- Update
  patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
  (bsc#1210629 CVE-2023-2176 bsc#1225318 CVE-2021-47391).
- Update
  patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch
  (CVE-2021-39698 bsc#1196956 bsc#1225400 CVE-2021-47505).
- Update
  patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch
  (git-fixes bsc#1225393 CVE-2021-47464).
- Update
  patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
  (bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
  (git-fixes bsc#1225256 CVE-2021-47456).
- Update
  patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
  (bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
  patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
  (git-fixes bsc#1224968 CVE-2021-47305).
- Update
  patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
  (git-fixes bsc#1224982 CVE-2021-47280).
- Update patches.suse/drm-amdgpu-fix-gart.bo-pin_count-leak.patch
  (git-fixes bsc#1225390 CVE-2021-47431).
- Update
  patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch
  (git-fixes bsc#1225261 CVE-2021-47445).
- Update
  patches.suse/drm-nouveau-debugfs-fix-file-release-memory-leak.patch
  (git-fixes bsc#1225366 CVE-2021-47423).
- Update patches.suse/drm-sched-Avoid-data-corruptions.patch
  (git-fixes bsc#1225140 CVE-2021-47354).
- Update
  patches.suse/fbmem-Do-not-delete-the-mode-that-is-still-in-use.patch
  (git-fixes bsc#1224924 CVE-2021-47338).
- Update
  patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
  (git-fixes bsc#1224966 CVE-2021-47276).
- Update
  patches.suse/hwmon-mlxreg-fan-Return-non-zero-value-when-fan-curr.patch
  (git-fixes bsc#1225321 CVE-2021-47393).
- Update
  patches.suse/i2c-acpi-fix-resource-leak-in-reconfiguration-device.patch
  (git-fixes bsc#1225223 CVE-2021-47425).
- Update
  patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
  (git-fixes bsc#1225367 CVE-2021-47424).
- Update patches.suse/ice-avoid-bpf_prog-refcount-underflow.patch
  (jsc#SLE-7926 bsc#1225500 CVE-2021-47563).
- Update patches.suse/ice-fix-vsi-txq_map-sizing.patch
  (jsc#SLE-7926 bsc#1225499 CVE-2021-47562).
- Update
  patches.suse/igb-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224916 CVE-2021-47301).
- Update
  patches.suse/igc-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224917 CVE-2021-47302).
- Update
  patches.suse/isdn-mISDN-Fix-sleeping-function-called-from-invalid.patch
  (git-fixes bsc#1225346 CVE-2021-47468).
- Update
  patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
  (git-fixes bsc#1224987 CVE-2021-47284).
- Update
  patches.suse/ixgbe-Fix-NULL-pointer-dereference-in-ixgbe_xdp_setu.patch
  (git-fixes bsc#1225328 CVE-2021-47399).
- Update
  patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
  (git-fixes bsc#1225143 CVE-2021-47356).
- Update
  patches.suse/mac80211-fix-use-after-free-in-CCMP-GCMP-RX.patch
  (git-fixes bsc#1225214 CVE-2021-47388).
- Update
  patches.suse/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch
  (git-fixes bsc#1225327 CVE-2021-47396).
- Update
  patches.suse/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch
  (git-fixes bsc#1225326 CVE-2021-47395).
- Update
  patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
  (git-fixes bsc#1224922 CVE-2021-47344).
- Update
  patches.suse/misc-alcor_pci-fix-null-ptr-deref-when-there-is-no-P.patch
  (git-fixes bsc#1225113 CVE-2021-47333).
- Update
  patches.suse/misc-libmasm-module-Fix-two-use-after-free-in-ibmasm.patch
  (git-fixes bsc#1225112 CVE-2021-47334).
- Update
  patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch
  (git-fixes bsc#1225224 CVE-2021-47441).
- Update patches.suse/net-batman-adv-fix-error-handling.patch
  (git-fixes bsc#1224909 CVE-2021-47482).
- Update
  patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
  (git-fixes bsc#1225453 CVE-2021-47541).
- Update
  patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
  (git-fixes bsc#1224981 CVE-2021-47285).
- Update
  patches.suse/net-qlogic-qlcnic-Fix-a-NULL-pointer-dereference-in-.patch
  (git-fixes bsc#1225455 CVE-2021-47542).
- Update
  patches.suse/nfp-Fix-memory-leak-in-nfp_cpp_area_cache_add.patch
  (git-fixes bsc#1225427 CVE-2021-47516).
- Update
  patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
  (git-fixes bsc#1225058 CVE-2021-47320).
- Update
  patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
  (bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
  bsc#1225336 CVE-2021-47416).
- Update
  patches.suse/powerpc-mm-Fix-lockup-on-kernel-exec-fault.patch
  (bsc#1156395 bsc#1225181 CVE-2021-47350).
- Update
  patches.suse/regmap-Fix-possible-double-free-in-regcache_rbtree_e.patch
  (git-fixes bsc#1224907 CVE-2021-47483).
- Update
  patches.suse/rxrpc-Fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
  (bsc#1154353 bnc#1151927 5.3.9 bsc#1225448 CVE-2021-47538).
- Update
  patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
  (git-fixes bsc#1225164 CVE-2021-47369).
- Update
  patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
  (git-fixes bsc#1225207 CVE-2021-47382).
- Update
  patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
  (bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
  patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
  (git-fixes bsc#1225384 CVE-2021-47565).
- Update
  patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
  (git-fixes bsc#1225192 CVE-2021-47473).
- Update
  patches.suse/serial-core-fix-transmit-buffer-reset-and-memleak.patch
  (git-fixes bsc#1194288 CVE-2021-47527).
- Update
  patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
  (git-fixes bsc#1224990 CVE-2021-47274).
- Update
  patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
  (bsc#1222619 CVE-2023-52880).
- Update
  patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
  (git-fixes bsc#1225084 CVE-2021-47330).
- Update
  patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
  (git-fixes bsc#1224996 CVE-2021-47269).
- Update
  patches.suse/usb-fix-various-gadget-panics-on-10gbps-cabling.patch
  (git-fixes bsc#1224993 CVE-2021-47267).
- Update
  patches.suse/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cab.patch
  (git-fixes bsc#1224997 CVE-2021-47270).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
  (git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
  (git-fixes bsc#1225351 CVE-2021-47495).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
  (git-fixes bsc#1225060 CVE-2021-47321).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
  (git-fixes bsc#1225030 CVE-2021-47324).
- Update
  patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
  (git-fixes bsc#1225026 CVE-2021-47323).
- Update
  patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
  (git-fixes bsc#1225177 CVE-2021-47347).
- Update
  patches.suse/xhci-Fix-command-ring-pointer-corruption-while-abort.patch
  (git-fixes bsc#1225232 CVE-2021-47434).
- commit 37dba5a

- net/smc: kABI workarounds for struct smc_link (CVE-2022-48673
  bsc#1223934).
- net/smc: Fix possible access to freed memory in link clear
  (CVE-2022-48673 bsc#1223934).
- commit 0f509bf

- soc: qcom: llcc: Handle a second device without data corruption (bsc#1225534 CVE-2023-52871)
- commit f6adad8

- x86/xen: Drop USERGS_SYSRET64 paravirt call (git-fixes).
- Refresh
  patches.suse/x86-entry_64-Add-VERW-just-before-userspace-transition.patch.
- Refresh
  patches.suse/x86-xen-add-xenpv_restore_regs_and_return_to_usermode.patch.
- commit fa16bf8

- cifs: fix underflow in parse_server_interfaces() (bsc#1223084,
  CVE-2024-26828).
- commit 8a48c12

- nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
  (bsc#1225355 CVE-2021-47497).
- commit 33cab00

- Refresh
  patches.suse/firmware-raspberrypi-introduce-vl805-init-routine.patch.
- Refresh
  patches.suse/pci-brcmstb-wait-for-raspberry-pi-s-firmware-when-present.patch.
- Refresh
  patches.suse/usb-pci-quirks-add-raspberry-pi-4-quirk.patch.
- Rename to
  patches.suse/soc-bcm2835-add-notify-xhci-reset-property.patch.
  Add upstream references, sync with upstream and move to the sorted
  section.
  3 of these patches were later reverted, but only because they were
  replaced by a different implementation, not because they were wrong.
  Add the reverts to blacklist.conf.
- commit ebed050

- iio: mma8452: Fix trigger reference couting (bsc#1225360
  CVE-2021-47500).
- commit 8ee9c73

- efi/capsule-loader: fix incorrect allocation size (bsc#1224438
  CVE-2024-27413).
- commit 66f7463

- tty: Fix out-of-bound vmalloc access in imageblit
  (CVE-2021-47383 bsc#1225208).
- commit aa2473d

- ALSA: pcm: oss: Fix negative period/buffer sizes (CVE-2021-47511
  bsc#1225411).
- commit 094796a

- Update tags in
  patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch.
  And move to the sorted section of series.conf.
- commit dc0df73

- Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch.
- Refresh
  patches.suse/x86-cpu-amd-move-the-errata-checking-functionality-up.patch.
  Move 2 upstream arch-specific patches to the sorted section.
- commit d5f36cd

- Input: synaptics-rmi4 - fix use after free in
  rmi_unregister_function() (CVE-2023-52840 bsc#1224928).
- commit 3a1b2ed

- IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() (CVE-2021-47485 bsc#1224904)
- commit 7e99b42

- af_unix: annote lockless accesses to unix_tot_inflight &amp;
  gc_in_progress (bsc#1223384).
- Refresh
  patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch.
- commit 03fbb54

- IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields (CVE-2021-47485 bsc#1224904)
- commit c9482fe

- IB/mlx5: Fix initializing CQ fragments buffer (bsc#1224954 CVE-2021-47261)
- commit 77cbada

- Move powerpc patches to their specific section
  They are apparently not going upstream.
- commit eea93a0

- Move upstream patches to the sorted section
- commit 757eb5a

- Update
  patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch
  (bsc#1209657 CVE-2023-0160 CVE-2024-35895 bsc#1224511).
- Update
  patches.suse/nfsd-Fix-error-cleanup-path-in-nfsd_rename.patch
  (bsc#1221044 CVE-2023-52591 CVE-2024-35914 bsc#1224482).
- Update
  patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch
  (CVE-2023-47233 bsc#1216702 CVE-2024-35811 bsc#1224592).
- commit e0bcd81

- Update
  patches.suse/KVM-PPC-Fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch
  (bsc#1156395 CVE-2021-47296 bsc#1224891).
- Update
  patches.suse/NFS-Fix-a-potential-NULL-dereference-in-nfs_get_clie.patch
  (git-fixes CVE-2021-47260 bsc#1224834).
- Update
  patches.suse/PCI-aardvark-Fix-kernel-panic-during-PIO-transfer.patch
  (git-fixes CVE-2021-47229 bsc#1224854).
- Update
  patches.suse/batman-adv-Avoid-WARN_ON-timing-related-checks.patch
  (git-fixes CVE-2021-47252 bsc#1224882).
- Update
  patches.suse/can-mcba_usb-fix-memory-leak-in-mcba_usb.patch
  (git-fixes CVE-2021-47231 bsc#1224849).
- Update
  patches.suse/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch
  (bsc#1188772 CVE-2021-47255 bsc#1224832).
- Update
  patches.suse/media-ngene-Fix-out-of-bounds-bug-in-ngene_command_c.patch
  (git-fixes CVE-2021-47288 bsc#1224889).
- Update
  patches.suse/memory-fsl_ifc-fix-leak-of-IO-mapping-on-probe-failu.patch
  (git-fixes CVE-2021-47315 bsc#1224892).
- Update
  patches.suse/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch
  (git-fixes CVE-2021-47314 bsc#1224893).
- Update patches.suse/net-cdc_eem-fix-tx-fixup-skb-leak.patch
  (git-fixes CVE-2021-47236 bsc#1224841).
- Update
  patches.suse/net-mlx5e-Fix-page-reclaim-for-dead-peer-hairpin.patch
  (git-fixes CVE-2021-47246 bsc#1224831).
- Update
  patches.suse/net-qrtr-fix-OOB-Read-in-qrtr_endpoint_post.patch
  (CVE-2021-3743 bsc#1189883 CVE-2021-47240 bsc#1224843).
- Update
  patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
  (git-fixes CVE-2021-47239 bsc#1224846).
- Update
  patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch
  (git-fixes CVE-2021-47220 bsc#1224859).
- commit 5376688

- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (bsc#1224888
  CVE-2021-47254).
- commit bf82ce3

- btrfs: do not start relocation until in progress drops are done
  (bsc#1222251).
- commit a41ddb4

- btrfs: do not start relocation until in progress drops are done
  (bsc#1222251).
- commit 0f3d5ec

- Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
  (bsc#1224174 CVE-2024-27398).
- commit 2d99726

- af_unix: Fix garbage collector racing against connect()
  (CVE-2024-26923 bsc#1223384).
- af_unix: Replace BUG_ON() with WARN_ON_ONCE() (bsc#1223384).
- af_unix: Do not use atomic ops for unix_sk(sk)-&gt;inflight (bsc#1223384).
- commit 9a2eeaf

- blacklist.conf: Fix for code not present (CVE-2024-26929)
- commit 3d9e5d9

- Refresh
  patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch.
- Refresh
  patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch.
- Refresh
  patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch.
  Adjust headers to minimize merge conflicts.
- commit 0300a69

- Refresh
  patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch.
  Swap headers to avoid a conflict when merging into consumer branches.
- commit 1510229

- Refresh
  patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch.
  Update Patch-mainline tag and move to sorted section.
- commit 81abd64

- Refresh patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch.
  Add upstream commit ID and move to sorted section.
- commit 5c72346

- Refresh
  patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch.
  Update Patch-mainline tag and move to sorted section.
- commit 684103a

- Refresh
  patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch.
  Update Patch-mainline tag and move to sorted section.
- commit a75fb60

- Refresh
  patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch.
  Driver was deleted upstream so this fix will stay out-of-tree
  forever. Move to the appropriate section.
- commit bce6652

- Refresh
  patches.suse/media-dvb-core-Fix-UAF-due-to-refcount-races-at-rele.patch.
  Add upstream commit ID and move to sorted section.
- commit 39ecedd

- Refresh
  patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch.
  Add upstream commit ID and move to sorted section.
- commit 6754ecb

- Refresh
  patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch.
  Add upstream commit ID and move to sorted section.
- commit 92fa4c5

- Refresh
  patches.suse/SUNRPC-auth-async-tasks-mustn-t-block-waiting-for-me.patch.
- Refresh
  patches.suse/SUNRPC-call_alloc-async-tasks-mustn-t-block-waiting-.patch.
- Refresh
  patches.suse/SUNRPC-improve-swap-handling-scheduling-and-PF_MEMAL.patch.
- Refresh
  patches.suse/SUNRPC-remove-scheduling-boost-for-SWAPPER-tasks.patch.
- Refresh
  patches.suse/SUNRPC-xprt-async-tasks-mustn-t-block-waiting-for-me.patch.
  Add upstream commit IDs and move to sorted section.
- commit 245a308

- Refresh
  patches.suse/NFS-change-nfs_access_get_cached-to-only-report-the-.patch.
- Refresh
  patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch.
- Refresh
  patches.suse/NFS-pass-cred-explicitly-for-access-tests.patch.
  Add upstream commit IDs and move to sorted section.
- commit 8f85449

- Refresh
  patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch.
  Add upstream commit ID and move to sorted section.
- commit 0e0054f

- NFC: nxp: add NXP1002 (bsc#1185589).
  Add upstream commit ID and subject, and move to sorted section.
- commit 01c3222

- series.conf: Move block-genhd-use-atomic_t-for-disk_event-block.patch
  Patch was never accepted upstream and was dropped from later products
  as it had problematic side effects. Move it to the appropriate
  out-of-tree section.
- commit 9199401

- PCI: rpaphp: Add MODULE_DESCRIPTION (bsc#1176869 ltc#188243).
  Add upstream commit ID and subject, and move to sorted section.
- commit 4630de9

- Refresh
  patches.suse/drivers-base-memory.c-cache-blocks-in-radix-tree-to-.patch.
  Document why this commit will never go upstream and move it to its
  specific section.
- commit f30bed3

- Refresh
  patches.suse/x86-boot-Ignore-relocations-in-.notes-sections-in-walk_rel.patch.
  Move to sorted section.
- commit 9bdf9d5

- blacklist.conf: add fix for code not present (CVE-2024-26930)
- commit 19f6175

- Update
  patches.suse/netfilter-nf_tables-mark-set-as-dead-when-unbinding-.patch
  (git-fixes CVE-2024-26643 bsc#1221829).
- Update
  patches.suse/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch
  (git-fixes CVE-2024-26925 bsc#1223390).
- Update
  patches.suse/netfilter-nft_set_rbtree-skip-end-interval-element-f.patch
  (git-fixes CVE-2024-26581 bsc#1220144).
- commit 5b5ef95

- Update
  patches.suse/io_uring-af_unix-disable-sending-io_uring-over-socke.patch
  (bsc#1220754 CVE-2023-6531 CVE-2023-52654 bsc#1224099).
- Update
  patches.suse/netfilter-nf_tables-fix-memleak-when-more-than-255-e.patch
  (git-fixes CVE-2023-52581 bsc#1220877).
- Update
  patches.suse/netfilter-nft_set_rbtree-skip-sync-GC-for-new-elemen.patch
  (git-fixes CVE-2023-52433 bsc#1220137).
- commit ab7595e

- blacklist.conf: Add 9474c62ab65f net/sched: Add module alias for sch_fq_pie
- commit 0f0d88e

- usb: aqc111: check packet for fixup for true limit (bsc#1217169
  CVE-2023-52655).
- commit 1678228

- Update
  patches.suse/drm-radeon-add-a-force-flush-to-delay-work-when-rade.patch
  (git-fixes CVE-2022-48704 bsc#1223932).
- commit d602686

- netfilter: nf_tables: release mutex after nft_gc_seq_end from
  abort path (git-fixes).
- commit 453d60a

- netfilter: nf_tables: mark set as dead when unbinding anonymous
  set with timeout (git-fixes).
- commit a3b6f2c

- netfilter: nft_set_rbtree: skip end interval element from gc
  (git-fixes).
- commit f941d80

- netfilter: nf_tables: skip dead set elements in netlink dump
  (git-fixes).
- commit 11672cf

- netfilter: nf_tables: mark newset as dead on transaction abort
  (git-fixes).
- commit deeefa0

- blacklist.conf: update blacklist
- commit d111502

- blacklist.conf: update blacklist
- commit c053707

- netfilter: nf_tables: nft_set_rbtree: fix spurious insertion
  failure (git-fixes).
- commit 787a388

- Refresh patches.kabi/netfilter-preserve-nf_tables-kabi.patch.
- commit f69dce7

- netfilter: nf_tables: fix memleak when more than 255 elements
  expired (git-fixes).
- commit 55db444

- blacklist.conf: update blacklist
- commit 3075338

- netfilter: nft_set_hash: try later when GC hits EAGAIN on
  iteration (git-fixes).
- commit bc13e9b

- netfilter: nft_set_rbtree: use read spinlock to avoid datapath
  contention (git-fixes).
- commit 9ed8e71

- netfilter: nft_set_rbtree: skip sync GC for new elements in
  this transaction (git-fixes).
- commit 0d564a0

- netfilter: nf_tables: defer gc run if previous batch is still
  pending (git-fixes).
- commit 1cb21d0

- netfilter: nf_tables: use correct lock to protect gc_list
  (git-fixes).
- commit f315c4c

- netfilter: nf_tables: GC transaction race with abort path
  (git-fixes).
- commit ce0642f

- netfilter: nf_tables: GC transaction race with netns dismantle
  (git-fixes).
- commit d9e442c

- blacklist.conf: update blacklist
- commit 51055c8

- netfilter: nf_tables: fix GC transaction races with netns and
  netlink event exit path (git-fixes).
- commit eacca32

- netfilter: nf_tables: fix kdoc warnings after gc rework
  (git-fixes).
- commit f86c22d

- Update
  patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch
  (git-fixes CVE-2022-48695 bsc#1223941).
- commit 033821b

- Update
  patches.suse/ALSA-emu10k1-Fix-out-of-bounds-access-in-snd_emu10k1.patch
  (git-fixes CVE-2022-48702 bsc#1223923).
- commit c521d4a

- Update
  patches.suse/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch
  (git-fixes CVE-2022-48672 bsc#1223931).
- commit e3fefd5

- cachefiles: fix memory leak in cachefiles_add_cache()
  (bsc#1222976 CVE-2024-26840).
- commit aa1fa99

- netfilter: nf_tables: adapt set backend to use GC transaction
  API (bsc#1215420 CVE-2023-4244).
- commit 2a5fb01

- btrfs: abort in rename_exchange if we fail to insert the second ref (CVE-2021-47113 bsc#1221543)
  Refresh patches.suse/btrfs-prevent-rename2-from-exchanging-a-subvol-with-a-directory-from-different-parents.patch
- commit cc57e15

- Update
  patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
  references (CVE-2024-26739 bsc#1222559, drop incorrect references).
- commit 8b3f599

- net/tls: Remove the context from the list in tls_device_down
  (bsc#1221545).
- commit aca4b2e

- blacklist.conf: add 94ce3b64c62d
  Blacklist commit 94ce3b64c62d (&quot;net/tls: Use RCU API to access
  tls_ctx-&gt;netdev&quot;). This is a follow-up to c55dcdd435aa which addresses an
  issue which is rather theoretical and the backport would be quite
  intrusive.
- commit 64bbcaf

- tls: Fix context leak on tls_device_down (bsc#1221545).
- commit 23bab3f

- Update
  patches.suse/nvme-tcp-fix-uaf-when-detecting-digest-errors.patch
  (bsc#1200313 bsc#1201489 CVE-2022-48686 bsc#1223948).
- commit 5e5f9fe

- Update
  patches.suse/ALSA-usb-audio-Fix-an-out-of-bounds-bug-in-__snd_usb.patch
  (git-fixes CVE-2022-48701 bsc#1223921).
- commit 5de225e

- Update
  patches.suse/soc-brcmstb-pm-arm-Fix-refcount-leak-and-__iomem-lea.patch
  (git-fixes CVE-2022-48693 bsc#1223963).
- commit 0e4cd62

- kabi: hide new member of struct tls_context (CVE-2021-47131
  bsc#1221545).
- net/tls: Fix use-after-free after the TLS device goes down
  and up (CVE-2021-47131 bsc#1221545).
- commit c19ff47

- Update
  patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
  (bsc#1211592 CVE-2023-2860 CVE-2022-48687 bsc#1223952).
- commit 94a1c44

- net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
  (CVE-2024-26852 bsc#1223057).
- commit f51e744

- openvswitch: fix stack OOB read while fragmenting IPv4 packets
  (CVE-2021-46955 bsc#1220513).
- commit 37faff4

- packet: annotate data-races around ignore_outgoing
  (CVE-2024-26862 bsc#1223111).
- commit 9b14c5d

- sctp: fix potential deadlock on &amp;net-&gt;sctp.addr_wq_lock
  (CVE-2024-0639 bsc#1218917).
- commit c0f421c

- netfilter: preserve nf_tables kabi (bsc#1215420 CVE-2023-424).
- commit e6ab556

- media: edia: dvbdev: fix a use-after-free (CVE-2024-27043
  bsc#1223824).
- commit 1c01fe0

- ext4: fix bug in extents parsing when eh_entries == 0 and
  eh_depth &gt; 0 (bsc#1223475 CVE-2022-48631).
- commit 911e181

- md/raid5: fix atomicity violation in raid5_cache_count
  (bsc#1219169, CVE-2024-23307).
- commit b804891

- Update
  patches.suse/cgroup-cgroup_get_from_id-must-check-the-looked-up-kn-is-a-directory.patch
  (bsc#1203906 CVE-2022-48638 bsc#1223522).
- commit 3bd7c2d

- netfilter: nf_tables: GC transaction API to avoid race with
  control plane (bsc#1215420 CVE-2023-4244).
- commit 361e5a0

- netfilter: nf_tables: don't skip expired elements during walk
  (bsc#1215420 CVE-2023-4244).
- commit 47ee234

- Update
  patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch
  (bsc#1203935 CVE-2022-48650 bsc#1223509).
- commit c5c2590

- Update
  patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch
  (bsc#1204614 CVE-2022-48654 bsc#1223482).
- commit 1221e0a

- netfilter: nft_set_rbtree: fix overlap expiration walk
  (git-fixes).
- commit 90d7112

- netfilter: nft_set_rbtree: fix null deref on element insertion
  (git-fixes).
- commit f25e27c

- netfilter: nft_set_rbtree: skip elements in transaction from
  garbage collection (git-fixes).
- commit 845bbc6

- netfilter: nft_set_rbtree: Switch to node list walk for overlap
  detection (git-fixes).
- commit bd48625

- netfilter: nft_set_rbtree: overlap detection with element
  re-addition after deletion (git-fixes).
- commit d362ed4

- netfilter: nft_set_rbtree: Detect partial overlap with start
  endpoint match (git-fixes).
- commit 4970ce9

- netfilter: nft_set_rbtree: Handle outcomes of tree rotations
  in overlap detection (git-fixes).
- commit bc0387c

- netfilter: nft_set_rbtree: Don't account for expired elements
  on insertion (git-fixes).
- commit c90c848

- netfilter: nft_set_rbtree: Add missing expired checks
  (git-fixes).
- commit 0d65e63

- netfilter: nft_set_rbtree: Drop spurious condition for overlap
  detection on insertion (git-fixes).
- commit a64c352

- netfilter: nft_set_rbtree: Detect partial overlaps on insertion
  (git-fixes).
- commit 39167a3

- netfilter: nft_set_rbtree: Introduce and use
  nft_rbtree_interval_start() (git-fixes).
- commit 9b991e8

- netfilter: nft_set_rbtree: bogus lookup/get on consecutive
  elements in named sets (git-fixes).
- commit 1a2cbfc

- ipvlan: Fix out-of-bound bugs caused by unset skb-&gt;mac_header
  (bsc#1223513 CVE-2022-48651).
- commit 0325bf2

- x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (bsc#1223202 CVE-2024-26906).
- commit 4dcafb9

- x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h (bsc#1223202 CVE-2024-26906).
- commit 4e61cac

- x86/boot: Ignore relocations in .notes sections in walk_relocs() too (bsc#1222624 CVE-2024-26816).
- commit 8d2e301

- x86, relocs: Ignore relocations in .notes section (bsc#1222624 CVE-2024-26816).
- commit b1ed209

- Update
  patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
  (bsc#1219264 CVE-2024-0841 CVE-2024-26688 bsc#1222482).
- Update
  patches.suse/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch
  (bsc#1219170 CVE-2024-22099 CVE-2024-26903 bsc#1223187).
- Update
  patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
  (CVE-2024-26733 bsc#1222585 CVE-2024-26739 bsc#1222559).
- commit edcb3fa

- Update
  patches.suse/ALSA-gus-fix-null-pointer-dereference-on-pointer-blo.patch
  (git-fixes CVE-2021-47207 bsc#1222790).
- Update
  patches.suse/cfg80211-call-cfg80211_stop_ap-when-switch-from-P2P_.patch
  (git-fixes CVE-2021-47194 bsc#1222829).
- Update
  patches.suse/i40e-Fix-NULL-ptr-dereference-on-VSI-filter-sync.patch
  (git-fixes CVE-2021-47184 bsc#1222666).
- Update
  patches.suse/iavf-free-q_vectors-before-queues-in-iavf_disable_vf.patch
  (git-fixes CVE-2021-47201 bsc#1222792).
- Update
  patches.suse/net-mlx5-Update-error-handler-for-UCTX-and-UMEM.patch
  (git-fixes CVE-2021-47212 bsc#1222709).
- Update
  patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch
  (bsc#1190576 CVE-2021-47203 bsc#1222881).
- Update
  patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
  (bsc#1192145 CVE-2021-47198 bsc#1222883).
- Update
  patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch
  (git-fixes CVE-2021-47185 bsc#1222669).
- Update
  patches.suse/usb-host-ohci-tmio-check-return-value-after-calling-.patch
  (git-fixes CVE-2021-47206 bsc#1222894).
- commit 8d3f18a

- Update
  patches.suse/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
  (bsc#1218562 CVE-2023-6270 CVE-2024-26898 bsc#1223016).
- commit 8d6a724

- Update patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch
  (git-fixes CVE-2021-47216 bsc#1222876).
- commit 1856476

- wifi: iwlwifi: fix a memory corruption (CVE-2024-26610
  bsc#1221299).
- commit cceba2c

- Update patches.suse/arp-Prevent-overflow-in-arp_req_get.patch
- fix build warning
- commit d969104

- ceph: prevent use-after-free in encode_cap_msg() (CVE-2024-26689
  bsc#1222503).
- commit c431df1

- Update patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch (git-fixes CVE-2021-47202 bsc#1222878)
- commit 94c254a

- nvme-tcp: can't set sk_user_data without write_lock
  (CVE-2021-47041 bsc#1220755).
- commit c3bc01a

- nvme-loop: fix memory leak in nvme_loop_create_ctrl()
  (CVE-2021-47074 bsc#1220854).
- nvme-loop: don't put ctrl on nvme_init_ctrl error
  (CVE-2021-47074 bsc#1220854).
- commit 8101361

- nvmet-tcp: fix incorrect locking in state_change sk callback
  (CVE-2021-47041 bsc#1220755).
- commit ee0c72d

- RDMA/srpt: Support specifying the srpt_service_guid parameter (bsc#1222449 CVE-2024-26744)
- commit 12241af

- Refresh
  patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch.
- commit ea3cbb2

- Update patches.suse/bpf-Fix-integer-overflow-involving-bucket_size.patch
  Fix CVE reference format.
- commit 86e8797

- Update
  patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
  (git-fixes CVE-2021-47189 bsc#1222706).
- commit ed3e4bc

- Update
  patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch
  (git-fixes CVE-2021-47185).
- commit 972d0f6

- Update
  patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch
  (bsc#1192145 CVE-2021-47183 bsc#1222664).
- commit add99e0

- Update
  patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch
  (git-fixes CVE-2021-47181 bsc#1222660).
- commit 87eb148

- tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
  (bsc#1222619).
- commit 7db5139

- arp: Prevent overflow in arp_req_get() (CVE-2024-26733
  bsc#1222585).
- commit 0a4c958

- net/sched: act_mirred: don't override retval if we already
  lost the skb (CVE-2024-26733 bsc#1222585).
- commit cc1339b

- ext4: fix double-free of blocks due to wrong extents moved_len
  (bsc#1222422 CVE-2024-26704).
- commit d1a6e8f

- fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
  (bsc#1219264).
- commit bc51f7b

- nfsd: Fix error cleanup path in nfsd_rename() (bsc#1221044
  CVE-2023-52591).
- commit 24c2d2e

- Update
  patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch
  (bsc#1214842 CVE-2023-52508 bsc#1221015).
- Update
  patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
  (git-fixes CVE-2023-52575 bsc#1220871).
- commit 61a8300

- Update
  patches.suse/Bluetooth-avoid-deadlock-between-hci_dev-lock-and-so.patch
  (git-fixes CVE-2021-47038 bsc#1220753).
- Update
  patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch
  (git-fixes CVE-2021-47097 bsc#1220982).
- Update
  patches.suse/KEYS-trusted-Fix-TPM-reservation-for-seal-unseal.patch
  (git-fixes CVE-2021-46922 bsc#1220475).
- Update
  patches.suse/KEYS-trusted-Fix-memory-leak-on-object-td.patch
  (git-fixes CVE-2021-47009 bsc#1220733).
- Update
  patches.suse/RDMA-rtrs-clt-destroy-sysfs-after-removing-session-f.patch
  (jsc#SLE-15176 CVE-2021-47026 bsc#1220685).
- Update
  patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
  (git-fixes CVE-2021-47101 bsc#1220987).
- Update
  patches.suse/ath10k-Fix-a-use-after-free-in-ath10k_htc_send_bundl.patch
  (git-fixes CVE-2021-47017 bsc#1220678).
- Update patches.suse/ch_ktls-Fix-kernel-panic.patch
  (jsc#SLE-15131 CVE-2021-46911 bsc#1220400).
- Update
  patches.suse/dmaengine-idxd-Fix-clobbering-of-SWERR-overflow-bit-.patch
  (git-fixes CVE-2021-46920 bsc#1220426).
- Update
  patches.suse/dmaengine-idxd-Fix-potential-null-dereference-on-poi.patch
  (git-fixes CVE-2021-47003 bsc#1220677).
- Update
  patches.suse/dmaengine-idxd-clear-MSIX-permission-entry-on-shutdo.patch
  (git-fixes CVE-2021-46918 bsc#1220429).
- Update
  patches.suse/dmaengine-idxd-fix-wq-cleanup-of-WQCFG-registers.patch
  (git-fixes CVE-2021-46917 bsc#1220432).
- Update
  patches.suse/dmaengine-idxd-fix-wq-size-store-permission-state.patch
  (git-fixes CVE-2021-46919 bsc#1220414).
- Update
  patches.suse/drm-amd-display-Fix-off-by-one-in-hdmi_14_process_tr.patch
  (git-fixes CVE-2021-47046 bsc#1220758).
- Update patches.suse/drm-i915-Fix-crash-in-auto_retire.patch
  (git-fixes CVE-2021-46976 bsc#1220621).
- Update
  patches.suse/iommu-vt-d-remove-wo-permissions-on-second-level-paging-entries
  (bsc#1187346 CVE-2021-47035 bsc#1220688).
- Update
  patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
  (git-fixes CVE-2021-47100 bsc#1220985).
- Update
  patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch
  (git-fixes CVE-2021-47095 bsc#1220979).
- Update
  patches.suse/ixgbe-fix-unbalanced-device-enable-disable-in-suspen.patch
  (jsc#SLE-13706 CVE-2021-46914 bsc#1220465).
- Update patches.suse/net-dsa-mt7530-fix-VLAN-traffic-leaks.patch
  (git-fixes CVE-2021-47160 bsc#1221974).
- Update
  patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch
  (git-fixes CVE-2021-47150 bsc#1221973).
- Update
  patches.suse/net-lantiq-fix-memory-corruption-in-RX-ring.patch
  (git-fixes CVE-2021-47137 bsc#1221932).
- Update
  patches.suse/net-mlx5e-Fix-null-deref-accessing-lag-dev.patch
  (jsc#SLE-15172 CVE-2021-47164 bsc#1221978).
- Update
  patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch
  (jsc#SLE-15172 CVE-2021-46931 bsc#1220486).
- Update
  patches.suse/net-sched-act_ct-fix-wild-memory-access-when-clearin.patch
  (bsc#1176447 CVE-2021-47014 bsc#1220630).
- Update
  patches.suse/net-sched-fq_pie-fix-OOB-access-in-the-traffic-path.patch
  (jsc#SLE-15172 CVE-2021-47175 bsc#1222003).
- Update
  patches.suse/netfilter-nft_set_pipapo_avx2-Add-irq_fpu_usable-che.patch
  (bsc#1176447 CVE-2021-47174 bsc#1221990).
- Update patches.suse/nvmet-fix-freeing-unallocated-p2pmem.patch
  (git-fixes CVE-2021-47130 bsc#1221552).
- Update
  patches.suse/nvmet-rdma-Fix-NULL-deref-when-SEND-is-completed-wit.patch
  (git-fixes CVE-2021-46983 bsc#1220639).
- Update patches.suse/s390-dasd-add-missing-discipline-function
  (bsc#1188130 ltc#193581 CVE-2021-47176 bsc331221996
  bsc#1221996).
- Update
  patches.suse/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak
  (git-fixes CVE-2021-46968 bsc#1220689).
- Update
  patches.suse/sched-fair-Fix-shift-out-of-bounds-in-load_balance.patch
  (git fixes (sched) CVE-2021-47044 bsc#1220759).
- Update
  patches.suse/spi-Fix-use-after-free-with-devm_spi_alloc_.patch
  (git-fixes CVE-2021-46959 bsc#1220734).
- Update patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch
  (git-fixes CVE-2021-47087 bsc#1220954).
- Update
  patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch
  (git-fixes CVE-2021-46933 bsc#1220487).
- Update
  patches.suse/usb-typec-ucsi-Retrieve-all-the-PDOs-instead-of-just.patch
  (git-fixes CVE-2021-46980 bsc#1220663).
- Update
  patches.suse/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch
  (bsc#1185558 CVE-2021-46956 bsc#1220516).
- Update patches.suse/xprtrdma-Fix-cwnd-update-ordering.patch
  (git-fixes CVE-2021-47001 bsc#1220670).
- commit d6fc0df

- Update
  patches.suse/i2c-imx-fix-reference-leak-when-pm_runtime_get_sync-.patch
  (git-fixes CVE-2020-36781 bsc#1220557).
- commit c903cb8

- Update
  patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch
  (CVE-2023-4881 bsc#1215221 CVE-2023-52628 bsc#1222117).
- Update
  patches.suse/scsi-pm80xx-Avoid-leaking-tags-when-processing-OPC_INB_SET_CONTROLLER_CONFIG-command.patch
  (bsc#1220883 CVE-2023-52500).
- commit 81ec1ab

- scsi: pm80xx: Avoid leaking tags when processing
  OPC_INB_SET_CONTROLLER_CONFIG command (bsc#1220883
  cve-2023-52500).
- commit a52992b

- Fixup NULL ptr dereference due to mistake in backporting in
  patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch.
- commit f07130b

- bpf, sockmap: Prevent lock inversion deadlock in map delete elem
  (bsc#1209657 CVE-2023-0160).
- commit 299921b

- blacklist.conf: omit reverted sockmap deadlock fix
- commit 66facc4

- netfilter: nf_tables: disallow anonymous set with timeout flag
  (CVE-2024-26642 bsc#1221830).
- commit ca89796

- netfilter: ctnetlink: fix possible refcount leak in
  ctnetlink_create_conntrack() (CVE-2023-7192 bsc#1218479).
- commit c40a2c4

- README.BRANCH: Remove copy of branch name
- commit 27396e8

- README.BRANCH: Remove copy of branch name
- commit 757f48f

- Update
  patches.suse/net-zero-initialize-tc-skb-extension-on-allocation.patch
  (bsc#1176447 CVE-2021-47136 bsc#1221931).
- commit adea53b

- ipv6: init the accept_queue's spinlocks in inet6_create
  (bsc#1221293 CVE-2024-26614).
- commit 0cf80b2

- tcp: make sure init the accept_queue's spinlocks once
  (bsc#1221293 CVE-2024-26614).
- commit d27abbc

- userfaultfd: release page in error path to avoid BUG_ON
  (CVE-2021-46988 bsc#1220706).
- commit 37b27a1

- powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
  (CVE-2023-52607 bsc#1221061).
- commit 37ce65f

- perf/core: Fix unconditional security_locked_down() call
  (bsc#1220697, CVE-2021-46971).
- commit b2c4fe7

- Update
  patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch
  (bsc#1208995 CVE-2023-1192 CVE-2023-52572 bsc#1220946).
- Update
  patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356 CVE-2023-52454 bsc#1220320).
- Update
  patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch
  (bsc#1221044 CVE-2023-52591 CVE-2023-52590 bsc#1221088).
- Update
  patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
  (bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836).
- Update
  patches.suse/usb-hub-Guard-against-accesses-to-uninitialized-BOS-.patch
  (git-fixes CVE-2023-52477 bsc#1220790).
- commit 807fa36

- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487 CVE-2022-48626 bsc#1220366).
- commit 32e1ae4

- Update
  patches.suse/0005-dm-rq-fix-double-free-of-blk_mq_tag_set-in-dev-remov.patch
  (git-fixes CVE-2021-46938 bsc#1220554).
- Update
  patches.suse/0005-drm-bridge-panel-Cleanup-connector-on-bridge-detach.patch
  (bsc#1152489 CVE-2021-47063 bsc#1220777).
- Update
  patches.suse/0006-nbd-Fix-NULL-pointer-in-flush_workqueue.patch
  (git-fixes CVE-2021-46981 bsc#1220611).
- Update
  patches.suse/ARM-9064-1-hw_breakpoint-Do-not-directly-check-the-event-s-overflow_handler-hook.patch
  (git-fixes CVE-2021-47006 bsc#1220751).
- Update
  patches.suse/ARM-footbridge-fix-PCI-interrupt-mapping.patch
  (git-fixes CVE-2021-46909 bsc#1220442).
- Update
  patches.suse/HID-magicmouse-fix-NULL-deref-on-disconnect.patch
  (git-fixes CVE-2021-47120 bsc#1221606).
- Update
  patches.suse/KVM-Destroy-I-O-bus-devices-on-unregister-failure-_a.patch
  (bsc#git-fixes CVE-2021-47061 bsc#1220745).
- Update
  patches.suse/NFC-nci-fix-memory-leak-in-nci_allocate_device.patch
  (git-fixes CVE-2021-47180 bsc#1221999).
- Update
  patches.suse/NFS-Don-t-corrupt-the-value-of-pg_bytes_written-in-n.patch
  (git-fixes CVE-2021-47166 bsc#1221998).
- Update
  patches.suse/NFS-Fix-an-Oopsable-condition-in-__nfs_pageio_add_re.patch
  (git-fixes CVE-2021-47167 bsc#1221991).
- Update
  patches.suse/NFS-fix-an-incorrect-limit-in-filelayout_decode_layo.patch
  (git-fixes CVE-2021-47168 bsc#1222002).
- Update
  patches.suse/NFSv4-Fix-a-NULL-pointer-dereference-in-pnfs_mark_ma.patch
  (git-fixes CVE-2021-47179 bsc#1222001).
- Update
  patches.suse/USB-usbfs-Don-t-WARN-about-excessively-large-memory-.patch
  (git-fixes CVE-2021-47170 bsc#1222004).
- Update
  patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch
  (git-fixes CVE-2021-47015 bsc#1220794).
- Update
  patches.suse/btrfs-fix-race-between-transaction-aborts-and-fsyncs.patch
  (bsc#1186441 CVE-2021-46958 bsc#1220521).
- Update
  patches.suse/ceph-fix-inode-leak-on-getattr-error-in-_fh_to_dentry.patch
  (bsc#1186501 CVE-2021-47000 bsc#1220669).
- Update
  patches.suse/cifs-Return-correct-error-code-from-smb2_get_enc_key.patch
  (git-fixes CVE-2021-46960 bsc#1220528).
- Update
  patches.suse/crypto-qat-ADF_STATUS_PF_RUNNING-should-be-set-after.patch
  (git-fixes CVE-2021-47056 bsc#1220769).
- Update
  patches.suse/cxgb4-avoid-accessing-registers-when-clearing-filter.patch
  (git-fixes CVE-2021-47138 bsc#1221934).
- Update patches.suse/drm-amd-amdgpu-fix-refcount-leak.patch
  (git-fixes CVE-2021-47144 bsc#1221989).
- Update patches.suse/drm-amdgpu-Fix-a-use-after-free.patch
  (git-fixes CVE-2021-47142 bsc#1221952).
- Update
  patches.suse/drm-meson-fix-shutdown-crash-when-component-not-prob.patch
  (git-fixes CVE-2021-47165 bsc#1221965).
- Update
  patches.suse/ethernet-enic-Fix-a-use-after-free-bug-in-enic_hard_.patch
  (git-fixes CVE-2021-46998 bsc#1220625).
- Update
  patches.suse/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_spli.patch
  (bsc#1187408 CVE-2021-47117 bsc#1221575).
- Update
  patches.suse/ext4-fix-memory-leak-in-ext4_fill_super.patch
  (bsc#1187409 CVE-2021-47119 bsc#1221608).
- Update
  patches.suse/gve-Add-NULL-pointer-checks-when-freeing-irqs.patch
  (git-fixes CVE-2021-47141 bsc#1221949).
- Update
  patches.suse/i2c-i801-Don-t-generate-an-interrupt-on-bus-reset.patch
  (git-fixes CVE-2021-47153 bsc#1221969).
- Update
  patches.suse/i40e-Fix-use-after-free-in-i40e_client_subtask.patch
  (git-fixes CVE-2021-46991 bsc#1220575).
- Update
  patches.suse/iio-adc-ad7124-Fix-potential-overflow-due-to-non-seq.patch
  (git-fixes CVE-2021-47172 bsc#1221992).
- Update patches.suse/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu
  (bsc#1189218 CVE-2021-47177 bsc#1221997).
- Update
  patches.suse/ipc-mqueue-msg-sem-Avoid-relying-on-a-stack-reference.patch
  (bsc#1185988 bsc1220826 CVE-2021-47069 bsc#1220826).
- Update
  patches.suse/kyber-fix-out-of-bounds-access-when-preempted.patch
  (bsc#1187403 CVE-2021-46984 bsc#1220631).
- Update
  patches.suse/locking-qrwlock-Fix-ordering-in-queued_write_lock_sl.patch
  (bsc#1185041 CVE-2021-46921 bsc#1220468).
- Update
  patches.suse/md-raid1-properly-indicate-failure-when-ending-a-fai.patch
  (bsc#1185680 CVE-2021-46950 bsc#1220662).
- Update
  patches.suse/media-staging-intel-ipu3-Fix-memory-leak-in-imu_fmt.patch
  (git-fixes CVE-2021-46944 bsc#1220566).
- Update
  patches.suse/media-staging-intel-ipu3-Fix-set_fmt-error-handling.patch
  (git-fixes CVE-2021-46943 bsc#1220583).
- Update
  patches.suse/misc-uss720-fix-memory-leak-in-uss720_probe.patch
  (git-fixes CVE-2021-47173 bsc#1221993).
- Update
  patches.suse/mmc-uniphier-sd-Fix-a-resource-leak-in-the-remove-fu.patch
  (git-fixes CVE-2021-46962 bsc#1220532).
- Update
  patches.suse/msft-hv-2305-Drivers-hv-vmbus-Use-after-free-in-__vmbus_open.patch
  (git-fixes CVE-2021-47049 bsc#1220692).
- Update
  patches.suse/msft-hv-2316-uio_hv_generic-Fix-a-memory-leak-in-error-handling-p.patch
  (git-fixes CVE-2021-47071 bsc#1220846).
- Update
  patches.suse/msft-hv-2317-uio_hv_generic-Fix-another-memory-leak-in-error-hand.patch
  (git-fixes CVE-2021-47070 bsc#1220829).
- Update
  patches.suse/mtd-require-write-permissions-for-locking-and-badblo.patch
  (git-fixes CVE-2021-47055 bsc#1220768).
- Update
  patches.suse/net-hns3-put-off-calling-register_netdev-until-clien.patch
  (bsc#1154353 CVE-2021-47139 bsc#1221935).
- Update
  patches.suse/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch
  (CVE-2021-23134 bsc#1186060 CVE-2021-47068 bsc#1220739).
- Update
  patches.suse/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
  (git-fixes CVE-2021-47171 bsc#1221994).
- Update
  patches.suse/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch
  (CVE-2021-47013 bsc#1220641 CVE-2021-46992 bsc#1220638).
- Update patches.suse/ocfs2-fix-data-corruption-by-fallocate.patch
  (bsc#1187412 CVE-2021-47114 bsc#1221548).
- Update
  patches.suse/pid-take-a-reference-when-initializing-cad_pid.patch
  (bsc#1152489 CVE-2021-47118 bsc#1221605).
- Update
  patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch
  (git-fixes CVE-2021-47073 bsc#1220850).
- Update
  patches.suse/powerpc-64s-Fix-crashes-when-toggling-entry-flush-ba.patch
  (bsc#1177666 git-fixes bsc#1186460 ltc#192531 CVE-2021-46990
  bsc#1220743).
- Update
  patches.suse/powerpc-64s-Fix-pte-update-for-kernel-memory-on-radi.patch
  (bsc#1055117 git-fixes CVE-2021-47034 bsc#1220687).
- Update
  patches.suse/regmap-set-debugfs_name-to-NULL-after-it-is-freed.patch
  (git-fixes CVE-2021-47058 bsc#1220779).
- Update
  patches.suse/rtw88-Fix-array-overrun-in-rtw_get_tx_power_params.patch
  (git-fixes CVE-2021-47065 bsc#1220749).
- Update
  patches.suse/scsi-lpfc-Fix-null-pointer-dereference-in-lpfc_prep_.patch
  (bsc#1182574 CVE-2021-47045 bsc#1220640).
- Update
  patches.suse/scsi-qedf-Add-pointer-checks-in-qedf_update_link_speed
  (git-fixes CVE-2021-47077 bsc#1220861).
- Update
  patches.suse/scsi-qla2xxx-Fix-crash-in-qla2xxx_mqueuecommand.patch
  (bsc#1185491 CVE-2021-46963 bsc#1220536).
- Update
  patches.suse/serial-rp2-use-request_firmware-instead-of-request_f.patch
  (git-fixes CVE-2021-47169 bsc#1222000).
- Update
  patches.suse/soundwire-stream-fix-memory-leak-in-stream-config-er.patch
  (git-fixes CVE-2021-47020 bsc#1220785).
- Update
  patches.suse/spi-fsl-lpspi-Fix-PM-reference-leak-in-lpspi_prepare.patch
  (git-fixes CVE-2021-47051 bsc#1220764).
- Update
  patches.suse/spi-spi-fsl-dspi-Fix-a-resource-leak-in-an-error-han.patch
  (git-fixes CVE-2021-47161 bsc#1221966).
- Update
  patches.suse/tpm-efi-Use-local-variable-for-calculating-final-log.patch
  (git-fixes CVE-2021-46951 bsc#1220615).
- Update
  patches.suse/tracing-Restructure-trace_clock_global-to-never-block.patch
  (git-fixes CVE-2021-46939 bsc#1220580).
- Update
  patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch
  (bsc#1209635 CVE-2022-4744 CVE-2021-47082 bsc#1220969).
- Update
  patches.suse/x86-kvm-Disable-kvmclock-on-all-CPUs-on-shutdown.patch
  (bsc#1185308 CVE-2021-47110 bsc#1221532).
- Update
  patches.suse/x86-kvm-Teardown-PV-features-on-boot-CPU-as-well.patch
  (bsc#1185308 CVE-2021-47112 bsc#1221541).
- commit 563b877

- Update
  patches.suse/i2c-img-scb-fix-reference-leak-when-pm_runtime_get_s.patch
  (git-fixes CVE-2020-36783 bsc#1220561).
- Update
  patches.suse/i2c-imx-lpi2c-fix-reference-leak-when-pm_runtime_get.patch
  (git-fixes CVE-2020-36782 bsc#1220560).
- Update
  patches.suse/i2c-sprd-fix-reference-leak-when-pm_runtime_get_sync.patch
  (git-fixes CVE-2020-36780 bsc#1220556).
- commit 33b0d9d

- IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests (bsc#1220445 CVE-2023-52474)
- commit bdb2e0c

- Update patches.suse/s390-dasd-add-missing-discipline-function
  (bsc#1188130 ltc#193581 CVE-2021-47176 bsc331221996).
- commit d918596

- wifi: ath10k: fix NULL pointer dereference in
  ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336
  CVE-2023-7042).
- commit 22d99d7

- dmaengine: fix NULL pointer in channel unregistration function (bsc#1221276 CVE-2023-52492)
- commit b24663f

- Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
  (bsc#1219170 CVE-2024-22099).
- commit b8c2f38

- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
  (bsc#1218562 CVE-2023-6270).
- commit 0e87477

- fs: no need to check source (bsc#1221044 CVE-2023-52591).
- commit df2f811

- rename(): avoid a deadlock in the case of parents having no
  common ancestor (bsc#1221044 CVE-2023-52591).
- commit faa6432

- kill lock_two_inodes() (bsc#1221044 CVE-2023-52591).
- commit d6f6371

- rename(): fix the locking of subdirectories (bsc#1221044
  CVE-2023-52591).
- commit 063df0d

- f2fs: Avoid reading renamed directory if parent does not change
  (bsc#1221044 CVE-2023-52591).
- commit 4dfa62d

- ext4: don't access the source subdirectory content on
  same-directory rename (bsc#1221044 CVE-2023-52591).
- commit 80ff66b

- ext2: Avoid reading renamed directory if parent does not change
  (bsc#1221044 CVE-2023-52591).
- commit 03d3930

- udf_rename(): only access the child content on cross-directory
  rename (bsc#1221044 CVE-2023-52591).
- commit 4bff17c

- ocfs2: Avoid touching renamed directory if parent does not
  change (bsc#1221044 CVE-2023-52591).
- commit 74fc5ec

- reiserfs: Avoid touching renamed directory if parent does not
  change (git-fixes bsc#1221044 CVE-2023-52591).
  Refresh patches.suse/reiserfs-add-check-to-detect-corrupted-directory-entry.patch
  Refresh patches.suse/reiserfs-don-t-panic-on-bad-directory-entries.patch
- commit f392df9

- fs: don't assume arguments are non-NULL (bsc#1221044
  CVE-2023-52591).
- commit a11eadd

- fs: Restrict lock_two_nondirectories() to non-directory inodes
  (bsc#1221044 CVE-2023-52591).
- commit 6ad8632

- fs: ocfs2: check status values (bsc#1221044 CVE-2023-52591).
- commit 696c231

- fs: Lock moved directories (bsc#1221044 CVE-2023-52591).
- commit c14fbaa

- fs: Establish locking order for unrelated directories
  (bsc#1221044 CVE-2023-52591).
- commit b424ded

- fs: introduce lock_rename_child() helper (bsc#1221044
  CVE-2023-52591).
- commit 02e4cc0

- dm: rearrange core declarations for extended use from dm-zone.c
  (bsc#1221113).
- Refresh
  patches.kabi/kABI-dm-fix-deadlock-when-swapping-to-encrypted-device.patch.
- commit 741eac7

- perf/x86/lbr: Filter vsyscall addresses (bsc#1220703,
  CVE-2023-52476).
- commit c46d003

- dm rq: don't queue request to blk-mq during DM suspend
  (bsc#1221113).
- commit b77fc22

- neighbour: allow NUD_NOARP entries to be forced GCed
  (bsc#1221534 CVE-2021-47109).
- commit d36f6ec

- net/sched: Add module alias for sch_fq_pie (bsc#1210335 CVE-2023-1829).
- commit d985f7c

- net/sched: Remove alias of sch_clsact (bsc#1210335 CVE-2023-1829).
- net/sched: Load modules via their alias (bsc#1210335 CVE-2023-1829).
- net/sched: Add module aliases for cls_,sch_,act_ modules
  (bsc#1210335 CVE-2023-1829).
- net/sched: Add helper macros with module names (bsc#1210335 CVE-2023-1829).
- commit 6a5afc3

- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set (bsc#1213456 CVE-2023-28746).
- commit 15a7f43

- Sort already upstream patches
- Refresh
  patches.suse/Documentation-hw-vuln-Add-documentation-for-RFDS.patch.
- Refresh
  patches.suse/KVM-VMX-Move-VERW-closer-to-VMentry-for-MDS-mitigation.patch.
- Refresh
  patches.suse/KVM-VMX-Use-BT-JNC-i.e.-EFLAGS.CF-to-select-VMRESUME-vs.-V.patch.
- Refresh
  patches.suse/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch.
- Refresh
  patches.suse/x86-bugs-Add-asm-helpers-for-executing-VERW.patch.
- Refresh
  patches.suse/x86-bugs-Use-ALTERNATIVE-instead-of-mds_user_clear-static-.patch.
- Refresh
  patches.suse/x86-entry_32-Add-VERW-just-before-userspace-transition.patch.
- Refresh
  patches.suse/x86-entry_64-Add-VERW-just-before-userspace-transition.patch.
- Refresh
  patches.suse/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch.
- commit 851bcbe

- perf/core: Fix unconditional security_locked_down() call
  (bsc#1220697, CVE-2021-46971).
- commit 0b7f805

- io_uring/af_unix: disable sending io_uring over sockets
  (bsc#1220754 CVE-2023-6531).
- commit a0d28a2

- usb: mtu3: fix list_head check warning (bsc#1220484
  CVE-2021-46930).
- commit b548734

- Refresh patches.kabi/team-Hide-new-member-header-ops.patch.
  Fix for kABI workaround.
- commit ff68767

- ceph: fix deadlock or deadcode of misusing dget() (bsc#1221058
  CVE-2023-52583).
- commit 5c7a950

- usb: hub: Guard against accesses to uninitialized BOS
  descriptors (git-fixes).
  Altered because 5.3 does not do SSP
- commit 6d423f3

- Update
  patches.suse/scsi-qla2xxx-Fix-SRB-leak-on-switch-command-timeout.patch
  added CVE reference to: (jsc#SLE-9714 jsc#SLE-10327 jsc#SLE-10334
  bnc#1151927 5.3.17 cve-2021-46963).
- commit bac1eb3

- Update reference of bpf-Use-correct-permission-flag-for-mixed-signed-bou.patch
  (bsc#1184942 bsc#1220425 CVE-2021-29155 CVE-2021-46908).
- commit 787c408

- drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() (bsc#1220413 CVE-2023-52470).
- commit d61356a

- drivers/amd/pm: fix a use-after-free in kv_parse_power_table (bsc#1220411 CVE-2023-52469).
- commit 10972e5

- irqchip/gic-v3: Do not enable irqs when handling spurious interrups (bsc#1220529,CVE-2021-46961)
- commit 83fe0b1

- group-source-files.pl: Quote filenames (boo#1221077).
  The kernel source now contains a file with a space in the name.
  Add quotes in group-source-files.pl to avoid splitting the filename.
  Also use -print0 / -0 when updating timestamps.
- commit a005e42

- phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600)
- commit c4890bf

- mm: fix gup_pud_range (bsc#1220824).
- commit d0caaa5

- RDMA/rxe: Clear all QP fields if creation failed (bsc#1220863 CVE-2021-47078)
- commit 23bba26

- RDMA/rxe: Return CQE error if invalid lkey was supplied (bsc#1220860 CVE-2021-47076)
- commit 1171085

- ACPI: extlog: fix NULL pointer dereference check (bsc#1221039
  CVE-2023-52605).
- commit a37794c

- Update
  patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch
  (bsc#1220416 bsc#1220418 CVE-2021-46904 CVE-2021-46905).
  Added second CVE reference
- commit 6b7d257

- Update
  patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch
  (bsc#1220416 CVE-2021-46904).
- Update
  patches.suse/net-hso-fix-null-ptr-deref-during-tty-device-unregis.patch
  (bsc#1220416 CVE-2021-46904).
  Added CVE references
- commit ce2a61e

- kernel-binary: Fix i386 build
  Fixes: 89eaf4cdce05 (&quot;rpm templates: Move macro definitions below buildrequires&quot;)
- commit f7c6351

- KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746).
- commit d0c95ff

- x86/rfds: Mitigate Register File Data Sampling (RFDS) (bsc#1213456 CVE-2023-28746).
- commit 7725a96

- net: nfc: fix races in nfc_llcp_sock_get() and
  nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831).
- commit 3983469

- btrfs: remove BUG() after failure to insert delayed dir index
  item (bsc#1220918 CVE-2023-52569).
- commit ff844fd

- btrfs: improve error message after failure to add delayed dir
  index item (bsc#1220918 CVE-2023-52569).
- commit f310611

- Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746).
- commit bff3e02

- x86/srso: Add SRSO mitigation for Hygon processors (bsc#1220735
  CVE-2023-52482).
- commit 1f25b34

- KVM: s390: fix setting of fpc register (bsc#1221040
  CVE-2023-52597).
- commit 8155006

- vt: fix memory overlapping when deleting chars in the buffer
  (bsc#1220845 CVE-2022-48627).
- commit b8e8505

- kernel-binary: vdso: fix filelist for non-usrmerged kernel
  Fixes: a6ad8af207e6 (&quot;rpm templates: Always define usrmerged&quot;)
- commit fb3f221

- kabi: team: Hide new member header_ops (bsc#1220870
  CVE-2023-52574).
- commit 04e32d4

- i2c: validate user data in compat ioctl (git-fixes bsc#1220469
  CVE-2021-46934).
- commit 554cd35

- ravb: Fix use-after-free issue in ravb_tx_timeout_work()
  (bsc#1212514 CVE-2023-35827).
- net: mana: Fix TX CQE error handling (bsc#1220932
  CVE-2023-52532).
- team: fix null-ptr-deref when team device type is changed
  (bsc#1220870 CVE-2023-52574).
- commit 5631a0c

- Update reference of bpf-Fix-masking-negation-logic-upon-negative-dst-reg.patch
  (bsc#1155518 bsc#1220700 CVE-2021-46974).
- commit 5f6c988

- wifi: mac80211: fix potential key use-after-free (CVE-2023-52530
  bsc#1220930).
- wifi: iwlwifi: mvm: Fix a memory corruption issue
  (CVE-2023-52531 bsc#1220931).
- commit 7072ac0

- pinctrl: mediatek: fix global-out-of-bounds issue
  (CVE-2021-47083 bsc#1220917).
- commit f54296c

- drm/bridge: sii902x: Fix probing race issue (bsc#1220736 CVE-2024-26607).
- commit 470c611

- KVM: Destroy target device if coalesced MMIO unregistration
  fails (git-fixes).
- commit c99d976

- KVM: mmio: Fix use-after-free Read in
  kvm_vm_ioctl_unregister_coalesced_mmio (git-fixes).
- commit f7f8d3b

- bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS (bsc#1220255
  CVE-2024-26589).
- commit 84782c1

- PCI: endpoint: Fix NULL pointer dereference for -&gt;get_features()
  (bsc#1220660 CVE-2021-47005).
- commit 4cda383

- tls: fix race between tx work scheduling and socket close
  (CVE-2024-26585 bsc#1220187).
- commit 7207999

- kabi: restore return type of dst_ops::gc() callback
  (CVE-2023-52340 bsc#1219295).
- ipv6: remove max_size check inline with ipv4 (CVE-2023-52340
  bsc#1219295).
- commit 077e12d

- netfilter: nf_tables: fix 64-bit load issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit b02bdeb

- netfilter: nf_tables: fix 64-bit load issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit 67cfeec

- Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
  (CVE-2022-20154 CVE-2021-46929 bsc#1200599 bsc#1220482).
- commit 8d1b35f

- Update patches.suse/scsi-qla2xxx-Reserve-extra-IRQ-vectors.patch
  (bsc#1184436 bsc#1186286 bsc#1220538 CVE-2021-46964).
- commit e5c6db2

- KVM: Stop looking for coalesced MMIO zones if the bus is
  destroyed (bsc#1220742 CVE-2021-47060).
- commit 7287801

- netfilter: nft_set_pipapo: skip inactive elements during set
  walk (CVE-2023-6817 bsc#1218195).
- commit ba8530f

- tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825
  CVE-2024-26622).
- commit 6d24f8e

- Update
  patches.suse/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak
  (git-fixes CVE-2021-46968).
- commit a63feba

- doc/README.SUSE: Update information about module support status
  (jsc#PED-5759)
  Following the code change in SLE15-SP6 to have externally supported
  modules no longer taint the kernel, update the respective documentation
  in README.SUSE:
  * Describe that support status can be obtained at runtime for each
  module from /sys/module/$MODULE/supported and for the entire system
  from /sys/kernel/supported. This provides a way how to now check that
  the kernel has any externally supported modules loaded.
  * Remove a mention that externally supported modules taint the kernel,
  but keep the information about bit 16 (X) and add a note that it is
  still tracked per module and can be read from
  /sys/module/$MODULE/taint. This per-module information also appears in
  Oopses.
- commit 9ed8107

- powerpc/pseries/memhp: Fix access beyond end of drmem array
  (bsc#1220250,CVE-2023-52451).
- commit 9865154

- Input: appletouch - initialize work before device registration
  (CVE-2021-46932 bsc#1220444).
- commit 8f106a8

- Update
  patches.suse/ipc-mqueue-msg-sem-Avoid-relying-on-a-stack-reference.patch
  (bsc#1185988, bsc1220826, CVE-2021-47069).
- commit f01183e

- Update References
  patches.suse/ACPI-GTDT-Don-t-corrupt-interrupt-mappings-on-watchd.patch
  (git-fixes bsc#1220599 CVE-2021-46953).
- commit 5b10499

- Update References
  patches.suse/ACPI-custom_method-fix-potential-use-after-free-issu.patch
  (git-fixes bsc#1220572 CVE-2021-46966).
- commit 8eecec3

- efivarfs: force RO when remounting if SetVariable is not
  supported (bsc#1220328 CVE-2023-52463).
- commit 0c76724

- RDMA/siw: Fix a use after free in siw_alloc_mr (bsc#1220627
  CVE-2021-47012).
- commit 96f4478

- mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
  (bsc#1220238 CVE-2023-52449).
- commit d23e49b

- Input: powermate - fix use-after-free in
  powermate_config_complete (CVE-2023-52475 bsc#1220649).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
  (CVE-2023-52478 bsc#1220796).
- commit 92ea315

- hfsplus: prevent corruption in shrinking truncate (bsc#1220737
  CVE-2021-46989).
- commit cc37c78

- Update patch reference for qcom bus fix (CVE-2021-47054 bsc#1220767)
- commit 024411a

- netfilter: nft_limit: avoid possible divide error in
  nft_limit_init (bsc#1220436 CVE-2021-46915).
- commit 291b0ff

- NFC: st21nfca: Fix memory leak in device probe and remove
  (CVE-2021-46924 bsc#1220459).
- commit 2b46faa

- Update patch reference for HID fix (CVE-2021-46906 bsc#1220421)
- commit 89e5504

- i2c: Fix a potential use after free (bsc#1220409
  CVE-2019-25162).
- commit 6421697

- i2c: cadence: fix reference leak when pm_runtime_get_sync fails
  (bsc#1220570 CVE-2020-36784).
- commit 5fa02fa

- KVM: Destroy I/O bus devices on unregister failure _after_
  sync'ing SRCU (bsc#git-fixes, CVE-2021-47061).
- commit b2a896d

- Update patch reference for media usb fix (CVE-2020-36777 bsc#1220526)
- commit f0fcd0d

- media: pvrusb2: fix use after free on context disconnection
  (CVE-2023-52445 bsc#1220241).
- commit 3f02f88

- nfc: nci: fix possible NULL pointer dereference in
  send_acknowledge() (bsc#1219125 CVE-2023-46343).
- commit 9371a32

- uio: Fix use-after-free in uio_open (bsc#1220140
  CVE-2023-52439).
- commit 758615f

- apparmor: avoid crash when parsed profile name is empty
  (CVE-2023-52443 bsc#1220240).
- commit 9d07817

- sched/membarrier: reduce the ability to hammer on sys_membarrier
  (git-fixes, bsc#1220398, CVE-2024-26602).
- commit b645222

- i2c: i801: Fix block process call transactions (bsc#1220009
  CVE-2024-26593).
- commit c348c97

- netfilter: nftables: avoid overflows in nft_hash_buckets()
  (CVE-2021-47013 bsc#1220641).
- commit f0d286e

- net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
  (CVE-2021-47013 bsc#1220641).
- commit 378bb67

- mlxsw: spectrum_acl_tcam: Fix stack corruption (bsc#1220243
  CVE-2024-26586).
- mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in
  error path (bsc#1220344 CVE-2024-26595).
- commit 76ed3a3

- EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330)
- commit 5f2e003

- gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
  (bsc#1220253 CVE-2023-52448).
- commit a731316

- rpm templates: Always define usrmerged
  usrmerged is now defined in kernel-spec-macros and not the distribution.
  Only check if it's defined in kernel-spec-macros, not everywhere where
  it's used.
- commit a6ad8af

- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit fda6073

- blacklist.conf: Blacklist a clang fix
- commit 6540830

- rpm templates: Move macro definitions below buildrequires
  Many of the rpm macros defined in the kernel packages depend directly or
  indirectly on script execution. OBS cannot execute scripts which means
  values of these macros cannot be used in tags that are required for OBS
  to see such as package name, buildrequires or buildarch.
  Accumulate macro definitions that are not directly expanded by mkspec
  below buildrequires and buildarch to make this distinction clear.
- commit 89eaf4c

- net: openvswitch: limit the number of recursions from action
  sets (bsc#1219835 CVE-2024-1151).
- commit 5a5045f

- rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE
  Introduced by commit 68fb3ca0e408 (&quot;update workarounds for gcc &quot;asm
  goto&quot; issue&quot;).
- commit be1bdab

- compute-PATCHVERSION: Do not produce output when awk fails
  compute-PATCHVERSION uses awk to produce a shell script that is
  subsequently executed to update shell variables which are then printed
  as the patchversion.
  Some versions of awk, most notably busybox-gawk do not understand the
  awk program and fail to run. This results in no script generated as
  output, and printing the initial values of the shell variables as
  the patchversion.
  When the awk program fails to run produce 'exit 1' as the shell script
  to run instead. That prevents printing the stale values, generates no
  output, and generates invalid rpm spec file down the line. Then the
  problem is flagged early and should be easier to diagnose.
- commit 8ef8383

- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (git-fixes).
- commit 6d2e676

- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation
  code (git-fixes).
- commit 1f3dbeb

- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (git-fixes).
- commit 2581a0e

- KVM: x86: add support for CPUID leaf 0x80000021 (git-fixes).
- commit 79ab1f6

- x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes).
- commit 26d80bf

- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
  Also add the removed mds_user_clear symbol to kABI severities as it is
  exposed just for KVM module and is generally a core kernel component so
  removing it is low risk.
- x86/entry_32: Add VERW just before userspace transition (git-fixes).
- x86/entry_64: Add VERW just before userspace transition (git-fixes).
- x86/bugs: Add asm helpers for executing VERW (git-fixes).
- commit 8f33ff8

- mbcache: Fixup kABI of mb_cache_entry (bsc#1207653 bsc#1219915).
- commit 52b181f

- ext4: fix deadlock due to mbcache entry corruption
  (bsc#1207653 bsc#1219915).
- commit 14e0a9c

- net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
  (bsc#1219127 CVE-2024-23849).
- commit 75b4a5b

- cifs: fix missing unload_nls() in smb2_reconnect()
  (bsc#1213476).
- commit 7236d05

- cifs: fix status checks in cifs_tree_connect (bsc#1213476).
- commit a4a76da

- smb: client: fix null auth (bsc#1213476).
- commit 08d9d59

- kernel-binary: Move build script to the end
  All other spec templates have the build script at the end, only
  kernel-binary has it in the middle. Align with the other templates.
- commit 98cbdd0

- rpm templates: Aggregate subpackage descriptions
  While in some cases the package tags, description, scriptlets and
  filelist are located together in other cases they are all across the
  spec file. Aggregate the information related to a subpackage in one
  place.
- commit 8eeb08c

- rpm templates: sort rpm tags
  The rpm tags in kernel spec files are sorted at random.
  Make the order of rpm tags somewhat more consistent across rpm spec
  templates.
- commit 8875c35

- Update to add CVE-2024-23851 tag,
  patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch
  (bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851).
- commit ef15d5e

- dm: limit the number of targets and parameter size area
  (bsc#1219827, bsc#1219146, CVE-2023-52429).
- commit 2431307

- vhost: use kzalloc() instead of kmalloc() followed by memset()
  (CVE-2024-0340, bsc#1218689).
- commit aa86ef0

- kernel-binary: certs: Avoid trailing space
- commit bc7dc31

- rpm/kernel-binary.spec.in: install scripts/gdb when enabled in config
  (bsc#1219653)
  They are put into -devel subpackage. And a proper link to
  /usr/share/gdb/auto-load/ is created.
- commit 1dccf2a

- Refresh
  patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch.
  Add the upstream commit ID.
- commit d9857fd

- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
  (CVE-2024-1086 bsc#1219434).
- commit 33a2cdd

- drm/amdgpu: Fix potential fence use-after-free v2 (bsc#1219128
  CVE-2023-51042).
- commit 2e8464f

- rpm/mkspec: sort entries in _multibuild
  Otherwise it creates unnecessary diffs when tar-up-ing. It's of course
  due to readdir() using &quot;random&quot; order as served by the underlying
  filesystem.
  See for example:
  https://build.opensuse.org/request/show/1144457/changes
- commit d1155de

- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
  bsc#1218730).
- commit 6405c59

- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
  XSA-448, bsc#1218836).
- commit 7d3a106

- ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
  (CVE-2021-33631 bsc#1219412).
- commit 792d624

- kernel-source: Fix description typo
- commit 8abff35

- nvmet-tcp: Fix the H2C expected PDU len calculation
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988
  bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356).
- nvmet-tcp: fix a crash in nvmet_req_complete() (bsc#1217987
  bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- nvmet-tcp: Fix a kernel panic when host sends an invalid H2C
  PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535
  CVE-2023-6536 CVE-2023-6356).
- commit e2033e6

- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
  (CVE-2023-47233 bsc#1216702).
- commit 6452010

- rpm/constraints.in: set jobs for riscv to 8
  The same workers are used for x86 and riscv and the riscv builds take
  ages. So align the riscv jobs count to x86.
- commit b2c82b9

- x86/entry/ia32: Ensure s32 is sign extended to s64 (bsc#1193285).
- commit 8395685

- net: sched: sch_qfq: Use non-work-conserving warning handler
  (CVE-2023-4921 bsc#1215275).
- commit aabd893

- mkspec: Use variant in constraints template
  Constraints are not applied consistently with kernel package variants.
  Add variant to the constraints template as appropriate, and expand it
  in mkspec.
- commit cc68ab9

- rpm/constraints.in: add static multibuild packages
  Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
  constraints on multibuild) added &quot;kernel-source:&quot; prefix to the
  dynamically generated kernels. But there are also static ones like
  kernel-docs. Those fail to build as the constraints are still not
  applied.
  So add the prefix also to the static ones.
  Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
  will ever be multibuilt...
- commit c2e0681

- drm/atomic: Fix potential use-after-free in nonblocking commits
  (bsc#1219120 CVE-2023-51043).
- commit 1f381b4

- Revert &quot;Limit kernel-source build to architectures for which the kernel binary&quot;
  This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
  The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a

- mkspec: Include constraints for both multibuild and plain package always
  There is no need to check for multibuild flag, the constraints can be
  always generated for both cases.
- commit 308ea09

- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
  Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b

- rpm/kernel-source.rpmlintrc: add action-ebpf
  Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
  plugin) added this precompiled binary blob. Adapt rpmlintrc for
  kernel-source.
- commit b5ccb33

- ext4: improve error recovery code paths in __ext4_remount()
  (bsc#1219053 CVE-2024-0775).
- commit f053871

- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
  The previous change added the manual entry from kernel-sources.change.old
  to old_changelog.txt unnecessarily.  Let's fix it.
- commit fb033e8

- rpm/kernel-docs.spec.in: fix build with 6.8
  Since upstream commit f061c9f7d058 (Documentation: Document each netlink
  family), the build needs python yaml.
- commit 6a7ece3

- smb: client: fix OOB in receive_encrypted_standard()
  (bsc#1218832 CVE-2024-0565).
- commit 59d97af

- ida: Fix crash in ida_free when the bitmap is empty (bsc#1218804
  CVE-2023-6915).
- commit e0cf5bf

- netfilter: nf_tables: Reject tables of unsupported family
  (bsc#1218752 CVE-2023-6040).
- commit 9fd7b64

- net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782
  bsc#1218757).
- commit 1ba2d82

- powerpc/powernv: Add a null pointer check in opal_event_init()
  (bsc#1065729 CVE-2023-52686).
- commit 0f57a9b

- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
  The old entries are found in kernel-docs/old_changelog.txt in docdir.
  rpm/old_changelog.txt can be an optional file that stores the similar
  info like rpm/kernel-sources.changes.old.  It can specify the commit
  range that have been truncated.  scripts/tar-up.sh expands from the
  git log accordingly.
- commit c9a2566

- smb: client: fix potential OOB in smb2_dump_detail()
  (bsc#1217946 CVE-2023-6610).
- commit 838930f

- Limit kernel-source build to architectures for which the kernel binary
  is built (bsc#1108281).
- commit 08a9e44

- Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
  (CVE-2023-51779 bsc#1218559).
- commit 10b8efc

- clocksource: Suspend the watchdog temporarily when high read
  latency detected (bsc#1218105).
- commit 683a4c2

- clocksource: Avoid accidental unstable marking of clocksources
  (bsc#1218105).
- commit 0d50b3e

- mkspec: Add multibuild support (JSC-SLE#5501, boo#1211226, bsc#1218184)
  When MULTIBUILD option in config.sh is enabled generate a _multibuild
  file listing all spec files.
- commit f734347

- Build in the correct KOTD repository with multibuild
  (JSC-SLE#5501, boo#1211226, bsc#1218184)
  With multibuild setting repository flags is no longer supported for
  individual spec files - see
  https://github.com/openSUSE/open-build-service/issues/3574
  Add ExclusiveArch conditional that depends on a macro set up by
  bs-upload-kernel instead. With that each package should build only in
  one repository - either standard or QA.
  Note: bs-upload-kernel does not interpret rpm conditionals, and only
  uses the first ExclusiveArch line to determine the architectures to
  enable.
- commit aa5424d

- Bluetooth: avoid memcmp() out of bounds warning (bsc#1215237
  CVE-2020-26555).
- Bluetooth: hci_event: Fix coding style (bsc#1215237
  CVE-2020-26555).
- Bluetooth: hci_event: Fix using memcmp when comparing keys
  (bsc#1215237 CVE-2020-26555).
- commit bb86106

- Bluetooth: Reject connection with the device which has same
  BD_ADDR (bsc#1215237 CVE-2020-26555).
- commit 360840a

- Bluetooth: hci_event: Ignore NULL link key (bsc#1215237
  CVE-2020-26555).
- commit 13b41ce

- perf: Fix perf_event_validate_size() lockdep splat
  (CVE-2023-6931 bsc#1218258).
- perf: Fix perf_event_validate_size() (CVE-2023-6931
  bsc#1218258).
- commit e551d3d

- smb: client: fix OOB in smbCalcSize() (bsc#1217947
  CVE-2023-6606).
- commit bba90ea

- ipv4: igmp: fix refcnt uaf issue when receiving igmp query
  packet (bsc#1218253 CVE-2023-6932).
- commit 1240db6

- io_uring: fix 32-bit compatability with sendmsg/recvmsg (bsc#1217709).
  This was originally blacklisted for no good reason.  Since now we have
  an actual bug report that breaks LTP, drop from blacklist and backport.
- commit 8a7380f

- efi/mokvar: Reserve the table only if it is in boot services
  data (bsc#1215375).
- commit 2c6d22d

- nvmet: nul-terminate the NQNs passed in the connect command
  (bsc#1217250 CVE-2023-6121).
- commit 3b11907

- kernel-source: Remove config-options.changes (jsc#PED-5021)
  The file doc/config-options.changes was used in the past to document
  kernel config changes. It was introduced in 2010 but hasn't received
  any updates on any branch since 2015. The file is renamed by tar-up.sh
  to config-options.changes.txt and shipped in the kernel-source RPM
  package under /usr/share/doc. As its content now only contains outdated
  information, retaining it can lead to confusion for users encountering
  this file.
  Config changes are nowadays described in associated Git commit messages,
  which get automatically collected and are incorporated into changelogs
  of kernel RPM packages.
  Drop then this obsolete file, starting with its packaging logic.
  For branch maintainers: Upon merging this commit on your branch, please
  correspondingly delete the file doc/config-options.changes.
- commit adedbd2

- doc/README.SUSE: Simplify the list of references (jsc#PED-5021)
  Reduce indentation in the list of references, make the style consistent
  with README.md.
- commit 70e3c33

- doc/README.SUSE: Add how to update the config for module signing
  (jsc#PED-5021)
  Configuration files for SUSE kernels include settings to integrate with
  signing support provided by the Open Build Service. This creates
  problems if someone tries to use such a configuration file to build
  a &quot;standalone&quot; kernel as described in doc/README.SUSE:
  * Default configuration files available in the kernel-source repository
  unset CONFIG_MODULE_SIG_ALL to leave module signing to
  pesign-obs-integration. In case of a &quot;standalone&quot; build, this
  integration is not available and the modules don't get signed.
  * The kernel spec file overrides CONFIG_MODULE_SIG_KEY to
  &quot;.kernel_signing_key.pem&quot; which is a file populated by certificates
  provided by OBS but otherwise not available. The value ends up in
  /boot/config-$VERSION-$RELEASE-$FLAVOR and /proc/config.gz. If someone
  decides to use one of these files as their base configuration then the
  build fails with an error because the specified module signing key is
  missing.
  Add information on how to enable module signing and where to find the
  relevant upstream documentation.
- commit a699dc3

- doc/README.SUSE: Remove how to build modules using kernel-source
  (jsc#PED-5021)
  Remove the first method how to build kernel modules from the readme. It
  describes a process consisting of the kernel-source installation,
  configuring this kernel and then performing an ad-hoc module build.
  This method is not ideal as no modversion data is involved in the
  process. It results in a module with no symbol CRCs which can be wrongly
  loaded on an incompatible kernel.
  Removing the method also simplifies the readme because only two main
  methods how to build the modules are then described, either doing an
  ad-hoc build using kernel-devel, or creating a proper Kernel Module
  Package.
- commit 9285bb8

Package containerd was updated:

- Revert noarch for devel subpackage
  Switching to noarch causes issues on SLES maintenance updates, reverting it
  fixes our image builds

- Update to containerd v1.7.17. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.17&gt;
- Switch back to using tar_scm service. Aside from obs_scm using more bandwidth
  and storage than a locally-compressed tar.xz, it seems there's some weird
  issue with paths in obscpio that break our SLE-12-only patch.
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.16. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.16&gt;
  CVE-2023-45288 bsc#1221400

- Use obs_scm service instead of tar_scm
- Removed patch 0002-shim-Create-pid-file-with-0644-permissions.patch
  (merged upstream at
  &lt;https://github.com/containerd/containerd/pull/9571&gt;)
- Update to containerd v1.7.15. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.15&gt;
- Update to containerd v1.7.14. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.14&gt;
- Update to containerd v1.7.13. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.13&gt;
- Update to containerd v1.7.12. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.12&gt;
- Update to containerd v1.7.11. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.11&gt;
  GHSA-jq35-85cj-fj4p bsc#1224323

- Use %patch -P N instead of deprecated %patchN.

- Enable manpage generation
- Make devel package noarch
- adjust rpmlint filters

- Add patch for bsc#1217952:
  + 0002-shim-Create-pid-file-with-0644-permissions.patch

- Update to containerd v1.7.10. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.10&gt;
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

Package coreutils was updated:

- coreutils-ls-avoid-triggering-automounts.patch
  ls: avoid triggering automounts (bsc#1221632)

Package cpio was updated:

- Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238
  * fix-bsc1219238.patch

- Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571)
  * fix-CVE-2023-7207.patch

Package samba was updated:

Package cups was updated:

- Require the exact matching version-release of all libcups*
  sub-packages (bsc#1226192)

- cups-2.2.7-CVE-2024-35235.patch is derived
  from the upstream patch against master (CUPS 2.5)
  to behave backward compatible for CUPS 2.2.7
  in SLE15 and openSUSE Leap 15 to fix CVE-2024-35235
  &quot;cupsd Listen port arbitrary chmod 0140777&quot;
  without the more secure but backward-incompatible behaviour
  of the upstream patch for CUPS 2.5
  that ignores domain sockets specified in 'Listen' entries
  in /etc/cups/cupsd.conf when cupsd is launched via systemd
  (in particular when launched on-demand by systemd)
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
  bsc#1225365

- cups-2.2.7-web-ui-kerberos-authentication.patch, update
  patch to handle local 'Negotiate' authentication response
  for cli clients. (bsc#1223179).

- Remove '--enable-debug-printfs' from configure options, see
  https://github.com/OpenPrinting/cups/issues/875
  (bsc#1217119).

Package curl was updated:

- regression fix [bsc#1219273]
  https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325
- added patches
  + curl-CVE-2023-27534-tilde-back.patch

- Security fix: [bsc#1221667, CVE-2024-2398]
  * curl: HTTP/2 push headers memory-leak
  * Add curl-CVE-2024-2398.patch

- Fix: libssh: Implement SFTP packet size limit (bsc#1216987)
  * Add curl-libssh_Implement_SFTP_packet_size_limit.patch

Package desktop-data-SLE was updated:

- Fix typo in the desktop files for some of the wallpapers
  (bsc#1222146).

Package docker was updated:

[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.6-ce. See upstream changelog online at
  &lt;https://docs.docker.com/engine/release-notes/25.0/#2506&gt;
- This update includes a fix for CVE-2024-41110. bsc#1228324
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
  * 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
  symlinks. Backport of &lt;https://github.com/moby/buildkit/pull/4896&gt; and
  &lt;https://github.com/moby/buildkit/pull/5060&gt;. bsc#1221916
  + 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- Write volume options atomically so sudden system crashes won't result in
  future Docker starts failing due to empty files. Backport of
  &lt;https://github.com/moby/moby/pull/48034&gt;. bsc#1214855
  + 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.5-ce. See upstream changelog online at
  &lt;https://docs.docker.com/engine/release-notes/25.0/#2505&gt; bsc#1223409
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
  - 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- Update --add-runtime to point to correct binary path.

[NOTE: This update was only ever released in SLES and Leap.]
- Add patch to fix bsc#1220339
  * 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch

- Allow to disable apparmor support (ALP supports only SELinux)

- Update to Docker 25.0.3-ce. See upstream changelog online at
  &lt;https://docs.docker.com/engine/release-notes/25.0/#2503&gt;
- Fixes:
  * bsc#1219267 - CVE-2024-23651
  * bsc#1219268 - CVE-2024-23652
  * bsc#1219438 - CVE-2024-23653
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
  - 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch

- Vendor latest buildkit v0.11:
  Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that
  vendors in the latest v0.11 buildkit branch including bugfixes for the following:
  * bsc#1219438: CVE-2024-23653
  * bsc#1219268: CVE-2024-23652
  * bsc#1219267: CVE-2024-23651
- rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- switch from %patchN to %patch -PN syntax
- remove unused rpmlint filters and add filters to silence pointless bash &amp; zsh
  completion warnings

- Update to Docker 24.0.7-ce. See upstream changelog online at
  &lt;https://docs.docker.com/engine/release-notes/24.0/#2407&gt;. bsc#1217513
  * Deny containers access to /sys/devices/virtual/powercap by default.
  - CVE-2020-8694 bsc#1170415
  - CVE-2020-8695 bsc#1170446
  - CVE-2020-12912 bsc#1178760
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch

- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of
  version-specific templating for the default apparmor profile. bsc#1213500
  + 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

- Update to Docker 24.0.6-ce. See upstream changelog online at
  &lt;https://docs.docker.com/engine/release-notes/24.0/#2406&gt;. bsc#1215323
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Switch from disabledrun to manualrun in _service.
- Add a docker.socket unit file, but with socket activation effectively
  disabled to ensure that Docker will always run even if you start the socket
  individually. Users should probably just ignore this unit file. bsc#1210141

Package fence-agents was updated:

- L3: fence_vmware_rest : monitoring is not detecting problems accessing the fence device
  (bsc#1218718)
  o Add upstream patch:
    0001-fence_vmware_rest-monitoring-action-is-not-detecting.patch

Package gdk-pixbuf was updated:

- Add CVE-2022-48622.patch: ANI: Reject files with multiple anih
  chunks (bsc#1219276, CVE-2022-48622, glgo#GNOME/gdk-pixbuf#202).

Package glib2 was updated:

- Add patches to fix CVE-2024-34397 (boo#1224044):
  glib2-allocate-SignalSubscriber-structs-individually.patch
  glib2-CVE-2024-34397.patch (glgo#GNOME/glib#3268).
  glib2-fix-ibus-regression.patch (glgo#GNOME/glib#3353)

Package glibc was updated:

- nscd-netgroup-cache-timeout.patch: Use time_t for return type of
  addgetnetgrentX (CVE-2024-33602, bsc#1223425)

- ulp-prologue-into-asm-functions.patch: Avoid creating ULP prologue
  for _start routine (bsc#1221940)

- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
  nscd: Stack-based buffer overflow in netgroup cache
  (CVE-2024-33599, bsc#1223423, BZ #31677)
- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
  nscd: Avoid null pointer crashes after notfound response
  (CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
  nscd: Do not send missing not-found response in addgetnetgrentX
  (CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
  netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
  CVE-2024-33602, bsc#1223425, BZ #31680)

- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
  writes when writing escape sequence (CVE-2024-2961, bsc#1222992)

- duplocale-global-locale.patch: duplocale: protect use of global locale
  (bsc#1220441, BZ #23970)

- qsort-invalid-cmp.patch: qsort: handle degenerated compare function
  (bsc#1218866)

- getaddrinfo-eai-memory.patch: getaddrinfo: translate ENOMEM to
  EAI_MEMORY (bsc#1217589, BZ #31163)

- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr
  (bsc#1217445, BZ #31113)

Package gnutls was updated:

- Security fix: [bsc#1218865, CVE-2024-0553]
  * Incomplete fix for CVE-2023-5981.
  * The response times to malformed ciphertexts in RSA-PSK
    ClientKeyExchange differ from response times of ciphertexts
    with correct PKCS#1 v1.5 padding.
  * Add gnutls-CVE-2024-0553.patch

- Security fix: [bsc#1217277, CVE-2023-5981]
  * Fix timing side-channel inside RSA-PSK key exchange.
  * auth/rsa_psk: side-step potential side-channel
  * Add curl-CVE-2023-5981.patch

Package google-cloud-sap-agent was updated:

- Update to version 3.4 (bsc#1227134, bsc#1227135)
  * Adding project to exclusion list
  * Add machine type to configure instance proto for WLM metric collection.
  * Add test channel for Guest Actions. Make default channel the registered channel.
  * Set backup object's customTime field as part of backint backups
  * Add workload discovery to configure command
  * Add multiple workers support in parallelreader for parallel downloading during restore.
  * `configureinstance` with `overrideVersion` set should log a warning and continue.
  * Minor log change in balanceirq
  * Add common function to parse parameters for guest action handlers
  * BalanceIRQ OTE added to Agent for SAP
  * Remove output from stdout for DIAGNOSE
  * Small hyperThreading change for configureinstance
  * Add initial steps to initialize the SystemDiscovery OTE in IIOTE and command mode.
  * Adding single worker support in parallelreader for download.
  * Read encryption key from file if specified in parameters file
  * Run configureinstance OTE only on supported instances during WLM metric collection.
  * Add instance ID to user agent string for SAP Agent.
  * Return `UsageError` as exit status instead of `Failure` in case of invalid parameters
  * Bumping up the agent version
  * Use json marshalling instead of manually parsing from map in configure handler
  * Move metric override modules to metricoverrides.go for general use
  * Updating the gcbdr proto
  * Updating param names to make it more clear in performance diagnostics
  * Add DiskSizeGb to Disk for disk creation.
  * Add Demo Metrics for Process Metrics
  * Add warning message for configureinstance overrideVersion
  * Add 3.3 to configureinstance versioning
  * Fix log message in configureinstance
  * Rename scope and param file to type and backint-param-file to avoid confusion
  * Add new OTE structure for SystemDiscovery.
  * Allows SAP system data to be read from an override file instead
    of discovered from the system. Useful for testing.
  * Refactor buildSupportBundleCommand by marshalling command parameters
  * Remove cluster member check for cluster collection
  * Add connectParameters as a function parameter in restoreFile function to have
    multiple bucket handles in parallelreader for parallel downloading.
  * Enable auto discovery of disks and make datadiskname and zone optional parameters
  * Add support for performancediagnostics OTE guest action handler
  * Add override version flag to configureinstance
  * Rename LVM volume group of restored disk to that of the target disk.
  * Sleep during TestCommunicateWithUAP to only execute intended
    code path once instead of many times.
  * Update grub configuration for X4 configureinstance
  * Extend result-bucket support to support bundle guest action
  * Add provisioned-iops and provisioned-throughput labels
    to snapshots and extract them during restore.
  * Configureinstance updates for SAP ECS
  * Add sequential in parallel download functionality for restore to SAP Agent.
  * Implement hanadiskbackup guest action handler
  * Add operation_id to UAP status labels.
  * Add user agent overrides for cloud monitoring
  * Updating generated protobufs
  * Update sanity check for fast collector metric
  * Reliability Metrics - Use the usage metrics instead of
    internal cloud monitoring metrics
  * Fix restoreFromGroupSnapshot and restoreFromSingleSnapshot logic
  * Implement support bundle handler. This CL follows a pattern for
    implementing handler which was developed in cl/636640791
  * Move timeseries.go and cloudmonitoring.go to shared/
  * Only stop HANA monitoring if successive errors are auth related
  * Use flag names for command parameters in configureHandler
  * Add check and apply finished metrics to configureinstance
  * Add snapshot / group backup name to success log message
  * Better handling of experimental flag in hanamonitoring
  * Return error if physical device is empty
  * Added an experimental flag to control role based awareness in hana monitoring
  * Adding role based awareness logic in HANA Monitoring
  * Add upload feature to support bundle
  * Add context to onetime logging functions
  * Fix logging and make confirm-data-snapshot-after-create true by default
  * Add debug logs for hanabackup to help troubleshoot issues.
  * Remove HDB User requirement when HDBUserstore key is passed for hanadiskbackup
  * Append labels to detached disk in hanadiskrestore
  * Add placeholder for parallel reader in Backint
  * Modify restore handlers to be able to restore from either
    source snapshot or group snapshot.
  * Modify checking preconditions and adding fakes for group snapshot restore.
  * Add initial support for restoring from group snapshot.
  * Add UAP Communication to startdaemon (gated by a configuration).
  * Fixing the commands in perfdiag
  * Refactor handleAgentCommand with guestActionsHandlers map
  * Add replication sites to system component proto
  * Build updated to use -mod=vendor during build
  * Updated go.mod and go.sum with dependencies for safetext,
    using go mod vendor for github action
  * Adding changes for target based config in hana monitoring
  * Overriding the user agent for Cloud Logging API calls
  * Fix typo in guestactions.proto
  * WLM Hana Full Backup Validation Metric collection
  * Add configure command to guest actions. Establish how the new proto
    format will be used in message handling.
  * Add ping check to HANA monitoring
  * [commandlineexecutor] Add the ability to directly pass data into Stdin, avoiding
    the need for intermediary piping commands, such as &quot;echo 'data' | my_app&quot;.

- Update to version 3.3 (bsc#1225166, bsc#1225558)
  * Build updated to use -mod=vendor during build
  * Updated go.mod and go.sum with dependencies for safetext,
    using go mod vendor for github action
  * Add actual values and comments to usagemetrics.go to ensure that
    error and action codes are only appended to the end of the list.
  * Remove usage metrics from configureinstance.go
  * Add a hard Disable for reliability metrics collection
    until the namespace is created and tested.
  * Adding metrics for time taken by each query
  * Add SHA224 of labels as a new label.
  * Remove collect_reliability_metrics from configuration.json
  * Small tweaks to backint log and inquire path generation
  * Fix for unmarshalling backint configuration.
  * Implementation of instant snapshot group backup workflow
  * Backint changes around shorten_folder_path
  * Rename max_diagnose_size_gb to diagnose_file_max_size_gb
  * Adding start and finish logs in performance diagnostics
  * Validate that all disks mapped to /hana/data belong to the same consistency group.
  * Rename backint monitoring metrics parameter
  * Trim folder prefix for Backint INQUIRE output.
  * Add the ability to test the database connection
  * Reduce log level of some storage messages to debug.
  * Finalize guest action request and response format.
  * Backint dashboard fix logs
  * Add scorecards to backint dashboard
  * Making proto changes for HANA Monitoring support
    for multiple tenants and ha setup
  * Add total upload/download time to log.
  * Add HANA indexserver.ini metrics to WLM metric collection.
  * Add Netweaver role metrics as part of process metrics
  * Rotate old support bundles.
  * Update the default value of confirm-data-snapshot-after-create
    to false and add to usage()
  * Add option to confirm HANA snapshot as successful before disk snapshot is uploaded.
  * Change log level from warn to info for non-critical messages.
  * Add diagnose_folder parameter to Backint
  * Add a 1 GB buffer to needed bytes for diagnostic
  * Add labels to group snapshot backup.
  * Enable the show status and restart agent functions for Windows.
  * Add WLM metric collection for num_completion_queues and num_submit_queues.
  * Collect support bundle on Backint errors.
  * Adding usage metrics to performance diagnostics
  * Collect agent-only support bundle on failure of backint and hanadiskbackup.
  * Minor Backint improvements
  * Add ability to collect only agent logs using agent-logs-only flag to supportbundle
  * Bump version to 3.3
  * Add Backint metrics dashboard
  * DO NOT remove log files on uninstall
  * Adding more unit tests
  * Changing location of zipped file to within the
    final folder identified by unique timestamp.
  * Minor refactorings and improvements with increasing code coverage
  * Make sure DB instance number is recorded in System data.
  * Change configuration.json to 0664 to ensure world cannot write.
  * Add Netweaver Java discovery to SAP Agent.
  * Add a new version of functions to read cloud properties from metadata server.
  * Updating generated protos to proc-gen-go v1.34.1
  * Updating runConfigureInstance method and adding unit tests
    for covering configure instance ote invocation
  * Zip the final bundle and add upload functionality
  * Record database SID alongside tenant DB SIDs
  * Reduce log severity in discovery
  * Add HANA version to product version data
  * Fix race condition in tests
  * Read disk mapping from instance info if source disk
    is not provided to hanadiskbackup
  * Add option to shorten the folder path in the bucket.
  * Add SSL support for cmdline-based querying and some bugfixes
  * Move recovery package to shared directory.
  * Update protoc-gen-go version to v1.34.0 in multiple protos
  * Adding FIO commands to performance diagnostics
  * Remove error logs when errors are being returned
  * Adding perfdiag to performance diagnostics
  * Add AppInstance data to discovery data uploads.
  * Introduce protos for guestactions messages and responses.
    Support multiple commands per message.
  * Update wording for HANA Insights rules.
  * Configureinstance updates.
  * Adding a check for retention policy before performing backup operation.
  * Remove the unused loglevel flag from logusage OTE
  * Change the language around the default parameters being
    optimized for performance in backint
  * Add instance role to SAP System properties
  * Increase wait time for index server to stop.
  * Integrating backint OTE into performancediagnostics
  * Update wording around configureinstance unsupported machine type.
  * Pass the right disk name to check if disk is attached
  * Integrating new DB Handle and hdbuserstore key support
    with remaining HANA DB dependant workflows
  * Refactor HANA and filesystems specific code to a common hanabackup package
  * Bumps x/net dependency to v0.23
  * Append HANA Insights rule to WLM fake metrics file in script to generate WLM rule.
  * Integrating configure instance ote in performance diagnostics
  * Update disk backup OTE to parse paths even with /dev/mapper
    in the middle of path, not necessarily as a prefix
  * Adding a few missing labels to wlm-fake-metrics.yaml
  * Changing loglevel for onetime.Init() calls
  * Refactor change - Move PD related functions to gce.go
  * Fix agentcommunication import replace statements
  * Update replace functions for new open source dependencies.
  * Set up scaffolding for guest actions handling in SAP Agent along with UAP library code
  * Backint upload/download metrics sent to cloud monitoring.
  * Cleaning up the performance diagnostics file with recent changes
  * Fixes to usage strings in OTEs for optional params
  * Integrating new database connector with HANA Monitoring
    and adding support for HDBUserstore Key
  * Implement hdbsql commandline result parsing
  * SAP Discovery - Add SAP Instance Numbers to instance properties
  * Updating OTEs to include params for when OTE is invoked internally
  * Modifying flags to follow design changes
  * Create fake WLM metric overrides for testing
  * Implement constructors and query functions for querying
    HANA DB via hdbuserstore using cmdline
  * Skeleton for querying HANA DB via hdbuserstore using cmdline
  * Parameterize Backint Diagnose max file size.
  * Metadata parameter added to Backint.
  * Adding initial layout for performance diagnostics OTE
  * Create a new API CreateClient() in shared logging which
    returns an error in case of failures
  * Backint no longer writes ERROR if temporary chunk failed to delete.
  * Create onetime.Init() to condense reused code.
  * Fixing a typo in a process metrics retry logic comment
  * Rename workload_validation param with workload_evaluation in configure OTE
  * Send agent version in Write Insight requests
  * Ensuring /sap/cluster/resources covers all the nodes.

- Update to version 3.2 (bsc#1222215, bsc#1222216)
  * Remove internal gensupport package.
  * Restore additional error handling and response checking to internal data warehouse client.
  * Updating the aggregate function in HANA insight rules
  * Remove a leftover debug log
  * Allow multipart uploads for PIPE file types.
  * Update go-hdb version to v1.8.0
  * Perform log restores in serial rather than parallel.
  * Add sample usage examples to commandlineexecutor
  * Small update to configureinstance OTE
  * Add nil check in backup and restore flows to protect against panics.
  * Close http response body in WriteInsight() and soap.go
  * Record topology type.
  * Initialize usagemetrics for OTEs
  * Add Instance Number to SAP System instance properties
  * Set `min_version` for WLM `os_settings` system metric.
  * Increase timeout for saptune re-apply commands.
  * Adding handling for encrypted snapshots in backup and restore
  * Change the version check comparisons to account for versions
    older than those listed in SAP Note.
  * Skip the Netweaver metrics that need dpmon on NW kernels
    affected by SAP Note: 3366597
  * Fix imports
  * No public description
  * Use internal data warehouse client.
  * Fix disp+work command invocation for Netweaver Kernel version discovery.
  * Add note about default parameter values to installbackint.
  * Add mutex in multipart writer for potential data races.
  * Update go.mod and go.sum
  * Skip XFS freeze by default unless user passes a parameter to do it explicitly
  * configureinstance minor updates.
  * Add safety check for usage metrics on BMS
  * Storage Class parameter added to Backint.
  * Update configureinstance's X4 saptune conf.
  * XML Multipart Write() and Close() methods completed.
  * Fixes the vmmanager policies for sles12 and sles15 used in the cloud console, removes
    the individual cloud console policies and consolidates them into one, adds a general
    gcloud command line policy
  * Standardize logging for workloadmanager package.
  * Multipart XML API Uploads for Backint.
  * Add database system SID to database properties.
  * Fix NW HA node identification for RedHat deployments.
  * Add workload properties to discovery object returned by discoverSAPSystems
  * Add ASCS instance number to application data
  * Add Workload Manager validation rule for checking OS settings.
  * Enable WLM metric collection by default, disable submission of data to Cloud Monitoring.
  * Decoupling primary executable command and providing an alternative to lsof
  * Added HANA version in support bundle collection
  * Add WorkloadProperties to merged system details and to WLM Insights
  * Replace the link placeholder with the actual link
  * Add instance number to SAP discovery data
  * Tranche 12: HRE Rules
  * Minor typo fix in workloadmanager's hana metrics module
  * Add pacemaker metrics with SID labels to process metrics
  * updating the regex for backup and backint files to take care of log rotation in support bundle
  * Add support for disk snapshot labels for easy lifecycle management of snapshots
  * Added new OTE for changedisktype workflow
  * Add WorkloadProperties to SapSystemDetails for apps_discovery
  * Testing the timeseries in unit tests instead of just checking the count
  * Record Netweaver kernel version.
  * Tranche 12: HRE Rules
  * Testing the timeseries in unit tests instead of just checking the count
  * Testing the timeseries in unit tests instead of just checking the count
  * Relocating pacemaker collection related packages to internal/pacemaker
    for common use between process metrics and WLM
  * Use results from latest round of discovery for the collection of process metrics.
  * Handling zero rows returned case better in HANA insights
  * Adding docstrings to workloadmanager package
  * Adding docstring to configure OTE
  * adding docstrings to methods in support bundle
  * Add X4 specific configurations to configureinstance OTE.
  * Add helper functions to configureinstance OTE.
  * Display updates for HANA Insights WLM rules rollout.
  * configureinstance OTE
  * We expect the command to return a non-zero exit code and we should not be
    returning an error. Execute treats non-zero exit code as error.
  * Removing the sap control process command line params
  * Revert &quot;Fixing system replication status code being returned&quot;
  * configureinstance OTE
  * We expect the command to return a non-zero exit code and we should not be
    returning an error. Execute treats non-zero exit code as error.
  * Removing the sap control process command line params
  * Fixing system replication status code being returned
  * Wait for hdbindex server to stop after HANA is stopped
  * Log error to console in cases where LVM is not being used
  * Adding JournalCTL logs to support bundle
  * hanadiskbackup - Add missing params to the Usage string
  * Move usagemetrics package into shared folder
  * Fixed data race error in TestCollectAndSendSlowMovingMetrics()
  * Disk backup/restore - Enable send-metrics-to-monitoring by default

- Update to version 3.1 (bsc#1220010, bsc#1220111)
  * Fixing system replication status code being returned
  * Reduce disk snapshot wait durations
  * Fix test flakes in workloadcollector test.
  * adding metrics for db freeze time and total workflow time
  * Fix for SAP System discovery adding the current host to all components.
  * Restore default WLM metric collection settings.
  * change description of validate OTE
  * fix a typo in the command name and add a delay before we try the unmount
  * Use underscore as separator for flags in place of hyphens
  * Enable host_metrics and disable reliability_metrics by default in configure OTE
  * Collect reliability metrics in the free namespace
  * Remove user from cmd params for HANA Replication
  * Enable workload manager metric collection by default.
  * Add support configuration flag to enable legacy WLM metric data submission workflow.
  * Lowers the log level of discovery to info
  * Fix for HANA Replication Config
  * Add additional instance-id parameter for users who do not want to provide port number
  * Use _ instead of - for parameters in configurebackint
  * Implementing panic recovery to HANA Monitoring: CreateWorkerPool
  * Fix issue with process metrics subroutine starting.
  * Add a flag to enable or disable workload discovery.
  * Reduce logs in sapdiscovery to debug, these are now run a
    lot more frequently and are flooding the logs
  * Use bucket `cloudsapdeploystaging` for staging environment.
  * Updates default value handling for system discovery flag.
  * Added default values to some frequency flags in configure OTE
  * force a sync before unmounting to clear out stale file handles
  * Retain recoverable routine in process metrics.
  * Ensures slow metrics workers stop on context cancellation.
  * Log lsof output if unmount fails during restore
  * SAP Discovery - Discover R3trans data
  * Add panic recovery to collectiondefinition update routine
  * configurebackint OTE.
  * Adding panic recovery to remote.go
  * Prevent host metrics from restarting the daily metrics report if it has already been started.
  * Add panic recovery to agent metrics
  * Implementing panic recovery for hana monitoring: logging action daily
  * Routines now use their own context and cancel in the event of a panic recovery.
  * Add panic recovery to host metrics routines
  * Removed -path flag and fixed usage string
  * Add workload properties to the SAP System definition.
  * Add panic recovery to collectMetricsFromConfig routines.
  * Add panic recovery to fast metric collection routine.
  * Reduces the log severity to debug for the exponential backoff policy
  * Add panic recovery to heartbeat routine.
  * Updating configuration.json file to remove deprecated sap_discovery field
  * Use protojson instead of custom function for snake_case marshaling
  * Add panic recovery to WLM metrics collection
  * HANA Insights rules tranche 11: Create unit tests and add to auto push
  * Add panic recovery to workload collector daily usage metrics.
  * Processmetrics - suppress Error and Warn logs that really need to be debug
  * Formatting the output of messages printed by configure OTE
  * Changing flag names of configure OTE to align better with configuration.json fields
  * Add automatic panic recovery to slow metrics collection
  * Add panic recovery to goroutine collectAndSend
  * Add panic recovery to goroutine
  * Retain recoverable routines beyond function scope.
  * Implement recovery handler for SAP System discovery package
  * Tranche 11: HRE Rules
  * Update github build
  * Adds generic panic recovery to SAP System discovery package
  * Initialize the sidadm env to ensure restore can be run as root user
  * not packaging gcbdr scripts till launch of the feature
  * Change datatype of frequency flags from string to int
  * Breaking down --frequency flag into separate flags for different features for better isolation
  * Fix configuration.json file from being written in camelCase to snake_case
  * Tranche 6,7,8,9,10: HRE Rules
  * Suppress pacemaker related log from Error to Debug
  * creating the OTE for GCBDR discovery
  * Update HA node identification
  * Tranche 10: HRE Rules
  * Update file permissions and ownership for installbackint when running as root.
  * Adding newline after version print.
  * Exposing HANA Logical volumes availability metrics
  * Make workloadmanager parameters test more robust.
  * Fix panic in cloud discovery
  * Tranche 10: HRE Rules
  * Add recovery_folder_prefix parameter to Backint.
  * Mark process_metrics_send_frequency as deprecated
  * Add snapshot-type param to hanadiskbackup with default as STANDARD
    type. Users can override to ARCHIVE type if needed.
  * Add new folder_prefix parameter to Backint.
  * Add new HANA insight rules to BUILD file and embed sources
  * Tranche 10a: HRE Rules
  * Tranche 6b: HRE Rules
  * Tranche 8b: HRE Rules
  * Fix for sending isABAP value
  * Updating logusage command line flags

- Update to version 3.0 (bsc#1218736, bsc#1218737)
  * Suppress pacemaker command error to debug to avoid log flooding
  * Expand load balancing cluster discovery.
  * Log success messages in OTEs to STDOUT instead of STDERR used by log.Print
  * Use bash always to avoid variation of behavior across OS/Shell types
  * Minor updates to installbackint.
  * Backint compose step properly saves metadata.
  * Fix issue with discovery on ASCS instances.
  * hanadiskrestore - fix the format of disktype string for disk create API
  * Fix issue with PCS cluster address discovery.
  * Update transform to insight
  * Rename HANA backup/restore OTEs to reflect they are supported
    for all disks and not just persistent disk
  * Increase the timeout for HDB stop to account for busy DBs
  * Adding project sap-ecs-testing to the list.
  * PD Restore - Support provisioned-iops and provisioned-throughput
  * Integration test for configure OTE
  * Added precondition in hana pd backup for stripped LVM
  * Add a precondition check to verify user has passed a valid
    snapshot name that is present in the current project
  * Update the usage to reflect additional required param
  * Minor path update for supportbundle OTE.
  * Fixing bug in slow moving metrics partial collection scenarios
  * Adding check for agent status after restart.
  * Ensure Backint ComposeChunks has a valid bucket handle
  * Discover whether a Netweaver instance is ABAP or Java
  * Replace standard slices package with third party version
  * WLM HANA metric `ha_in_same_zone` now reports instance
    names for HA nodes in the same zone
  * Fix data race condition for Backint Backup with new client connections
  * Make -new-disk-name a required parameter to avoid the 63 char
    limit in the name length due to auto-generated names
  * Fix command for collecting Corosync metric `two_node_runtime`
  * Make snapshot name similar to disk name
  * Bump golang.org/x/crypto from 0.15.0 to 0.17.0
  * Enable Discovery config flag controls submission
    to Data Warehouse and Cloud Logging
  * Create new clients for each operation in Backint
  * Add `client_endpoint` to Backint proto.
  * Getting the build number into the version for display
  * Backint config name change: service_account to service_account_key
  * Add HANA HA metrics to collection definition.
  * Fix sorting bug in a diff in apps_discovery_test.go
  * Add discoverHANATenantDBs to main code path
  * Change PIPE filemode to WRONLY to allow us to detect broken pipes
  * Deprecate `sap_system_discovery` config field in favor of `enable_discovery`
  * Move the validation of whether user passed correct PD, before stopping HANA
  * Add a placeholder for public doc link with next steps
    after hanapdrestore workflow has completed
  * Fix executable path for HDB version command
  * Add optional param `new-disk-name` to hanapdrestore
    for users that wish to override the default
  * Sort the skipmetrics in unit test to avoid order related flakes
  * Generalizing configure OTE
  * Discover Netweaver kernel version
  * Fix Sprintf call
  * Use SAP System data to determine if HANA HA nodes share the same zone.
  * hanapdrestore - do not delete PDs in case of failures
  * Create discoverHANATenantDBs method to support multiple SIDs for HANA tenant DBs
  * Send additional fields in Data Warehouse WriteInsightRequest
  * Updating the username parameters for hana pd backup and restore
  * Retrieve Reliability data every 2 hours instead of 24
  * Discover HANA version
  * Fix import for GitHub build
  * Add instance properties, and topology information to system data
  * Keep the device name and disk name same after restore
  * Move sapdiscovery package into system package
  * Change the default name of the disk created by restore workflow
  * Updates the generated protobuf go for system.proto
  * Update generated system proto
  * Update go.yml
  * Add topology and instance properties info to SAP System data
  * Add a check to verify the disk is attached to instance, fail if disk is not attached
  * Add application and database software properties to system representation
  * Fix race condition in heartbeat test case
  * Add error handling to restore workflow to try and keep
    the HANA system in a clean state on failures
  * Enable LogToCloud by default for both OTE and Daemon modes
  * Bump Agent version to 3.0
  * Reliability OTE added to SAP Agent
  * Declare public Get interface for SAP System discovery data
  * Integration testing for Networkstats Package
  * Adding project sap-ecs-testing to the list
  * Adding one time execution for enabling/disabling of features
  * Change to using custom retries for initial bucket connection
  * Default collection definition to be fetched from GCS
  * Add a 2 minute context timeout for initial bucket connection
  * Add `collection_config_version` as a WLM system metric
  * Make project, host param optional for hanapdbackup,
    in addition make user param optional for hanapdrestore
  * Fix potential nil dereference WLM metrics collection
  * Add force-stop-hana to restore workflow to forcefully stop
    HANA when the param is passed
  * Rename the HANA PD snapshot and restore workflows
  * Add unit tests for GetProvisionIOps and GetProvisionedThoughput
  * Remove the TestCollect unit test which relies on nc
    command which can be flaky in unit tests
  * Increase Backint timeout for PIPE files to 3 minutes
  * Add XFS freeze and unfreeze to PD based snapshot

- Update to version 2.8 (bsc#1217373, bsc#1217374)
  * Bump agent version to 2.8 to support C3/M3 certification
  * Update go.yml to use go 1.21
  * Switch from &quot;slices&quot; to &quot;go_exp.../slices&quot; for go version dependency
  * Use newly refactored discovery packages.
  * Fixes issue with diskname from source or device name
  * Adds extreme disk type IOps and Throughput for host metrics
  * Add `INTEGRATION` target config environment for collection definition testing
  * Add project number to SAP System proto
  * Add a cache to discovered resources. This reduces the number of API
    calls needed to perform System Discovery
  * Replace windows wmic hardware queries with PowerShell wmi queries
  * Fix test flakiness
  * Improve development process for collection definition configuration
  * HANA PD based snapshot and restore - changes to add wait for uploading
  * Fix for kokoro build issue in processmetrics/networkstats
  * GCBDR SAPCoreAPP Package in Agent for SAP
  * Add version tracking for WLM validation config
  * Send workload validation config to remote instances for use during remote collection
  * Add flag for passing in workload validation config into remote collection OTE
  * Bump google.golang.org/grpc from 1.58.2 to 1.58.3
- from version 2.7
  * Added ote for hma dashboards migration
  * Increase Max backoff in storage package to 300 seconds
  * Added subpaths for collection of required TCP metrics
  * Add more debug logs and increase the wait-time for PD operations in restore
  * No public description
  * Add 30 second timeout to read/write from the local file system for Backint
  * No public description
  * Adds RHEL 9 VM Manager policy
  * Extract cloud-related discovery functions into separate file
  * Adding timeout to systemReplication.py command execution
  * Allow download attempts without verifying connection to bucket
  * Invoke `collectiondefinition.Start` when starting the agent in daemon mode
  * SAP Agent CLI - usability improvements for flags and help menu
  * Add host project information to HANA DB component discovery data.
  * Use proto names for default configuration during Backint installation
  * Extending logging capabilities to all packages of the agent
  * Added a feature for exposing TCP connection metrics
  * Migrating context logging logic to all packages of SAP Agent
  * Add an ifthisthenthatlint to ensure new script is kept in sync with rule proto
  * (collectiondefinition) - Discard unknown fields and remove breaking metrics
  * Moving commandlineexecutor from internal to shared for sqlserveragent
  * Define startup function for collectiondefinition package
  * Check error on close of destFile in backint restore
  * Allow trailing zeros for millisecond timestamps in Backint
  * Add pid to all agent logs
  * Bump SAP Agent version to 2.7 (placeholder release version)
  * Separate collection definition validation functionality into a separate file
  * Add datetime to migration folder for Backint installation
  * Add symlink for Backint log file to install directory
  * Set a deadline for the final flush to cloud logging
  * Increase chunk retry deadline in storage package
  * Fix order dependent tests in sapagent/internal/storage
  * Change support bundle feature to collect the OTE logs from new path
  * Usage logging for remote WLM validation metrics collection from the collector instance
  * Extract discovery functions performed on the host to a separate file
  * Improve agent shutdown experience in daemon mode
  * Fix Backint restoring incorrect file
  * Google Events - rule proto initial submission
  * Move gce package to shared folder for use by SQL Server agent
  * Add GCS integration into collectiondefinition package
  * Standardize import aliases
  * go mod updates
  * Fixing go/gotsan data race error in processmetrics_test
  * Add Backint support for Inquire line: `#EBID &lt;external_backup_id&gt;`
  * Chown Backint install directories to user/group of the opt/ folder
  * Create OTE logs under a subdir under /var/log as /var/log is only writable by root
  * Will not create an empty log file for logusage logs and one
    time execution logs will have 0666 file mode
  * Setting the log file created to world read+write permission
  * Bump golang.org/x/net from 0.15.0 to 0.17.0
  * Add recovery_bucket parameter to Backint
  * Extract SAP related discovery functions to a separate file
  * Fix Backint install directory
  * Fix Backint parallel uploads
  * Move maintenance collector to beta API
  * Pruning batches to prevent time series duplication
  * Added a logger for incorporating service context keys in logs
  * Encode the DB password string to handle passwords with special characters
  * Handling non error scenarios better in netweaver.go
  * Internal change
  * fixes typo on backint install
  * Allow all users to execute google_cloud_sap_agent
  * Fix hdbbackint script.
  * Subdirs for Backint DIAGNOSE temporary files
  * Report zero-value metrics for upcoming maintenance
  * Clean up gcealpha functionality
  * Fix default configuration values in daemon and backint
  * Update the comment in proto to reflect that the metric
    path in skip list should start with /sap
  * Implemented separation of context of different services

- Update to version 2.6 (bsc#1215672, bsc#1215673)
  * Rolling back previous change for storing Project Number,
    Project ID is sufficient, no need to add complexity
  * Determine location of HANA global.ini using SAP system discovery logic
  * Add numeric project ID prefix to object name for ReadMetrics
  * Discovery now looks up and stores project number with discovery data
  * ReadMetrics updates for IAM permissions and bucket object names
  * fixing the bug in backoff logic, using separate policies
    for each collector and adding some logs
  * Backint migration from the old agent and supporting legacy parameters
  * adding new backoff policies for process metrics and fixing the
    bug in process metrics sapservice collector
  * Bump SAP Agent version to 2.6
  * Fix an issue where HANA hosts may not be discovered
    properly if hostname differs from instance name
  * Use Go 1.20 friendly sorting solution
  * adding retries in process metrics logic with backoffs
  * Fix parsing of instance (host/VM) name in Pacemaker pcmk_delay_max metric
  * Add the collection definition changes for the SAP HANA Topology metrics
  * Template for Cloud Monitoring Alerts for Backint errors
  * adding backoff to InstanceProperties to each collector
  * Reduced the number of parameters of startXX functions
    by consolidating them into respective structs
  * completing TODO (b/298315981): Create a map from skipped
    list metrics and pass it to collectors.
  * Proto package name changes to reflect the current path
  * Use instance_name instead of instance_id for baremetal systems
  * Decode encryption keys for Backint.
  * Moving hareplication metric to fast moving metrics
  * Added backoffs package in process metrics to keep the backoff policies
    and retry policies separately and make it reusable across process metrics
  * Install Backint OTE
  * Adding skip list logic to process metrics
  * Separating fastmoving metrics into a separate file from other process metrics
  * Update remote collection to use collected instance's Cloud Properties
  * ReadMetrics upload to bucket and send status to monitoring
  * Remove local implementation of DW API in favor of using generated third_party version
  * ReadMetrics read input file and write results to local filesystem
  * Clean up command line executions to collect SAP Control metrics
  * Adding new OTE structure for ReadMetrics
  * Add the SUSE specific spec file to keep upstream changes and SUSE packaging in sync
  * Collect and report upcoming maintenance
  * Add basepath override and gcealpha functionality
  * Making proto changes for process metrics re-arch
  * Changes for generating HANA Insights locally into a markdown file
  * Delay feature specific daily action logs by 24 hours
    to avoid noise created by startup failures
  * Update to the rule "maximum_invalid_connect_attempts"
  * Add some missing related resources
  * Fix rate limiting for compression enabled uploads/downloads
  * Optional User-Agent parameter added to storage package client connection
  * Relocate gcealpha to /internal
  * Fix parse_test error
  * Retries added for opening files in Backint
  * Make processmetrics unit tests hermetic
  * Remove if-this-then-that requirement from WLM validation rule
  * Fix WriteInsight JSON encoding, and add missing elements
  * Add configuration value to change API endpoint for Data Warehouse calls
  * Storage package progress messages based off of read/writes directly to the bucket
  * Make Collect DB Metrics as NO-OP when metrics are being read from override file
  * Remove unused field from backint proto
  * Custom retries for the storage package with exponential backoff and MaxRetries setting

- Update to version 2.5
  + No upstream changelog provided

Package google-guest-agent was updated:

- Update to version 20240314.00 (bsc#1221900, bsc#1221901)
  * NetworkManager: only set secondary interfaces as up (#378)
  * address manager: make sure we check for oldMetadata (#375)
  * network: early setup network (#374)
  * NetworkManager: fix ipv6 and ipv4 mode attribute (#373)
  * Network Manager: make sure we clean up ifcfg files (#371)
  * metadata script runner: fix script download (#370)
  * oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369)
  * Dynamic vlan (#361)
  * Check for nil response (#366)
  * Create NetworkManager implementation (#362)
  * Skip interface manager on Windows (#363)
  * network: remove ignore setup (#360)
  * Create wicked network service implementation and its respective unit (#356)
  * Update metadata script runner, add tests (#357)
  * Refactor guest-agent to use common retry util (#355)
  * Flush logs before exiting #358 (#359)
- Refresh patches for new version
  * dont_overwrite_ifcfg.patch

- No need for double %setup.

- Use %patch -P N instead of deprecated %patchN.

- Update to version 20240213.00
  * Create systemd-networkd unit tests (#354)
- from version 20240209.00
  * Update network manager unit tests (#351)
- from version 20240207.02
  * Implement retry util (#350)
- from version 20240207.01
  * Refactor utils package to not dump everything unrelated into one file (#352)
- from version 20240207.00
  * Set version on metadata script runner (#353)
  * Implement cleanup of deprecated configuration directives (#348)
  * Ignore DHCP offered routes only for secondary nics (#347)
  * Deprecate DHClient in favor of systemd-networkd (#342)
  * Generate windows and linux licenses (#346)
- from version 20240122.00
  * Remove quintonamore from OWNERS (#345)
- from version 20240111.00
  * Delete integration tests (#343)
- from version 20240109.00
  * Update licenses with dependencies of go-winio (#339)
  * Add github.com/Microsoft/go-winio to third party licensing (#337)
- Add explicit versioned dependency on google-guest-oslogin (bsc#1219642)
- Refresh patches for new version
  * dont_overwrite_ifcfg.patch

- Update to version 20231214.00
  * Fix snapshot test failure (#336)
- from version 20231212.00
  * Implement json-based command messaging system for guest-agent (#326)
- from version 20231118.00
  * sshca: Remove certificate caching (#334)
- from version 20231115.00
  * revert: 3ddd9d4a496f7a9c591ded58c3f541fd9cc7e317 (#333)
  * Update script runner to use common cfg package (#331)

- Update to version 20231110.00
  * Update Google UEFI variable (#329)
  * Update owners (#328)
- from version 20231103.00
  * Make config parsing order consistent (#327)

- Update to version 20231031.01 (bsc#1216547, bsc#1216751)
  * Add prefix to scheduler logs (#325)
- from version 20231030.00
  * Test configuration files are loaded in the documented
    order. Fix initial integration test. (#324)
  * Enable mTLS by default (#323)
- from version 20231026.00
  * Rotate MDS root certificate (#322)
- from version 20231020.00
  * Update response struct, add tests (#315)
  * Don't try to schedule mTLS job twice (#317)
- from version 20231019.00
  * snapshot: Add context cancellation handling (#318)

- Bump the golang compiler version to 1.21 (bsc#1216546)

- Update to version 20231016.00
  * instance setup: trust/rely on metadata package's retry (#316)
- from version 20231013.01
  * Update known cert dirs for updaters (#314)
- from version 20231011.00
  * Verify cert refresher is enabled before running (#312)
- from version 20231009.00
  * Add support for the SSH key options (#296)
- from version 20231006.01
  * Events interface improvement (#290)
- from version 20231006.00
  * Refactor script runner to use common metadata package (#311)
  * Schedule MTLS job before notifying systemd (#310)
  * Refactor authorized keys to use metadata package (#300)
- from version 20231005.00
  * docs update: add configuration and event manager's docs. (#309)
- from version 20231004.01
  * Fix license header (#301)
  * packaging(deb): add epoch to oslogin dep declaration (#308)
- from version 20231004.00
  * packaging(deb): ignore suffix of version (#306)
  * packaging: force epoch and ignore suffix of version (#305)
- from version 20231003.01
  * oslogin: declare explicitly dependency (#304)
  * oslogin: remove Unstable.pamless_auth_stack feature flag (#303)
- from version 20231003.00
  * oslogin: resort ssh configuration keys (#299)
- from version 20230925.00
  * oslogin: introduce a feature flag to cert auth (#298)
- from version 20230923.00
  * gitignore: unify ignore in the root dir (#297)
- from version 20230921.01
  * managers: we accidentally disabled addressMgr, bring it back (#295)
  * cfg: fix typos (#294)
  * cfg: config typos (#293)
  * cfg: introduce a configuration management package (#288)
- from version 20230921.00
  * mtls: bring it back (#292)
- from version 20230920.01
  * Fix permissions on file created by SaferWriteFile() (#291)
- from version 20230920.00
  * sshca: re-enable the event watcher &amp; handler (#289)
- from version 20230919.01
  * oslogin: add PAMless Authorization Stack configuration (#285)
- from version 20230919.00
  * Preparing it for review (#287)
  * sshca: make sure to restore SELinux context of the pipe (#286)
  * remove deprecated usage, fix warnings (#282)
  * Update system store (#278)
  * Update workload certificate endpoints, use metadata package (#275)
  * metadata: use url package to form metadata URLs (#284)
- from version 20230913.00
  * release prep: disable ssh trusted ca module (#281)
- from version 20230912.00
  * New Guest Agent Release (#280)
- from version 20230909.00
  * Revert "service: remove the use of the service library (#273)" (#276)
  * service: remove the use of the service library (#273)
- from version 20230906.01
  * Store keys to machine keyset (#272)
- from version 20230905.00
  * restorecon: first try to determine if it's installed (#271)
  * run: change all commands to use CommandContext (#268)
  * Notify systemd after scheduling required jobs (#270)
  * Store certs in ProgramData instead of Program Files (#269)
  * metadata watcher: remove local retry &amp; implement unit tests (#267)
  * run: split command running utilities into its own package (#265)

- Update to version 20230828.00
  * snapshot: Use main context rather than create its own (#266)
- from version 20230825.01
  * Verify if cert was successfully added to certpool (#264)
- from version 20230825.00
  * Find previous cert for cleanup using one stored on disk (#263)
- from version 20230823.00
  * Revert "sshtrustedca: configure selinux context
    for sshtrustedca pipe (#256)" (#262)
  * Update credentials directory on Linux (#260)
- from version 20230821.00
  * Update owners (#261)
- from version 20230819.00
  * Revert "guest-agent: prepare for public release (#258)" (#259)
- from version 20230817.00
  * guest-agent: prepare for public release (#258)
- from version 20230816.01
  * Enable telemetry collection by default (#253)
- from version 20230816.00
  * Add pkcs12 license and update retry logic (#257)
  * sshtrustedca: Configure selinux context for sshtrustedca pipe (#256)
  * Store windows certs in certstore (#255)
  * events: Multiplex event watchers (#250)
  * Scheduler fixes (#254)
  * Update license files (#251)
  * Run telemetry every 24 hours, record pretty name on linux (#248)

- Update to version 20230811.00
  * sshca: move the event handler to its own package (#247)
- from version 20230809.02
  * Move scheduler package to google_guest_agent (#249)
- from version 20230809.01
  * Add scheduler utility to run jobs at interval (#244)
- from version 20230809.00
  * sshca: transform the format from json to openssh (#246)
- from version 20230803.00
  * Add support for reading UEFI variables on windows (#243)
- from version 20230801.03
  * sshtrustedca watcher: fix concurrency error (#242)
- from version 20230801.02
  * metadata: add a delta between http client timeout and hang (#241)
- from version 20230801.00
  * metadata: properly set request config (#240)
  * main: bring back the mds client initialization (#239)
  * metadata: don't try to use metadata before agentInit() is done (#238)
  * Add (disabled) telemetry logic to GuestAgent (#219)
  * metadata event handler: updates and bug fixes (#235)
  * Verify client credentials are signed by root CA before writing on disk (#236)
  * metadata: properly handle context cancelation (#234)
  * metadata: fix context cancelation error check (#233)
  * metadata: remove the sleep around metadata in instance setup (#232)
  * metadata: implement backoff strategy (#231)
  * Decrypt and store client credentials on disk (#230)
  * Upgrade Go version 1.20 (#228)
  * Fetch guest credentials and add MDS response proto (#226)
  * metadata: pass main context to WriteGuestAttributes() (#227)
  * Support for reading &amp; writing Root CA cert from UEFI variable (#225)
  * ssh_trusted_ca: enable the feature (#224)
  * sshTrustedCA: add pipe event handler (#222)
  * events: start using events layer (#223)
- from version 20230726.00
  * events: introducing a events handling subsystem (#221)
- from version 20230725.00
  * metadata: add metadata client interface (#220)
- from version 20230711.00
  * metadata: moving to its own package (#218)
- from version 20230707.00
  * snapshot: fix request handling error (#217)
- Bump Go API version to 1.20

Package google-guest-configs was updated:

- Update to version 20240307.00 (bsc#1221146, bsc#1221900, bsc#1221901)
  * Support dot in NVMe device ids (#68)
- from version 20240304.00
  * google_set_hostname: Extract rsyslog service name
    with a regexp for valid systemd unit names (#67)
- from version 20240228.00
  * Remove quintonamore from OWNERS (#64)
- from version 20240119.00
  * Setup smp affinity for IRQs and XPS on A3+ VMs (#63)

- Update to version 20231214.00
  * set multiqueue: A3 check set timeout the MDS call in 1s (#62)
- from version 20231103.00
  * Update owners (#61)
  * Update owners (#58)

- Update to version 20230929.00
  * Update multinic filter to pick only pci devices (#59)

Package google-guest-oslogin was updated:

- Fix file permissions for google_authorized_principals binary (bsc#1222171)
- Update to version 20240311.00 (bsc#1218548, bsc#1221900, bsc#1221901)
  * pam: Bring back pam's account management implementation (#133)
  * Change error messages when checking login policy (#129)
  * Remove quintonamore from OWNERS (#128)

- Add explicit versioned dependency on google-guest-agent (bsc#1219642)

- Update to version 20231116.00
  * build: Fix DESTDIR concatenation (#124)
- from version 20231113.00
  * build: Fix clang build (#122)
- from version 20231103.00
  * Update owners (#121)

- Update to version 20231101.00 (bsc#1216548, bsc#1216750)
  * Fix HTTP calls retry logic (#117)

- Update to version 20231004
  * packaging: Make the dependency explicit (#120)

- update to 20230926.00:
  * fix suse build
  * selinux: fix selinux build (#114)
  * test: align CXX Flags
  * sshca: Make the implementation more C++ like
  * sshca: Add a SysLog wrapper
  * oslogin_utils: introduce AuthorizeUser() API
  * sshca: move it out of pam dir
  * pam: start disabling the use of oslogin_sshca
  * sshca: consider sshca API to assume a cert only
  * authorized principals: introduce the new command
  * authorize keys: update to use new APIs
  * pam modules: remove pam_*_admin and update pam_*_login
  * cache_refresh: should be catching by reference.

- Update to version 20230823.00
  * selinux: Add sshd_key_t type enforcement to trusted user ca (#113)
- from version 20230822.00
  * sshca: Add tests with fingerprint and multiple extensions (#111)
- from version 20230821.01
  * sshca: Support method token and handle multi line (#109)
- from version 20230821.00
  * Update owners (#110)

- Update to version 20230808.00
  * byoid: extract and apply the ca fingerprint to policy call (#106)

- Update to version 20230502.00
  * Improve the URL in 2fa prompt (#104)
- from version 20230406.02
  * Check open files (#101)
- from version 20230406.01
  * Initialize variables (#100)
  * Fix formatting (#102)
- from version 20230406.00
  * PAM cleanup: remove duplicates (#97)
- from version 20230405.00
  * NSS cleanup (#98)
- from version 20230403.01
  * Cleanup Makefiles (#95)
- from version 20230403.00
  * Add anandadalton to the owners list (#96)

- Update to version 20230217.00
  * Update OWNERS (#91)
- from version 20230202.00
  * Update owners file (#89)

Package google-osconfig-agent was updated:

- Update to version 20240320.00 (bsc#1221900, bsc#1221901)
  * Enable OSConfig agent to read GPG keys files with multiple entities (#537)
- from version 20240314.00
  * Update OWNERS file to replace mahmoudn GitHub
    username by personal email GitHub username (#534)
- from version 20240313.01
  * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 in /e2e_tests (#535)
- from version 20240313.00
  * Adds a console and gcloud example policies (#533)
- from version 20240228.00
  * GuestPolicies e2e: Remove ed package if exist for zypper
    startup_script in recipe-steps tests (#532)
- from version 20240126.00
  * Fix Enterprise Linux Recipe-Steps tests to install
    info dependency package in the startup-script (#530)
- from version 20240125.01
  * Fix SUSE pkg-update and pkg-no-update e2e tests (#529)
- from version 20240125.00
  * Fix zypper patch info parser to consider conflicts-pkgs float versions (#528)
- from version 20240123.01
  * Fix SUSE package update e2e tests to use another existing package (#527)
- from version 20240123.00
  * Update cis-exclude-check-once-a-day.yaml (#526)

- Update to version 20231219.00
  * Bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#524)
- from version 20231207.01
  * Some change to create an agent release (#523)
- from version 20231207.00
  * Some change to create an agent release (#522)
- from version 20231205.00
  * Some change to create an agent release (#521)
- from version 20231130.02
  * Merge pull request #519 from Gulio/just-release
  * Merge branch 'master' into just-release
  * Some change to create an agent release
  * Some change to create an agent release
- from version 20231130.00
  * Some change to create an agent release (#518)
- from version 20231129.00
  * Fix parse yum updates to consider the packages under
    installing-dependencies keyword (#502)
  * Update feature names in the README file (#517)
- from version 20231128.00
  * Updating owners (#508)
- from version 20231127.00
  * Move OS policy CIS examples under the console folder (#514)
- from version 20231123.01
  * Adds three more OS Policy examples to CIS folder (#509)
  * Added ekrementeskii and MahmoudNada0 to OWNERS (#505)
- from version 20231123.00
  * docs(osconfig):add OS policy examples for CIS scanning (#503)
- from version 20231121.02
  * Added SCODE to Windows error description (#504)
- from version 20231121.01
  * Update OWNERS (#501)
  * Update go version to 1.21 (#507)
- from version 20231121.00
  * Call fqdn (#481)
- from version 20231116.00
  * Removing obsolete MS Windows 2019 images (#500)
- from version 20231107.00
  * Update owners. (#498)
- from version 20231103.02
  * Increasing test timeouts (#499)
  * Update OWNERS (#497)
- from version 20231103.01
  * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 in /e2e_tests (#493)
  * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#494)
- from version 20231103.00
  * Removing deprecated Win for containers OSs (#496)
- from version 20231027.00
  * Shortening the reported image names (#495)
- from version 20231025.00
  * Merge pull request #492 from GoogleCloudPlatform/michaljankowiak-patch-1
  * Merge branch 'master' into michaljankowiak-patch-1
  * Fixing name changes
  * Fixing rename issue
  * Fixed formatting
  * Fixed formatting
  * Fixing formatting
  * Removing support for RHEL 6, adding RHEL 9
  * Removing support for RHEL 6, adding for RHEL 9
  * Removing support for RHEL 6 and adding for RHEL 9
  * Removing step needed for RHEL 6
  * Fixing build issues
  * Removing nonexistent images and adding new ones
- from version 20231024.00
  * Removing obsolete OS images and adding new ones (#491)
- from version 20231020.00
  * Change debug messages when parsing zypper patch output (#490)
- from version 20231013.00
  * Bump golang.org/x/net from 0.7.0 to 0.17.0 (#489)
- from version 20231010.00
  * Revert "Added [main] section with gpgcheck to
    the agent-managed repo file (#484)" (#488)
- from version 20231003.00
  * Bump google.golang.org/grpc from 1.42.0 to 1.53.0 in /e2e_tests (#478)
- from version 20230920.00
  * Update OWNERS (#485)
- from version 20230912.00
  * Added [main] section with gpgcheck to the agent-managed repo file (#484)
  * Migrate empty interface to any (#483)

- Bump the golang compiler version to 1.21 (bsc#1216546)

- Update to version 20230829.00
  * Added burov, dowgird, paulinakania and Gulio to OWNERS (#482)

Package growpart-rootgrow was updated:

- Update to version 1.0.7 (bsc#1219941)
  + Support root to be in a btrfs snapshot
  + 1.0.6 had different implementation for btrfs in snapshot support

Package hawk2 was updated:

- Update to version 2.6.4+git.1708604510.dc8c081f:
  * Enable ACL (bsc#1214396,bsc#1219548)

- Update to version 2.6.4+git.1702030539.5fb7d91b:
  * Enable HttpOnly secure flag by default (bsc#1216508)
  * Enforce CSRF in errors_controller.rb (bsc#1216571)
  * Fix mime type issue in MS windows (bsc#1215438)
  * Parametrize CORS Access-Control-Allow-Origin header (bsc#1213454)
  * Tests: upgrade tests for ruby3.2 (tumbleweed) (bsc#1215976)
  * Upgrade for ruby3.2 (tumbleweed) (bsc#1215976)
  * Forbid special symbols in the category (bsc#1206217)
  * Fix the sass-rails version on ~5.0 (bsc#1208533)
  * Don't delete the private key if the public key is missing (bsc#1207930)
  * make-sle155-compatible.patch . No bsc, it's for backwards compatibility.

Package krb5 was updated:

- Fix vulnerabilities in GSS message token handling, add patch
  0013-Fix-vulnerabilities-in-GSS-message-token-handling.patch
  * CVE-2024-37370, bsc#1227186
  * CVE-2024-37371, bsc#1227187

- Fix memory leaks, add patch 0012-Fix-two-unlikely-memory-leaks.patch
  * CVE-2024-26458, bsc#1220770
  * CVE-2024-26461, bsc#1220771

Package resource-agents was updated:

- Azure-lb fails if IPv6 disabled (bsc#1223554)
  Add upstream patch:
    Add a new parameter: listen
    This parameter can have the following values:
    default: Neither -4 nor -6 will be used. The default behavior of socat and nc will be used.
    socat: Listen only on IPv4 addresses
    nc: If net.ipv6.bindv6only = 0 =&gt; Listen on both IPv4 and IPv6 addresses
    If net.ipv6.bindv6only = 1 =&gt; Listen only on IPv4 addresses
    ipv4only: Listen only on IPv4 addresses.
    ipv6enable: Enable TCP6 support.
    nc: Listen only on IPv6 addresses independent of net.ipv6.bindv6only
    socat: If net.ipv6.bindv6only = 0 =&gt; Listen on both IPv4 and IPv6 addresses.
    If net.ipv6.bindv6only = 1 =&gt; Listen only on IPv6 addresses.
  Add patch:
    0001-Azure-lb-fails-if-IPv6-disabled.patch

- resource-agents:azure-lb IPv6 support (bsc#1220997)
  Add patch:
    0001-Support-IPv6-with-Azure-load-balncer.patch

Package less was updated:

- Fix CVE-2024-32487, mishandling of \n character in paths when
  LESSOPEN is set leads to OS command execution
  (CVE-2024-32487, bsc#1222849)
  * CVE-2024-32487.patch

- Fix CVE-2022-48624, LESSCLOSE handling in less does not quote shell
  metacharacters, bsc#1219901
  * CVE-2022-48624.patch

Package gcc13 was updated:

- Update to GCC 13.3 release
- Update to gcc-13 branch head, b7a2697733d19a093cbdd0e200, git8761
- Removed gcc13-pr111731.patch now included upstream

- Add gcc13-amdgcn-remove-fiji.patch removing Fiji support from
  the GCN offload compiler as that is requiring Code Object version 3
  which is no longer supported by llvm18.

- Add gcc13-pr101523.patch to avoid combine spending too much
  compile-time and memory doing nothing on s390x.  [boo#1188441]

- Make requirement to lld version specific to avoid requiring the
  meta-package.

- Add gcc13-pr111731.patch to fix unwinding for JIT code.
  [bsc#1221239]

- Revert libgccjit dependency change.  [boo#1220724]

- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.

- Use %patch -P N instead of %patchN.

- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
  crypt and crypt_r interceptors.  The crypt API change in SLE15 SP3
  breaks them.  [bsc#1219520]

- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for
  -fmin-function-alignment.  [bsc#1214934]

- Use %{_target_cpu} to determine host and build.

- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
  * Includes fix for building TVM.  [boo#1218492]

- Add cross-X-newlib-devel requires to newlib cross compilers.
  [boo#1219031]

- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
  in gcc13-devel.  [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
  are linked against libstdc++6.

- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205

- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
  * Includes fix for building mariadb on i686.  [bsc#1217667]
  * Remove pr111411.patch contained in the update.

- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
  cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
  %product_libs_llvm_ver where available and adjust tool discovery
  accordingly.  This should also properly trigger re-builds when
  the patchlevel version of llvmVER changes, possibly changing
  the binary names we link to.  [bsc#1217450]

Package avahi was updated:

- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
  avahi_rdata_parse (bsc#1216853, CVE-2023-38472).

- Add avahi-CVE-2023-38471.patch: Extract host name using
  avahi_unescape_label (bsc#1216594, CVE-2023-38471).
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
  records (bsc#1216598, CVE-2023-38469).

- Add avahi-CVE-2023-38470.patch: Ensure each label is at least one
  byte long (bsc#1215947, CVE-2023-38470).

- Add avahi-CVE-2023-38473.patch: derive alternative host name from
  its unescaped version (bsc#1216419 CVE-2023-38473).

Package util-linux was updated:

- fix Xen virtualization type misidentification bsc#1215918
  lscpu-fix-parameter-order-for-ul_prefix_fopen.patch

- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).

- Add upstream patch
  util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
  bsc#1207987 gh#util-linux/util-linux@1d98827edde4

Package c-ares was updated:

- CVE-2024-25629.patch: fix out of bounds read in ares__read_line()
  (bsc#1220279, CVE-2024-25629)

Package libxcrypt was updated:

- fix variable name for datamember in 'struct crypt_data' [bsc#1215496]
- added patches
  fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2
  + libxcrypt-man-fix-variable-name.patch

Package libfastjson was updated:

- fix CVE-2020-12762 integer overflow and out-of-bounds write via a
  large JSON file (bsc#1171479)
  add 0001-Fix-CVE-2020-12762.patch

Package mozilla-nss was updated:

- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
  depends on it and will create a broken, empty config, if sed is
  missing (bsc#1227918)

- update to NSS 3.101.2
  * bmo#1905691 - ChaChaXor to return after the function

- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
  bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
  nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
  bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
  bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.

- update to NSS 3.101.1
  * bmo#1901932 - missing sqlite header.
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
  * bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
  * bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
  * bmo#1899883 - fix formatting issues.
  * bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
  * bmo#1899593 - remove invalid acvp fuzz test vectors.
  * bmo#1898830 - pad short P-384 and P-521 signatures gtests.
  * bmo#1898627 - remove unused FreeBL ECC code.
  * bmo#1898830 - pad short P-384 and P-521 signatures.
  * bmo#1898825 - be less strict about ECDSA private key length.
  * bmo#1854439 - Integrate HACL* P-521.
  * bmo#1854438 - Integrate HACL* P-384.
  * bmo#1898074 - memory leak in create_objects_from_handles.
  * bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1748105 - clean up escape handling
  * bmo#1896353 - Use lib::pkix as default validator instead of the old-one
  * bmo#1827444 - Need to add high level support for PQ signing.
  * bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
  * bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
  * bmo#1793811 - Implement support for PBMAC1 in PKCS#12
  * bmo#1897487 - disable VLA warnings for fuzz builds.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
  * bmo#215997  - Clang-formatting of SEC_GetMgfTypeByOidTag update
  * bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
  * bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
  * bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
- update to NSS 3.100
  - bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
    faster Xyber operations.
  - bmo#1893752 - remove ckcapi.
  - bmo#1893162 - avoid a potential PK11GenericObject memory leak.
  - bmo#671060  - Remove incomplete ESDH code.
  - bmo#215997  - Decrypt RSA OAEP encrypted messages.
  - bmo#1887996 - Fix certutil CRLDP URI code.
  - bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
  - bmo#676118  - Add ability to encrypt and decrypt CMS messages using ECDH.
  - bmo#676100  - Correct Templates for key agreement in smime/cmsasn.c.
  - bmo#1548723 - Moving the decodedCert allocation to NSS.
  - bmo#1885404 - Allow developers to speed up repeated local execution
    of NSS tests that depend on certificates.
- update to NSS 3.99
  * Removing check for message len in ed25519 (bmo#1325335)
  * add ed25519 to SECU_ecName2params. (bmo#1884276)
  * add EdDSA wycheproof tests. (bmo#1325335)
  * nss/lib layer code for EDDSA. (bmo#1325335)
  * Adding EdDSA implementation. (bmo#1325335)
  * Exporting Certificate Compression types (bmo#1881027)
  * Updating ACVP docker to rust 1.74 (bmo#1880857)
  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
- update to NSS 3.98
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
    in TLS
  * bmo#1879513 - Certificate Compression: enabling the check that
    the compression was advertised
  * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
  * bmo#1879945 - Remove Email trust bit from OISTE WISeKey
    Global Root GC CA
  * bmo#1877344 - Replace `distutils.spawn.find_executable` with
    `shutil.which` within `mach` in `nss`
  * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
    support Certificate compression
  * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
  * bmo#1875356 - Add valgrind annotations to freebl kyber operations
    for constant-time execution tests
  * bmo#1870673 - Set nssckbi version number to 2.66
  * bmo#1874017 - Add Telekom Security roots
  * bmo#1873095 - Add D-Trust 2022 S/MIME roots
  * bmo#1865450 - Remove expired Security Communication RootCA1 root
  * bmo#1876179 - move keys to a slot that supports concatenation in
    PK11_ConcatSymKeys
  * bmo#1876800 - remove unmaintained tls-interop tests
  * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
    flags
  * bmo#1874937 - bogo: add support for the -curves shim flag and
    update Kyber expectations
  * bmo#1874937 - bogo: adjust expectation for a key usage bit test
  * bmo#1757758 - mozpkix: add option to ignore invalid subject
    alternative names
  * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
  * bmo#1876390 - take ownership of ecckilla shims
  * bmo#1874458 - add valgrind annotations to freebl/ec.c
  * bmo#864039  - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
  * bmo#1875965 - Update zlib to 1.3.1
- Use %patch -P N instead of deprecated %patchN.
- update to NSS 3.97
  * bmo#1875506 - make Xyber768d00 opt-in by policy
  * bmo#1871631 - add libssl support for xyber768d00
  * bmo#1871630 - add PK11_ConcatSymKeys
  * bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
  * bmo#1871152 - add a FreeBL API for Kyber
  * bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
  * bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
  * bmo#1835828 - Removing the calls to RSA Blind from loader.*
  * bmo#1874111 - fix worker type for level3 mac tasks
  * bmo#1835828 - RSA Blind implementation
  * bmo#1869642 - Remove DSA selftests
  * bmo#1873296 - read KWP testvectors from JSON
  * bmo#1822450 - Backed out changeset dcb174139e4f
  * bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
  * bmo#1871219 - Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
  * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
  * bmo#1867408 - add a defensive check for large ssl_DefSend return values
  * bmo#1869378 - Add dependency to the taskcluster script for Darwin
  * bmo#1869378 - Upgrade version of the MacOS worker for the CI
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
  explicit default trust flags" test needs longer than the allowed
  6 seconds on s390x
- update to NSS 3.95
  * bmo#1842932 - Bump builtins version number.
  * bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
    Firmaprofesional CIF A62634068 root cert.
  * bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
  * bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
  * bmo#1850982 - Remove Camerfirma root certificates from NSS.
  * bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
    Certificate.
  * bmo#1860670 - Add four Commscope root certificates to NSS.
  * bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
  * bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
  * bmo#1861728 - Include P-256 Scalar Validation from HACL*.
  * bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
    256 ECC without DER wrapping at the softoken level
  * bmo#1837987 - Add means to provide library parameters to C_Initialize
  * bmo#1573097 - clang format
  * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
  * bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
  * bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
  * bmo#1573097 - Fix Invalid casts in instance.c
- update to NSS 3.94
  * bmo#1853737 - Updated code and commit ID for HACL*
  * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
    current NSS
  * bmo#1827303 - Softoken C_ calls should use system FIPS setting
    to select NSC_ or FC_ variants
  * bmo#1774659 - NSS needs a database tool that can dump the low level
    representation of the database
  * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
  * bmo#1852179 - avoid implicit conversion for ByteString
  * bmo#1818766 - update rust version for acvp docker
  * bmo#1852011 - Moving the init function of the mpi_ints before
    clean-up in ec.c
  * bmo#1615555 - P-256 ECDH and ECDSA from HACL*
  * bmo#1840510 - Add ACVP test vectors to the repository
  * bmo#1849077 - Stop relying on std::basic_string&lt;uint8_t&gt;
  * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
- Update to NSS 3.93:
  * bmo#1849471 - Update zlib in NSS to 1.3.
  * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
  * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
- update to NSS 3.92
  * bmo#1822935 - Set nssckbi version number to 2.62
  * bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
  * bmo#1839992 - Add 4 SSL.com Root CA certificates
  * bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
  * bmo#1840437 - Add LAWtrust Root CA2 (4096)
  * bmo#1822936 - Remove E-Tugra Certification Authority root
  * bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
  * bmo#1840505 - Remove Hongkong Post Root CA 1
  * bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
  * bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
  * bmo#1837431 - Implementation of the HW support check for ADX instruction
  * bmo#1836925 - Removing the support of Curve25519
  * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
  * bmo#1839327 - Adding args to enable-legacy-db build
  * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
    default trust flags"
  * bmo#1837617 - Initialize flags in slot structures
  * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
  * bmo#1829112 - Followup Fixes
  * bmo#1784253 - avoid processing unexpected inputs by checking for
    m_exptmod base sign
  * bmo#1826652 - add a limit check on order_k to avoid infinite loop
  * bmo#1834851 - Update HACL* to commit 5f6051d2
  * bmo#1753026 - add SHA3 to cryptohi and softoken
  * bmo#1753026 - HACL SHA3
  * bmo#1836781 - Disabling ASM C25519 for A but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch

- update to NSS 3.90.3
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * bmo#1748105 - clean up escape handling.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1836925 - Disable ASM support for Curve25519.
  * bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch

- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
  when using FIPS-mode (bsc#1223724).

- Added "Provides: nss" so other RPMs that require 'nss' can
  be installed (jira PED-6358).

- update to NSS 3.90.2
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
    decryption in TLS. (bsc#1216198)
  * bmo#1867408 - add a defensive check for large ssl_DefSend
    return values.

- update to NSS 3.90.1
  * bmo#1813401 - regenerate NameConstraints test certificates.
  * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
- Remove nss-fix-bmo1813401.patch which is now upstream.

- Add nss-fix-bmo1813401.patch to fix bsc#1214980

Package libgudev was updated:

- Update to version 237:
  + Fix reading double precision floats from sysfs attributes in
    locales that use comma as a separator
  + Fix compilation warning
  + Fix headers to help with build reproducibility
  + Clarify licensing information
- Changes from version 236:
  + Fix meson project name to match autotools.
- Changes from version 235:
  + Port build system to meson and remove autotools
  + Fix conversion of sysfs attributes to boolean.
- Add meson BuildRequires and macros following upstreams port.
- Enable pkgconfig(umockdev-1.0) BuildRequires and test macro.
- Update Licence tag to LGPL-2.1-or-later.

- update to 234:
  * Clarify that _get_sysfs_attr() functions are cached
  * Add functions to get uncached sysfs attributes

- Update to version 233:
  + Require glib 2.38.
  + Small documentation updates.
  + Remove gnome-common build dependency.
- Use modern macros.

- Modernize spec-file by calling spec-cleaner

Package jbigkit was updated:

- security update
- added patches
  fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler
  + jbigkit-CVE-2022-1210.patch

Package ncurses was updated:

- Add patch ncurses-6.1-bsc1220061.patch (bsc#1220061, CVE-2023-45918)
  * Backport from ncurses-6.4-20230615.patch
    improve checks in convert_string() for corrupt terminfo entry

- Add patch bsc1218014-cve-2023-50495.patch
  * Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry()
    (bsc#1218014)

- Add patch boo1201384.patch
  * Do not fully reset serial lines

Package nghttp2 was updated:

- security update
- added patches
  fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-1.patch
  fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-2.patch

Package openssl-1_1 was updated:

- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
  security vulnerability. Calling the function SSL_free_buffers()
  potentially caused memory to be accessed that was previously
  freed in some situations and a malicious attacker could attempt
  to engineer a situation where this occurs to facilitate a
  denial-of-service attack. [CVE-2024-4741, bsc#1225551]

- Security fix: [bsc#1222548, CVE-2024-2511]
  * Fix unconstrained session cache growth in TLSv1.3
  * Add openssl-CVE-2024-2511.patch

- Security fix: [bsc#1219243, CVE-2024-0727]
  * Add NULL checks where ContentInfo data can be NULL
  * Add openssl-CVE-2024-0727.patch

Package pacemaker was updated:

- tools: CIB clients retry signon upon an EAGAIN error (gh#ClusterLabs/pacemaker#3567, bsc#1224183)
  * bsc#1224183-0002-Fix-tools-CIB-clients-retry-signon-upon-an-EAGAIN-er.patch
- libcib: new function cib__signon_attempts() (gh#ClusterLabs/pacemaker#3567, bsc#1224183)
  * bsc#1224183-0001-Refactor-libcib-new-function-cib__signon_attempts.patch

- libcrmcommon: reject ISO 8601 duration without any values (gh#ClusterLabs/pacemaker#3517)
  * pacemaker#3517-0002-Low-libcrmcommon-reject-ISO-8601-duration-without-an.patch
- libstonithd: prevent to free 'op_reply' repeatedly in 'stonith_send_command' (gh#ClusterLabs/pacemaker#3517)
  * pacemaker#3517-0001-prevent-to-free-op_reply-repeatedly-in-stonith_send_.patch

- tools: make crm_mon exit upon loss of the attached pseudo-terminal (bsc#1220229, gh#ClusterLabs/pacemaker#3430)
  * bsc#1220229-0001-Fix-tools-make-crm_mon-exit-upon-loss-of-the-attache.patch

- libcib: Don't incorrectly expand "++" and "+=" in XML attr values (gh#ClusterLabs/pacemaker#3413)
  * pacemaker#3413-0003-Fix-libcib-Don-t-incorrectly-expand-and-in-XML-attr-.patch
- libpacemaker: pcmk__inject_failcount should set an integer value (gh#ClusterLabs/pacemaker#3413)
  * pacemaker#3413-0001-Low-libpacemaker-pcmk__inject_failcount-should-set-a.patch
- scheduler: log unknown nodes in location constraints (gh#ClusterLabs/pacemaker#3409, CLBZ#5415)
  * pacemaker#3409-0007-Log-scheduler-log-unknown-nodes-in-location-constrai.patch
- scheduler: correct lifetime deprecation warning (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0006-Log-scheduler-correct-lifetime-deprecation-warning.patch
- tools: honor rules when getting utilization attributes with crm_resource (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0005-Fix-tools-honor-rules-when-getting-utilization-attri.patch
- scheduler: deprecate support for default instance attributes (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0004-Low-scheduler-deprecate-support-for-default-instance.patch
- scheduler: use default timeout (20s) if user configures 0 (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0003-Fix-scheduler-use-default-timeout-20s-if-user-config.patch
- tools: crm_resource should ignore resource meta-attribute node expressions (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0001-Fix-tools-crm_resource-should-ignore-resource-meta-a.patch

- fencer: always format time_t values as long long (gh#ClusterLabs/pacemaker#3407)
  * pacemaker#3407-0001-Log-fencer-always-format-time_t-values-as-long-long.patch

- libcrmcommon: NULL-check strdup() in pcmk__register_message() (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0004-Low-libcrmcommon-NULL-check-strdup-in-pcmk__register.patch
- libcrmcommon: NULL-check strdup() in pcmk__register_format() (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0003-Low-libcrmcommon-NULL-check-strdup-in-pcmk__register.patch
- libpacemaker: Correctly free graphs and synapses (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0002-Low-libpacemaker-Correctly-free-graphs-and-synapses.patch
- libcrmcommon: Initialize some variables (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0001-Low-libcrmcommon-Initialize-some-variables.patch
- HealthSMART:fix the description of temp_lower_limit (gh#ClusterLabs/pacemaker#3392)
  * pacemaker#3392-0001-Doc-HealthSMART-fix-the-description-of-temp_lower_li.patch

- cibsecret: Use 'ps axww' to avoid truncating issue (gh#ClusterLabs/pacemaker#3384)
  * pacemaker#3384-0001-Fix-cibsecret-Use-ps-axww-to-avoid-truncating-issue.patch

- libcrmcommon: Don't try to parse XML from bad .bz2 file (gh#ClusterLabs/pacemaker#3361)
  * pacemaker#3361-0001-Low-libcrmcommon-Don-t-try-to-parse-XML-from-bad-.bz.patch

- libcrmcommon: use uint32_t for 32-bit magic numbers (gh#ClusterLabs/pacemaker#3381)
  * pacemaker#3381-0001-Fix-libcrmcommon-use-uint32_t-for-32-bit-magic-numbe.patch

- libcrmcommon: Use free_xml in html_free_priv. (gh#ClusterLabs/pacemaker#3380)
  * pacemaker#3380-0003-Low-libcrmcommon-Use-free_xml-in-html_free_priv.patch
- libcrmcommon:  Free error strings in html/xml outputters. (gh#ClusterLabs/pacemaker#3380)
  * pacemaker#3380-0002-Low-libcrmcommon-Free-error-strings-in-html-xml-outp.patch
- libcrmcommon: Free text/curses private list data. (gh#ClusterLabs/pacemaker#3380)
  * pacemaker#3380-0001-Low-libcrmcommon-Free-text-curses-private-list-data.patch
- tools: Fix argument validation for crm_attribute update. (gh#ClusterLabs/pacemaker#3379)
  * pacemaker#3379-0001-Low-tools-Fix-argument-validation-for-crm_attribute-.patch

- libcrmcommon: Always output request= in XML output. (gh#ClusterLabs/pacemaker#3362)
  * pacemaker#3362-0001-Low-libcrmcommon-Always-output-request-in-XML-output.patch

- tools: Fix memory leak in crm_mon with HTML output (gh#ClusterLabs/pacemaker#3332)
  * pacemaker#3332-0001-Low-tools-Fix-memory-leak-in-crm_mon-with-HTML-outpu.patch

- attrd: write Pacemaker Remote node attributes even if not in cache (gh#ClusterLabs/pacemaker#3304)
  * pacemaker#3304-0001-Fix-attrd-write-Pacemaker-Remote-node-attributes-eve.patch
- agents: Use attrd_updater dampen delay in SysInfo (gh#ClusterLabs/pacemaker#3286)
  * pacemaker#3286-0002-Fix-agents-Use-attrd_updater-dampen-delay-in-SysInfo.patch
- libcrmcommon: Check correct env vars in pcmk__node_attr_target() (gh#ClusterLabs/pacemaker#3286)
  * pacemaker#3286-0001-Low-libcrmcommon-Check-correct-env-vars-in-pcmk__nod.patch

- scheduler: restore nvpair behavior without id-ref (gh#ClusterLabs/pacemaker#3292)
  * pacemaker#3292-0004-Low-scheduler-restore-nvpair-behavior-without-id-ref.patch
- libcrmcommon: fix NULL dereference in expand_idref() (gh#ClusterLabs/pacemaker#3292)
  * pacemaker#3292-0002-Low-libcrmcommon-fix-NULL-dereference-in-expand_idre.patch
- scheduler: improve logs for invalid id-ref's (gh#ClusterLabs/pacemaker#3292)
  * pacemaker#3292-0001-Log-scheduler-improve-logs-for-invalid-id-ref-s.patch
- pacemaker-attrd,libcrmcluster: avoid use-after-free when remote node in cluster node cache (gh#ClusterLabs/pacemaker#3293)
  * pacemaker#3293-0002-Fix-pacemaker-attrd-libcrmcluster-avoid-use-after-fr.patch
- libcrmcluster: avoid use-after-free in trace log (gh#ClusterLabs/pacemaker#3293)
  * pacemaker#3293-0001-Low-libcrmcluster-avoid-use-after-free-in-trace-log.patch
- HealthSmart: Check the parameter values of check_temperature to avoid error output (gh#ClusterLabs/pacemaker#3289)
  * pacemaker#3289-0001-Fix-HealthSmart-Check-the-parameter-values-of-check_.patch

- agents: handle dampening parameter consistently and correctly
  * 0001-Fix-agents-handle-dampening-parameter-consistently-a.patch

- crm_resource: make --wait wait for pending actions in CIB
  * 0001-Refactor-crm_resource-make-wait-wait-for-pending-act.patch

- agents: HealthCPU - fix the validation of input
  * 0001-fix-the-validation-of-input.patch

- libcrmcommon: wait for reply from appropriate controller commands (bsc#1218312, rh#2225631, rh#2221084)
  * bsc#1218312-0001-Fix-libcrmcommon-wait-for-reply-from-appropriate-con.patch

Package polkit was updated:

Package procps was updated:

- Submit latest procps 3.3.17 to SLE-15 tree for jira#PED-3244
  and jira#PED-6369
- The patches now upstream had been dropped meanwhile
  * procps-vmstat-1b9ea611.patch (bsc#1185417)
  - For support up to 2048 CPU as well
  * bsc1209122-a6c0795d.patch (bnc#1209122)
  - allow `-´ as leading character to ignore possible errors
    on sysctl entries
  * patch procps-ng-3.3.9-bsc1121753-Cpus.patch (bsc#1121753)
  - was a backport of an upstream fix to get the first CPU
    summary correct
- Enable pidof for SLE-15 as this is provided by sysvinit-tools
- Use a check on syscall __NR_pidfd_open to decide if
  the pwait tool and its manual page will be built

- Modify patches
  * procps-ng-3.3.9-w-notruncate.diff
  * procps-ng-3.3.17-logind.patch
  to real to not truncate output of w with option -n

- procps-ng-3.3.17-logind.patch: Backport from 4.x git, prefer
  logind over utmp (jsc#PED-3144)

Package python3 was updated:

- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
  fixing bsc#1226447 (CVE-2024-0397) by removing memory race
  condition in ssl.SSLContext certificate store methods.

- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109,
  gh#python/cpython!16557) fixes syslog making default "ident"
  from sys.argv[0].
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that
  it uses features sniffing, not just comparing version number
  (bsc#1220664, bsc#1219559, bsc#1221563, bsc#1222075).
- Remove support-expat-CVE-2022-25236-patched.patch, which was
  the previous name of this patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping
  failing tests.
- Refresh patches:
  - CVE-2023-27043-email-parsing-errors.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch

- bsc#1221854 (CVE-2024-0450) Add
  CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
  detecting the vulnerability of the "quoted-overlap" zipbomb
  (from gh#python/cpython!110016).
- Add bh42369-thread-safety-zipfile-SharedFile.patch (from
  gh#python/cpython!26974) required by the previous patch.
- Add expat-260-test_xml_etree-reparse-deferral.patch to make the
  interpreter work with patched libexpat in our distros.
- Move all patches from locally sourced to the branch
  opensuse-3.6 branch at GitHub repo, and move all metadata to
  commits themselves (readable in the headers of each patch).
- Add bpo-41675-modernize-siginterrupt.patch to make Python build
  cleanly even on more recent SPs of SLE-15
  (gh#python/cpython#85841).
- Remove patches:
  - bpo36263-Fix_hashlib_scrypt.patch - fix against bug in
    OpenSSL fixed in 1.1.1c (gh#openssl/openssl!8483), so this
    patch is redundant on all SUSE-supported distros
  - python-3.3.0b1-test-posix_fadvise.patch - protection
    against the kernel issues which has been fixed in
    gh#torvalds/linux@3d3727cdb07f, which has been included in
    all our kernels more recent than SLE-11.
  - python-3.3.3-skip-distutils-test_sysconfig_module.patch -
    skips a test, which should be relevant only for testing on
    Mac OS X systems with universal builds. I have no valid
    record, that this test would be ever problematic on Linux.
  - bpo-36576-skip_tests_for_OpenSSL-111.patch, which was
    included already in Python 3.5.

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into
  skip_SSL_tests.patch, and make them include all conditionals.

- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).

Package libqb was updated:

- ipc: Retry receiving credentials if the message is short (gh#ClusterLabs/libqb#476, rh#2111711, bsc#1224183)
  * bsc#1224183-0001-ipc-Retry-receiving-credentials-if-the-the-message-i.patch

Package qrencode was updated:

- update to 4.1.1 (jsc#PED-7296):
  * Some minor bugs in Micro QR Code generation have been fixed.
  * The data capacity calculations are now correct. These bugs probably did not
    affect the Micro QR Code generation.

- update to 4.1.0:
  * Command line tool "qrencode" has been improved:
  * New option "--inline" has been added. (Thanks to @jp-bennett)
  * New option "--strict-version" has been added.
  * UTF8 mode now supports ANSI256 color. (Thanks to András
    Veres-Szentkirályi)
  * Micro QR Code no longer requires to specify the version number.
  * 'make check' allows to run the test programs. (Thanks to Jan Tojnar)
  * Some compile time warnings have been fixed.
  * Various CMake support improvements. (Thanks to @mgorny and @sdf5)
  * Some minor bug fixes. (Thanks to Lonnie Abelbeck and Frédéric Wang)
  * Some documentation/manpage improvements. (Thanks to Dan Jacobson)
  * Some performance improvements. (Thanks to @4061N and Mika Lindqvist)
- remove qrencode-fix-installation.patch (upstream)

- Update to version 4.0.2
  * Build script fixes. (Thanks to @mgorny)
  version 4.0.1
  * CMake support improved.
  * New test scripts have been added.
  * Some compile time warnings have been fixed.
- Refreshed qrencode-fix-installation.patch

Package libsolv was updated:

- add a conflict to older libsolv-tools to libsolv-tools-base
- improve updating of installed multiversion packages
- fix decision introspection going into an endless loop in some
  cases
- added experimental lua bindings
- bump version to 0.7.29

- split libsolv-tools into libsolv-tools-base [jsc#PED-8153]

- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28

- add zstd support for the installcheck tool
- add putinowndirpool cache to make file list handling in
  repo_write much faster
- bump version to 0.7.27

- fix evr roundtrip in testcases
- do not use deprecated headerUnload with newer rpm versions
- bump version to 0.7.26

- support complex deps in SOLVABLE_PREREQ_IGNOREINST
- fix minimization not preferring installed packages in some cases
- reduce memory usage in repo_updateinfoxml
- fix lock-step interfering with architecture selection
- fix choice rule handling for package downgrades
- fix complex dependencies with an "else" part sometimes leading
  to unsolved dependencies
- bump version to 0.7.25

Package libssh was updated:

- Fix regression parsing IPv6 addresses provided as hostname (bsc#1227396)
  - added libssh-fix-ipv6-hostname-regression.patch

- Update to 0.9.8: [jsc#PED-7719, bsc#1218126, CVE-2023-48795]
  * Rebase 0001-disable-timeout-test-on-slow-buildsystems.patch
  * Remove patches fixed in the update:
  - CVE-2019-14889.patch
  - 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch

- Update to version 0.9.8
  * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
  * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
  * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
  * Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
  * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
    guessing (bsc#1211188)
  * Fix CVE-2023-2283: a possible authorization bypass in
    pki_verify_data_signature under low-memory conditions (bsc#1211190)
  * Fix several memory leaks in GSSAPI handling code

- Update to version 0.9.6 (bsc#1189608, CVE-2021-3634)
  * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6

- Add missing BR for openssh needed for tests

- update to 0.9.5 (bsc#1174713, CVE-2020-16135):
  * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
  * Improve handling of library initialization (T222)
  * Fix parsing of subsecond times in SFTP (T219)
  * Make the documentation reproducible
  * Remove deprecated API usage in OpenSSL
  * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
  * Define version in one place (T226)
  * Prevent invalid free when using different C runtimes than OpenSSL (T229)
  * Compatibility improvements to testsuite

- Update to version 0.9.4
  * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
  * Fix possible Denial of Service attack when using AES-CTR-ciphers
    CVE-2020-1730 (bsc#1168699)

Package libssh2_org was updated:

- Fix an issue with Encrypt-then-MAC family. [bsc#1221622]
  * Test the ETM feature in the remote end's configuration when
    receiving data. Upstream issue: #1331.
  * Add libssh2_org-ETM-remote.patch

- Always add the KEX pseudo-methods "ext-info-c" and "kex-strict-c-v00@openssh.com"
  when configuring custom method list. [bsc#1218971, CVE-2023-48795]
  * The strict-kex extension is announced in the list of available
    KEX methods. However, when the default KEX method list is modified
    or replaced, the extension is not added back automatically.
  * Add libssh2_org-CVE-2023-48795-ext.patch

- Security fix: [bsc#1218127, CVE-2023-48795]
  * Add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
  * Add libssh2_org-CVE-2023-48795.patch

Package suseconnect-ng was updated:

- Update version to 1.11
  - Added uname as collector
  - Added SAP workload detection
  - Added detection of container runtimes
  - Multiple fixes on ARM64 detection
  - Use `read_values` for the CPU collector on Z
  - Fixed data collection for ppc64le
  - Grab the home directory from /etc/passwd if needed (bsc#1226128)

- Update version to 1.10.0
  * Build zypper-migration and zypper-packages-search as standalone
    binaries rather than one single binary
  * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
  * Include /etc/products.d in directories whose content are backed
    up and restored if a zypper-migration rollback happens. (bsc#1219004)
  * Add the ability to upload the system uptime logs, produced by the
    suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report.
    (jsc#PED-7982) (jsc#PED-8018)
  * Add support for third party packages in SUSEConnect
  * Refactor existing system information collection implementation

- Update to version 1.9.0
  * Fix certificate import for Yast when using a registration proxy with
    self-signed SSL certificate (bsc#1223107)

- Update to version 1.8.0
  * Allow "--rollback" flag to run on readonly filesystem (bsc#1220679)

- Update to version 1.7.0
  * Allow SUSEConnect on read write transactional systems (bsc#1219425)

- Update to version 1.6.0
  * Disable EULA display for addons (bsc#1218649 and bsc#1217961)

- Update to version 1.5.0
  * Configure docker credentials for registry authentication
  * Feature: Support usage from Agama + Cockpit for ALP Micro system registration (bsc#1218364)
  * Add --json output option

Package tiff was updated:

- security update:
  * CVE-2023-3164 [bsc#1212233]
    Fix heap buffer overflow in tiffcrop
    + tiff-CVE-2023-3164.patch

- security update:
  * CVE-2023-40745[bsc#1214687] CVE-2023-41175[bsc#1214686] [bsc#1221187]
    CVE-2023-38288[bsc#1213590]
    Fix potential int overflow in raw2tiff.c and tiffcp.c
    Rename tiff-CVE-2023-38288.patch into
    tiff-CVE-2023-38288,CVE-2023-40745,CVE-2023-41175.patch

- security update:
  * CVE-2023-52356 [bsc#1219213]
    Fix segfault in TIFFReadRGBATileExt()
    + tiff-CVE-2023-52356.patch

- security update:
  * CVE-2023-2731 [bsc#1211478]
    Fix null pointer dereference in LZWDecode()
    This patch also contains a required commit which is marked
    to fix CVE-2022-1622 [bsc#1199483] but we are not vulnerable
    to that CVE because relevant code is not present.
    + tiff-CVE-2023-2731.patch
  * CVE-2023-26965 [bsc#1212398]
    Fix heap-based use after free in loadImage()
    + tiff-CVE-2023-26965.patch
  * CVE-2022-40090 [bsc#1214680]
    Fix infinite loop in TIFFReadDirectory()
    + tiff-CVE-2022-40090.patch
  * CVE-2023-1916 [bsc#1210231]
    Fix out-of-bounds read in extractImageSection()
    + tiff-CVE-2023-1916.patch

Package libvirt was updated:

- CVE-2024-2494: remote: check for negative array lengths before
  allocation
  8a3f8d95-CVE-2024-2494.patch, 1b8c1ce7-adapt-libssh2-api.patch
  bsc#1221815

Package libxml2 was updated:

- Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in
  xmlHTMLPrintFileContext in xmllint.c
  * Added libxml2-CVE-2024-34459.patch

- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
  * Added libxml2-CVE-2024-25062.patch

Package libzypp was updated:

- zypp-tui: Make sure translated texts use the correct textdomain
  (fixes #551)
- Skip libproxy1 requires for tumbleweed.
- version 17.34.1 (34)

- don't require libproxy1 on tumbleweed, it is optional now

- version 17.34.0 (34)
- Fix versioning scheme

- version 17.33.4 (35)

- add one more missing export for libyui-qt-pkg

- Revert eintrSafeCall behavior to setting errno to 0.
- version 17.33.3 (34)

- fix up requires_eq usage for libsolv-tools-base
- add one more missing export for PackageKit
- version 17.33.2

- version 17.33.1 (33)

- switch to reduced size libsolv-tools-base (jsc#PED-8153)

- Fixed check for outdated repo metadata as non-root user
  (bsc#1222086)
- Add ZYPP_API for exported functions and switch to
  visibility=hidden (jsc#PED-8153)
- Dynamically resolve libproxy (jsc#PED-8153)
- version 17.33.0 (33)

- Fix download from gpgkey URL (bsc#1223430, fixes openSUSE/zypper#546)
- version 17.32.6 (32)

- Don't try to refresh volatile media as long as raw metadata are
  present (bsc#1223094)
- version 17.32.5 (32)

- Fix creation of sibling cache dirs with too restrictive mode
  (bsc#1222398)
  Some install workflows in YAST may lead to too restrictive (0700)
  raw cache directories in case of newly created repos. Later
  commands running with user privileges may not be able to access
  these repos.
- version 17.32.4 (32)

- Update RepoStatus fromCookieFile according to the files mtime
  (bsc#1222086)
- TmpFile: Don't call chmod if makeSibling failed.
- version 17.32.3 (32)

- Fixup New VendorSupportOption flag VendorSupportSuperseded
  (jsc#OBS-301, jsc#PED-8014)
  Fixed the name of the keyword to "support_superseded" as it was
  agreed on in jsc#OBS-301.
- version 17.32.2 (32)

- Add resolver option 'removeUnneeded' to file weak remove jobs
  for unneeded packages (bsc#1175678)
- version 17.32.1 (32)

- Add resolver option 'removeOrphaned' for distupgrade
  (bsc#1221525)
- New VendorSupportOption flag VendorSupportSuperseded
  (jsc#OBS-301, jsc#PED-8014)
- Tests: fix vsftpd.conf where SUSE and Fedora use different
  defaults (fixes #522)
- Add default stripe minimum (#529)
- Don't expose std::optional where YAST/PK explicitly use c++11.
- Digest: Avoid using the deprecated OPENSSL_config.
- version 17.32.0 (32)

- ProblemSolution::skipsPatchesOnly overload to handout the
  patches.
- Remove https-&gt;http redirection exceptions for
  download.opensuse.org.
- version 17.31.32 (22)

- tui: allow to access the underlying ostream of out::Info.
- Add MLSep: Helper to produce not-NL-terminated multi line
  output.
- version 17.31.31 (22)

- applydeltaprm: Create target directory if it does not exist
  (bsc#1219442)
- Add ProblemSolution::skipsPatchesOnly (for openSUSE/zypper#514)
- Fix problems with EINTR in ExternalDataSource::getline (fixes
  bsc#1215698)
- version 17.31.30 (22)

- CheckAccessDeleted: fix running_in_container detection
  (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime
  (bsc#1218831)
- Make Wakeup class EINTR safe.
- Add a way to cancel media operations on shutdown
  (openSUSE/zypper#522)
  This patch adds a mechanism to signal libzypp that a shutdown was
  requested, usually when CTRL+C was pressed by the user. Currently
  only the media backend will utilize this, but can be extended to
  all code paths that use g_poll() to wait for events.
- Manually poll fds for curl in MediaCurl.
  Using curl_easy_perform does not give us the required control on
  when we want to cancel a download. Switching to the MultiCurl
  implementation with an external poll() event loop will give us
  much more freedom and helps us to improve our Ctrl+C handling.
- Move reusable curl poll code to curlhelper.h.
- version 17.31.29 (22)

- Fix to build with libxml 2.12.x (fixes #505)
- version 17.31.28 (22)

- CheckAccessDeleted: fix 'running in container' filter
  (bsc#1218291)
- version 17.31.27 (22)

- Call zypp commit plugins during transactional update (fixes #506)
- Add support for loongarch64 (fixes #504)
- Teach MediaMultiCurl to download HTTP Multibyte ranges.
- Teach zsync downloads to MultiCurl.
- Expand RepoVars in URLs downloading a .repo file (bsc#1212160)
  Convenient and helps documentation as it may refer to a single
  command for a bunch of distributions. Like e.g. "zypper ar
  'https://server.my/$releasever/my.repo'".
- version 17.31.26 (22)

- Fix build issue with zchunk build flags (fixes #500)
- version 17.31.25 (22)

- Open rpmdb just once during execution of %posttrans scripts
  (bsc#1216412)
- Avoid using select() since it does not support fd numbers &gt;
  1024 (fixes #447)
- tools/DownloadFiles: use standard zypp progress bar (fixes #489)
- Revert "Color download progress bar" (fixes #475)
  Cyan is already used for the output of RPM scriptlets. Avoid this
  colorific collision between download progress bar and scriptlet
  output.
- Fix ProgressBar's calculation of the printed tag position (fixes #494)
- Switch zypp::Digest to Openssl 3.0 Provider API (fixes #144)
- Fix usage of deprecated CURL features (fixes #486)
- version 17.31.24 (22)

- Stop using boost version 1 timer library (fixes #489,
  bsc#1215294)
- version 17.31.23 (22)

Package lifecycle-data-sle-module-live-patching was updated:

- Added data for 5_14_21-150400_24_119,
  5_14_21-150400_24_122, 5_14_21-150500_55_62,
  5_14_21-150500_55_65, 5_14_21-150500_55_68,
  5_3_18-150200_24_191, 5_3_18-150200_24_194,
  5_3_18-150300_59_161, 5_3_18-150300_59_164,
  6_4_0-150600_21, 6_4_0-150600_23_7,
  +kernel-livepatch-5_14_21-150500_13_52-rt,*,+kernel-livepatch-5_14_21-150500_13_55-rt,*,+kernel-livepatch-5_14_21-150500_13_58-rt,*. (bsc#1020320)

- Added data for 5_14_21-150400_24_111, 5_14_21-150400_24_116,
  5_14_21-150500_55_52, 5_14_21-150500_55_59,
  5_3_18-150200_24_183, 5_3_18-150200_24_188,
  5_3_18-150300_59_153, 5_3_18-150300_59_158,
  +kernel-livepatch-5_14_21-150400_15_71-rt,*,+kernel-livepatch-5_14_21-150500_13_38-rt,*,+kernel-livepatch-5_14_21-150500_13_43-rt,*,+kernel-livepatch-5_14_21-150500_13_47-rt,*. (bsc#1020320)

- Added data for 4_12_14-150100_197_168,
  5_14_21-150400_24_103, 5_14_21-150400_24_108,
  5_14_21-150500_55_44, 5_14_21-150500_55_49,
  5_3_18-150200_24_175, 5_3_18-150200_24_178,
  5_3_18-150300_59_147, 5_3_18-150300_59_150,
  +kernel-livepatch-5_14_21-150400_15_65-rt,*,+kernel-livepatch-5_14_21-150400_15_68-rt,*,+kernel-livepatch-5_14_21-150500_13_30-rt,*,+kernel-livepatch-5_14_21-150500_13_35-rt,*. (bsc#1020320)

- Added data for 4_12_14-150100_197_160,
  4_12_14-150100_197_165, 5_14_21-150400_24_100,
  5_14_21-150400_24_66, 5_14_21-150400_24_88,
  5_14_21-150400_24_92, 5_14_21-150400_24_97,
  5_14_21-150500_55_28, 5_14_21-150500_55_31,
  5_14_21-150500_55_36, 5_14_21-150500_55_39,
  5_3_18-150200_24_166, 5_3_18-150200_24_169,
  5_3_18-150200_24_172, 5_3_18-150300_59_138,
  5_3_18-150300_59_141, 5_3_18-150300_59_144,
  +kernel-livepatch-5_14_21-150400_15_53-rt,*,+kernel-livepatch-5_14_21-150400_15_56-rt,*,+kernel-livepatch-5_14_21-150400_15_59-rt,*,+kernel-livepatch-5_14_21-150400_15_62-rt,*,+kernel-livepatch-5_14_21-150500_13_18-rt,*,+kernel-livepatch-5_14_21-150500_13_21-rt,*,+kernel-livepatch-5_14_21-150500_13_24-rt,*,+kernel-livepatch-5_14_21-150500_13_27-rt,*. (bsc#1020320)

- Added data for 4_12_14-150100_197_154, 4_12_14-150100_197_157,
  5_14_21-150400_24_74, 5_14_21-150400_24_81,
  5_14_21-150400_24_84, 5_14_21-150500_55_12,
  5_14_21-150500_55_19, 5_14_21-150500_55_22,
  5_3_18-150200_24_160, 5_3_18-150200_24_163,
  5_3_18-150300_59_130, 5_3_18-150300_59_133,
  +kernel-livepatch-5_14_21-150400_15_46-rt,*,+kernel-livepatch-5_14_21-150400_15_49-rt,*,+kernel-livepatch-5_14_21-150500_13_11-rt,*,+kernel-livepatch-5_14_21-150500_13_14-rt,*. (bsc#1020320)

Package shadow was updated:

- bsc#1228770: Fix not copying of skel files
  Update shadow-CVE-2013-4235.patch

- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
  Add shadow-CVE-2013-4235.patch

Package netcfg was updated:

Package ocfs2-tools was updated:

- OCFS2 writes delay on large volumes - slow la window lookup from global_bitmap (bsc#1219224)
  * bsc1219224-debugfs.ocfs2-support-recording-gd-bg_contig_free_bi.patch

- fsck.ocfs2: add the ability to clear jbd2 errno (bsc#1216834)
  + mounted.ocfs2-use-sys-sysmacros.h-include-for-makede.patch
  + Fix-build-failure-with-glibc-2.28.patch
  + bsc1216834-fsck.ocfs2-add-the-ability-to-clear-jbd2-errno.patch

Package openssh was updated:

- Add patches from upstream to change the default value of
  UpdateHostKeys to Yes (unless VerifyHostKeyDNS is enabled).
  This makes ssh update the known_hosts stored keys with all
  published versions by the server (after it's authenticated
  with an existing key), which will allow to identify the
  server with a different key if the existing key is considered
  insecure at some point in the future (bsc#1222831).
  * 0001-upstream-enable-UpdateHostkeys-by-default-when-the.patch
  * 0002-upstream-disable-UpdateHostkeys-by-default-if.patch

- Add patches openssh-7.7p1-seccomp_getuid.patch and
  openssh-bsc1216474-s390-leave-fds-open.patch
  (bsc#1216474, bsc#1218871)

- Fix hostbased ssh login failing occasionally with "signature
  unverified: incorrect signature" by fixing a typo in patch
  (bsc#1221123):
  * openssh-7.8p1-role-mls.patch

- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
  This limits the use of shell metacharacters in host- and
  user names.

- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
  This mitigates a prefix truncation attack that could be used to
  undermine channel security.

- Enhanced SELinux functionality. Added
  * openssh-7.8p1-role-mls.patch
    Proper handling of MLS systems and basis for other SELinux
    improvements
  * openssh-6.6p1-privsep-selinux.patch
    Properly set contexts during privilege separation
  * openssh-6.6p1-keycat.patch
    Add ssh-keycat command to allow retrieval of authorized_keys
    on MLS setups with polyinstantiation
  * openssh-6.6.1p1-selinux-contexts.patch
    Additional changes to set the proper context during privilege
    separation
  * openssh-7.6p1-cleanup-selinux.patch
    Various changes and putting the pieces together
  For now we don't ship the ssh-keycat command, but we need the patch
  for the other SELinux infrastructure
  This change fixes issues like bsc#1214788, where the ssh daemon
  needs to act on behalf of a user and needs a proper context for this

Package pam-config was updated:

- Fix pam_gnome_keyring module for AUTH.
  [pam-config-fix-pam_gnome_keyring.patch, bsc#1219767]

Package pam was updated:

- Add missing O_DIRECTORY flag in `protect_dir()` for pam_namespace module.
  [bsc#1218475, pam-bsc1218475-pam_namespace-O_DIRECTORY-flag.patch]

- pam_lastlog: check localtime_r() return value (bsc#1217000)
  * Added: pam-bsc1217000-pam_lastlog-check-localtime_r-return-value.patch

Package perl was updated:

- fix space calculation issues in pp_pack.c [bnc#1082216]
  [CVE-2018-6913]
  * new patch: perl-pack-overflow.diff
- fix heap buffer overflow in regexec.c [bnc#1082233]
  [CVE-2018-6798]
  new patch: perl-regexec-heap-overflow.diff
- make Net::FTP work with TLS 1.3 [bnc#1213638]
  new patch: perl-net-ftp-tls13.diff

Package python-instance-billing-flavor-check was updated:

- Version 0.0.6 (bsc#1218561)
  Support proxy setup on the client to access the update infrastructure
  API

- Version 0.0.5
  Add IPv6 support (bsc#1218739)

- Version 0.0.4
  Run the command as sudo only (bsc#1217696, bsc#1217695)

- Version 0.0.3
  Handle exception for Python 3.4

Package python-chardet was updated:

Package python-cryptography was updated:

- Add CVE-2023-49083.patch to fix A null-pointer-dereference and
  segfault could occur when loading certificates from a PKCS#7 bundle.
  bsc#1217592

Package python-idna was updated:

- Add CVE-2024-3651.patch, backported from upstream commit
  gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
  (bsc#1222842, CVE-2024-3651)

Package python-pycryptodome was updated:

- Add CVE-2023-52323-side_channel-RSA_decrypt.patch (bsc#1218564,
  CVE-2023-52323) fixing side-channel leakage in RSA decryption.
- Add CVE-2023-52323-const_time-decoding.patch (bsc#1218564,
  CVE-2023-52323) using constant-time (faster) padding decoding
  also for OAEP.

Package python-requests was updated:

- Update CVE-2024-35195.patch to allow the usage of "verify" parameter
  as a directory, bsc#1225912

- Add CVE-2024-35195.patch (CVE-2024-35195, bsc#1224788)
- Add httpbin.patch to fix a test failure caused by the previous patch.

Package python-urllib3 was updated:

Package rubygem-actionpack-5_1 was updated:

- modified patches
  + 0009-CVE-2020-8166.patch (fixed)
  - rubygem-actionpack-5_1-CVE-2020-8166.patch (renamed)

- security update
  * fix CVE-2020-8166 patch port [bsc#1215707]

- security update
- added patches
  fix CVE-2020-8166 [bsc#1172182], Ability to forge per-form CSRF tokens given a global CSRF token
  + rubygem-actionpack-5_1-CVE-2020-8166.patch

Package rubygem-rack was updated:

- security update
- added patches
  fix CVE-2024-25126 [bsc#1220239], Denial of Service Vulnerability in Rack Content-Type Parsing
  + rubygem-rack-CVE-2024-25126.patch
  fix CVE-2024-26141 [bsc#1220242], Denial of Service Vulnerability in Range request header parsing
  + rubygem-rack-CVE-2024-26141.patch
  fix CVE-2024-26146 [bsc#1220248], Denial of Service vulnerability in Rack headers parsing routine
  + rubygem-rack-CVE-2024-26146.patch

Package rubygem-sass was updated:

- updated to version 3.7.4
  no changelog found

- updated to version 3.7.3
  no changelog found

- updated to version 3.7.2
  no changelog found

- updated to version 3.6.0
  no changelog found

- updated to version 3.5.7
  no changelog found

- updated to version 3.5.6
  no changelog found

- updated to version 3.5.5
  no changelog found

Package runc was updated:

[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.13. Upstream changelog is available from
  &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.12&gt;.
- Rebase patches:
  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
- Backport &lt;https://github.com/opencontainers/runc/pull/3931&gt; to fix a
  performance issue when running lots of containers, caused by system getting
  too many mount notifications. bsc#1214960
  + 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch

- Add upstream patch &lt;https://github.com/opencontainers/runc/pull/4219&gt; to
  properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050
  + 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  + 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  + 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch

- Update to runc v1.1.12. Upstream changelog is available from
  &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.12&gt;. bsc#1218894
  * This release fixes a container breakout vulnerability (CVE-2024-21626). For
    more details, see the upstream security advisory:
    &lt;https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv&gt;
  * Remove upstreamed patches:
  - CVE-2024-21626.patch
  * Update runc.keyring to match upstream changes.

[ This was only ever released for SLES. ]
- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894
  &lt;https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv&gt;
  + CVE-2024-21626.patch

- Update to runc v1.1.11. Upstream changelog is available from
  &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.11&gt;.

Package sapconf was updated:

- version update from 5.0.6 to 5.0.7
- add require of package sysctl-logger
  (jsc#PED-5025)
- suppress error message regarding missing systemd service file
  during posttrans script

Package saptune was updated:

- update package version of saptune to 3.1.2
  * to support setups with saptune monitoring and heavy automation
    we limited the setting of our saptune lock to commands having
    the potential to change anything in the system.
    (bsc#1219500)
  * fix timestamp in log messages of saptune
  * remove redundant version information in header comment of
    note definition files
  * SAP Note 1656250 updated to Version 63
    SAP Note 1771258 updated to Version 8
    SAP Note 2382421 updated to Version 45
    SAP Note 3024346 updated to Version 10
    but without parameter value changes, only house keeping of the
    version section and comment updates
  * SAP Note 1984787 updated to Version 42
    SAP Note 2578899 updated to Version 47
- add require of package sysctl-logger
  (jsc#PED-5025)

Package sed was updated:

- 0001-sed-set-correct-umask-on-temporary-files.patch
  Fix for bsc#1221218

Package 000release-packages:sle-ha-release was updated:

Package 000release-packages:sle-module-basesystem-release was updated:

Package 000release-packages:sle-module-cap-tools-release was updated:

Package 000release-packages:sle-module-desktop-applications-release was updated:

Package 000release-packages:sle-module-development-tools-release was updated:

Package 000release-packages:sle-module-live-patching-release was updated:

Package 000release-packages:sle-module-public-cloud-release was updated:

Package 000release-packages:sle-module-sap-applications-release was updated:

Package 000release-packages:sle-module-server-applications-release was updated:

Package 000release-packages:sle-module-web-scripting-release was updated:

Package sudo was updated:

- Fix NOPASSWD issue introduced by patches for CVE-2023-42465
  [bsc#1221151, bsc#1221134]
  * Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
  * Enable running regression selftests during build time.

- Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465]
  * Try to make sudo less vulnerable to ROWHAMMER attacks.
  * Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch

Package supportutils-plugin-ha-sap was updated:

- Update to version 0.0.5+git.1709295499.1c8e8cd
  * adapt documentation links
  * add support for SAP systemd services regarding SID retrieval
  * add information about SAP related systemd services
  * add information about sapcontrol function GetStartProfile
  * add information from daemon.ini
  * collect hook script logs (suschksrv and saphanasr_multitarget_hook)
  * collect logs of sap_suse_cluster_connector and sapstartsrv
  * Add python version
  * Check sudoers for srhook configuration

Package supportutils-plugin-suse-public-cloud was updated:

- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
  + Remove duplicate data collection for the plugin itself
  + Collect archive metering data when available
  + Query billing flavor status

Package supportutils was updated:

- Changes in version 3.1.30
  + Added -V key:value pair option (bsc#1222021, PED-8211)
  + Avoid getting duplicate kernel verifications in boot.text (pr#193)
  + Suppress file descriptor leak warnings from lvm commands (pr#192, bsc#1220082)
  + Includes container log timestamps (pr#197)

- Changes to version 3.1.29
  + Extended scaling for performance (bsc#1214713)
  + Fixed kdumptool output error (bsc#1218632)
  + Corrected podman ID errors (bsc#1218812)
  + Duplicate non root podman entries removed (bsc#1218814)
  + Corrected get_sles_ver for SLE Micro (bsc#1219241)
  + Check nvidia-persistenced state (bsc#1219639)

- Additional changes in version 3.1.28
  + ipset - List entries for all sets
  + ipvsadm - Inspect the virtual server table (pr#185)
  + Correctly detects Xen Dom0 (bsc#1218201)
  + Fixed smart disk error (bsc#1218282)

- Changes in version 3.1.28
  + Inhibit the conversion of port numbers to port names for network files (cherry picked from commit 55f5f716638fb15e3eb1315443949ed98723d250)
  + powerpc: collect rtas_errd.log and lp_diag.log files (pr#175)
  + Get list of pam.d file (cherry picked from commit eaf35c77fd4bc039fd7e3d779ec1c2c6521283e2)
  + Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
  + Added missing klp information to kernel-livepatch.txt (bsc#1216390)
  + Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
  + Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
  + Optimize lsof usage (bsc#1183663)
  + Added mokutil commands for secureboot (pr#179)
  + Collects chrony or ntp as needed (bsc#1196293)

- Changes in version 3.1.27
  + Fixed podman display issue (bsc#1217287)
  + Added nvme-stas configuration to nvme.txt (bsc#1216049)
  + Added timed command to fs-files.txt (bsc#1216827)
  + Collects zypp history file issue#166 (bsc#1216522)
  + Changed -x OPTION to really be exclude only (issue#146)
  + Collect HA related rpm package versions in ha.txt (pr#169)

Package suse-build-key was updated:

- added missing ; in shell script (bsc#1227681)
- Added new keys of the SLE Micro 6.0 / SLES 16 series, and auto import
  them. (bsc#1227429)
  gpg-pubkey-09d9ea69-645b99ce.asc: Main SLE Micro 6/SLES 16 key
  gpg-pubkey-73f03759-626bd414.asc: Backup SLE Micro 6/SLES 16 key.

- Switch container key to be default RSA 4096bit. (jsc#PED-2777)

- run rpm commands in import script only when libzypp is not
  active. bsc#1219189 bsc#1219123

- run import script also in %posttrans section, but only when
  libzypp is not active. bsc#1219189 bsc#1219123

Package suse-module-tools was updated:

- Update to version 15.3.18:
  * rpm-script: add symlink /boot/.vmlinuz.hmac (bsc#1217775)

Package systemd-default-settings was updated:

- Import 0.10
  5088997 SLE: Disable pids controller limit under user instances (jsc#SLE-10123)

- Import 0.9
  bb859bf user@.service: Disable controllers by default (jsc#PED-2276)

- The usage of drop-ins is now the official way for configuring systemd and its
  various daemons on Factory/ALP. Hence the early drop-ins SUSE specific
  "feature" has been abandoned.

- Import 0.8
  f34372f User priority '26' for SLE-Micro
  c8b6f0a Revert "Convert more drop-ins into early ones"

- Import commit 6b8dde1d4f867aff713af6d6830510a84fad58d2
  6b8dde1 Convert more drop-ins into early ones

Package systemd-presets-branding-SLE was updated:

Package systemd-presets-common-SUSE was updated:

- Split hcn-init.service to hcn-init-NetworkManager and hcn-init-wicked
  (bsc#1200731 ltc#198485 https://github.com/ibm-power-utilities/powerpc-utils/pull/84)
  Support both the old and new service to avoid complex version interdependency.

Package tar was updated:

- Fix CVE-2023-39804, Incorrectly handled extension attributes in
  PAX archives can lead to a crash, bsc#1217969
  * fix-CVE-2023-39804.patch

Package timezone was updated:

- update to 2024a:
  * Kazakhstan unifies on UTC+5.  This affects Asia/Almaty and
    Asia/Qostanay which together represent the eastern portion of the
    country that will transition from UTC+6 on 2024-03-01 at 00:00 to
    join the western portion.  (Thanks to Zhanbolat Raimbekov.)
  * Palestine springs forward a week later than previously predicted
    in 2024 and 2025.  (Thanks to Heba Hamad.)  Change spring-forward
    predictions to the second Saturday after Ramadan, not the first;
    this also affects other predictions starting in 2039.
  * Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00
    not 00:00.  (Thanks to Đoàn Trần Công Danh.)
  * From 1947 through 1949, Toronto's transitions occurred at 02:00
    not 00:00.  (Thanks to Chris Walton.)
  * In 1911 Miquelon adopted standard time on June 15, not May 15.
  * The FROM and TO columns of Rule lines can no longer be "minimum"
    or an abbreviation of "minimum", because TZif files do not support
    DST rules that extend into the indefinite past - although these
    rules were supported when TZif files had only 32-bit data, this
    stopped working when 64-bit TZif files were introduced in 1995.
    This should not be a problem for realistic data, since DST was
    first used in the 20th century.  As a transition aid, FROM columns
    like "minimum" are now diagnosed and then treated as if they were
    the year 1900; this should suffice for TZif files on old systems
    with only 32-bit time_t, and it is more compatible with bugs in
    2023c-and-earlier localtime.c.  (Problem reported by Yoshito
    Umaoka.)
  * localtime and related functions no longer mishandle some
    timestamps that occur about 400 years after a switch to a time
    zone with a DST schedule.  In 2023d data this problem was visible
    for some timestamps in November 2422, November 2822, etc. in
    America/Ciudad_Juarez.  (Problem reported by Gilmore Davidson.)
  * strftime %s now uses tm_gmtoff if available.  (Problem and draft
    patch reported by Dag-Erling Smørgrav.)
  * The strftime man page documents which struct tm members affect
    which conversion specs, and that tzset is called.  (Problems
    reported by Robert Elz and Steve Summit.)

- update to 2023d:
  * Ittoqqortoormiit, Greenland changes time zones on
    2024-03-31.
  * Vostok, Antarctica changed time zones on 2023-12-18.
  * Casey, Antarctica changed time zones five times since
    2020.
  * Code and data fixes for Palestine timestamps starting in
    2072.
  * A new data file zonenow.tab for timestamps starting now.
  * Fix predictions for DST transitions in Palestine in
    2072-2075, correcting a typo introduced in 2023a.
  * Vostok, Antarctica changed to +05 on 2023-12-18.  It had
    been at +07 (not +06) for years.
  * Change data for Casey, Antarctica to agree with
    timeanddate.com, by adding five time zone changes since 2020.
    Casey is now at +08 instead of +11.
  * Much of Greenland, represented by America/Nuuk, changed
    its standard time from -03 to -02 on 2023-03-25, not on
    2023-10-28.
  * localtime.c no longer mishandles TZif files that contain
    a single transition into a DST regime.  Previously,
    it incorrectly assumed DST was in effect before the transition
    too.
  * tzselect no longer creates temporary files.
  * tzselect no longer mishandles the following:
  * Spaces and most other special characters in BUGEMAIL,
    PACKAGE, TZDIR, and VERSION.
  * TZ strings when using mawk 1.4.3, which mishandles
    regular expressions of the form /X{2,}/.
  * ISO 6709 coordinates when using an awk that lacks the
    GNU extension of newlines in -v option-arguments.
  * Non UTF-8 locales when using an iconv command that
    lacks the GNU //TRANSLIT extension.
  * zic no longer mishandles data for Palestine after the
    year 2075.
- Refresh tzdata-china.diff

Package util-linux-systemd was updated:

- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).

- Add upstream patch
  util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
  bsc#1207987 gh#util-linux/util-linux@1d98827edde4

Package vim was updated:

- Updated to version 9.1 with patch level 0330, fixes the following problems
  * Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1
- refreshed vim-7.3-filetype_spec.patch
- refreshed vim-7.3-filetype_ftl.patch
- Update spec.skeleton to use autosetup in place of setup macro.
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330

- Updated to version 9.1 with patch level 0111, fixes the following security problems
  * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
  * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
  * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
  * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
  * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
  * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
  * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
  * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
  * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
  * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111

Package wget was updated:

- Fix mishandled semicolons in the userinfo subcomponent could lead to an
  insecure behavior in which data that was supposed to be in the userinfo
  subcomponent is misinterpreted to be part of the host subcomponent.
  [bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]

Package wicked was updated:

- Update to version 0.6.76
  - compat-suse: warn user and create missing parent config of
    infiniband children (gh#openSUSE/wicked#1027)
  - client: fix origin in loaded xml-config with obsolete port
    references but missing port interface config, causing a
    no-carrier of master (bsc#1226125)
  - ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
  - wireless: add frequency-list in station mode (jsc#PED-8715)
  - client: fix crash while hierarchy traversing due to loop in
    e.g. systemd-nspawn containers (bsc#1226664)
  - man: add supported bonding options to ifcfg-bonding(5) man page
    (gh#openSUSE/wicked#1021)
  - arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019)
  - man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018)
  - client: warn on interface wait time reached (gh#openSUSE/wicked#1017)
  - compat-suse: fix dummy type detection from ifname to not cause
    conflicts with e.g. correct vlan config on dummy0.42 interfaces
    (gh#openSUSE/wicked#1016)
  - compat-suse: fix infiniband and infiniband child type detection
    from ifname (gh#openSUSE/wicked#1015)
- Removed patches included in the source archive:
  [- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
  [- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]

- arp: increase arp-send retry value to avoid address configuration
  failure due to ENOBUF reported by kernel while duplicate address
  detection with underlying bonding in 802.3ad mode reporting link
  &quot;up &amp; running&quot; too early (bsc#1218668, gh#openSUSE/wicked#1020,
  gh#openSUSE/wicked#1020).
  [+ 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]

- client: fix ifreload to pull UP ports/links again when the config
  of their master/lower changed (bsc#1224100,gh#openSUSE/wicked#1014).
  [+ 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]

- Update to version 0.6.75:
  - cleanup: fix ni_fsm_state_t enum-int-mismatch warnings
  - cleanup: fix overflow warnings in a socket testcase on i586
  - ifcheck: report new and deleted configs as changed (bsc#1218926)
  - man: improve ARP configuration options in the wicked-config.5
  - bond: add ports when master is UP to avoid port MTU revert (bsc#1219108)
  - cleanup: fix interface dependencies and shutdown order (bsc#1205604)
  - Remove port arrays from bond,team,bridge,ovs-bridge (redundant)
    and consistently use config and state info attached to the port
    interface as in rtnetlink(7).
  - Cleanup ifcfg parsing, schema configuration and service properties
  - Migrate ports in xml config and policies already applied in nanny
  - Remove &quot;missed config&quot; generation from finite state machine, which
    is completed while parsing the config or while xml config migration.
  - Issue a warning when &quot;lower&quot; interface (e.g. eth0) config is missed
    while parsing config depending on it (e.g. eth0.42 vlan).
  - Resolve ovs master to the effective bridge in config and wickedd
  - Implement netif-check-state require checks using system relations
    from wickedd/kernel instead of config relations for ifdown and add
    linkDown and deleteDevice checks to all master and lower references.
  - Add a `wicked &lt;ifup|ifdown|ifreload&gt; --dry-run …` option to show the
    system/config interface hierarchies as notice with +/- marked
    interfaces to setup and/or shutdown.
- Removed patches included in the source archive:
  [- 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
  [- 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
  [- 0003-move-all-attribute-definitions-to-compiler-h.patch]
  [- 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
  [- 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]

- client: do not convert sec to msec twice (bsc#1222105)
  [+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]

- addrconf: fix fallback-lease drop (bsc#1220996)
  [+ 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
- extensions/nbft: use upstream `nvme nbft show` (bsc#1221358)
  [+ 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
- hide secrets in debug log (bsc#1221194)
  [+ 0003-move-all-attribute-definitions-to-compiler-h.patch]
  [+ 0004-hide-secrets-in-debug-log-bsc-1221194.patch]

- update to version 0.6.74
  + team: add new options like link_watch_policy (jsc#PED-7183)
  + Fix memory leaks in dbus variant destroy and fsm free (gh#openSUSE/wicked#1001)
  + xpath: allow underscore in node identifier (gh#openSUSE/wicked#999)
  + vxlan: don't format unknown rtnl attrs (bsc#1219751)
- removed patches included in the source archive:
  [- 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
  [- 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
  [- 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
  [- 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
  [- 0005-duid-fix-comment-for-v6time.patch]
  [- 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
  [- 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
  [- 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
  [- 0001-fix_arp_notify_loop_and_burst_sending.patch]

- ifreload: VLAN changes require device deletion (bsc#1218927)
  [+ 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
- ifcheck: fix config changed check (bsc#1218926)
  [+ 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
- client: fix exit code for no-carrier status (bsc#1219265)
  [+ 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
- dhcp6: omit the SO_REUSEPORT option (bsc#1215692)
  [+ 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
- duid: fix comment for v6time
  (https://github.com/openSUSE/wicked/pull/989)
  [+ 0005-duid-fix-comment-for-v6time.patch]
- rtnl: fix peer address parsing for non ptp-interfaces
  (https://github.com/openSUSE/wicked/pull/987,
  https://github.com/openSUSE/wicked/pull/988)
  [+ 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
  [+ 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
- system-updater: Parse updater format from XML configuration to
  ensure install calls can run.
  (https://github.com/openSUSE/wicked/pull/985)
  [+ 0002-system-updater-Parse-updater-format-from-XML-configu.patch]

Package xen was updated:

- bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86
  guest IRQ handling (XSA-458)
  xsa458.patch

- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
  History Injection (XSA-456)
  Corrections to the following patches
  xsa456-5.patch
  xsa456-6.patch

- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
  History Injection (XSA-456)
  xsa456-0a.patch
  xsa456-0b.patch
  xsa456-0c.patch
  xsa456-0d.patch
  xsa456-0e.patch
  xsa456-0f.patch
  xsa456-0g.patch
  xsa456-0h.patch
  xsa456-0i.patch
  xsa456-0j.patch
  xsa456-0k.patch
  xsa456-0l.patch
  xsa456-0m.patch
  xsa456-0n.patch
  xsa456-0o.patch
  xsa456-0p.patch
  xsa456-1.patch
  xsa456-2.patch
  xsa456-3.patch
  xsa456-4.patch
  xsa456-5.patch
  xsa456-6.patch
  xsa456-7.patch

- bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may
  trigger Xen bug check (XSA-454)
  xsa454-1.patch
  xsa454-2.patch
- bsc#1222302 - VUL-0: CVE-2024-31142: xen: x86: Incorrect logic
  for BTC/SRSO mitigations (XSA-455)
  xsa455.patch

- bsc#1221332 - VUL-0: CVE-2023-28746: xen: x86: Register File Data
  Sampling (XSA-452)
  xsa452-1.patch
  xsa452-2.patch
  xsa452-3.patch
  xsa452-4.patch
  xsa452-5.patch
  xsa452-6.patch
  xsa452-7.patch
- bsc#1221334 - VUL-0: CVE-2024-2193: xen: GhostRace: Speculative
  Race Conditions (XSA-453)
  xsa453-1.patch
  xsa453-2.patch
  xsa453-3.patch
  xsa453-4.patch
  xsa453-5.patch
  xsa453-6.patch
  xsa453-7.patch
  xsa453-8.patch
- Modified xsa451.patch (bsc#1219885)

- bsc#1219885 - VUL-0: CVE-2023-46841: xen: x86: shadow stack vs
  exceptions from emulation stubs (XSA-451)
  xsa451.patch

- bsc#1218851 - VUL-0: CVE-2023-46839: xen: phantom functions
  assigned to incorrect contexts (XSA-449)
  xsa449.patch

Package xkbcomp was updated:

- U_Ignore-xkb_keycodes.maximum-of-255.patch
  * fix keyboard layouts in XWayland applications when having
    several keyboard layouts enabled (boo#1219505)

Package xterm was updated:

- xterm-reset-parsing-state.patch: A bug in the parser for several
  escape sequences causes the first character following the
  sequence to be ignored (bsc#1220585). Patch backported from
  version 335n.

Package yast2 was updated:

- Reimplemented the hardcoded product mapping to support also the
  migration from SLE_HPC to SLES SP6+ (with the HPC module)
  (bsc#1220567)
- 4.3.70

Package yast2-network was updated:

- Guard secret attributes against leaking to the log (bsc#1221194)
- 4.3.89

Package yast2-packager was updated:

- Reimplemented the hardcoded product mapping to support also the
  migration from SLE_HPC to SLES SP6+ (with the HPC module)
  (bsc#1220567)
- 4.3.27

Package yast2-pkg-bindings was updated:

- Fixed repository and service probing with libzypp 7.31.26
  and newer, fixes broken repository handling (bsc#1218977,
  bsc#1218399)
- 4.3.13

Package yast2-registration was updated:

- Set the new product mapping when upgrading SLE_HPC to SLES SP6+
  (with the HPC module), use the old product mapping when upgrading
  from SLE_HPC-SP3 to SLE_HPC-SP4 (bsc#1220567)
- 4.3.29

- Adapted to SCC API change 'base' -&gt; 'isbase' (bsc#1217317):
  Cherry-picked igonzalezsosa's commit 431d937b78c209c0d35
- 4.3.28

Package zypper was updated:

- Fixed check for outdated repo metadata as non-root user
  (bsc#1222086)
- BuildRequires:  libzypp-devel &gt;= 17.33.0.
- Delay zypp lock until command options are parsed (bsc#1223766)
- version 1.14.73

- Unify message format (fixes #485)
- version 1.14.72

- switch cmake build type to RelWithDebInfo
- modernize spec file (remove Authors section, use proper macros,
  remove redundant clean section, don't mark man pages as doc)
- switch to -O2 -fvisibility=hidden -fpie:
  * PIC is not needed as no shared lib is built
  * fstack-protector-strong is default on modern dists and would
    be downgraded by fstack-protector
  * default visibility hidden allows better optimisation
  * O2 is reducing inlining bloat
  - &gt; 18% reduced binary size

- remove procps requires (was only for ZMD which is dropped)
  (jsc#PED-8153)

- Do not try to refresh repo metadata as non-root user
  (bsc#1222086)
  Instead show refresh stats and hint how to update them.
- man: Explain how to protect orphaned packages by collecting
  them in a plaindir repo.
- packages: Add --autoinstalled and --userinstalled options to
  list them.
- Don't print 'reboot required' message if download-only or
  dry-run (fixes #529)
  Instead point out that a reboot would be required if the option
  was not used.
- Respect zypper.conf option `showAlias` search commands
  (bsc#1221963)
  Repository::asUserString (or Repository::label) respects the
  zypper.conf option, while name/alias return the property.
- version 1.14.71

- dup: New option --remove-orphaned to remove all orphaned
  packages in dup (bsc#1221525)
- version 1.14.70

- info,summary: Support VendorSupportOption flag
  VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014)
- BuildRequires:  libzypp-devel &gt;= 17.32.0.
  API cleanup and changes for VendorSupportSuperseded.
- Show active dry-run/download-only at the commit prompt.
- patch: Add --skip-not-applicable-patches option (closes #514)
- Fix printing detailed solver problem description.
  The problem description() is one rule out of possibly many in
  completeProblemInfo() the solver has chosen to represent the
  problem. So either description or completeProblemInfo should be
  printed, but not both.
- Fix bash-completion to work with right adjusted numbers in the
  1st column too (closes #505)
- Set libzypp shutdown request signal on Ctrl+C (fixes #522)
- lr REPO: In the detailed view show all baseurls not just the
  first one (bsc#1218171)
- version 1.14.69

- Fix search/info commands ignoring --ignore-unknown (bsc#1217593)
  The switch makes search commands return 0 rather than 104 for
  empty search results.
- version 1.14.68

- patch: Make sure reboot-needed is remembered until next boot
  (bsc#1217873)
- version 1.14.67

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp3-sap-v20240808-x86-64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <Branch Type="Product Name" Name="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
        <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="HANA-Firewall-2.0.4-150000.3.9.3">
      <FullProductName ProductID="HANA-Firewall-2.0.4-150000.3.9.3">HANA-Firewall-2.0.4-150000.3.9.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="SAPHanaSR-0.162.4-150000.4.44.1">
      <FullProductName ProductID="SAPHanaSR-0.162.4-150000.4.44.1">SAPHanaSR-0.162.4-150000.4.44.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="SAPHanaSR-doc-0.162.4-150000.4.44.1">
      <FullProductName ProductID="SAPHanaSR-doc-0.162.4-150000.4.44.1">SAPHanaSR-doc-0.162.4-150000.4.44.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="aaa_base-84.87+git20180409.04c9dae-150300.10.20.1">
      <FullProductName ProductID="aaa_base-84.87+git20180409.04c9dae-150300.10.20.1">aaa_base-84.87+git20180409.04c9dae-150300.10.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="aaa_base-extras-84.87+git20180409.04c9dae-150300.10.20.1">
      <FullProductName ProductID="aaa_base-extras-84.87+git20180409.04c9dae-150300.10.20.1">aaa_base-extras-84.87+git20180409.04c9dae-150300.10.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="autofs-5.1.3-150000.7.20.1">
      <FullProductName ProductID="autofs-5.1.3-150000.7.20.1">autofs-5.1.3-150000.7.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="bind-utils-9.16.6-150300.22.47.1">
      <FullProductName ProductID="bind-utils-9.16.6-150300.22.47.1">bind-utils-9.16.6-150300.22.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ca-certificates-2+git20240416.98ae794-150300.4.3.3">
      <FullProductName ProductID="ca-certificates-2+git20240416.98ae794-150300.4.3.3">ca-certificates-2+git20240416.98ae794-150300.4.3.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="catatonit-0.2.0-150300.10.8.1">
      <FullProductName ProductID="catatonit-0.2.0-150300.10.8.1">catatonit-0.2.0-150300.10.8.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="chrony-4.1-150300.16.14.3">
      <FullProductName ProductID="chrony-4.1-150300.16.14.3">chrony-4.1-150300.16.14.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="chrony-pool-suse-4.1-150300.16.14.3">
      <FullProductName ProductID="chrony-pool-suse-4.1-150300.16.14.3">chrony-pool-suse-4.1-150300.16.14.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cloud-netconfig-gce-1.14-150000.25.23.1">
      <FullProductName ProductID="cloud-netconfig-gce-1.14-150000.25.23.1">cloud-netconfig-gce-1.14-150000.25.23.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cloud-regionsrv-client-10.1.7-150000.6.108.1">
      <FullProductName ProductID="cloud-regionsrv-client-10.1.7-150000.6.108.1">cloud-regionsrv-client-10.1.7-150000.6.108.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.108.1">
      <FullProductName ProductID="cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.108.1">cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.108.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cluster-md-kmp-default-5.3.18-150300.59.167.1">
      <FullProductName ProductID="cluster-md-kmp-default-5.3.18-150300.59.167.1">cluster-md-kmp-default-5.3.18-150300.59.167.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="containerd-1.7.17-150000.114.1">
      <FullProductName ProductID="containerd-1.7.17-150000.114.1">containerd-1.7.17-150000.114.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="coreutils-8.32-150300.3.8.1">
      <FullProductName ProductID="coreutils-8.32-150300.3.8.1">coreutils-8.32-150300.3.8.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cpio-2.12-150000.3.12.1">
      <FullProductName ProductID="cpio-2.12-150000.3.12.1">cpio-2.12-150000.3.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ctdb-4.15.13+git.710.7032820fcd-150300.3.66.2">
      <FullProductName ProductID="ctdb-4.15.13+git.710.7032820fcd-150300.3.66.2">ctdb-4.15.13+git.710.7032820fcd-150300.3.66.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cups-config-2.2.7-150000.3.62.1">
      <FullProductName ProductID="cups-config-2.2.7-150000.3.62.1">cups-config-2.2.7-150000.3.62.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="curl-7.66.0-150200.4.72.1">
      <FullProductName ProductID="curl-7.66.0-150200.4.72.1">curl-7.66.0-150200.4.72.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="desktop-data-SLE-15-150000.4.3.11">
      <FullProductName ProductID="desktop-data-SLE-15-150000.4.3.11">desktop-data-SLE-15-150000.4.3.11</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dhcp-4.3.6.P1-150000.6.19.1">
      <FullProductName ProductID="dhcp-4.3.6.P1-150000.6.19.1">dhcp-4.3.6.P1-150000.6.19.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dhcp-client-4.3.6.P1-150000.6.19.1">
      <FullProductName ProductID="dhcp-client-4.3.6.P1-150000.6.19.1">dhcp-client-4.3.6.P1-150000.6.19.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dlm-kmp-default-5.3.18-150300.59.167.1">
      <FullProductName ProductID="dlm-kmp-default-5.3.18-150300.59.167.1">dlm-kmp-default-5.3.18-150300.59.167.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="docker-25.0.6_ce-150000.203.1">
      <FullProductName ProductID="docker-25.0.6_ce-150000.203.1">docker-25.0.6_ce-150000.203.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.17.1">
      <FullProductName ProductID="fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.17.1">fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.17.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gdk-pixbuf-query-loaders-2.40.0-150200.3.12.1">
      <FullProductName ProductID="gdk-pixbuf-query-loaders-2.40.0-150200.3.12.1">gdk-pixbuf-query-loaders-2.40.0-150200.3.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gfs2-kmp-default-5.3.18-150300.59.167.1">
      <FullProductName ProductID="gfs2-kmp-default-5.3.18-150300.59.167.1">gfs2-kmp-default-5.3.18-150300.59.167.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glib2-tools-2.62.6-150200.3.18.1">
      <FullProductName ProductID="glib2-tools-2.62.6-150200.3.18.1">glib2-tools-2.62.6-150200.3.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-2.31-150300.83.1">
      <FullProductName ProductID="glibc-2.31-150300.83.1">glibc-2.31-150300.83.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-32bit-2.31-150300.83.1">
      <FullProductName ProductID="glibc-32bit-2.31-150300.83.1">glibc-32bit-2.31-150300.83.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-i18ndata-2.31-150300.83.1">
      <FullProductName ProductID="glibc-i18ndata-2.31-150300.83.1">glibc-i18ndata-2.31-150300.83.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-locale-2.31-150300.83.1">
      <FullProductName ProductID="glibc-locale-2.31-150300.83.1">glibc-locale-2.31-150300.83.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-locale-base-2.31-150300.83.1">
      <FullProductName ProductID="glibc-locale-base-2.31-150300.83.1">glibc-locale-base-2.31-150300.83.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gnutls-3.6.7-150200.14.31.1">
      <FullProductName ProductID="gnutls-3.6.7-150200.14.31.1">gnutls-3.6.7-150200.14.31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-cloud-sap-agent-3.4-150100.3.35.1">
      <FullProductName ProductID="google-cloud-sap-agent-3.4-150100.3.35.1">google-cloud-sap-agent-3.4-150100.3.35.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-agent-20240314.00-150400.1.48.7">
      <FullProductName ProductID="google-guest-agent-20240314.00-150400.1.48.7">google-guest-agent-20240314.00-150400.1.48.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-configs-20240307.00-150000.1.31.1">
      <FullProductName ProductID="google-guest-configs-20240307.00-150000.1.31.1">google-guest-configs-20240307.00-150000.1.31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-oslogin-20240311.00-150400.1.45.7">
      <FullProductName ProductID="google-guest-oslogin-20240311.00-150400.1.45.7">google-guest-oslogin-20240311.00-150400.1.45.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-osconfig-agent-20240320.00-150400.1.35.7">
      <FullProductName ProductID="google-osconfig-agent-20240320.00-150400.1.35.7">google-osconfig-agent-20240320.00-150400.1.35.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="growpart-rootgrow-1.0.7-150400.1.14.7">
      <FullProductName ProductID="growpart-rootgrow-1.0.7-150400.1.14.7">growpart-rootgrow-1.0.7-150400.1.14.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="hawk2-2.6.4+git.1708604510.dc8c081f-150000.3.45.1">
      <FullProductName ProductID="hawk2-2.6.4+git.1708604510.dc8c081f-150000.3.45.1">hawk2-2.6.4+git.1708604510.dc8c081f-150000.3.45.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-5.3.18-150300.59.167.1">
      <FullProductName ProductID="kernel-default-5.3.18-150300.59.167.1">kernel-default-5.3.18-150300.59.167.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="krb5-1.19.2-150300.19.1">
      <FullProductName ProductID="krb5-1.19.2-150300.19.1">krb5-1.19.2-150300.19.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="krb5-client-1.19.2-150300.19.1">
      <FullProductName ProductID="krb5-client-1.19.2-150300.19.1">krb5-client-1.19.2-150300.19.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ldirectord-4.8.0+git30.d0077df0-150300.8.43.2">
      <FullProductName ProductID="ldirectord-4.8.0+git30.d0077df0-150300.8.43.2">ldirectord-4.8.0+git30.d0077df0-150300.8.43.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="less-530-150000.3.9.1">
      <FullProductName ProductID="less-530-150000.3.9.1">less-530-150000.3.9.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libassuan0-2.5.5-150000.4.7.1">
      <FullProductName ProductID="libassuan0-2.5.5-150000.4.7.1">libassuan0-2.5.5-150000.4.7.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libatomic1-13.3.0+git8781-150000.1.12.1">
      <FullProductName ProductID="libatomic1-13.3.0+git8781-150000.1.12.1">libatomic1-13.3.0+git8781-150000.1.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libavahi-client3-0.7-150100.3.35.1">
      <FullProductName ProductID="libavahi-client3-0.7-150100.3.35.1">libavahi-client3-0.7-150100.3.35.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libavahi-common3-0.7-150100.3.35.1">
      <FullProductName ProductID="libavahi-common3-0.7-150100.3.35.1">libavahi-common3-0.7-150100.3.35.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libbind9-1600-9.16.6-150300.22.47.1">
      <FullProductName ProductID="libbind9-1600-9.16.6-150300.22.47.1">libbind9-1600-9.16.6-150300.22.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libblkid1-2.36.2-150300.4.44.12">
      <FullProductName ProductID="libblkid1-2.36.2-150300.4.44.12">libblkid1-2.36.2-150300.4.44.12</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcares2-1.19.1-150000.3.26.1">
      <FullProductName ProductID="libcares2-1.19.1-150000.3.26.1">libcares2-1.19.1-150000.3.26.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcrypt1-4.4.15-150300.4.7.1">
      <FullProductName ProductID="libcrypt1-4.4.15-150300.4.7.1">libcrypt1-4.4.15-150300.4.7.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcups2-2.2.7-150000.3.62.1">
      <FullProductName ProductID="libcups2-2.2.7-150000.3.62.1">libcups2-2.2.7-150000.3.62.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl4-7.66.0-150200.4.72.1">
      <FullProductName ProductID="libcurl4-7.66.0-150200.4.72.1">libcurl4-7.66.0-150200.4.72.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libdns1605-9.16.6-150300.22.47.1">
      <FullProductName ProductID="libdns1605-9.16.6-150300.22.47.1">libdns1605-9.16.6-150300.22.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libfastjson4-0.99.8-150000.3.3.1">
      <FullProductName ProductID="libfastjson4-0.99.8-150000.3.3.1">libfastjson4-0.99.8-150000.3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libfdisk1-2.36.2-150300.4.44.12">
      <FullProductName ProductID="libfdisk1-2.36.2-150300.4.44.12">libfdisk1-2.36.2-150300.4.44.12</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libfreebl3-3.101.2-150000.3.120.1">
      <FullProductName ProductID="libfreebl3-3.101.2-150000.3.120.1">libfreebl3-3.101.2-150000.3.120.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libfstrm0-0.6.1-150300.9.5.1">
      <FullProductName ProductID="libfstrm0-0.6.1-150300.9.5.1">libfstrm0-0.6.1-150300.9.5.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgcc_s1-13.3.0+git8781-150000.1.12.1">
      <FullProductName ProductID="libgcc_s1-13.3.0+git8781-150000.1.12.1">libgcc_s1-13.3.0+git8781-150000.1.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgdk_pixbuf-2_0-0-2.40.0-150200.3.12.1">
      <FullProductName ProductID="libgdk_pixbuf-2_0-0-2.40.0-150200.3.12.1">libgdk_pixbuf-2_0-0-2.40.0-150200.3.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgio-2_0-0-2.62.6-150200.3.18.1">
      <FullProductName ProductID="libgio-2_0-0-2.62.6-150200.3.18.1">libgio-2_0-0-2.62.6-150200.3.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libglib-2_0-0-2.62.6-150200.3.18.1">
      <FullProductName ProductID="libglib-2_0-0-2.62.6-150200.3.18.1">libglib-2_0-0-2.62.6-150200.3.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgmodule-2_0-0-2.62.6-150200.3.18.1">
      <FullProductName ProductID="libgmodule-2_0-0-2.62.6-150200.3.18.1">libgmodule-2_0-0-2.62.6-150200.3.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgnutls30-3.6.7-150200.14.31.1">
      <FullProductName ProductID="libgnutls30-3.6.7-150200.14.31.1">libgnutls30-3.6.7-150200.14.31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgobject-2_0-0-2.62.6-150200.3.18.1">
      <FullProductName ProductID="libgobject-2_0-0-2.62.6-150200.3.18.1">libgobject-2_0-0-2.62.6-150200.3.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgthread-2_0-0-2.62.6-150200.3.18.1">
      <FullProductName ProductID="libgthread-2_0-0-2.62.6-150200.3.18.1">libgthread-2_0-0-2.62.6-150200.3.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgudev-1_0-0-237-150300.9.3.1">
      <FullProductName ProductID="libgudev-1_0-0-237-150300.9.3.1">libgudev-1_0-0-237-150300.9.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libirs1601-9.16.6-150300.22.47.1">
      <FullProductName ProductID="libirs1601-9.16.6-150300.22.47.1">libirs1601-9.16.6-150300.22.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libisc1606-9.16.6-150300.22.47.1">
      <FullProductName ProductID="libisc1606-9.16.6-150300.22.47.1">libisc1606-9.16.6-150300.22.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libisccc1600-9.16.6-150300.22.47.1">
      <FullProductName ProductID="libisccc1600-9.16.6-150300.22.47.1">libisccc1600-9.16.6-150300.22.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libisccfg1600-9.16.6-150300.22.47.1">
      <FullProductName ProductID="libisccfg1600-9.16.6-150300.22.47.1">libisccfg1600-9.16.6-150300.22.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libjbig2-2.1-150000.3.5.1">
      <FullProductName ProductID="libjbig2-2.1-150000.3.5.1">libjbig2-2.1-150000.3.5.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libltdl7-2.4.6-150000.3.8.1">
      <FullProductName ProductID="libltdl7-2.4.6-150000.3.8.1">libltdl7-2.4.6-150000.3.8.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libmetalink3-0.1.3-150000.3.2.1">
      <FullProductName ProductID="libmetalink3-0.1.3-150000.3.2.1">libmetalink3-0.1.3-150000.3.2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libmount1-2.36.2-150300.4.44.12">
      <FullProductName ProductID="libmount1-2.36.2-150300.4.44.12">libmount1-2.36.2-150300.4.44.12</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libncurses6-6.1-150000.5.24.1">
      <FullProductName ProductID="libncurses6-6.1-150000.5.24.1">libncurses6-6.1-150000.5.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libnghttp2-14-1.40.0-150200.17.1">
      <FullProductName ProductID="libnghttp2-14-1.40.0-150200.17.1">libnghttp2-14-1.40.0-150200.17.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libns1604-9.16.6-150300.22.47.1">
      <FullProductName ProductID="libns1604-9.16.6-150300.22.47.1">libns1604-9.16.6-150300.22.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libopenssl1_1-1.1.1d-150200.11.91.1">
      <FullProductName ProductID="libopenssl1_1-1.1.1d-150200.11.91.1">libopenssl1_1-1.1.1d-150200.11.91.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libpacemaker3-2.0.5+20201202.ba59be712-150300.4.39.2">
      <FullProductName ProductID="libpacemaker3-2.0.5+20201202.ba59be712-150300.4.39.2">libpacemaker3-2.0.5+20201202.ba59be712-150300.4.39.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libpolkit0-0.116-150200.3.12.1">
      <FullProductName ProductID="libpolkit0-0.116-150200.3.12.1">libpolkit0-0.116-150200.3.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libpython3_6m1_0-3.6.15-150300.10.65.1">
      <FullProductName ProductID="libpython3_6m1_0-3.6.15-150300.10.65.1">libpython3_6m1_0-3.6.15-150300.10.65.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libqb100-2.0.2+20201203.def947e-150300.3.9.2">
      <FullProductName ProductID="libqb100-2.0.2+20201203.def947e-150300.3.9.2">libqb100-2.0.2+20201203.def947e-150300.3.9.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libqrencode4-4.1.1-150000.3.3.1">
      <FullProductName ProductID="libqrencode4-4.1.1-150000.3.3.1">libqrencode4-4.1.1-150000.3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsmartcols1-2.36.2-150300.4.44.12">
      <FullProductName ProductID="libsmartcols1-2.36.2-150300.4.44.12">libsmartcols1-2.36.2-150300.4.44.12</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsnmp40-5.9.4-150300.15.11.1">
      <FullProductName ProductID="libsnmp40-5.9.4-150300.15.11.1">libsnmp40-5.9.4-150300.15.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsoftokn3-3.101.2-150000.3.120.1">
      <FullProductName ProductID="libsoftokn3-3.101.2-150000.3.120.1">libsoftokn3-3.101.2-150000.3.120.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsolv-tools-0.7.29-150200.34.1">
      <FullProductName ProductID="libsolv-tools-0.7.29-150200.34.1">libsolv-tools-0.7.29-150200.34.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libssh2-1-1.11.0-150200.9.2.1">
      <FullProductName ProductID="libssh2-1-1.11.0-150200.9.2.1">libssh2-1-1.11.0-150200.9.2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libssh4-0.9.8-150200.13.6.2">
      <FullProductName ProductID="libssh4-0.9.8-150200.13.6.2">libssh4-0.9.8-150200.13.6.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libstdc++6-13.3.0+git8781-150000.1.12.1">
      <FullProductName ProductID="libstdc++6-13.3.0+git8781-150000.1.12.1">libstdc++6-13.3.0+git8781-150000.1.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsuseconnect-1.11.0-150100.3.33.2">
      <FullProductName ProductID="libsuseconnect-1.11.0-150100.3.33.2">libsuseconnect-1.11.0-150100.3.33.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libtiff5-4.0.9-150000.45.44.1">
      <FullProductName ProductID="libtiff5-4.0.9-150000.45.44.1">libtiff5-4.0.9-150000.45.44.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libuuid1-2.36.2-150300.4.44.12">
      <FullProductName ProductID="libuuid1-2.36.2-150300.4.44.12">libuuid1-2.36.2-150300.4.44.12</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libuv1-1.18.0-150000.3.2.1">
      <FullProductName ProductID="libuv1-1.18.0-150000.3.2.1">libuv1-1.18.0-150000.3.2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libvirt-client-7.1.0-150300.6.41.1">
      <FullProductName ProductID="libvirt-client-7.1.0-150300.6.41.1">libvirt-client-7.1.0-150300.6.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libvirt-libs-7.1.0-150300.6.41.1">
      <FullProductName ProductID="libvirt-libs-7.1.0-150300.6.41.1">libvirt-libs-7.1.0-150300.6.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-glx0-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-glx0-1.13-150000.3.11.1">libxcb-glx0-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-randr0-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-randr0-1.13-150000.3.11.1">libxcb-randr0-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-render0-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-render0-1.13-150000.3.11.1">libxcb-render0-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-shape0-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-shape0-1.13-150000.3.11.1">libxcb-shape0-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-shm0-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-shm0-1.13-150000.3.11.1">libxcb-shm0-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-sync1-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-sync1-1.13-150000.3.11.1">libxcb-sync1-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-xfixes0-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-xfixes0-1.13-150000.3.11.1">libxcb-xfixes0-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-xinerama0-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-xinerama0-1.13-150000.3.11.1">libxcb-xinerama0-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-xinput0-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-xinput0-1.13-150000.3.11.1">libxcb-xinput0-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb-xkb1-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb-xkb1-1.13-150000.3.11.1">libxcb-xkb1-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxcb1-1.13-150000.3.11.1">
      <FullProductName ProductID="libxcb1-1.13-150000.3.11.1">libxcb1-1.13-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxml2-2-2.9.7-150000.3.70.1">
      <FullProductName ProductID="libxml2-2-2.9.7-150000.3.70.1">libxml2-2-2.9.7-150000.3.70.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxml2-tools-2.9.7-150000.3.70.1">
      <FullProductName ProductID="libxml2-tools-2.9.7-150000.3.70.1">libxml2-tools-2.9.7-150000.3.70.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libyui-ncurses-pkg15-4.1.5-150300.3.12.5">
      <FullProductName ProductID="libyui-ncurses-pkg15-4.1.5-150300.3.12.5">libyui-ncurses-pkg15-4.1.5-150300.3.12.5</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libyui-ncurses15-4.1.5-150300.3.12.4">
      <FullProductName ProductID="libyui-ncurses15-4.1.5-150300.3.12.4">libyui-ncurses15-4.1.5-150300.3.12.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libyui-qt15-4.1.5-150300.3.12.4">
      <FullProductName ProductID="libyui-qt15-4.1.5-150300.3.12.4">libyui-qt15-4.1.5-150300.3.12.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libyui15-4.1.5-150300.3.12.4">
      <FullProductName ProductID="libyui15-4.1.5-150300.3.12.4">libyui15-4.1.5-150300.3.12.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libzypp-17.34.1-150200.106.2">
      <FullProductName ProductID="libzypp-17.34.1-150200.106.2">libzypp-17.34.1-150200.106.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="lifecycle-data-sle-module-live-patching-15-150000.4.114.2">
      <FullProductName ProductID="lifecycle-data-sle-module-live-patching-15-150000.4.114.2">lifecycle-data-sle-module-live-patching-15-150000.4.114.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="login_defs-4.8.1-150300.4.18.1">
      <FullProductName ProductID="login_defs-4.8.1-150300.4.18.1">login_defs-4.8.1-150300.4.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mozilla-nss-3.101.2-150000.3.120.1">
      <FullProductName ProductID="mozilla-nss-3.101.2-150000.3.120.1">mozilla-nss-3.101.2-150000.3.120.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mozilla-nss-certs-3.101.2-150000.3.120.1">
      <FullProductName ProductID="mozilla-nss-certs-3.101.2-150000.3.120.1">mozilla-nss-certs-3.101.2-150000.3.120.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mozilla-nss-tools-3.101.2-150000.3.120.1">
      <FullProductName ProductID="mozilla-nss-tools-3.101.2-150000.3.120.1">mozilla-nss-tools-3.101.2-150000.3.120.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ncurses-utils-6.1-150000.5.24.1">
      <FullProductName ProductID="ncurses-utils-6.1-150000.5.24.1">ncurses-utils-6.1-150000.5.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="net-snmp-5.9.4-150300.15.11.1">
      <FullProductName ProductID="net-snmp-5.9.4-150300.15.11.1">net-snmp-5.9.4-150300.15.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="netcfg-11.6-150000.3.6.1">
      <FullProductName ProductID="netcfg-11.6-150000.3.6.1">netcfg-11.6-150000.3.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="nscd-2.31-150300.83.1">
      <FullProductName ProductID="nscd-2.31-150300.83.1">nscd-2.31-150300.83.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ocfs2-kmp-default-5.3.18-150300.59.167.1">
      <FullProductName ProductID="ocfs2-kmp-default-5.3.18-150300.59.167.1">ocfs2-kmp-default-5.3.18-150300.59.167.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ocfs2-tools-1.8.5-150100.12.20.2">
      <FullProductName ProductID="ocfs2-tools-1.8.5-150100.12.20.2">ocfs2-tools-1.8.5-150100.12.20.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openslp-2.0.0-150000.6.17.1">
      <FullProductName ProductID="openslp-2.0.0-150000.6.17.1">openslp-2.0.0-150000.6.17.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-8.4p1-150300.3.37.1">
      <FullProductName ProductID="openssh-8.4p1-150300.3.37.1">openssh-8.4p1-150300.3.37.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-clients-8.4p1-150300.3.37.1">
      <FullProductName ProductID="openssh-clients-8.4p1-150300.3.37.1">openssh-clients-8.4p1-150300.3.37.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-common-8.4p1-150300.3.37.1">
      <FullProductName ProductID="openssh-common-8.4p1-150300.3.37.1">openssh-common-8.4p1-150300.3.37.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-server-8.4p1-150300.3.37.1">
      <FullProductName ProductID="openssh-server-8.4p1-150300.3.37.1">openssh-server-8.4p1-150300.3.37.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssl-1_1-1.1.1d-150200.11.91.1">
      <FullProductName ProductID="openssl-1_1-1.1.1d-150200.11.91.1">openssl-1_1-1.1.1d-150200.11.91.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="pacemaker-2.0.5+20201202.ba59be712-150300.4.39.2">
      <FullProductName ProductID="pacemaker-2.0.5+20201202.ba59be712-150300.4.39.2">pacemaker-2.0.5+20201202.ba59be712-150300.4.39.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="pacemaker-cli-2.0.5+20201202.ba59be712-150300.4.39.2">
      <FullProductName ProductID="pacemaker-cli-2.0.5+20201202.ba59be712-150300.4.39.2">pacemaker-cli-2.0.5+20201202.ba59be712-150300.4.39.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="pam-1.3.0-150000.6.66.1">
      <FullProductName ProductID="pam-1.3.0-150000.6.66.1">pam-1.3.0-150000.6.66.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="pam-config-1.1-150200.3.6.1">
      <FullProductName ProductID="pam-config-1.1-150200.3.6.1">pam-config-1.1-150200.3.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="perl-5.26.1-150300.17.17.1">
      <FullProductName ProductID="perl-5.26.1-150300.17.17.1">perl-5.26.1-150300.17.17.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="perl-SNMP-5.9.4-150300.15.11.1">
      <FullProductName ProductID="perl-SNMP-5.9.4-150300.15.11.1">perl-SNMP-5.9.4-150300.15.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="perl-base-5.26.1-150300.17.17.1">
      <FullProductName ProductID="perl-base-5.26.1-150300.17.17.1">perl-base-5.26.1-150300.17.17.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="polkit-0.116-150200.3.12.1">
      <FullProductName ProductID="polkit-0.116-150200.3.12.1">polkit-0.116-150200.3.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="procps-3.3.17-150000.7.39.1">
      <FullProductName ProductID="procps-3.3.17-150000.7.39.1">procps-3.3.17-150000.7.39.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python-instance-billing-flavor-check-0.0.6-150400.1.11.7">
      <FullProductName ProductID="python-instance-billing-flavor-check-0.0.6-150400.1.11.7">python-instance-billing-flavor-check-0.0.6-150400.1.11.7</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-3.6.15-150300.10.65.2">
      <FullProductName ProductID="python3-3.6.15-150300.10.65.2">python3-3.6.15-150300.10.65.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-base-3.6.15-150300.10.65.1">
      <FullProductName ProductID="python3-base-3.6.15-150300.10.65.1">python3-base-3.6.15-150300.10.65.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-bind-9.16.6-150300.22.47.1">
      <FullProductName ProductID="python3-bind-9.16.6-150300.22.47.1">python3-bind-9.16.6-150300.22.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-chardet-3.0.4-150000.5.3.1">
      <FullProductName ProductID="python3-chardet-3.0.4-150000.5.3.1">python3-chardet-3.0.4-150000.5.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-cryptography-3.3.2-150200.22.1">
      <FullProductName ProductID="python3-cryptography-3.3.2-150200.22.1">python3-cryptography-3.3.2-150200.22.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-cssselect-1.0.3-150400.3.7.4">
      <FullProductName ProductID="python3-cssselect-1.0.3-150400.3.7.4">python3-cssselect-1.0.3-150400.3.7.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-curses-3.6.15-150300.10.65.2">
      <FullProductName ProductID="python3-curses-3.6.15-150300.10.65.2">python3-curses-3.6.15-150300.10.65.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-idna-2.6-150000.3.3.1">
      <FullProductName ProductID="python3-idna-2.6-150000.3.3.1">python3-idna-2.6-150000.3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-lxml-4.7.1-150200.3.12.1">
      <FullProductName ProductID="python3-lxml-4.7.1-150200.3.12.1">python3-lxml-4.7.1-150200.3.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-pycryptodome-3.9.0-150200.9.1">
      <FullProductName ProductID="python3-pycryptodome-3.9.0-150200.9.1">python3-pycryptodome-3.9.0-150200.9.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-requests-2.25.1-150300.3.12.2">
      <FullProductName ProductID="python3-requests-2.25.1-150300.3.12.2">python3-requests-2.25.1-150300.3.12.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-solv-0.7.29-150200.34.1">
      <FullProductName ProductID="python3-solv-0.7.29-150200.34.1">python3-solv-0.7.29-150200.34.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-urllib3-1.25.10-150300.4.12.1">
      <FullProductName ProductID="python3-urllib3-1.25.10-150300.4.12.1">python3-urllib3-1.25.10-150300.4.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="resource-agents-4.8.0+git30.d0077df0-150300.8.43.2">
      <FullProductName ProductID="resource-agents-4.8.0+git30.d0077df0-150300.8.43.2">resource-agents-4.8.0+git30.d0077df0-150300.8.43.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ruby-solv-0.7.29-150200.34.1">
      <FullProductName ProductID="ruby-solv-0.7.29-150200.34.1">ruby-solv-0.7.29-150200.34.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.29.1">
      <FullProductName ProductID="ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.29.1">ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.29.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ruby2.5-rubygem-rack-2.0.8-150000.3.21.2">
      <FullProductName ProductID="ruby2.5-rubygem-rack-2.0.8-150000.3.21.2">ruby2.5-rubygem-rack-2.0.8-150000.3.21.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ruby2.5-rubygem-sass-3.7.4-150000.3.3.1">
      <FullProductName ProductID="ruby2.5-rubygem-sass-3.7.4-150000.3.3.1">ruby2.5-rubygem-sass-3.7.4-150000.3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="runc-1.1.13-150000.67.1">
      <FullProductName ProductID="runc-1.1.13-150000.67.1">runc-1.1.13-150000.67.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2">
      <FullProductName ProductID="samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2">samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="samba-libs-4.15.13+git.710.7032820fcd-150300.3.66.2">
      <FullProductName ProductID="samba-libs-4.15.13+git.710.7032820fcd-150300.3.66.2">samba-libs-4.15.13+git.710.7032820fcd-150300.3.66.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="sapconf-5.0.7-150000.7.30.1">
      <FullProductName ProductID="sapconf-5.0.7-150000.7.30.1">sapconf-5.0.7-150000.7.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="saptune-3.1.2-150100.8.33.1">
      <FullProductName ProductID="saptune-3.1.2-150100.8.33.1">saptune-3.1.2-150100.8.33.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="sed-4.4-150300.13.3.1">
      <FullProductName ProductID="sed-4.4-150300.13.3.1">sed-4.4-150300.13.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="shadow-4.8.1-150300.4.18.1">
      <FullProductName ProductID="shadow-4.8.1-150300.4.18.1">shadow-4.8.1-150300.4.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="shim-15.8-150300.4.20.2">
      <FullProductName ProductID="shim-15.8-150300.4.20.2">shim-15.8-150300.4.20.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="sle-module-containers-release-15.3-150300.58.3.2">
      <FullProductName ProductID="sle-module-containers-release-15.3-150300.58.3.2">sle-module-containers-release-15.3-150300.58.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="snmp-mibs-5.9.4-150300.15.11.1">
      <FullProductName ProductID="snmp-mibs-5.9.4-150300.15.11.1">snmp-mibs-5.9.4-150300.15.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="sudo-1.9.5p2-150300.3.33.1">
      <FullProductName ProductID="sudo-1.9.5p2-150300.3.33.1">sudo-1.9.5p2-150300.3.33.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="supportutils-3.1.30-150300.7.35.30.1">
      <FullProductName ProductID="supportutils-3.1.30-150300.7.35.30.1">supportutils-3.1.30-150300.7.35.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="supportutils-plugin-ha-sap-0.0.5+git.1709295499.1c8e8cd-150000.1.15.1">
      <FullProductName ProductID="supportutils-plugin-ha-sap-0.0.5+git.1709295499.1c8e8cd-150000.1.15.1">supportutils-plugin-ha-sap-0.0.5+git.1709295499.1c8e8cd-150000.1.15.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="supportutils-plugin-suse-public-cloud-1.0.9-150000.3.20.1">
      <FullProductName ProductID="supportutils-plugin-suse-public-cloud-1.0.9-150000.3.20.1">supportutils-plugin-suse-public-cloud-1.0.9-150000.3.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suse-build-key-12.0-150000.8.49.2">
      <FullProductName ProductID="suse-build-key-12.0-150000.8.49.2">suse-build-key-12.0-150000.8.49.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suse-module-tools-15.3.18-150300.3.25.1">
      <FullProductName ProductID="suse-module-tools-15.3.18-150300.3.25.1">suse-module-tools-15.3.18-150300.3.25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suseconnect-ng-1.11.0-150100.3.33.2">
      <FullProductName ProductID="suseconnect-ng-1.11.0-150100.3.33.2">suseconnect-ng-1.11.0-150100.3.33.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suseconnect-ruby-bindings-1.11.0-150100.3.33.2">
      <FullProductName ProductID="suseconnect-ruby-bindings-1.11.0-150100.3.33.2">suseconnect-ruby-bindings-1.11.0-150100.3.33.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="systemd-default-settings-0.10-150300.3.7.1">
      <FullProductName ProductID="systemd-default-settings-0.10-150300.3.7.1">systemd-default-settings-0.10-150300.3.7.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="systemd-default-settings-branding-SLE-0.10-150300.3.7.1">
      <FullProductName ProductID="systemd-default-settings-branding-SLE-0.10-150300.3.7.1">systemd-default-settings-branding-SLE-0.10-150300.3.7.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="systemd-presets-branding-SLE-15.1-150100.20.14.1">
      <FullProductName ProductID="systemd-presets-branding-SLE-15.1-150100.20.14.1">systemd-presets-branding-SLE-15.1-150100.20.14.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="systemd-presets-common-SUSE-15-150100.8.23.1">
      <FullProductName ProductID="systemd-presets-common-SUSE-15-150100.8.23.1">systemd-presets-common-SUSE-15-150100.8.23.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="tar-1.34-150000.3.34.1">
      <FullProductName ProductID="tar-1.34-150000.3.34.1">tar-1.34-150000.3.34.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="terminfo-6.1-150000.5.24.1">
      <FullProductName ProductID="terminfo-6.1-150000.5.24.1">terminfo-6.1-150000.5.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="terminfo-base-6.1-150000.5.24.1">
      <FullProductName ProductID="terminfo-base-6.1-150000.5.24.1">terminfo-base-6.1-150000.5.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="timezone-2024a-150000.75.28.1">
      <FullProductName ProductID="timezone-2024a-150000.75.28.1">timezone-2024a-150000.75.28.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="util-linux-2.36.2-150300.4.44.12">
      <FullProductName ProductID="util-linux-2.36.2-150300.4.44.12">util-linux-2.36.2-150300.4.44.12</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="util-linux-systemd-2.36.2-150300.4.44.11">
      <FullProductName ProductID="util-linux-systemd-2.36.2-150300.4.44.11">util-linux-systemd-2.36.2-150300.4.44.11</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="uuidd-2.36.2-150300.4.44.11">
      <FullProductName ProductID="uuidd-2.36.2-150300.4.44.11">uuidd-2.36.2-150300.4.44.11</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="vim-9.1.0330-150000.5.63.1">
      <FullProductName ProductID="vim-9.1.0330-150000.5.63.1">vim-9.1.0330-150000.5.63.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="vim-data-common-9.1.0330-150000.5.63.1">
      <FullProductName ProductID="vim-data-common-9.1.0330-150000.5.63.1">vim-data-common-9.1.0330-150000.5.63.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="wget-1.20.3-150000.3.20.1">
      <FullProductName ProductID="wget-1.20.3-150000.3.20.1">wget-1.20.3-150000.3.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="wicked-0.6.76-150300.4.35.1">
      <FullProductName ProductID="wicked-0.6.76-150300.4.35.1">wicked-0.6.76-150300.4.35.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="wicked-service-0.6.76-150300.4.35.1">
      <FullProductName ProductID="wicked-service-0.6.76-150300.4.35.1">wicked-service-0.6.76-150300.4.35.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xen-libs-4.14.6_16-150300.3.75.1">
      <FullProductName ProductID="xen-libs-4.14.6_16-150300.3.75.1">xen-libs-4.14.6_16-150300.3.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xkbcomp-1.4.1-150000.3.3.2">
      <FullProductName ProductID="xkbcomp-1.4.1-150000.3.3.2">xkbcomp-1.4.1-150000.3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xterm-bin-330-150200.11.15.1">
      <FullProductName ProductID="xterm-bin-330-150200.11.15.1">xterm-bin-330-150200.11.15.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="yast2-4.3.70-150300.3.23.3">
      <FullProductName ProductID="yast2-4.3.70-150300.3.23.3">yast2-4.3.70-150300.3.23.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="yast2-logs-4.3.70-150300.3.23.3">
      <FullProductName ProductID="yast2-logs-4.3.70-150300.3.23.3">yast2-logs-4.3.70-150300.3.23.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="yast2-network-4.3.89-150300.3.41.1">
      <FullProductName ProductID="yast2-network-4.3.89-150300.3.41.1">yast2-network-4.3.89-150300.3.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="yast2-packager-4.3.27-150300.3.15.2">
      <FullProductName ProductID="yast2-packager-4.3.27-150300.3.15.2">yast2-packager-4.3.27-150300.3.15.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="yast2-pkg-bindings-4.3.13-150300.3.10.11">
      <FullProductName ProductID="yast2-pkg-bindings-4.3.13-150300.3.10.11">yast2-pkg-bindings-4.3.13-150300.3.10.11</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="yast2-registration-4.3.29-150300.3.23.2">
      <FullProductName ProductID="yast2-registration-4.3.29-150300.3.23.2">yast2-registration-4.3.29-150300.3.23.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="zypper-1.14.73-150200.81.6">
      <FullProductName ProductID="zypper-1.14.73-150200.81.6">zypper-1.14.73-150200.81.6</FullProductName>
    </Branch>
    <Relationship ProductReference="HANA-Firewall-2.0.4-150000.3.9.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:HANA-Firewall-2.0.4-150000.3.9.3">HANA-Firewall-2.0.4-150000.3.9.3 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="SAPHanaSR-0.162.4-150000.4.44.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:SAPHanaSR-0.162.4-150000.4.44.1">SAPHanaSR-0.162.4-150000.4.44.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="SAPHanaSR-doc-0.162.4-150000.4.44.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:SAPHanaSR-doc-0.162.4-150000.4.44.1">SAPHanaSR-doc-0.162.4-150000.4.44.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="aaa_base-84.87+git20180409.04c9dae-150300.10.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:aaa_base-84.87+git20180409.04c9dae-150300.10.20.1">aaa_base-84.87+git20180409.04c9dae-150300.10.20.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="aaa_base-extras-84.87+git20180409.04c9dae-150300.10.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:aaa_base-extras-84.87+git20180409.04c9dae-150300.10.20.1">aaa_base-extras-84.87+git20180409.04c9dae-150300.10.20.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="autofs-5.1.3-150000.7.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:autofs-5.1.3-150000.7.20.1">autofs-5.1.3-150000.7.20.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="bind-utils-9.16.6-150300.22.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:bind-utils-9.16.6-150300.22.47.1">bind-utils-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ca-certificates-2+git20240416.98ae794-150300.4.3.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ca-certificates-2+git20240416.98ae794-150300.4.3.3">ca-certificates-2+git20240416.98ae794-150300.4.3.3 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="catatonit-0.2.0-150300.10.8.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:catatonit-0.2.0-150300.10.8.1">catatonit-0.2.0-150300.10.8.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="chrony-4.1-150300.16.14.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:chrony-4.1-150300.16.14.3">chrony-4.1-150300.16.14.3 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="chrony-pool-suse-4.1-150300.16.14.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:chrony-pool-suse-4.1-150300.16.14.3">chrony-pool-suse-4.1-150300.16.14.3 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cloud-netconfig-gce-1.14-150000.25.23.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cloud-netconfig-gce-1.14-150000.25.23.1">cloud-netconfig-gce-1.14-150000.25.23.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cloud-regionsrv-client-10.1.7-150000.6.108.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cloud-regionsrv-client-10.1.7-150000.6.108.1">cloud-regionsrv-client-10.1.7-150000.6.108.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.108.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.108.1">cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.108.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cluster-md-kmp-default-5.3.18-150300.59.167.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1">cluster-md-kmp-default-5.3.18-150300.59.167.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="containerd-1.7.17-150000.114.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:containerd-1.7.17-150000.114.1">containerd-1.7.17-150000.114.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="coreutils-8.32-150300.3.8.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:coreutils-8.32-150300.3.8.1">coreutils-8.32-150300.3.8.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cpio-2.12-150000.3.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cpio-2.12-150000.3.12.1">cpio-2.12-150000.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ctdb-4.15.13+git.710.7032820fcd-150300.3.66.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ctdb-4.15.13+git.710.7032820fcd-150300.3.66.2">ctdb-4.15.13+git.710.7032820fcd-150300.3.66.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cups-config-2.2.7-150000.3.62.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cups-config-2.2.7-150000.3.62.1">cups-config-2.2.7-150000.3.62.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="curl-7.66.0-150200.4.72.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:curl-7.66.0-150200.4.72.1">curl-7.66.0-150200.4.72.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="desktop-data-SLE-15-150000.4.3.11" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:desktop-data-SLE-15-150000.4.3.11">desktop-data-SLE-15-150000.4.3.11 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="dhcp-4.3.6.P1-150000.6.19.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dhcp-4.3.6.P1-150000.6.19.1">dhcp-4.3.6.P1-150000.6.19.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="dhcp-client-4.3.6.P1-150000.6.19.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dhcp-client-4.3.6.P1-150000.6.19.1">dhcp-client-4.3.6.P1-150000.6.19.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="dlm-kmp-default-5.3.18-150300.59.167.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1">dlm-kmp-default-5.3.18-150300.59.167.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="docker-25.0.6_ce-150000.203.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:docker-25.0.6_ce-150000.203.1">docker-25.0.6_ce-150000.203.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.17.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.17.1">fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.17.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="gdk-pixbuf-query-loaders-2.40.0-150200.3.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gdk-pixbuf-query-loaders-2.40.0-150200.3.12.1">gdk-pixbuf-query-loaders-2.40.0-150200.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="gfs2-kmp-default-5.3.18-150300.59.167.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1">gfs2-kmp-default-5.3.18-150300.59.167.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glib2-tools-2.62.6-150200.3.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glib2-tools-2.62.6-150200.3.18.1">glib2-tools-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-2.31-150300.83.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-2.31-150300.83.1">glibc-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-32bit-2.31-150300.83.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-32bit-2.31-150300.83.1">glibc-32bit-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-i18ndata-2.31-150300.83.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-i18ndata-2.31-150300.83.1">glibc-i18ndata-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-locale-2.31-150300.83.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-2.31-150300.83.1">glibc-locale-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-locale-base-2.31-150300.83.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-base-2.31-150300.83.1">glibc-locale-base-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="gnutls-3.6.7-150200.14.31.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gnutls-3.6.7-150200.14.31.1">gnutls-3.6.7-150200.14.31.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-cloud-sap-agent-3.4-150100.3.35.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:google-cloud-sap-agent-3.4-150100.3.35.1">google-cloud-sap-agent-3.4-150100.3.35.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-agent-20240314.00-150400.1.48.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:google-guest-agent-20240314.00-150400.1.48.7">google-guest-agent-20240314.00-150400.1.48.7 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-configs-20240307.00-150000.1.31.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:google-guest-configs-20240307.00-150000.1.31.1">google-guest-configs-20240307.00-150000.1.31.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-oslogin-20240311.00-150400.1.45.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:google-guest-oslogin-20240311.00-150400.1.45.7">google-guest-oslogin-20240311.00-150400.1.45.7 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-osconfig-agent-20240320.00-150400.1.35.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:google-osconfig-agent-20240320.00-150400.1.35.7">google-osconfig-agent-20240320.00-150400.1.35.7 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="growpart-rootgrow-1.0.7-150400.1.14.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:growpart-rootgrow-1.0.7-150400.1.14.7">growpart-rootgrow-1.0.7-150400.1.14.7 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="hawk2-2.6.4+git.1708604510.dc8c081f-150000.3.45.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:hawk2-2.6.4+git.1708604510.dc8c081f-150000.3.45.1">hawk2-2.6.4+git.1708604510.dc8c081f-150000.3.45.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-5.3.18-150300.59.167.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1">kernel-default-5.3.18-150300.59.167.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="krb5-1.19.2-150300.19.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-1.19.2-150300.19.1">krb5-1.19.2-150300.19.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="krb5-client-1.19.2-150300.19.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-client-1.19.2-150300.19.1">krb5-client-1.19.2-150300.19.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ldirectord-4.8.0+git30.d0077df0-150300.8.43.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ldirectord-4.8.0+git30.d0077df0-150300.8.43.2">ldirectord-4.8.0+git30.d0077df0-150300.8.43.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="less-530-150000.3.9.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:less-530-150000.3.9.1">less-530-150000.3.9.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libassuan0-2.5.5-150000.4.7.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libassuan0-2.5.5-150000.4.7.1">libassuan0-2.5.5-150000.4.7.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libatomic1-13.3.0+git8781-150000.1.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libatomic1-13.3.0+git8781-150000.1.12.1">libatomic1-13.3.0+git8781-150000.1.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libavahi-client3-0.7-150100.3.35.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-client3-0.7-150100.3.35.1">libavahi-client3-0.7-150100.3.35.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libavahi-common3-0.7-150100.3.35.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-common3-0.7-150100.3.35.1">libavahi-common3-0.7-150100.3.35.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libbind9-1600-9.16.6-150300.22.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libbind9-1600-9.16.6-150300.22.47.1">libbind9-1600-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libblkid1-2.36.2-150300.4.44.12" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libblkid1-2.36.2-150300.4.44.12">libblkid1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcares2-1.19.1-150000.3.26.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libcares2-1.19.1-150000.3.26.1">libcares2-1.19.1-150000.3.26.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcrypt1-4.4.15-150300.4.7.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libcrypt1-4.4.15-150300.4.7.1">libcrypt1-4.4.15-150300.4.7.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcups2-2.2.7-150000.3.62.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libcups2-2.2.7-150000.3.62.1">libcups2-2.2.7-150000.3.62.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl4-7.66.0-150200.4.72.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libcurl4-7.66.0-150200.4.72.1">libcurl4-7.66.0-150200.4.72.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libdns1605-9.16.6-150300.22.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libdns1605-9.16.6-150300.22.47.1">libdns1605-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libfastjson4-0.99.8-150000.3.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libfastjson4-0.99.8-150000.3.3.1">libfastjson4-0.99.8-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libfdisk1-2.36.2-150300.4.44.12" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libfdisk1-2.36.2-150300.4.44.12">libfdisk1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libfreebl3-3.101.2-150000.3.120.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libfreebl3-3.101.2-150000.3.120.1">libfreebl3-3.101.2-150000.3.120.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libfstrm0-0.6.1-150300.9.5.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libfstrm0-0.6.1-150300.9.5.1">libfstrm0-0.6.1-150300.9.5.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgcc_s1-13.3.0+git8781-150000.1.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgcc_s1-13.3.0+git8781-150000.1.12.1">libgcc_s1-13.3.0+git8781-150000.1.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgdk_pixbuf-2_0-0-2.40.0-150200.3.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgdk_pixbuf-2_0-0-2.40.0-150200.3.12.1">libgdk_pixbuf-2_0-0-2.40.0-150200.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgio-2_0-0-2.62.6-150200.3.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgio-2_0-0-2.62.6-150200.3.18.1">libgio-2_0-0-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libglib-2_0-0-2.62.6-150200.3.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libglib-2_0-0-2.62.6-150200.3.18.1">libglib-2_0-0-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgmodule-2_0-0-2.62.6-150200.3.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgmodule-2_0-0-2.62.6-150200.3.18.1">libgmodule-2_0-0-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgnutls30-3.6.7-150200.14.31.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgnutls30-3.6.7-150200.14.31.1">libgnutls30-3.6.7-150200.14.31.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgobject-2_0-0-2.62.6-150200.3.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgobject-2_0-0-2.62.6-150200.3.18.1">libgobject-2_0-0-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgthread-2_0-0-2.62.6-150200.3.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgthread-2_0-0-2.62.6-150200.3.18.1">libgthread-2_0-0-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgudev-1_0-0-237-150300.9.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgudev-1_0-0-237-150300.9.3.1">libgudev-1_0-0-237-150300.9.3.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libirs1601-9.16.6-150300.22.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libirs1601-9.16.6-150300.22.47.1">libirs1601-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libisc1606-9.16.6-150300.22.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisc1606-9.16.6-150300.22.47.1">libisc1606-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libisccc1600-9.16.6-150300.22.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccc1600-9.16.6-150300.22.47.1">libisccc1600-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libisccfg1600-9.16.6-150300.22.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccfg1600-9.16.6-150300.22.47.1">libisccfg1600-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libjbig2-2.1-150000.3.5.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libjbig2-2.1-150000.3.5.1">libjbig2-2.1-150000.3.5.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libltdl7-2.4.6-150000.3.8.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libltdl7-2.4.6-150000.3.8.1">libltdl7-2.4.6-150000.3.8.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libmetalink3-0.1.3-150000.3.2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libmetalink3-0.1.3-150000.3.2.1">libmetalink3-0.1.3-150000.3.2.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libmount1-2.36.2-150300.4.44.12" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libmount1-2.36.2-150300.4.44.12">libmount1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libncurses6-6.1-150000.5.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libncurses6-6.1-150000.5.24.1">libncurses6-6.1-150000.5.24.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libnghttp2-14-1.40.0-150200.17.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libnghttp2-14-1.40.0-150200.17.1">libnghttp2-14-1.40.0-150200.17.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libns1604-9.16.6-150300.22.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libns1604-9.16.6-150300.22.47.1">libns1604-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libopenssl1_1-1.1.1d-150200.11.91.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1">libopenssl1_1-1.1.1d-150200.11.91.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libpacemaker3-2.0.5+20201202.ba59be712-150300.4.39.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libpacemaker3-2.0.5+20201202.ba59be712-150300.4.39.2">libpacemaker3-2.0.5+20201202.ba59be712-150300.4.39.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libpolkit0-0.116-150200.3.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libpolkit0-0.116-150200.3.12.1">libpolkit0-0.116-150200.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libpython3_6m1_0-3.6.15-150300.10.65.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libpython3_6m1_0-3.6.15-150300.10.65.1">libpython3_6m1_0-3.6.15-150300.10.65.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libqb100-2.0.2+20201203.def947e-150300.3.9.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libqb100-2.0.2+20201203.def947e-150300.3.9.2">libqb100-2.0.2+20201203.def947e-150300.3.9.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libqrencode4-4.1.1-150000.3.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libqrencode4-4.1.1-150000.3.3.1">libqrencode4-4.1.1-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsmartcols1-2.36.2-150300.4.44.12" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libsmartcols1-2.36.2-150300.4.44.12">libsmartcols1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsnmp40-5.9.4-150300.15.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libsnmp40-5.9.4-150300.15.11.1">libsnmp40-5.9.4-150300.15.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsoftokn3-3.101.2-150000.3.120.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libsoftokn3-3.101.2-150000.3.120.1">libsoftokn3-3.101.2-150000.3.120.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsolv-tools-0.7.29-150200.34.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libsolv-tools-0.7.29-150200.34.1">libsolv-tools-0.7.29-150200.34.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libssh2-1-1.11.0-150200.9.2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh2-1-1.11.0-150200.9.2.1">libssh2-1-1.11.0-150200.9.2.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libssh4-0.9.8-150200.13.6.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2">libssh4-0.9.8-150200.13.6.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libstdc++6-13.3.0+git8781-150000.1.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libstdc++6-13.3.0+git8781-150000.1.12.1">libstdc++6-13.3.0+git8781-150000.1.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsuseconnect-1.11.0-150100.3.33.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libsuseconnect-1.11.0-150100.3.33.2">libsuseconnect-1.11.0-150100.3.33.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libtiff5-4.0.9-150000.45.44.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1">libtiff5-4.0.9-150000.45.44.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libuuid1-2.36.2-150300.4.44.12" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libuuid1-2.36.2-150300.4.44.12">libuuid1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libuv1-1.18.0-150000.3.2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libuv1-1.18.0-150000.3.2.1">libuv1-1.18.0-150000.3.2.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libvirt-client-7.1.0-150300.6.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libvirt-client-7.1.0-150300.6.41.1">libvirt-client-7.1.0-150300.6.41.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libvirt-libs-7.1.0-150300.6.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libvirt-libs-7.1.0-150300.6.41.1">libvirt-libs-7.1.0-150300.6.41.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-glx0-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-glx0-1.13-150000.3.11.1">libxcb-glx0-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-randr0-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-randr0-1.13-150000.3.11.1">libxcb-randr0-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-render0-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-render0-1.13-150000.3.11.1">libxcb-render0-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-shape0-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-shape0-1.13-150000.3.11.1">libxcb-shape0-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-shm0-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-shm0-1.13-150000.3.11.1">libxcb-shm0-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-sync1-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-sync1-1.13-150000.3.11.1">libxcb-sync1-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-xfixes0-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-xfixes0-1.13-150000.3.11.1">libxcb-xfixes0-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-xinerama0-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-xinerama0-1.13-150000.3.11.1">libxcb-xinerama0-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-xinput0-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-xinput0-1.13-150000.3.11.1">libxcb-xinput0-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb-xkb1-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb-xkb1-1.13-150000.3.11.1">libxcb-xkb1-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxcb1-1.13-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxcb1-1.13-150000.3.11.1">libxcb1-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxml2-2-2.9.7-150000.3.70.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxml2-2-2.9.7-150000.3.70.1">libxml2-2-2.9.7-150000.3.70.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxml2-tools-2.9.7-150000.3.70.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxml2-tools-2.9.7-150000.3.70.1">libxml2-tools-2.9.7-150000.3.70.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libyui-ncurses-pkg15-4.1.5-150300.3.12.5" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libyui-ncurses-pkg15-4.1.5-150300.3.12.5">libyui-ncurses-pkg15-4.1.5-150300.3.12.5 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libyui-ncurses15-4.1.5-150300.3.12.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libyui-ncurses15-4.1.5-150300.3.12.4">libyui-ncurses15-4.1.5-150300.3.12.4 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libyui-qt15-4.1.5-150300.3.12.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libyui-qt15-4.1.5-150300.3.12.4">libyui-qt15-4.1.5-150300.3.12.4 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libyui15-4.1.5-150300.3.12.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libyui15-4.1.5-150300.3.12.4">libyui15-4.1.5-150300.3.12.4 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libzypp-17.34.1-150200.106.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libzypp-17.34.1-150200.106.2">libzypp-17.34.1-150200.106.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="lifecycle-data-sle-module-live-patching-15-150000.4.114.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:lifecycle-data-sle-module-live-patching-15-150000.4.114.2">lifecycle-data-sle-module-live-patching-15-150000.4.114.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="login_defs-4.8.1-150300.4.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:login_defs-4.8.1-150300.4.18.1">login_defs-4.8.1-150300.4.18.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="mozilla-nss-3.101.2-150000.3.120.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:mozilla-nss-3.101.2-150000.3.120.1">mozilla-nss-3.101.2-150000.3.120.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="mozilla-nss-certs-3.101.2-150000.3.120.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:mozilla-nss-certs-3.101.2-150000.3.120.1">mozilla-nss-certs-3.101.2-150000.3.120.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="mozilla-nss-tools-3.101.2-150000.3.120.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:mozilla-nss-tools-3.101.2-150000.3.120.1">mozilla-nss-tools-3.101.2-150000.3.120.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ncurses-utils-6.1-150000.5.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ncurses-utils-6.1-150000.5.24.1">ncurses-utils-6.1-150000.5.24.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="net-snmp-5.9.4-150300.15.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:net-snmp-5.9.4-150300.15.11.1">net-snmp-5.9.4-150300.15.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="netcfg-11.6-150000.3.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:netcfg-11.6-150000.3.6.1">netcfg-11.6-150000.3.6.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="nscd-2.31-150300.83.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:nscd-2.31-150300.83.1">nscd-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ocfs2-kmp-default-5.3.18-150300.59.167.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1">ocfs2-kmp-default-5.3.18-150300.59.167.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ocfs2-tools-1.8.5-150100.12.20.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-tools-1.8.5-150100.12.20.2">ocfs2-tools-1.8.5-150100.12.20.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openslp-2.0.0-150000.6.17.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openslp-2.0.0-150000.6.17.1">openslp-2.0.0-150000.6.17.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-8.4p1-150300.3.37.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-8.4p1-150300.3.37.1">openssh-8.4p1-150300.3.37.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-clients-8.4p1-150300.3.37.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-clients-8.4p1-150300.3.37.1">openssh-clients-8.4p1-150300.3.37.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-common-8.4p1-150300.3.37.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-common-8.4p1-150300.3.37.1">openssh-common-8.4p1-150300.3.37.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-server-8.4p1-150300.3.37.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-server-8.4p1-150300.3.37.1">openssh-server-8.4p1-150300.3.37.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssl-1_1-1.1.1d-150200.11.91.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssl-1_1-1.1.1d-150200.11.91.1">openssl-1_1-1.1.1d-150200.11.91.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="pacemaker-2.0.5+20201202.ba59be712-150300.4.39.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:pacemaker-2.0.5+20201202.ba59be712-150300.4.39.2">pacemaker-2.0.5+20201202.ba59be712-150300.4.39.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="pacemaker-cli-2.0.5+20201202.ba59be712-150300.4.39.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:pacemaker-cli-2.0.5+20201202.ba59be712-150300.4.39.2">pacemaker-cli-2.0.5+20201202.ba59be712-150300.4.39.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="pam-1.3.0-150000.6.66.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:pam-1.3.0-150000.6.66.1">pam-1.3.0-150000.6.66.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="pam-config-1.1-150200.3.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:pam-config-1.1-150200.3.6.1">pam-config-1.1-150200.3.6.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="perl-5.26.1-150300.17.17.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:perl-5.26.1-150300.17.17.1">perl-5.26.1-150300.17.17.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="perl-SNMP-5.9.4-150300.15.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:perl-SNMP-5.9.4-150300.15.11.1">perl-SNMP-5.9.4-150300.15.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="perl-base-5.26.1-150300.17.17.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:perl-base-5.26.1-150300.17.17.1">perl-base-5.26.1-150300.17.17.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="polkit-0.116-150200.3.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:polkit-0.116-150200.3.12.1">polkit-0.116-150200.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="procps-3.3.17-150000.7.39.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:procps-3.3.17-150000.7.39.1">procps-3.3.17-150000.7.39.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python-instance-billing-flavor-check-0.0.6-150400.1.11.7" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python-instance-billing-flavor-check-0.0.6-150400.1.11.7">python-instance-billing-flavor-check-0.0.6-150400.1.11.7 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-3.6.15-150300.10.65.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-3.6.15-150300.10.65.2">python3-3.6.15-150300.10.65.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-base-3.6.15-150300.10.65.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-base-3.6.15-150300.10.65.1">python3-base-3.6.15-150300.10.65.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-bind-9.16.6-150300.22.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-bind-9.16.6-150300.22.47.1">python3-bind-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-chardet-3.0.4-150000.5.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-chardet-3.0.4-150000.5.3.1">python3-chardet-3.0.4-150000.5.3.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-cryptography-3.3.2-150200.22.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-cryptography-3.3.2-150200.22.1">python3-cryptography-3.3.2-150200.22.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-cssselect-1.0.3-150400.3.7.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-cssselect-1.0.3-150400.3.7.4">python3-cssselect-1.0.3-150400.3.7.4 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-curses-3.6.15-150300.10.65.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-curses-3.6.15-150300.10.65.2">python3-curses-3.6.15-150300.10.65.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-idna-2.6-150000.3.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-idna-2.6-150000.3.3.1">python3-idna-2.6-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-lxml-4.7.1-150200.3.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-lxml-4.7.1-150200.3.12.1">python3-lxml-4.7.1-150200.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-pycryptodome-3.9.0-150200.9.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-pycryptodome-3.9.0-150200.9.1">python3-pycryptodome-3.9.0-150200.9.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-requests-2.25.1-150300.3.12.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-requests-2.25.1-150300.3.12.2">python3-requests-2.25.1-150300.3.12.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-solv-0.7.29-150200.34.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-solv-0.7.29-150200.34.1">python3-solv-0.7.29-150200.34.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-urllib3-1.25.10-150300.4.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-urllib3-1.25.10-150300.4.12.1">python3-urllib3-1.25.10-150300.4.12.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="resource-agents-4.8.0+git30.d0077df0-150300.8.43.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:resource-agents-4.8.0+git30.d0077df0-150300.8.43.2">resource-agents-4.8.0+git30.d0077df0-150300.8.43.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ruby-solv-0.7.29-150200.34.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ruby-solv-0.7.29-150200.34.1">ruby-solv-0.7.29-150200.34.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.29.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.29.1">ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.29.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ruby2.5-rubygem-rack-2.0.8-150000.3.21.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ruby2.5-rubygem-rack-2.0.8-150000.3.21.2">ruby2.5-rubygem-rack-2.0.8-150000.3.21.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ruby2.5-rubygem-sass-3.7.4-150000.3.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ruby2.5-rubygem-sass-3.7.4-150000.3.3.1">ruby2.5-rubygem-sass-3.7.4-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="runc-1.1.13-150000.67.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:runc-1.1.13-150000.67.1">runc-1.1.13-150000.67.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2">samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="samba-libs-4.15.13+git.710.7032820fcd-150300.3.66.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:samba-libs-4.15.13+git.710.7032820fcd-150300.3.66.2">samba-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="sapconf-5.0.7-150000.7.30.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:sapconf-5.0.7-150000.7.30.1">sapconf-5.0.7-150000.7.30.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="saptune-3.1.2-150100.8.33.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:saptune-3.1.2-150100.8.33.1">saptune-3.1.2-150100.8.33.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="sed-4.4-150300.13.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:sed-4.4-150300.13.3.1">sed-4.4-150300.13.3.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="shadow-4.8.1-150300.4.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:shadow-4.8.1-150300.4.18.1">shadow-4.8.1-150300.4.18.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="shim-15.8-150300.4.20.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:shim-15.8-150300.4.20.2">shim-15.8-150300.4.20.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="sle-module-containers-release-15.3-150300.58.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:sle-module-containers-release-15.3-150300.58.3.2">sle-module-containers-release-15.3-150300.58.3.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="snmp-mibs-5.9.4-150300.15.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:snmp-mibs-5.9.4-150300.15.11.1">snmp-mibs-5.9.4-150300.15.11.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="sudo-1.9.5p2-150300.3.33.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:sudo-1.9.5p2-150300.3.33.1">sudo-1.9.5p2-150300.3.33.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="supportutils-3.1.30-150300.7.35.30.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:supportutils-3.1.30-150300.7.35.30.1">supportutils-3.1.30-150300.7.35.30.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="supportutils-plugin-ha-sap-0.0.5+git.1709295499.1c8e8cd-150000.1.15.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:supportutils-plugin-ha-sap-0.0.5+git.1709295499.1c8e8cd-150000.1.15.1">supportutils-plugin-ha-sap-0.0.5+git.1709295499.1c8e8cd-150000.1.15.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="supportutils-plugin-suse-public-cloud-1.0.9-150000.3.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:supportutils-plugin-suse-public-cloud-1.0.9-150000.3.20.1">supportutils-plugin-suse-public-cloud-1.0.9-150000.3.20.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suse-build-key-12.0-150000.8.49.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:suse-build-key-12.0-150000.8.49.2">suse-build-key-12.0-150000.8.49.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suse-module-tools-15.3.18-150300.3.25.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:suse-module-tools-15.3.18-150300.3.25.1">suse-module-tools-15.3.18-150300.3.25.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suseconnect-ng-1.11.0-150100.3.33.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:suseconnect-ng-1.11.0-150100.3.33.2">suseconnect-ng-1.11.0-150100.3.33.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suseconnect-ruby-bindings-1.11.0-150100.3.33.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:suseconnect-ruby-bindings-1.11.0-150100.3.33.2">suseconnect-ruby-bindings-1.11.0-150100.3.33.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="systemd-default-settings-0.10-150300.3.7.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:systemd-default-settings-0.10-150300.3.7.1">systemd-default-settings-0.10-150300.3.7.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="systemd-default-settings-branding-SLE-0.10-150300.3.7.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:systemd-default-settings-branding-SLE-0.10-150300.3.7.1">systemd-default-settings-branding-SLE-0.10-150300.3.7.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="systemd-presets-branding-SLE-15.1-150100.20.14.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:systemd-presets-branding-SLE-15.1-150100.20.14.1">systemd-presets-branding-SLE-15.1-150100.20.14.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="systemd-presets-common-SUSE-15-150100.8.23.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:systemd-presets-common-SUSE-15-150100.8.23.1">systemd-presets-common-SUSE-15-150100.8.23.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="tar-1.34-150000.3.34.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:tar-1.34-150000.3.34.1">tar-1.34-150000.3.34.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="terminfo-6.1-150000.5.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:terminfo-6.1-150000.5.24.1">terminfo-6.1-150000.5.24.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="terminfo-base-6.1-150000.5.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:terminfo-base-6.1-150000.5.24.1">terminfo-base-6.1-150000.5.24.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="timezone-2024a-150000.75.28.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:timezone-2024a-150000.75.28.1">timezone-2024a-150000.75.28.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="util-linux-2.36.2-150300.4.44.12" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:util-linux-2.36.2-150300.4.44.12">util-linux-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="util-linux-systemd-2.36.2-150300.4.44.11" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:util-linux-systemd-2.36.2-150300.4.44.11">util-linux-systemd-2.36.2-150300.4.44.11 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="uuidd-2.36.2-150300.4.44.11" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:uuidd-2.36.2-150300.4.44.11">uuidd-2.36.2-150300.4.44.11 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="vim-9.1.0330-150000.5.63.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1">vim-9.1.0330-150000.5.63.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="vim-data-common-9.1.0330-150000.5.63.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1">vim-data-common-9.1.0330-150000.5.63.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="wget-1.20.3-150000.3.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:wget-1.20.3-150000.3.20.1">wget-1.20.3-150000.3.20.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="wicked-0.6.76-150300.4.35.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:wicked-0.6.76-150300.4.35.1">wicked-0.6.76-150300.4.35.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="wicked-service-0.6.76-150300.4.35.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:wicked-service-0.6.76-150300.4.35.1">wicked-service-0.6.76-150300.4.35.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="xen-libs-4.14.6_16-150300.3.75.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xen-libs-4.14.6_16-150300.3.75.1">xen-libs-4.14.6_16-150300.3.75.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="xkbcomp-1.4.1-150000.3.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xkbcomp-1.4.1-150000.3.3.2">xkbcomp-1.4.1-150000.3.3.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="xterm-bin-330-150200.11.15.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xterm-bin-330-150200.11.15.1">xterm-bin-330-150200.11.15.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="yast2-4.3.70-150300.3.23.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:yast2-4.3.70-150300.3.23.3">yast2-4.3.70-150300.3.23.3 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="yast2-logs-4.3.70-150300.3.23.3" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:yast2-logs-4.3.70-150300.3.23.3">yast2-logs-4.3.70-150300.3.23.3 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="yast2-network-4.3.89-150300.3.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:yast2-network-4.3.89-150300.3.41.1">yast2-network-4.3.89-150300.3.41.1 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="yast2-packager-4.3.27-150300.3.15.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:yast2-packager-4.3.27-150300.3.15.2">yast2-packager-4.3.27-150300.3.15.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="yast2-pkg-bindings-4.3.13-150300.3.10.11" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:yast2-pkg-bindings-4.3.13-150300.3.10.11">yast2-pkg-bindings-4.3.13-150300.3.10.11 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="yast2-registration-4.3.29-150300.3.23.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:yast2-registration-4.3.29-150300.3.23.2">yast2-registration-4.3.29-150300.3.23.2 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="zypper-1.14.73-150200.81.6" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:zypper-1.14.73-150200.81.6">zypper-1.14.73-150200.81.6 as a component of Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees</Note>
    </Notes>
    <CVE>CVE-2013-4235</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:login_defs-4.8.1-150300.4.18.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:shadow-4.8.1-150300.4.18.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>3.3</BaseScore>
        <Vector>AV:L/AC:M/Au:N/C:N/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.</Note>
    </Notes>
    <CVE>CVE-2018-6798</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:perl-5.26.1-150300.17.17.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:perl-base-5.26.1-150300.17.17.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.</Note>
    </Notes>
    <CVE>CVE-2018-6913</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:perl-5.26.1-150300.17.17.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:perl-base-5.26.1-150300.17.17.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.</Note>
    </Notes>
    <CVE>CVE-2019-14889</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>9.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:C/I:C/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: Fix a potential use after free

Free the adap structure only after we are done using it.
This patch just moves the put_device() down a bit to avoid the
use after free.

[wsa: added comment to the code, added Fixes tag]</Note>
    </Notes>
    <CVE>CVE-2019-25162</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key.</Note>
    </Notes>
    <CVE>CVE-2020-10135</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.8</BaseScore>
        <Vector>AV:A/AC:L/Au:N/C:P/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.</Note>
    </Notes>
    <CVE>CVE-2020-12762</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libfastjson4-0.99.8-150000.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>6.8</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access.</Note>
    </Notes>
    <CVE>CVE-2020-12912</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:docker-25.0.6_ce-150000.203.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>2.1</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.</Note>
    </Notes>
    <CVE>CVE-2020-16135</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.</Note>
    </Notes>
    <CVE>CVE-2020-1730</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.</Note>
    </Notes>
    <CVE>CVE-2020-26555</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.8</BaseScore>
        <Vector>AV:A/AC:L/Au:N/C:P/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: dvbdev: Fix memory leak in dvb_media_device_free()

dvb_media_device_free() is leaking memory. Free `dvbdev-&gt;adapter-&gt;conn`
before setting it to NULL, as documented in include/media/media-device.h:
"The media_entity instance itself must be freed explicitly by the driver
if required."</Note>
    </Notes>
    <CVE>CVE-2020-36777</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: sprd: fix reference leak when pm_runtime_get_sync fails

The PM reference count is not expected to be incremented on
return in sprd_i2c_master_xfer() and sprd_i2c_remove().

However, pm_runtime_get_sync will increment the PM reference
count even if it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.</Note>
    </Notes>
    <CVE>CVE-2020-36780</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: imx: fix reference leak when pm_runtime_get_sync fails

In i2c_imx_xfer() and i2c_imx_remove(), the pm reference count
is not expected to be incremented on return.

However, pm_runtime_get_sync will increment the pm reference count
even if it fails. Forgetting the put operation will result in a
reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.</Note>
    </Notes>
    <CVE>CVE-2020-36781</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails

The PM reference count is not expected to be incremented on
return in lpi2c_imx_master_enable.

However, pm_runtime_get_sync will increment the PM reference
count even if it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.</Note>
    </Notes>
    <CVE>CVE-2020-36782</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: img-scb: fix reference leak when pm_runtime_get_sync fails

The PM reference count is not expected to be incremented on
return in functions img_i2c_xfer and img_i2c_init.

However, pm_runtime_get_sync will increment the PM reference
count even if it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.</Note>
    </Notes>
    <CVE>CVE-2020-36783</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: cadence: fix reference leak when pm_runtime_get_sync fails

The PM reference count is not expected to be incremented on
return in functions cdns_i2c_master_xfer and cdns_reg_slave.

However, pm_runtime_get_sync will increment the pm usage counter
even if it fails. Forgetting the put operation will result in a
reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.</Note>
    </Notes>
    <CVE>CVE-2020-36784</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: avoid a use-after-free when BO init fails

nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code
back to the caller. On failures, ttm_bo_init() invokes the provided
destructor which should de-initialize and free the memory.

Thus, when nouveau_bo_init() returns an error the gem object has already
been released and the memory freed by nouveau_bo_del_ttm().</Note>
    </Notes>
    <CVE>CVE-2020-36788</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A CSRF forgery vulnerability exists in rails &lt; 5.2.5, rails &lt; 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.</Note>
    </Notes>
    <CVE>CVE-2020-8166</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.29.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.</Note>
    </Notes>
    <CVE>CVE-2020-8694</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:docker-25.0.6_ce-150000.203.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>2.1</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.</Note>
    </Notes>
    <CVE>CVE-2020-8695</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:docker-25.0.6_ce-150000.203.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>2.1</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.</Note>
    </Notes>
    <CVE>CVE-2021-23134</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.6</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.</Note>
    </Notes>
    <CVE>CVE-2021-29155</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>2.1</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Integer Overflow or Wraparound vulnerability in openEuler kernel on Linux (filesystem modules) allows Forced Integer Overflow. This issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3, from 5.10.0-60.18.0 before 5.10.0-183.0.0.</Note>
    </Notes>
    <CVE>CVE-2021-33631</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, the previous session_id is kept and used as an input to the new secret_hash. Historically, both of these buffers shared a length variable, which worked as long as these buffers were the same. But the key re-exchange operation can also change the key exchange method, which can be based on a hash of a different size, eventually creating a "secret_hash" of a different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during a second key re-exchange.</Note>
    </Notes>
    <CVE>CVE-2021-3634</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4</BaseScore>
        <Vector>AV:N/AC:L/Au:S/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.</Note>
    </Notes>
    <CVE>CVE-2021-3743</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>3.6</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-185125206. References: Upstream kernel</Note>
    </Notes>
    <CVE>CVE-2021-39698</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.2</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:C/I:C/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in the Linux kernel for powerpc before 5.14.15. It allows a malicious KVM guest to crash the host, when the host is running on Power8, due to an arch/powerpc/kvm/book3s_hv_rmhandlers.S implementation bug in the handling of the SRR1 register values.</Note>
    </Notes>
    <CVE>CVE-2021-43056</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.9</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:N/I:N/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.</Note>
    </Notes>
    <CVE>CVE-2021-43389</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>2.1</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

isdn: cpai: check ctr-&gt;cnr to avoid array index out of bound

The cmtp_add_connection() would add a cmtp session to a controller
and run a kernel thread to process cmtp.

	__module_get(THIS_MODULE);
	session-&gt;task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
								session-&gt;num);

During this process, the kernel thread would call detach_capi_ctr()
to detach a register controller. If the controller
was not attached yet, detach_capi_ctr() would
trigger an array-index-out-of-bounds bug.

[   46.866069][ T6479] UBSAN: array-index-out-of-bounds in
drivers/isdn/capi/kcapi.c:483:21
[   46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'
[   46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted
5.15.0-rc2+ #8
[   46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.14.0-2 04/01/2014
[   46.870107][ T6479] Call Trace:
[   46.870473][ T6479]  dump_stack_lvl+0x57/0x7d
[   46.870974][ T6479]  ubsan_epilogue+0x5/0x40
[   46.871458][ T6479]  __ubsan_handle_out_of_bounds.cold+0x43/0x48
[   46.872135][ T6479]  detach_capi_ctr+0x64/0xc0
[   46.872639][ T6479]  cmtp_session+0x5c8/0x5d0
[   46.873131][ T6479]  ? __init_waitqueue_head+0x60/0x60
[   46.873712][ T6479]  ? cmtp_add_msgpart+0x120/0x120
[   46.874256][ T6479]  kthread+0x147/0x170
[   46.874709][ T6479]  ? set_kthread_struct+0x40/0x40
[   46.875248][ T6479]  ret_from_fork+0x1f/0x30
[   46.875773][ T6479]</Note>
    </Notes>
    <CVE>CVE-2021-4439</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: hso: fix null-ptr-deref during tty device unregistration

Multiple ttys try to claim the same minor number, causing a double
unregistration of the same device. The first unregistration succeeds
but the next one results in a null-ptr-deref.

The get_free_serial_index() function returns an available minor number
but doesn't assign it immediately. The assignment is done by the caller
later. But before this assignment, calls to get_free_serial_index()
would return the same minor number.

Fix this by modifying get_free_serial_index to assign the minor number
immediately after one is found to be and rename it to obtain_minor()
to better reflect what it does. Similarly, rename set_serial_by_index()
to release_minor() and modify it to free up the minor number of the
given hso_serial. Every obtain_minor() should have corresponding
release_minor() call.</Note>
    </Notes>
    <CVE>CVE-2021-46904</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report-&gt;size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().</Note>
    </Notes>
    <CVE>CVE-2021-46906</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ARM: footbridge: fix PCI interrupt mapping

Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in
pci_device_probe()"), the PCI code will call the IRQ mapping function
whenever a PCI driver is probed. If these are marked as __init, this
causes an oops if a PCI driver is loaded or bound after the kernel has
initialised.</Note>
    </Notes>
    <CVE>CVE-2021-46909</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ch_ktls: Fix kernel panic

Taking page refcount is not ideal and causes kernel panic
sometimes. It's better to take tx_ctx lock for the complete
skb transmit, to avoid page cleanup if ACK received in middle.</Note>
    </Notes>
    <CVE>CVE-2021-46911</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ixgbe: fix unbalanced device enable/disable in suspend/resume

pci_disable_device() called in __ixgbe_shutdown() decreases
dev-&gt;enable_cnt by 1. pci_enable_device_mem() which increases
dev-&gt;enable_cnt by 1, was removed from ixgbe_resume() in commit
6f82b2558735 ("ixgbe: use generic power management"). This caused
unbalanced increase/decrease. So add pci_enable_device_mem() back.

Fix the following call trace.

  ixgbe 0000:17:00.1: disabling already-disabled device
  Call Trace:
   __ixgbe_shutdown+0x10a/0x1e0 [ixgbe]
   ixgbe_suspend+0x32/0x70 [ixgbe]
   pci_pm_suspend+0x87/0x160
   ? pci_pm_freeze+0xd0/0xd0
   dpm_run_callback+0x42/0x170
   __device_suspend+0x114/0x460
   async_suspend+0x1f/0xa0
   async_run_entry_fn+0x3c/0xf0
   process_one_work+0x1dd/0x410
   worker_thread+0x34/0x3f0
   ? cancel_delayed_work+0x90/0x90
   kthread+0x14c/0x170
   ? kthread_park+0x90/0x90
   ret_from_fork+0x1f/0x30</Note>
    </Notes>
    <CVE>CVE-2021-46914</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_limit: avoid possible divide error in nft_limit_init

div_u64() divides u64 by u32.

nft_limit_init() wants to divide u64 by u64, use the appropriate
math function (div64_u64)

divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]
RIP: 0010:div_u64 include/linux/math64.h:127 [inline]
RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85
Call Trace:
 nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]
 nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713
 nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160
 nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321
 nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae</Note>
    </Notes>
    <CVE>CVE-2021-46915</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix wq cleanup of WQCFG registers

A pre-release silicon erratum workaround where wq reset does not clear
WQCFG registers was leaked into upstream code. Use wq reset command
instead of blasting the MMIO region. This also addresses an issue where
we clobber registers in future devices.</Note>
    </Notes>
    <CVE>CVE-2021-46917</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: clear MSIX permission entry on shutdown

Add disabling/clearing of MSIX permission entries on device shutdown to
mirror the enabling of the MSIX entries on probe. Current code left the
MSIX enabled and the pasid entries still programmed at device shutdown.</Note>
    </Notes>
    <CVE>CVE-2021-46918</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix wq size store permission state

WQ size can only be changed when the device is disabled. Current code
allows change when device is enabled but wq is disabled. Change the check
to detect device state.</Note>
    </Notes>
    <CVE>CVE-2021-46919</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback

Current code blindly writes over the SWERR and the OVERFLOW bits. Write
back the bits actually read instead so the driver avoids clobbering the
OVERFLOW bit that comes after the register is read.</Note>
    </Notes>
    <CVE>CVE-2021-46920</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

locking/qrwlock: Fix ordering in queued_write_lock_slowpath()

While this code is executed with the wait_lock held, a reader can
acquire the lock without holding wait_lock.  The writer side loops
checking the value with the atomic_cond_read_acquire(), but only truly
acquires the lock when the compare-and-exchange is completed
successfully which isn't ordered. This exposes the window between the
acquire and the cmpxchg to an A-B-A problem which allows reads
following the lock acquisition to observe values speculatively before
the write lock is truly acquired.

We've seen a problem in epoll where the reader does a xchg while
holding the read lock, but the writer can see a value change out from
under it.

  Writer                                | Reader
  --------------------------------------------------------------------------------
  ep_scan_ready_list()                  |
  |- write_lock_irq()                   |
      |- queued_write_lock_slowpath()   |
	|- atomic_cond_read_acquire()   |
				        | read_lock_irqsave(&amp;ep-&gt;lock, flags);
     --&gt; (observes value before unlock) |  chain_epi_lockless()
     |                                  |    epi-&gt;next = xchg(&amp;ep-&gt;ovflist, epi);
     |                                  | read_unlock_irqrestore(&amp;ep-&gt;lock, flags);
     |                                  |
     |     atomic_cmpxchg_relaxed()     |
     |-- READ_ONCE(ep-&gt;ovflist);        |

A core can order the read of the ovflist ahead of the
atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire
semantics addresses this issue at which point the atomic_cond_read can
be switched to use relaxed semantics.

[peterz: use try_cmpxchg()]</Note>
    </Notes>
    <CVE>CVE-2021-46921</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KEYS: trusted: Fix TPM reservation for seal/unseal

The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal
and unseal operations") was correct on the mailing list:

https://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/

But somehow got rebased so that the tpm_try_get_ops() in
tpm2_seal_trusted() got lost.  This causes an imbalanced put of the
TPM ops and causes oopses on TIS based hardware.

This fix puts back the lost tpm_try_get_ops()</Note>
    </Notes>
    <CVE>CVE-2021-46922</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFC: st21nfca: Fix memory leak in device probe and remove

'phy-&gt;pending_skb' is allocated at device probe, but is not freed
in the error handling path and remove path; this causes a memory leak
as follows:

unreferenced object 0xffff88800bc06800 (size 512):
  comm "8", pid 11775, jiffies 4295159829 (age 9.032s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;00000000d66c09ce&gt;] __kmalloc_node_track_caller+0x1ed/0x450
    [&lt;00000000c93382b3&gt;] kmalloc_reserve+0x37/0xd0
    [&lt;000000005fea522c&gt;] __alloc_skb+0x124/0x380
    [&lt;0000000019f29f9a&gt;] st21nfca_hci_i2c_probe+0x170/0x8f2

Fix it by freeing 'pending_skb' in error and remove.</Note>
    </Notes>
    <CVE>CVE-2021-46924</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: mtu3: fix list_head check warning

This is caused by uninitialization of list_head.

BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4

Call trace:
dump_backtrace+0x0/0x298
show_stack+0x24/0x34
dump_stack+0x130/0x1a8
print_address_description+0x88/0x56c
__kasan_report+0x1b8/0x2a0
kasan_report+0x14/0x20
__asan_load8+0x9c/0xa0
__list_del_entry_valid+0x34/0xe4
mtu3_req_complete+0x4c/0x300 [mtu3]
mtu3_gadget_stop+0x168/0x448 [mtu3]
usb_gadget_unregister_driver+0x204/0x3a0
unregister_gadget_item+0x44/0xa4</Note>
    </Notes>
    <CVE>CVE-2021-46930</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Wrap the tx reporter dump callback to extract the sq

Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct
mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually
of type struct mlx5e_tx_timeout_ctx *.

 mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected
 mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000
 BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae)
 kernel stack overflow (page fault): 0000 [#1] SMP NOPTI
 CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]
 RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180
 [mlx5_core]
 Call Trace:
 mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core]
 devlink_health_do_dump.part.91+0x71/0xd0
 devlink_health_report+0x157/0x1b0
 mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core]
 ? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0
 [mlx5_core]
 ? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core]
 ? update_load_avg+0x19b/0x550
 ? set_next_entity+0x72/0x80
 ? pick_next_task_fair+0x227/0x340
 ? finish_task_switch+0xa2/0x280
   mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core]
   process_one_work+0x1de/0x3a0
   worker_thread+0x2d/0x3c0
 ? process_one_work+0x3a0/0x3a0
   kthread+0x115/0x130
 ? kthread_park+0x90/0x90
   ret_from_fork+0x1f/0x30
 --[ end trace 51ccabea504edaff ]---
 RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180
 PKRU: 55555554
 Kernel panic - not syncing: Fatal exception
 Kernel Offset: disabled
 end Kernel panic - not syncing: Fatal exception

To fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which
extracts the sq from struct mlx5e_tx_timeout_ctx and set it as the
TX-timeout-recovery flow dump callback.</Note>
    </Notes>
    <CVE>CVE-2021-46931</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

Input: appletouch - initialize work before device registration

Syzbot has reported warning in __flush_work(). This warning is caused by
work-&gt;func == NULL, which means missing work initialization.

This may happen, since input_dev-&gt;close() calls
cancel_work_sync(&amp;dev-&gt;work), but dev-&gt;work initialization happens _after_
input_register_device() call.

So this patch moves dev-&gt;work initialization before registering input
device</Note>
    </Notes>
    <CVE>CVE-2021-46932</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
ffs_ep0_release, so it ends up being called twice when userland closes ep0
and then unmounts f_fs.
If userland provided an eventfd along with function's USB descriptors, it
ends up calling eventfd_ctx_put as many times, causing a refcount
underflow.
NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.

Also, set epfiles to NULL right after de-allocating it, for readability.

For completeness, ffs_data_clear actually ends up being called thrice, the
last call being before the whole ffs structure gets freed, so when this
specific sequence happens there is a second underflow happening (but not
being reported):

/sys/kernel/debug/tracing# modprobe usb_f_fs
/sys/kernel/debug/tracing# echo ffs_data_clear &gt; set_ftrace_filter
/sys/kernel/debug/tracing# echo function &gt; current_tracer
/sys/kernel/debug/tracing# echo 1 &gt; tracing_on
(setup gadget, run and kill function userland process, teardown gadget)
/sys/kernel/debug/tracing# echo 0 &gt; tracing_on
/sys/kernel/debug/tracing# cat trace
 smartcard-openp-436     [000] .....  1946.208786: ffs_data_clear &lt;-ffs_data_closed
 smartcard-openp-431     [000] .....  1946.279147: ffs_data_clear &lt;-ffs_data_closed
 smartcard-openp-431     [000] .n...  1946.905512: ffs_data_clear &lt;-ffs_data_put

Warning output corresponding to above trace:
[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
[ 1946.293094] refcount_t: underflow; use-after-free.
[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G         C OE     5.15.0-1-rpi #1  Debian 5.15.3-1
[ 1946.417950] Hardware name: BCM2835
[ 1946.425442] Backtrace:
[ 1946.432048] [&lt;c08d60a0&gt;] (dump_backtrace) from [&lt;c08d62ec&gt;] (show_stack+0x20/0x24)
[ 1946.448226]  r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
[ 1946.458412] [&lt;c08d62cc&gt;] (show_stack) from [&lt;c08d9ae0&gt;] (dump_stack+0x28/0x30)
[ 1946.470380] [&lt;c08d9ab8&gt;] (dump_stack) from [&lt;c0123500&gt;] (__warn+0xe8/0x154)
[ 1946.482067]  r5:c04a948c r4:c0a71dc8
[ 1946.490184] [&lt;c0123418&gt;] (__warn) from [&lt;c08d6948&gt;] (warn_slowpath_fmt+0xa0/0xe4)
[ 1946.506758]  r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
[ 1946.517070] [&lt;c08d68ac&gt;] (warn_slowpath_fmt) from [&lt;c04a948c&gt;] (refcount_warn_saturate+0x110/0x15c)
[ 1946.535309]  r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
[ 1946.546708] [&lt;c04a937c&gt;] (refcount_warn_saturate) from [&lt;c0380134&gt;] (eventfd_ctx_put+0x48/0x74)
[ 1946.564476] [&lt;c03800ec&gt;] (eventfd_ctx_put) from [&lt;bf5464e8&gt;] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
[ 1946.582664]  r5:c3b84c00 r4:c2695b00
[ 1946.590668] [&lt;bf546418&gt;] (ffs_data_clear [usb_f_fs]) from [&lt;bf547cc0&gt;] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
[ 1946.609608]  r5:bf54d014 r4:c2695b00
[ 1946.617522] [&lt;bf547c24&gt;] (ffs_data_closed [usb_f_fs]) from [&lt;bf547da0&gt;] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
[ 1946.636217]  r7:c0dfcb
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-46933</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: validate user data in compat ioctl

Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
Userspace should not be able to trigger warnings, so this patch adds
validation checks for user data in compat ioctl to prevent reported
warnings</Note>
    </Notes>
    <CVE>CVE-2021-46934</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails

When loading a device-mapper table for a request-based mapped device,
and the allocation/initialization of the blk_mq_tag_set for the device
fails, a following device remove will cause a double free.

E.g. (dmesg):
  device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device
  device-mapper: ioctl: unable to set up device queue for new table.
  Unable to handle kernel pointer dereference in virtual kernel address space
  Failing address: 0305e098835de000 TEID: 0305e098835de803
  Fault in home space mode while using kernel ASCE.
  AS:000000025efe0007 R3:0000000000000024
  Oops: 0038 ilc:3 [#1] SMP
  Modules linked in: ... lots of modules ...
  Supported: Yes, External
  CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G        W      X    5.3.18-53-default #1 SLE15-SP3
  Hardware name: IBM 8561 T01 7I2 (LPAR)
  Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330)
             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
  Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000
             000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000
             000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640
             00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8
  Krnl Code: 000000025e368eb8: c4180041e100       lgrl    %r1,25eba50b8
             000000025e368ebe: ecba06b93a55       risbg   %r11,%r10,6,185,58
            #000000025e368ec4: e3b010000008       ag      %r11,0(%r1)
            &gt;000000025e368eca: e310b0080004       lg      %r1,8(%r11)
             000000025e368ed0: a7110001           tmll    %r1,1
             000000025e368ed4: a7740129           brc     7,25e369126
             000000025e368ed8: e320b0080004       lg      %r2,8(%r11)
             000000025e368ede: b904001b           lgr     %r1,%r11
  Call Trace:
   [&lt;000000025e368eca&gt;] kfree+0x42/0x330
   [&lt;000000025e5202a2&gt;] blk_mq_free_tag_set+0x72/0xb8
   [&lt;000003ff801316a8&gt;] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod]
   [&lt;000003ff80120082&gt;] free_dev+0x52/0xd0 [dm_mod]
   [&lt;000003ff801233f0&gt;] __dm_destroy+0x150/0x1d0 [dm_mod]
   [&lt;000003ff8012bb9a&gt;] dev_remove+0x162/0x1c0 [dm_mod]
   [&lt;000003ff8012a988&gt;] ctl_ioctl+0x198/0x478 [dm_mod]
   [&lt;000003ff8012ac8a&gt;] dm_ctl_ioctl+0x22/0x38 [dm_mod]
   [&lt;000000025e3b11ee&gt;] ksys_ioctl+0xbe/0xe0
   [&lt;000000025e3b127a&gt;] __s390x_sys_ioctl+0x2a/0x40
   [&lt;000000025e8c15ac&gt;] system_call+0xd8/0x2c8
  Last Breaking-Event-Address:
   [&lt;000000025e52029c&gt;] blk_mq_free_tag_set+0x6c/0xb8
  Kernel panic - not syncing: Fatal exception: panic_on_oops

When allocation/initialization of the blk_mq_tag_set fails in
dm_mq_init_request_queue(), it is uninitialized/freed, but the pointer
is not reset to NULL; so when dev_remove() later gets into
dm_mq_cleanup_mapped_device() it sees the pointer and tries to
uninitialize and free it again.

Fix this by setting the pointer to NULL in dm_mq_init_request_queue()
error-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().</Note>
    </Notes>
    <CVE>CVE-2021-46938</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tracing: Restructure trace_clock_global() to never block

It was reported that a fix to the ring buffer recursion detection would
cause a hung machine when performing suspend / resume testing. The
following backtrace was extracted from debugging that case:

Call Trace:
 trace_clock_global+0x91/0xa0
 __rb_reserve_next+0x237/0x460
 ring_buffer_lock_reserve+0x12a/0x3f0
 trace_buffer_lock_reserve+0x10/0x50
 __trace_graph_return+0x1f/0x80
 trace_graph_return+0xb7/0xf0
 ? trace_clock_global+0x91/0xa0
 ftrace_return_to_handler+0x8b/0xf0
 ? pv_hash+0xa0/0xa0
 return_to_handler+0x15/0x30
 ? ftrace_graph_caller+0xa0/0xa0
 ? trace_clock_global+0x91/0xa0
 ? __rb_reserve_next+0x237/0x460
 ? ring_buffer_lock_reserve+0x12a/0x3f0
 ? trace_event_buffer_lock_reserve+0x3c/0x120
 ? trace_event_buffer_reserve+0x6b/0xc0
 ? trace_event_raw_event_device_pm_callback_start+0x125/0x2d0
 ? dpm_run_callback+0x3b/0xc0
 ? pm_ops_is_empty+0x50/0x50
 ? platform_get_irq_byname_optional+0x90/0x90
 ? trace_device_pm_callback_start+0x82/0xd0
 ? dpm_run_callback+0x49/0xc0

With the following RIP:

RIP: 0010:native_queued_spin_lock_slowpath+0x69/0x200

Since the fix to the recursion detection would allow a single recursion to
happen while tracing, this led to the trace_clock_global() taking a spin
lock and then trying to take it again:

ring_buffer_lock_reserve() {
  trace_clock_global() {
    arch_spin_lock() {
      queued_spin_lock_slowpath() {
        /* lock taken */
        (something else gets traced by function graph tracer)
          ring_buffer_lock_reserve() {
            trace_clock_global() {
              arch_spin_lock() {
                queued_spin_lock_slowpath() {
                /* DEAD LOCK! */

Tracing should *never* block, as it can lead to strange lockups like the
above.

Restructure the trace_clock_global() code to instead of simply taking a
lock to update the recorded "prev_time" simply use it, as two events
happening on two different CPUs that calls this at the same time, really
doesn't matter which one goes first. Use a trylock to grab the lock for
updating the prev_time, and if it fails, simply try again the next time.
If it failed to be taken, that means something else is already updating
it.


Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212761</Note>
    </Notes>
    <CVE>CVE-2021-46939</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: staging/intel-ipu3: Fix set_fmt error handling

If there is an error during a set_fmt, do not overwrite the previous
sizes with the invalid config.

Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and
causing the following OOPs

[   38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes)
[   38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0
[   38.663010] general protection fault: 0000 [#1] PREEMPT SMP</Note>
    </Notes>
    <CVE>CVE-2021-46943</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: staging/intel-ipu3: Fix memory leak in imu_fmt

We are losing the reference to an allocated memory if try. Change the
order of the check to avoid that.</Note>
    </Notes>
    <CVE>CVE-2021-46944</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

md/raid1: properly indicate failure when ending a failed write request

This patch addresses a data corruption bug in raid1 arrays using bitmaps.
Without this fix, the bitmap bits for the failed I/O end up being cleared.

Since we are in the failure leg of raid1_end_write_request, the request
either needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded).</Note>
    </Notes>
    <CVE>CVE-2021-46950</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tpm: efi: Use local variable for calculating final log size

When tpm_read_log_efi is called multiple times, which happens when
one loads and unloads a TPM2 driver multiple times, then the global
variable efi_tpm_final_log_size will at some point become a negative
number due to the subtraction of final_events_preboot_size occurring
each time. Use a local variable to avoid this integer underflow.

The following issue is now resolved:

Mar  8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Mar  8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy]
Mar  8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20
Mar  8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 &lt;f3&gt; 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
Mar  8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206
Mar  8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f
Mar  8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d
Mar  8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073
Mar  8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5
Mar  8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018
Mar  8 15:35:12 hibinst kernel: FS:  0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000
Mar  8 15:35:12 hibinst kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Mar  8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0
Mar  8 15:35:12 hibinst kernel: Call Trace:
Mar  8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7
Mar  8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0
Mar  8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260
Mar  8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy]
Mar  8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370
Mar  8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0
Mar  8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370</Note>
    </Notes>
    <CVE>CVE-2021-46951</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ACPI: GTDT: Don't corrupt interrupt mappings on watchdog probe failure

When failing the driver probe because of invalid firmware properties,
the GTDT driver unmaps the interrupt that it mapped earlier.

However, it never checks whether the mapping of the interrupt actually
succeeded. Even more, should the firmware report an illegal interrupt
number that overlaps with the GIC SGI range, this can result in an
IPI being unmapped, and subsequent fireworks (as reported by Dann
Frazier).

Rework the driver to have a slightly saner behaviour and actually
check whether the interrupt has been mapped before unmapping things.</Note>
    </Notes>
    <CVE>CVE-2021-46953</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

openvswitch: fix stack OOB read while fragmenting IPv4 packets

running openvswitch on kernels built with KASAN, it's possible to see the
following splat while testing fragmentation of IPv4 packets:

 BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60
 Read of size 1 at addr ffff888112fc713c by task handler2/1367

 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 Call Trace:
  dump_stack+0x92/0xc1
  print_address_description.constprop.7+0x1a/0x150
  kasan_report.cold.13+0x7f/0x111
  ip_do_fragment+0x1b03/0x1f60
  ovs_fragment+0x5bf/0x840 [openvswitch]
  do_execute_actions+0x1bd5/0x2400 [openvswitch]
  ovs_execute_actions+0xc8/0x3d0 [openvswitch]
  ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]
  genl_family_rcv_msg_doit.isra.15+0x227/0x2d0
  genl_rcv_msg+0x287/0x490
  netlink_rcv_skb+0x120/0x380
  genl_rcv+0x24/0x40
  netlink_unicast+0x439/0x630
  netlink_sendmsg+0x719/0xbf0
  sock_sendmsg+0xe2/0x110
  ____sys_sendmsg+0x5ba/0x890
  ___sys_sendmsg+0xe9/0x160
  __sys_sendmsg+0xd3/0x170
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f957079db07
 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 &lt;48&gt; 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48
 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07
 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019
 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730
 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0

 The buggy address belongs to the page:
 page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7
 flags: 0x17ffffc0000000()
 raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000
 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:
  ovs_fragment+0x0/0x840 [openvswitch]

 this frame has 2 objects:
  [32, 144) 'ovs_dst'
  [192, 424) 'ovs_rt'

 Memory state around the buggy address:
  ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
 &gt;ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
                                         ^
  ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00

for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then,
in the following call graph:

  ip_do_fragment()
    ip_skb_dst_mtu()
      ip_dst_mtu_maybe_forward()
        ip_mtu_locked()

the pointer to struct dst_entry is used as pointer to struct rtable: this
turns the access to struct members like rt_mtu_locked into an OOB read in
the stack. Fix this by changing the temporary variable used for IPv4 packets
in ovs_fragment(), similarly to what is done for IPv6 a few lines below.</Note>
    </Notes>
    <CVE>CVE-2021-46955</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

virtiofs: fix memory leak in virtio_fs_probe()

When accidentally passing the same tag twice to qemu, kmemleak ended up
reporting a memory leak in virtiofs.  Also, looking at the log I saw the
following error (that's when I realised the duplicated tag):

  virtiofs: probe of virtio5 failed with error -17

Here's the kmemleak log for reference:

unreferenced object 0xffff888103d47800 (size 1024):
  comm "systemd-udevd", pid 118, jiffies 4294893780 (age 18.340s)
  hex dump (first 32 bytes):
    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
    ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff  ................
  backtrace:
    [&lt;000000000ebb87c1&gt;] virtio_fs_probe+0x171/0x7ae [virtiofs]
    [&lt;00000000f8aca419&gt;] virtio_dev_probe+0x15f/0x210
    [&lt;000000004d6baf3c&gt;] really_probe+0xea/0x430
    [&lt;00000000a6ceeac8&gt;] device_driver_attach+0xa8/0xb0
    [&lt;00000000196f47a7&gt;] __driver_attach+0x98/0x140
    [&lt;000000000b20601d&gt;] bus_for_each_dev+0x7b/0xc0
    [&lt;00000000399c7b7f&gt;] bus_add_driver+0x11b/0x1f0
    [&lt;0000000032b09ba7&gt;] driver_register+0x8f/0xe0
    [&lt;00000000cdd55998&gt;] 0xffffffffa002c013
    [&lt;000000000ea196a2&gt;] do_one_initcall+0x64/0x2e0
    [&lt;0000000008f727ce&gt;] do_init_module+0x5c/0x260
    [&lt;000000003cdedab6&gt;] __do_sys_finit_module+0xb5/0x120
    [&lt;00000000ad2f48c6&gt;] do_syscall_64+0x33/0x40
    [&lt;00000000809526b5&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xae</Note>
    </Notes>
    <CVE>CVE-2021-46956</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between transaction aborts and fsyncs leading to use-after-free

There is a race between a task aborting a transaction during a commit,
a task doing an fsync and the transaction kthread, which leads to a
use-after-free of the log root tree. When this happens, it results in a
stack trace like the following:

  BTRFS info (device dm-0): forced readonly
  BTRFS warning (device dm-0): Skipping commit of aborted transaction.
  BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure
  BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)
  BTRFS warning (device dm-0): Skipping commit of aborted transaction.
  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10
  BTRFS error (device dm-0): error writing primary super block to device 1
  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10
  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10
  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10
  BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)
  BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure
  general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
  CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
  RIP: 0010:__mutex_lock+0x139/0xa40
  Code: c0 74 19 (...)
  Call Trace:
   ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]
   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]
   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]
   btrfs_sync_log+0x7c1/0xf20 [btrfs]
   btrfs_sync_file+0x40c/0x580 [btrfs]
   do_fsync+0x38/0x70
   __x64_sys_fsync+0x10/0x20
   do_syscall_64+0x33/0x80
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  RIP: 0033:0x7fa9142a55c3
  Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)
  ---[ end trace ee2f1b19327d791d ]---

The steps that lead to this crash are the following:

1) We are at transaction N;

2) We have two tasks with a transaction handle attached to transaction N.
   Task A and Task B. Task B is doing an fsync;

3) Task B is at btrfs_sync_log(), and has saved fs_info-&gt;log_root_tree
   into a local variable named 'log_root_tree' at the top of
   btrfs_sync_log(). Task B is about to call write_all_supers(), but
   before that...

4) Task A calls btrfs_commit_transaction(), and after it sets the
   transaction state to TRANS_STATE_COMMIT_START, an error happens before
   it w
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-46958</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

spi: Fix use-after-free with devm_spi_alloc_*

We can't rely on the contents of the devres list during
spi_unregister_controller(), as the list is already torn down at the
time we perform devres_find() for devm_spi_release_controller. This
causes devices registered with devm_spi_alloc_{master,slave}() to be
mistakenly identified as legacy, non-devm managed devices and have their
reference counters decremented below 0.

------------[ cut here ]------------
WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174
[&lt;b0396f04&gt;] (refcount_warn_saturate) from [&lt;b03c56a4&gt;] (kobject_put+0x90/0x98)
[&lt;b03c5614&gt;] (kobject_put) from [&lt;b0447b4c&gt;] (put_device+0x20/0x24)
 r4:b6700140
[&lt;b0447b2c&gt;] (put_device) from [&lt;b07515e8&gt;] (devm_spi_release_controller+0x3c/0x40)
[&lt;b07515ac&gt;] (devm_spi_release_controller) from [&lt;b045343c&gt;] (release_nodes+0x84/0xc4)
 r5:b6700180 r4:b6700100
[&lt;b04533b8&gt;] (release_nodes) from [&lt;b0454160&gt;] (devres_release_all+0x5c/0x60)
 r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10
[&lt;b0454104&gt;] (devres_release_all) from [&lt;b044e41c&gt;] (__device_release_driver+0x144/0x1ec)
 r5:b117ad94 r4:b163dc10
[&lt;b044e2d8&gt;] (__device_release_driver) from [&lt;b044f70c&gt;] (device_driver_detach+0x84/0xa0)
 r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10
[&lt;b044f688&gt;] (device_driver_detach) from [&lt;b044d274&gt;] (unbind_store+0xe4/0xf8)

Instead, determine the devm allocation state as a flag on the
controller which is guaranteed to be stable during cleanup.</Note>
    </Notes>
    <CVE>CVE-2021-46959</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cifs: Return correct error code from smb2_get_enc_key

Avoid a warning if the error percolates back up:

[440700.376476] CIFS VFS: \\otters.example.com crypt_message: Could not get encryption key
[440700.386947] ------------[ cut here ]------------
[440700.386948] err = 1
[440700.386977] WARNING: CPU: 11 PID: 2733 at /build/linux-hwe-5.4-p6lk6L/linux-hwe-5.4-5.4.0/lib/errseq.c:74 errseq_set+0x5c/0x70
...
[440700.397304] CPU: 11 PID: 2733 Comm: tar Tainted: G           OE     5.4.0-70-generic #78~18.04.1-Ubuntu
...
[440700.397334] Call Trace:
[440700.397346]  __filemap_set_wb_err+0x1a/0x70
[440700.397419]  cifs_writepages+0x9c7/0xb30 [cifs]
[440700.397426]  do_writepages+0x4b/0xe0
[440700.397444]  __filemap_fdatawrite_range+0xcb/0x100
[440700.397455]  filemap_write_and_wait+0x42/0xa0
[440700.397486]  cifs_setattr+0x68b/0xf30 [cifs]
[440700.397493]  notify_change+0x358/0x4a0
[440700.397500]  utimes_common+0xe9/0x1c0
[440700.397510]  do_utimes+0xc5/0x150
[440700.397520]  __x64_sys_utimensat+0x88/0xd0</Note>
    </Notes>
    <CVE>CVE-2021-46960</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v3: Do not enable irqs when handling spurious interrups

We triggered the following error while running our 4.19 kernel
with the pseudo-NMI patches backported to it:

[   14.816231] ------------[ cut here ]------------
[   14.816231] kernel BUG at irq.c:99!
[   14.816232] Internal error: Oops - BUG: 0 [#1] SMP
[   14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))
[   14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O      4.19.95.aarch64 #14
[   14.816233] Hardware name: evb (DT)
[   14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)
[   14.816234] pc : asm_nmi_enter+0x94/0x98
[   14.816235] lr : asm_nmi_enter+0x18/0x98
[   14.816235] sp : ffff000008003c50
[   14.816235] pmr_save: 00000070
[   14.816251] Call trace:
[   14.816251]  asm_nmi_enter+0x94/0x98
[   14.816251]  el1_irq+0x8c/0x180                    (IRQ C)
[   14.816252]  gic_handle_irq+0xbc/0x2e4
[   14.816252]  el1_irq+0xcc/0x180                    (IRQ B)
[   14.816253]  arch_timer_handler_virt+0x38/0x58
[   14.816253]  handle_percpu_devid_irq+0x90/0x240
[   14.816253]  generic_handle_irq+0x34/0x50
[   14.816254]  __handle_domain_irq+0x68/0xc0
[   14.816254]  gic_handle_irq+0xf8/0x2e4
[   14.816255]  el1_irq+0xcc/0x180                    (IRQ A)
[   14.816255]  arch_cpu_idle+0x34/0x1c8
[   14.816255]  default_idle_call+0x24/0x44
[   14.816256]  do_idle+0x1d0/0x2c8
[   14.816256]  cpu_startup_entry+0x28/0x30
[   14.816256]  rest_init+0xb8/0xc8
[   14.816257]  start_kernel+0x4c8/0x4f4
[   14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)
[   14.816258] Modules linked in: start_dp(O) smeth(O)
[   15.103092] ---[ end trace 701753956cb14aa8 ]---
[   15.103093] Kernel panic - not syncing: Fatal exception in interrupt
[   15.103099] SMP: stopping secondary CPUs
[   15.103100] Kernel Offset: disabled
[   15.103100] CPU features: 0x36,a2400218
[   15.103100] Memory Limit: none

which is caused by a 'BUG_ON(in_nmi())' in nmi_enter().

From the call trace, we can find three interrupts (noted A, B, C above):
interrupt (A) is preempted by (B), which is further interrupted by (C).

Subsequent investigations show that (B) results in nmi_enter() being
called, but that it actually is a spurious interrupt. Furthermore,
interrupts are reenabled in the context of (B), and (C) fires with
NMI priority. We end up with a nested NMI situation, something
we definitely do not want to (and cannot) handle.

The bug here is that spurious interrupts should never result in any
state change, and we should just return to the interrupted context.
Moving the handling of spurious interrupts as early as possible in
the GICv3 handler fixes this issue.

[maz: rewrote commit message, corrected Fixes: tag]</Note>
    </Notes>
    <CVE>CVE-2021-46961</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mmc: uniphier-sd: Fix a resource leak in the remove function

A 'tmio_mmc_host_free()' call is missing in the remove function, in order
to balance a 'tmio_mmc_host_alloc()' call in the probe.
This is done in the error handling path of the probe, but not in the remove
function.

Add the missing call.</Note>
    </Notes>
    <CVE>CVE-2021-46962</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()

    RIP: 0010:kmem_cache_free+0xfa/0x1b0
    Call Trace:
       qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]
       scsi_queue_rq+0x5e2/0xa40
       __blk_mq_try_issue_directly+0x128/0x1d0
       blk_mq_request_issue_directly+0x4e/0xb0

Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now
allocated by upper layers. This fixes smatch warning of srb unintended
free.</Note>
    </Notes>
    <CVE>CVE-2021-46963</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Reserve extra IRQ vectors

Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of
CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs.

That breaks vector allocation assumptions in qla83xx_iospace_config(),
qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions
computes maximum number of qpairs as:

  ha-&gt;max_qpairs = ha-&gt;msix_count - 1 (MB interrupt) - 1 (default
                   response queue) - 1 (ATIO, in dual or pure target mode)

max_qpairs is set to zero in case of two CPUs and initiator mode. The
number is then used to allocate ha-&gt;queue_pair_map inside
qla2x00_alloc_queues(). No allocation happens and ha-&gt;queue_pair_map is
left NULL but the driver thinks there are queue pairs available.

qla2xxx_queuecommand() tries to find a qpair in the map and crashes:

  if (ha-&gt;mqenable) {
          uint32_t tag;
          uint16_t hwq;
          struct qla_qpair *qpair = NULL;

          tag = blk_mq_unique_tag(cmd-&gt;request);
          hwq = blk_mq_unique_tag_to_hwq(tag);
          qpair = ha-&gt;queue_pair_map[hwq]; # &lt;- HERE

          if (qpair)
                  return qla2xxx_mqueuecommand(host, cmd, qpair);
  }

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP PTI
  CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G        W         5.10.0-rc1+ #25
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
  Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]
  RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]
  Call Trace:
   scsi_queue_rq+0x58c/0xa60
   blk_mq_dispatch_rq_list+0x2b7/0x6f0
   ? __sbitmap_get_word+0x2a/0x80
   __blk_mq_sched_dispatch_requests+0xb8/0x170
   blk_mq_sched_dispatch_requests+0x2b/0x50
   __blk_mq_run_hw_queue+0x49/0xb0
   __blk_mq_delay_run_hw_queue+0xfb/0x150
   blk_mq_sched_insert_request+0xbe/0x110
   blk_execute_rq+0x45/0x70
   __scsi_execute+0x10e/0x250
   scsi_probe_and_add_lun+0x228/0xda0
   __scsi_scan_target+0xf4/0x620
   ? __pm_runtime_resume+0x4f/0x70
   scsi_scan_target+0x100/0x110
   fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]
   process_one_work+0x1ea/0x3b0
   worker_thread+0x28/0x3b0
   ? process_one_work+0x3b0/0x3b0
   kthread+0x112/0x130
   ? kthread_park+0x80/0x80
   ret_from_fork+0x22/0x30

The driver should allocate enough vectors to provide every CPU its own HW
queue and still handle reserved (MB, RSP, ATIO) interrupts.

The change fixes the crash on dual core VM and prevents unbalanced QP
allocation where nr_hw_queues is two less than the number of CPUs.</Note>
    </Notes>
    <CVE>CVE-2021-46964</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ACPI: custom_method: fix potential use-after-free issue

In cm_write(), buf is always freed when reaching the end of the
function.  If the requested count is less than table.length, the
allocated buffer will be freed but subsequent calls to cm_write() will
still try to access it.

Remove the unconditional kfree(buf) at the end of the function and
set the buf to NULL in the -EINVAL error path to match the rest of
the function.</Note>
    </Notes>
    <CVE>CVE-2021-46966</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

s390/zcrypt: fix zcard and zqueue hot-unplug memleak

Tests with kvm and a kmemdebug kernel showed that on hot unplug the
zcard and zqueue structs for the unplugged card or queue are not
properly freed because of a mismatch with get/put for the embedded
kref counter.

This fix now adjusts the handling of the kref counters. With init the
kref counter starts with 1. This initial value needs to drop to zero
with the unregister of the card or queue to trigger the release and
free the object.</Note>
    </Notes>
    <CVE>CVE-2021-46968</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix unconditional security_locked_down() call

Currently, the lockdown state is queried unconditionally, even though
its result is used only if the PERF_SAMPLE_REGS_INTR bit is set in
attr.sample_type. While that doesn't matter in case of the Lockdown LSM,
it causes trouble with the SELinux's lockdown hook implementation.

SELinux implements the locked_down hook with a check whether the current
task's type has the corresponding "lockdown" class permission
("integrity" or "confidentiality") allowed in the policy. This means
that calling the hook when the access control decision would be ignored
generates a bogus permission check and audit record.

Fix this by checking sample_type first and only calling the hook when
its result would be honored.</Note>
    </Notes>
    <CVE>CVE-2021-46971</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix masking negation logic upon negative dst register

The negation logic for the case where the off_reg is sitting in the
dst register is not correct given that we cannot just invert the add
to a sub or vice versa. As a fix, perform the final bitwise and-op
unconditionally into AX from the off_reg, then move the pointer from
the src to dst and finally use AX as the source for the original
pointer arithmetic operation such that the inversion yields a correct
result. The single non-AX mov in between is possible given constant
blinding is retaining it as it's not an immediate based operation.</Note>
    </Notes>
    <CVE>CVE-2021-46974</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Fix crash in auto_retire

The retire logic uses the 2 lower bits of the pointer to the retire
function to store flags. However, the auto_retire function is not
guaranteed to be aligned to a multiple of 4, which causes crashes as
we jump to the wrong address, for example like this:

2021-04-24T18:03:53.804300Z WARNING kernel: [  516.876901] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
2021-04-24T18:03:53.804310Z WARNING kernel: [  516.876906] CPU: 7 PID: 146 Comm: kworker/u16:6 Tainted: G     U            5.4.105-13595-g3cd84167b2df #1
2021-04-24T18:03:53.804311Z WARNING kernel: [  516.876907] Hardware name: Google Volteer2/Volteer2, BIOS Google_Volteer2.13672.76.0 02/22/2021
2021-04-24T18:03:53.804312Z WARNING kernel: [  516.876911] Workqueue: events_unbound active_work
2021-04-24T18:03:53.804313Z WARNING kernel: [  516.876914] RIP: 0010:auto_retire+0x1/0x20
2021-04-24T18:03:53.804325Z WARNING kernel: [  516.876931] Call Trace:
2021-04-24T18:03:53.804326Z WARNING kernel: [  516.876935]  __active_retire+0x77/0xcf
2021-04-24T18:03:53.804326Z WARNING kernel: [  516.876939]  process_one_work+0x1da/0x394
2021-04-24T18:03:53.804327Z WARNING kernel: [  516.876941]  worker_thread+0x216/0x375
2021-04-24T18:03:53.804327Z WARNING kernel: [  516.876944]  kthread+0x147/0x156
2021-04-24T18:03:53.804335Z WARNING kernel: [  516.876946]  ? pr_cont_work+0x58/0x58
2021-04-24T18:03:53.804335Z WARNING kernel: [  516.876948]  ? kthread_blkcg+0x2e/0x2e
2021-04-24T18:03:53.804336Z WARNING kernel: [  516.876950]  ret_from_fork+0x1f/0x40
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-46976</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4

commit 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects
in PD mode") introduced retrieval of the PDOs when connected to a
PD-capable source. But only the first 4 PDOs are received since
that is the maximum number that can be fetched at a time given the
MESSAGE_IN length limitation (16 bytes). However, as per the PD spec
a connected source may advertise up to a maximum of 7 PDOs.

If such a source is connected it's possible the PPM could have
negotiated a power contract with one of the PDOs at index greater
than 4, and would be reflected in the request data object's (RDO)
object position field. This would result in an out-of-bounds access
when the rdo_index() is used to index into the src_pdos array in
ucsi_psy_get_voltage_now().

With the help of the UBSAN -fsanitize=array-bounds checker enabled
this exact issue is revealed when connecting to a PD source adapter
that advertises 5 PDOs and the PPM enters a contract having selected
the 5th one.

[  151.545106][   T70] Unexpected kernel BRK exception at EL1
[  151.545112][   T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP
...
[  151.545499][   T70] pc : ucsi_psy_get_prop+0x208/0x20c
[  151.545507][   T70] lr : power_supply_show_property+0xc0/0x328
...
[  151.545542][   T70] Call trace:
[  151.545544][   T70]  ucsi_psy_get_prop+0x208/0x20c
[  151.545546][   T70]  power_supply_uevent+0x1a4/0x2f0
[  151.545550][   T70]  dev_uevent+0x200/0x384
[  151.545555][   T70]  kobject_uevent_env+0x1d4/0x7e8
[  151.545557][   T70]  power_supply_changed_work+0x174/0x31c
[  151.545562][   T70]  process_one_work+0x244/0x6f0
[  151.545564][   T70]  worker_thread+0x3e0/0xa64

We can resolve this by instead retrieving and storing up to the
maximum of 7 PDOs in the con-&gt;src_pdos array. This would involve
two calls to the GET_PDOS command.</Note>
    </Notes>
    <CVE>CVE-2021-46980</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nbd: Fix NULL pointer in flush_workqueue

Open /dev/nbdX first, the config_refs will be 1 and
the pointers in nbd_device are still null. Disconnect
/dev/nbdX, then reference a null recv_workq. The
protection by config_refs in nbd_genl_disconnect is useless.

[  656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020
[  656.368943] #PF: supervisor write access in kernel mode
[  656.369844] #PF: error_code(0x0002) - not-present page
[  656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0
[  656.371693] Oops: 0002 [#1] SMP
[  656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1
[  656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[  656.375904] RIP: 0010:mutex_lock+0x29/0x60
[  656.384927] Call Trace:
[  656.385111]  flush_workqueue+0x92/0x6c0
[  656.385395]  nbd_disconnect_and_put+0x81/0xd0
[  656.385716]  nbd_genl_disconnect+0x125/0x2a0
[  656.386034]  genl_family_rcv_msg_doit.isra.0+0x102/0x1b0
[  656.386422]  genl_rcv_msg+0xfc/0x2b0
[  656.386685]  ? nbd_ioctl+0x490/0x490
[  656.386954]  ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0
[  656.387354]  netlink_rcv_skb+0x62/0x180
[  656.387638]  genl_rcv+0x34/0x60
[  656.387874]  netlink_unicast+0x26d/0x590
[  656.388162]  netlink_sendmsg+0x398/0x6c0
[  656.388451]  ? netlink_rcv_skb+0x180/0x180
[  656.388750]  ____sys_sendmsg+0x1da/0x320
[  656.389038]  ? ____sys_recvmsg+0x130/0x220
[  656.389334]  ___sys_sendmsg+0x8e/0xf0
[  656.389605]  ? ___sys_recvmsg+0xa2/0xf0
[  656.389889]  ? handle_mm_fault+0x1671/0x21d0
[  656.390201]  __sys_sendmsg+0x6d/0xe0
[  656.390464]  __x64_sys_sendmsg+0x23/0x30
[  656.390751]  do_syscall_64+0x45/0x70
[  656.391017]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

To fix it, just add if (nbd-&gt;recv_workq) to nbd_disconnect_and_put().</Note>
    </Notes>
    <CVE>CVE-2021-46981</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvmet-rdma: Fix NULL deref when SEND is completed with error

When running some traffic and taking down the link on peer, a
retry counter exceeded error is received. This leads to
nvmet_rdma_error_comp which tried accessing the cq_context to
obtain the queue. The cq_context is no longer valid after the
fix to use shared CQ mechanism and should be obtained similar
to how it is obtained in other functions from the wc-&gt;qp.

[ 905.786331] nvmet_rdma: SEND for CQE 0x00000000e3337f90 failed with status transport retry counter exceeded (12).
[ 905.832048] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[ 905.839919] PGD 0 P4D 0
[ 905.842464] Oops: 0000 1 SMP NOPTI
[ 905.846144] CPU: 13 PID: 1557 Comm: kworker/13:1H Kdump: loaded Tainted: G OE --------- - - 4.18.0-304.el8.x86_64 #1
[ 905.872135] RIP: 0010:nvmet_rdma_error_comp+0x5/0x1b [nvmet_rdma]
[ 905.950067] nvmet_rdma: SEND for CQE 0x00000000c7356cca failed with status transport retry counter exceeded (12).
[ 906.010315] Call Trace:
[ 906.012778] __ib_process_cq+0x89/0x170 [ib_core]
[ 906.017509] ib_cq_poll_work+0x26/0x80 [ib_core]
[ 906.022152] process_one_work+0x1a7/0x360
[ 906.026182] ? create_worker+0x1a0/0x1a0
[ 906.030123] worker_thread+0x30/0x390
[ 906.033802] ? create_worker+0x1a0/0x1a0
[ 906.037744] kthread+0x116/0x130
[ 906.040988] ? kthread_flush_work_fn+0x10/0x10
[ 906.045456] ret_from_fork+0x1f/0x40</Note>
    </Notes>
    <CVE>CVE-2021-46983</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

kyber: fix out of bounds access when preempted

__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and
passes the hctx to -&gt;bio_merge(). kyber_bio_merge() then gets the ctx
for the current CPU again and uses that to get the corresponding Kyber
context in the passed hctx. However, the thread may be preempted between
the two calls to blk_mq_get_ctx(), and the ctx returned the second time
may no longer correspond to the passed hctx. This "works" accidentally
most of the time, but it can cause us to read garbage if the second ctx
came from an hctx with more ctx's than the first one (i.e., if
ctx-&gt;index_hw[hctx-&gt;type] &gt; hctx-&gt;nr_ctx).

This manifested as this UBSAN array index out of bounds error reported
by Jakub:

UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9
index 13106 is out of range for type 'long unsigned int [128]'
Call Trace:
 dump_stack+0xa4/0xe5
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34
 queued_spin_lock_slowpath+0x476/0x480
 do_raw_spin_lock+0x1c2/0x1d0
 kyber_bio_merge+0x112/0x180
 blk_mq_submit_bio+0x1f5/0x1100
 submit_bio_noacct+0x7b0/0x870
 submit_bio+0xc2/0x3a0
 btrfs_map_bio+0x4f0/0x9d0
 btrfs_submit_data_bio+0x24e/0x310
 submit_one_bio+0x7f/0xb0
 submit_extent_page+0xc4/0x440
 __extent_writepage_io+0x2b8/0x5e0
 __extent_writepage+0x28d/0x6e0
 extent_write_cache_pages+0x4d7/0x7a0
 extent_writepages+0xa2/0x110
 do_writepages+0x8f/0x180
 __writeback_single_inode+0x99/0x7f0
 writeback_sb_inodes+0x34e/0x790
 __writeback_inodes_wb+0x9e/0x120
 wb_writeback+0x4d2/0x660
 wb_workfn+0x64d/0xa10
 process_one_work+0x53a/0xa80
 worker_thread+0x69/0x5b0
 kthread+0x20b/0x240
 ret_from_fork+0x1f/0x30

Only Kyber uses the hctx, so fix it by passing the request_queue to
-&gt;bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can
map the queues itself to avoid the mismatch.</Note>
    </Notes>
    <CVE>CVE-2021-46984</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: release page in error path to avoid BUG_ON

Consider the following sequence of events:

1. Userspace issues a UFFD ioctl, which ends up calling into
   shmem_mfill_atomic_pte(). We successfully account the blocks, we
   shmem_alloc_page(), but then the copy_from_user() fails. We return
   -ENOENT. We don't release the page we allocated.
2. Our caller detects this error code, tries the copy_from_user() after
   dropping the mmap_lock, and retries, calling back into
   shmem_mfill_atomic_pte().
3. Meanwhile, let's say another process filled up the tmpfs being used.
4. So shmem_mfill_atomic_pte() fails to account blocks this time, and
   immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page
should always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting
fails, and if so, release it before returning.</Note>
    </Notes>
    <CVE>CVE-2021-46988</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

hfsplus: prevent corruption in shrinking truncate

I believe there are some issues introduced by commit 31651c607151
("hfsplus: avoid deadlock on file truncation")

HFS+ has extent records which always contain 8 extents.  In case the
first extent record in catalog file gets full, new ones are allocated from
extents overflow file.

In case shrinking truncate happens to middle of an extent record which
locates in extents overflow file, the logic in hfsplus_file_truncate() was
changed so that call to hfs_brec_remove() is not guarded any more.

Right action would be just freeing the extents that exceed the new size
inside extent record by calling hfsplus_free_extents(), and then check if
the whole extent record should be removed.  However since the guard
(blk_cnt &gt; start) is now after the call to hfs_brec_remove(), this has
unfortunate effect that the last matching extent record is removed
unconditionally.

To reproduce this issue, create a file which has at least 10 extents, and
then perform shrinking truncate into middle of the last extent record, so
that the number of remaining extents is not under or divisible by 8.  This
causes the last extent record (8 extents) to be removed totally instead of
truncating into middle of it.  Thus this causes corruption, and lost data.

Fix for this is simply checking if the new truncated end is below the
start of this extent record, making it safe to remove the full extent
record.  However call to hfs_brec_remove() can't be moved to its previous
place since we're dropping -&gt;tree_lock and it can cause a race condition
and the cached info being invalidated possibly corrupting the node data.

Another issue is related to this one.  When entering into the block
(blk_cnt &gt; start) we are not holding the -&gt;tree_lock.  We break out from
the loop not holding the lock, but hfs_find_exit() does unlock it.  Not
sure if it's possible for someone else to take the lock under our feet,
but it can cause hard to debug errors and premature unlocking.  Even if
there's no real risk of it, the locking should still always be kept in
balance.  Thus taking the lock now just before the check.</Note>
    </Notes>
    <CVE>CVE-2021-46989</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/64s: Fix crashes when toggling entry flush barrier

The entry flush mitigation can be enabled/disabled at runtime via a
debugfs file (entry_flush), which causes the kernel to patch itself to
enable/disable the relevant mitigations.

However depending on which mitigation we're using, it may not be safe to
do that patching while other CPUs are active. For example the following
crash:

  sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20

Shows that we returned to userspace with a corrupted LR that points into
the kernel, due to executing the partially patched call to the fallback
entry flush (ie. we missed the LR restore).

Fix it by doing the patching under stop machine. The CPUs that aren't
doing the patching will be spinning in the core of the stop machine
logic. That is currently sufficient for our purposes, because none of
the patching we do is to that code or anywhere in the vicinity.</Note>
    </Notes>
    <CVE>CVE-2021-46990</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix use-after-free in i40e_client_subtask()

Currently the call to i40e_client_del_instance frees the object
pf-&gt;cinst, however pf-&gt;cinst-&gt;lan_info is being accessed after
the free. Fix this by adding the missing return.

Addresses-Coverity: ("Read from pointer after free")</Note>
    </Notes>
    <CVE>CVE-2021-46991</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ethernet:enic: Fix a use after free bug in enic_hard_start_xmit

In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside
enic_queue_wq_skb, if some error happens, the skb will be freed
by dev_kfree_skb(skb). But the freed skb is still used in
skb_tx_timestamp(skb).

My patch makes enic_queue_wq_skb() return error and goto spin_unlock()
in case of error. The solution is provided by Govind.
See https://lkml.org/lkml/2021/4/30/961.</Note>
    </Notes>
    <CVE>CVE-2021-46998</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ceph: fix inode leak on getattr error in __fh_to_dentry</Note>
    </Notes>
    <CVE>CVE-2021-47000</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

xprtrdma: Fix cwnd update ordering

After a reconnect, the reply handler is opening the cwnd (and thus
enabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs()
can post enough Receive WRs to receive their replies. This causes an
RNR and the new connection is lost immediately.

The race is most clearly exposed when KASAN and disconnect injection
are enabled. This slows down rpcrdma_rep_create() enough to allow
the send side to post a bunch of RPC Calls before the Receive
completion handler can invoke ib_post_recv().</Note>
    </Notes>
    <CVE>CVE-2021-47001</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix potential null dereference on pointer status

There are calls to idxd_cmd_exec that pass a null status pointer however
a recent commit has added an assignment to *status that can end up
with a null pointer dereference.  The function expects a null status
pointer sometimes as there is a later assignment to *status where
status is first null checked.  Fix the issue by null checking status
before making the assignment.

Addresses-Coverity: ("Explicit null dereferenced")</Note>
    </Notes>
    <CVE>CVE-2021-47003</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Fix NULL pointer dereference for -&gt;get_features()

get_features ops of pci_epc_ops may return NULL, causing NULL pointer
dereference in pci_epf_test_alloc_space function. Let us add a check for
pci_epc_feature pointer in pci_epf_test_bind before we access it to avoid
any such NULL pointer dereference and return -ENOTSUPP in case
pci_epc_feature is not found.

When the patch is not applied and EPC features is not implemented in the
platform driver, we see the following dump due to kernel NULL pointer
dereference.

Call trace:
 pci_epf_test_bind+0xf4/0x388
 pci_epf_bind+0x3c/0x80
 pci_epc_epf_link+0xa8/0xcc
 configfs_symlink+0x1a4/0x48c
 vfs_symlink+0x104/0x184
 do_symlinkat+0x80/0xd4
 __arm64_sys_symlinkat+0x1c/0x24
 el0_svc_common.constprop.3+0xb8/0x170
 el0_svc_handler+0x70/0x88
 el0_svc+0x8/0x640
Code: d2800581 b9403ab9 f9404ebb 8b394f60 (f9400400)
---[ end trace a438e3c5a24f9df0 ]---</Note>
    </Notes>
    <CVE>CVE-2021-47005</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook

The commit 1879445dfa7b ("perf/core: Set event's default
::overflow_handler()") set a default event-&gt;overflow_handler in
perf_event_alloc(), and replaced the check event-&gt;overflow_handler with
is_default_overflow_handler(), but one is missing.

Currently, the bp-&gt;overflow_handler can not be NULL. As a result,
enable_single_step() is never invoked.

Comments from Zhen Lei:

 https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/</Note>
    </Notes>
    <CVE>CVE-2021-47006</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KEYS: trusted: Fix memory leak on object td

Two error return paths are neglecting to free allocated object td,
causing a memory leak. Fix this by returning via the error return
path that securely kfree's td.

Fixes clang scan-build warning:
security/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential
memory leak [unix.Malloc]</Note>
    </Notes>
    <CVE>CVE-2021-47009</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix a use after free in siw_alloc_mr

Our code analyzer reported a UAF.

In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of
siw_mr_add_mem(), mem is assigned to mr-&gt;mem and then mem is freed via
kfree(mem) if xa_alloc_cyclic() failed. Here, mr-&gt;mem still points to a
freed object. After that, the execution continues up to the err_out branch of
siw_alloc_mr, and the freed mr-&gt;mem is used in siw_mr_drop_mem(mr).

My patch moves "mr-&gt;mem = mem" behind the if (xa_alloc_cyclic(..)&lt;0) {}
section, to avoid the uaf.</Note>
    </Notes>
    <CVE>CVE-2021-47012</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send

In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).
If some error happens in emac_tx_fill_tpd(), the skb will be freed via
dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().
But the freed skb is still used via skb-&gt;len by netdev_sent_queue(,skb-&gt;len).

As I observed that emac_tx_fill_tpd() hasn't modified the value of skb-&gt;len,
thus my patch assigns skb-&gt;len to 'len' before the possible free and
use 'len' instead of skb-&gt;len later.</Note>
    </Notes>
    <CVE>CVE-2021-47013</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ct: fix wild memory access when clearing fragments

While testing re-assembly/re-fragmentation using act_ct, it's possible to
observe a crash like the following one:

 KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]
 CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S                5.12.0-rc7+ #424
 Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
 RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0
 Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 &lt;42&gt; 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48
 RSP: 0018:ffff888c31449db8 EFLAGS: 00010203
 RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960
 RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e
 RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350
 R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000
 R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160
 FS:  0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  &lt;IRQ&gt;
  inet_frag_destroy+0xa9/0x150
  call_timer_fn+0x2d/0x180
  run_timer_softirq+0x4fe/0xe70
  __do_softirq+0x197/0x5a0
  irq_exit_rcu+0x1de/0x200
  sysvec_apic_timer_interrupt+0x6b/0x80
  &lt;/IRQ&gt;

When act_ct temporarily stores an IP fragment, restoring the skb qdisc cb
results in putting random data in FRAG_CB(), and this causes those "wild"
memory accesses later, when the rbtree is purged. Never overwrite the skb
cb in case tcf_ct_handle_fragments() returns -EINPROGRESS.</Note>
    </Notes>
    <CVE>CVE-2021-47014</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix RX consumer index logic in the error path.

In bnxt_rx_pkt(), the RX buffers are expected to complete in order.
If the RX consumer index indicates an out of order buffer completion,
it means we are hitting a hardware bug and the driver will abort all
remaining RX packets and reset the RX ring.  The RX consumer index
that we pass to bnxt_discard_rx() is not correct.  We should be
passing the current index (tmp_raw_cons) instead of the old index
(raw_cons).  This bug can cause us to be at the wrong index when
trying to abort the next RX packet.  It can crash like this:

 #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007
 #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232
 #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e
 #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978
 #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0
 #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e
 #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24
 #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e
 #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12
 #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5
    [exception RIP: bnxt_rx_pkt+237]
    RIP: ffffffffc0259cdd  RSP: ffff9bbcdf5c3d98  RFLAGS: 00010213
    RAX: 000000005dd8097f  RBX: ffff9ba4cb11b7e0  RCX: ffffa923cf6e9000
    RDX: 0000000000000fff  RSI: 0000000000000627  RDI: 0000000000001000
    RBP: ffff9bbcdf5c3e60   R8: 0000000000420003   R9: 000000000000020d
    R10: ffffa923cf6ec138  R11: ffff9bbcdf5c3e83  R12: ffff9ba4d6f928c0
    R13: ffff9ba4cac28080  R14: ffff9ba4cb11b7f0  R15: ffff9ba4d5a30000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018</Note>
    </Notes>
    <CVE>CVE-2021-47015</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ath10k: Fix a use after free in ath10k_htc_send_bundle

In ath10k_htc_send_bundle, the bundle_skb could be freed by
dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later
by bundle_skb-&gt;len.

As skb_len = bundle_skb-&gt;len, my patch replaces bundle_skb-&gt;len with
skb_len after the bundle_skb was freed.</Note>
    </Notes>
    <CVE>CVE-2021-47017</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

soundwire: stream: fix memory leak in stream config error path

When stream config fails, master runtime will release all
slave runtime in the slave_rt_list, but slave runtime is not
added to the list at this time. This patch frees slave runtime
in the config error path to fix the memory leak.</Note>
    </Notes>
    <CVE>CVE-2021-47020</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/rtrs-clt: destroy sysfs after removing session from active list

A session can be removed dynamically by sysfs interface "remove_path" that
eventually calls rtrs_clt_remove_path_from_sysfs function.  The current
rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and
frees sess-&gt;stats object. Second it removes the session from the active
list.

Therefore some functions could access a non-connected session and access the
freed sess-&gt;stats object even if they check the session status before
accessing the session.

For instance rtrs_clt_request and get_next_path_min_inflight check the
session status and try to send IO to the session.  The session status
could be changed when they are trying to send IO but they could not catch
the change and update the statistics information in sess-&gt;stats object,
and generate a use-after-free problem.
(see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its
stats")

This patch changes the rtrs_clt_remove_path_from_sysfs to remove the
session from the active session list and then destroy the sysfs
interfaces.

Each function still should check the session status because closing or
error recovery paths can change the status.</Note>
    </Notes>
    <CVE>CVE-2021-47026</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/64s: Fix pte update for kernel memory on radix

When adding a PTE a ptesync is needed to order the update of the PTE
with subsequent accesses otherwise a spurious fault may be raised.

radix__set_pte_at() does not do this for performance gains. For
non-kernel memory this is not an issue as any faults of this kind are
corrected by the page fault handler. For kernel memory these faults
are not handled. The current solution is that there is a ptesync in
flush_cache_vmap() which should be called when mapping from the
vmalloc region.

However, map_kernel_page() does not call flush_cache_vmap(). This is
troublesome in particular for code patching with Strict RWX on radix.
In do_patch_instruction() the page frame that contains the instruction
to be patched is mapped and then immediately patched. With no ordering
or synchronization between setting up the PTE and writing to the page
it is possible for faults to occur.

As the code patching is done using __put_user_asm_goto() the resulting
fault is obscured - but using a normal store instead it can be seen:

  BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c
  Faulting instruction address: 0xc00000000008bd74
  Oops: Kernel access of bad area, sig: 11 [#1]
  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
  Modules linked in: nop_module(PO+) [last unloaded: nop_module]
  CPU: 4 PID: 757 Comm: sh Tainted: P           O      5.10.0-rc5-01361-ge3c1b78c8440-dirty #43
  NIP:  c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810
  REGS: c000000016f634a0 TRAP: 0300   Tainted: P           O       (5.10.0-rc5-01361-ge3c1b78c8440-dirty)
  MSR:  9000000000009033 &lt;SF,HV,EE,ME,IR,DR,RI,LE&gt;  CR: 44002884  XER: 00000000
  CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1

This results in the kind of issue reported here:
  https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/

Chris Riedl suggested a reliable way to reproduce the issue:
  $ mount -t debugfs none /sys/kernel/debug
  $ (while true; do echo function &gt; /sys/kernel/debug/tracing/current_tracer ; echo nop &gt; /sys/kernel/debug/tracing/current_tracer ; done) &amp;

Turning ftrace on and off does a large amount of code patching which
in usually less than 5min will crash giving a trace like:

   ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000)
   ------------[ ftrace bug ]------------
   ftrace failed to modify
   [&lt;c000000000bf8e5c&gt;] napi_busy_loop+0xc/0x390
    actual:   11:3b:47:4b
   Setting ftrace call site to call ftrace function
   ftrace record flags: 80000001
    (1)
    expected tramp: c00000000006c96c
   ------------[ cut here ]------------
   WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8
   Modules linked in: nop_module(PO-) [last unloaded: nop_module]
   CPU: 4 PID: 809 Comm: sh Tainted: P           O      5.10.0-rc5-01360-gf878ccaf250a #1
   NIP:  c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0
   REGS: c000000004c8b760 TRAP: 0700   Tainted: P           O       (5.10.0-rc5-01360-gf878ccaf250a)
   MSR:  900000000282b033 &lt;SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE&gt;  CR: 28008848  XER: 20040000
   CFAR: c0000000001a9c98 IRQMASK: 0
   GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022
   GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8
   GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118
   GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000
   GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008
   GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8
   GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020
   GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0
   NIP ftrace_bug+0x28c/0x2e8
   LR  ftrace_bug+0x288/0x2e8
   Call T
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47034</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Remove WO permissions on second-level paging entries

When the first level page table is used for IOVA translation, it only
supports Read-Only and Read-Write permissions. The Write-Only permission
is not supported as the PRESENT bit (implying Read permission) should
always be set. When using second level, we still give separate permissions
that allow WriteOnly, which seems inconsistent and awkward. We want to
have consistent behavior. After moving to 1st level, we don't want things
to work sometimes, and break if we use 2nd level for the same mappings.
Hence remove this configuration.</Note>
    </Notes>
    <CVE>CVE-2021-47035</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: avoid deadlock between hci_dev-&gt;lock and socket lock

Commit eab2404ba798 ("Bluetooth: Add BT_PHY socket option") added a
dependency between socket lock and hci_dev-&gt;lock that could lead to
deadlock.

It turns out that hci_conn_get_phy() is not in any way relying on hdev
being immutable during the runtime of this function, neither does it even
look at any of the members of hdev, and as such there is no need to hold
that lock.

This fixes the lockdep splat below:

 ======================================================
 WARNING: possible circular locking dependency detected
 5.12.0-rc1-00026-g73d464503354 #10 Not tainted
 ------------------------------------------------------
 bluetoothd/1118 is trying to acquire lock:
 ffff8f078383c078 (&amp;hdev-&gt;lock){+.+.}-{3:3}, at: hci_conn_get_phy+0x1c/0x150 [bluetooth]

 but task is already holding lock:
 ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -&gt; #3 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}:
        lock_sock_nested+0x72/0xa0
        l2cap_sock_ready_cb+0x18/0x70 [bluetooth]
        l2cap_config_rsp+0x27a/0x520 [bluetooth]
        l2cap_sig_channel+0x658/0x1330 [bluetooth]
        l2cap_recv_frame+0x1ba/0x310 [bluetooth]
        hci_rx_work+0x1cc/0x640 [bluetooth]
        process_one_work+0x244/0x5f0
        worker_thread+0x3c/0x380
        kthread+0x13e/0x160
        ret_from_fork+0x22/0x30

 -&gt; #2 (&amp;chan-&gt;lock#2/1){+.+.}-{3:3}:
        __mutex_lock+0xa3/0xa10
        l2cap_chan_connect+0x33a/0x940 [bluetooth]
        l2cap_sock_connect+0x141/0x2a0 [bluetooth]
        __sys_connect+0x9b/0xc0
        __x64_sys_connect+0x16/0x20
        do_syscall_64+0x33/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xae

 -&gt; #1 (&amp;conn-&gt;chan_lock){+.+.}-{3:3}:
        __mutex_lock+0xa3/0xa10
        l2cap_chan_connect+0x322/0x940 [bluetooth]
        l2cap_sock_connect+0x141/0x2a0 [bluetooth]
        __sys_connect+0x9b/0xc0
        __x64_sys_connect+0x16/0x20
        do_syscall_64+0x33/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xae

 -&gt; #0 (&amp;hdev-&gt;lock){+.+.}-{3:3}:
        __lock_acquire+0x147a/0x1a50
        lock_acquire+0x277/0x3d0
        __mutex_lock+0xa3/0xa10
        hci_conn_get_phy+0x1c/0x150 [bluetooth]
        l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth]
        __sys_getsockopt+0xcc/0x200
        __x64_sys_getsockopt+0x20/0x30
        do_syscall_64+0x33/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xae

 other info that might help us debug this:

 Chain exists of:
   &amp;hdev-&gt;lock --&gt; &amp;chan-&gt;lock#2/1 --&gt; sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);
                                lock(&amp;chan-&gt;lock#2/1);
                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);
   lock(&amp;hdev-&gt;lock);

  *** DEADLOCK ***

 1 lock held by bluetoothd/1118:
  #0: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 [bluetooth]

 stack backtrace:
 CPU: 3 PID: 1118 Comm: bluetoothd Not tainted 5.12.0-rc1-00026-g73d464503354 #10
 Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017
 Call Trace:
  dump_stack+0x7f/0xa1
  check_noncircular+0x105/0x120
  ? __lock_acquire+0x147a/0x1a50
  __lock_acquire+0x147a/0x1a50
  lock_acquire+0x277/0x3d0
  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]
  ? __lock_acquire+0x2e1/0x1a50
  ? lock_is_held_type+0xb4/0x120
  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]
  __mutex_lock+0xa3/0xa10
  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]
  ? lock_acquire+0x277/0x3d0
  ? mark_held_locks+0x49/0x70
  ? mark_held_locks+0x49/0x70
  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]
  hci_conn_get_phy+0x
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47038</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix incorrect locking in state_change sk callback

We are not changing anything in the TCP connection state so
we should not take a write_lock but rather a read lock.

This caused a deadlock when running nvmet-tcp and nvme-tcp
on the same system, where state_change callbacks on the
host and on the controller side have a causal relationship
and made lockdep report on this with blktests:

================================
WARNING: inconsistent lock state
5.12.0-rc3 #1 Tainted: G          I
--------------------------------
inconsistent {IN-SOFTIRQ-W} -&gt; {SOFTIRQ-ON-R} usage.
nvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
{IN-SOFTIRQ-W} state was registered at:
  __lock_acquire+0x79b/0x18d0
  lock_acquire+0x1ca/0x480
  _raw_write_lock_bh+0x39/0x80
  nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp]
  tcp_fin+0x2a8/0x780
  tcp_data_queue+0xf94/0x1f20
  tcp_rcv_established+0x6ba/0x1f00
  tcp_v4_do_rcv+0x502/0x760
  tcp_v4_rcv+0x257e/0x3430
  ip_protocol_deliver_rcu+0x69/0x6a0
  ip_local_deliver_finish+0x1e2/0x2f0
  ip_local_deliver+0x1a2/0x420
  ip_rcv+0x4fb/0x6b0
  __netif_receive_skb_one_core+0x162/0x1b0
  process_backlog+0x1ff/0x770
  __napi_poll.constprop.0+0xa9/0x5c0
  net_rx_action+0x7b3/0xb30
  __do_softirq+0x1f0/0x940
  do_softirq+0xa1/0xd0
  __local_bh_enable_ip+0xd8/0x100
  ip_finish_output2+0x6b7/0x18a0
  __ip_queue_xmit+0x706/0x1aa0
  __tcp_transmit_skb+0x2068/0x2e20
  tcp_write_xmit+0xc9e/0x2bb0
  __tcp_push_pending_frames+0x92/0x310
  inet_shutdown+0x158/0x300
  __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp]
  nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp]
  nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp]
  nvme_do_delete_ctrl+0x100/0x10c [nvme_core]
  nvme_sysfs_delete.cold+0x8/0xd [nvme_core]
  kernfs_fop_write_iter+0x2c7/0x460
  new_sync_write+0x36c/0x610
  vfs_write+0x5c0/0x870
  ksys_write+0xf9/0x1d0
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
irq event stamp: 10687
hardirqs last  enabled at (10687): [&lt;ffffffff9ec376bd&gt;] _raw_spin_unlock_irqrestore+0x2d/0x40
hardirqs last disabled at (10686): [&lt;ffffffff9ec374d8&gt;] _raw_spin_lock_irqsave+0x68/0x90
softirqs last  enabled at (10684): [&lt;ffffffff9f000608&gt;] __do_softirq+0x608/0x940
softirqs last disabled at (10649): [&lt;ffffffff9cdedd31&gt;] do_softirq+0xa1/0xd0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(clock-AF_INET);
  &lt;Interrupt&gt;
    lock(clock-AF_INET);

 *** DEADLOCK ***

5 locks held by nvme/1324:
 #0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0
 #1: ffff8886e435c090 (&amp;of-&gt;mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460
 #2: ffff888104d90c38 (kn-&gt;active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330
 #3: ffff8884634538d0 (&amp;queue-&gt;queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp]
 #4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300

stack backtrace:
CPU: 26 PID: 1324 Comm: nvme Tainted: G          I       5.12.0-rc3 #1
Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020
Call Trace:
 dump_stack+0x93/0xc2
 mark_lock_irq.cold+0x2c/0xb3
 ? verify_lock_unused+0x390/0x390
 ? stack_trace_consume_entry+0x160/0x160
 ? lock_downgrade+0x100/0x100
 ? save_trace+0x88/0x5e0
 ? _raw_spin_unlock_irqrestore+0x2d/0x40
 mark_lock+0x530/0x1470
 ? mark_lock_irq+0x1d10/0x1d10
 ? enqueue_timer+0x660/0x660
 mark_usage+0x215/0x2a0
 __lock_acquire+0x79b/0x18d0
 ? tcp_schedule_loss_probe.part.0+0x38c/0x520
 lock_acquire+0x1ca/0x480
 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
 ? rcu_read_unlock+0x40/0x40
 ? tcp_mtu_probe+0x1ae0/0x1ae0
 ? kmalloc_reserve+0xa0/0xa0
 ? sysfs_file_ops+0x170/0x170
 _raw_read_lock+0x3d/0xa0
 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
 nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
 ? sysfs_file_ops
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47041</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix shift-out-of-bounds in load_balance()

Syzbot reported a handful of occurrences where an sd-&gt;nr_balance_failed can
grow to much higher values than one would expect.

A successful load_balance() resets it to 0; a failed one increments
it. Once it gets to sd-&gt;cache_nice_tries + 3, this *should* trigger an
active balance, which will either set it to sd-&gt;cache_nice_tries+1 or reset
it to 0. However, in case the to-be-active-balanced task is not allowed to
run on env-&gt;dst_cpu, then the increment is done without any further
modification.

This could then be repeated ad nauseam, and would explain the absurdly high
values reported by syzbot (86, 149). VincentG noted there is value in
letting sd-&gt;cache_nice_tries grow, so the shift itself should be
fixed. That means preventing:

  """
  If the value of the right operand is negative or is greater than or equal
  to the width of the promoted left operand, the behavior is undefined.
  """

Thus we need to cap the shift exponent to
  BITS_PER_TYPE(typeof(lefthand)) - 1.

I had a look around for other similar cases via coccinelle:

  @expr@
  position pos;
  expression E1;
  expression E2;
  @@
  (
  E1 &gt;&gt; E2@pos
  |
  E1 &lt;&lt; E2@pos
  )

  @cst depends on expr@
  position pos;
  expression expr.E1;
  constant cst;
  @@
  (
  E1 &gt;&gt; cst@pos
  |
  E1 &lt;&lt; cst@pos
  )

  @script:python depends on !cst@
  pos &lt;&lt; expr.pos;
  exp &lt;&lt; expr.E2;
  @@
  # Dirty hack to ignore constexpr
  if exp.upper() != exp:
     coccilib.report.print_report(pos[0], "Possible UB shift here")

The only other match in kernel/sched is rq_clock_thermal() which employs
sched_thermal_decay_shift, and that exponent is already capped to 10, so
that one is fine.</Note>
    </Notes>
    <CVE>CVE-2021-47044</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb()

It is possible to call lpfc_issue_els_plogi() passing a did for which no
matching ndlp is found. A call is then made to lpfc_prep_els_iocb() with a
null pointer to a lpfc_nodelist structure resulting in a null pointer
dereference.

Fix by returning an error status if no valid ndlp is found. Fix up comments
regarding ndlp reference counting.</Note>
    </Notes>
    <CVE>CVE-2021-47045</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix off by one in hdmi_14_process_transaction()

The hdcp_i2c_offsets[] array did not have an entry for
HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one
read overflow.  I added an entry and copied the 0x0 value for the offset
from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.

I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX
entries.  This doesn't change the code, but it's just a belt and
suspenders approach to try to future proof the code.</Note>
    </Notes>
    <CVE>CVE-2021-47046</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

Drivers: hv: vmbus: Use after free in __vmbus_open()

The "open_info" variable is added to the &amp;vmbus_connection.chn_msg_list,
but the error handling frees "open_info" without removing it from the
list.  This will result in a use after free.  First remove it from the
list, and then free it.</Note>
    </Notes>
    <CVE>CVE-2021-47049</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware()

pm_runtime_get_sync will increment the pm usage counter even if it fails.
Forgetting the put operation will result in a reference leak here.
Fix it by replacing it with pm_runtime_resume_and_get to keep usage
counter balanced.</Note>
    </Notes>
    <CVE>CVE-2021-47051</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

bus: qcom: Put child node before return

Put child node before return to fix potential reference count leak.
Generally, the reference count of child is incremented and decremented
automatically in the macro for_each_available_child_of_node() and should
be decremented manually if the loop is broken in loop body.</Note>
    </Notes>
    <CVE>CVE-2021-47054</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mtd: require write permissions for locking and badblock ioctls

MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require
write permission. Depending on the hardware MEMLOCK might even be
write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK
is always write-once.

MEMSETBADBLOCK modifies the bad block table.</Note>
    </Notes>
    <CVE>CVE-2021-47055</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init

ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown()
before calling adf_iov_putmsg()-&gt;mutex_lock(vf2pf_lock), however the
vf2pf_lock is initialized in adf_dev_init(), which can fail, and when it
fails, the vf2pf_lock is either not initialized or destroyed, and a subsequent
use of vf2pf_lock will cause issues.
To fix this issue, only set this flag if adf_dev_init() returns 0.

[    7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0
[    7.180345] Call Trace:
[    7.182576]  mutex_lock+0xc9/0xd0
[    7.183257]  adf_iov_putmsg+0x118/0x1a0 [intel_qat]
[    7.183541]  adf_vf2pf_shutdown+0x4d/0x7b [intel_qat]
[    7.183834]  adf_dev_shutdown+0x172/0x2b0 [intel_qat]
[    7.184127]  adf_probe+0x5e9/0x600 [qat_dh895xccvf]</Note>
    </Notes>
    <CVE>CVE-2021-47056</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

regmap: set debugfs_name to NULL after it is freed

There is an upstream commit cffa4b2122f5("regmap:debugfs:
Fix a memory leak when calling regmap_attach_dev") that
adds an if condition when creating the name for debugfs_name.
With the function invocation logic below, debugfs_name is
freed in regmap_debugfs_exit(), but it is not created again
because of the if condition introduced by the above commit.
regmap_reinit_cache()
	regmap_debugfs_exit()
	...
	regmap_debugfs_init()
So, set debugfs_name to NULL after it is freed.</Note>
    </Notes>
    <CVE>CVE-2021-47058</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KVM: Stop looking for coalesced MMIO zones if the bus is destroyed

Abort the walk of coalesced MMIO zones if kvm_io_bus_unregister_dev()
fails to allocate memory for the new instance of the bus.  If it can't
instantiate a new bus, unregister_dev() destroys all devices _except_ the
target device.   But, it doesn't tell the caller that it obliterated the
bus and invoked the destructor for all devices that were on the bus.  In
the coalesced MMIO case, this can result in a deleted list entry
dereference due to attempting to continue iterating on coalesced_zones
after future entries (in the walk) have been deleted.

Opportunistically add curly braces to the for-loop, which encompasses
many lines but sneaks by without braces due to the guts being a single
if statement.</Note>
    </Notes>
    <CVE>CVE-2021-47060</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU

If allocating a new instance of an I/O bus fails when unregistering a
device, wait to destroy the device until after all readers are guaranteed
to see the new null bus.  Destroying devices before the bus is nullified
could lead to use-after-free since readers expect the devices on their
reference of the bus to remain valid.</Note>
    </Notes>
    <CVE>CVE-2021-47061</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm: bridge/panel: Cleanup connector on bridge detach

If we don't call drm_connector_cleanup() manually in
panel_bridge_detach(), the connector will be cleaned up with the other
DRM objects in the call to drm_mode_config_cleanup(). However, since our
drm_connector is devm-allocated, by the time drm_mode_config_cleanup()
will be called, our connector will be long gone. Therefore, the
connector must be cleaned up when the bridge is detached to avoid
use-after-free conditions.

v2: Cleanup connector only if it was created

v3: Add FIXME

v4: (Use connector-&gt;dev) directly in if() block</Note>
    </Notes>
    <CVE>CVE-2021-47063</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

rtw88: Fix array overrun in rtw_get_tx_power_params()

Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the
following array overrun is logged:

================================================================================
UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34
index 5 is out of range for type 'u8 [5]'
CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G           O      5.12.0-rc5-00086-gd88bba47038e-dirty #651
Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50   09/29/2014
Workqueue: phy0 ieee80211_scan_work [mac80211]
Call Trace:
 dump_stack+0x64/0x7c
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_out_of_bounds.cold+0x43/0x48
 rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core]
 ? rtw_pci_read16+0x20/0x20 [rtw_pci]
 ? check_hw_ready+0x50/0x90 [rtw_core]
 rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]
 rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]
 rtw_set_channel+0xab/0x110 [rtw_core]
 rtw_ops_config+0x87/0xc0 [rtw_core]
 ieee80211_hw_config+0x9d/0x130 [mac80211]
 ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]
 ieee80211_scan_work+0x19f/0x2a0 [mac80211]
 process_one_work+0x1dd/0x3a0
 worker_thread+0x49/0x330
 ? rescuer_thread+0x3a0/0x3a0
 kthread+0x134/0x150
 ? kthread_create_worker_on_cpu+0x70/0x70
 ret_from_fork+0x22/0x30
================================================================================

The statement where an array is being overrun is shown in the following snippet:

	if (rate &lt;= DESC_RATE11M)
		tx_power = pwr_idx_2g-&gt;cck_base[group];
	else
====&gt;		tx_power = pwr_idx_2g-&gt;bw40_base[group];

The associated arrays are defined in main.h as follows:

struct rtw_2g_txpwr_idx {
	u8 cck_base[6];
	u8 bw40_base[5];
	struct rtw_2g_1s_pwr_idx_diff ht_1s_diff;
	struct rtw_2g_ns_pwr_idx_diff ht_2s_diff;
	struct rtw_2g_ns_pwr_idx_diff ht_3s_diff;
	struct rtw_2g_ns_pwr_idx_diff ht_4s_diff;
};

The problem arises because the value of group is 5 for channel 14. The trivial
increase in the dimension of bw40_base fails as this struct must match the layout of
efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set
the group for channel 14 to 4 if rate &lt;= DESC_RATE11M.

This patch fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines")</Note>
    </Notes>
    <CVE>CVE-2021-47065</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry

do_mq_timedreceive calls wq_sleep with a stack local address.  The
sender (do_mq_timedsend) uses this address to later call pipelined_send.

This leads to a very hard to trigger race where a do_mq_timedreceive
call might return and leave do_mq_timedsend to rely on an invalid
address, causing the following crash:

  RIP: 0010:wake_q_add_safe+0x13/0x60
  Call Trace:
   __x64_sys_mq_timedsend+0x2a9/0x490
   do_syscall_64+0x80/0x680
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x7f5928e40343

The race occurs as:

1. do_mq_timedreceive calls wq_sleep with the address of `struct
   ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it
   holds a valid `struct ext_wait_queue *` as long as the stack has not
   been overwritten.

2. `ewq_addr` gets added to info-&gt;e_wait_q[RECV].list in wq_add, and
   do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call
   __pipelined_op.

3. Sender calls __pipelined_op::smp_store_release(&amp;this-&gt;state,
   STATE_READY).  Here is where the race window begins.  (`this` is
   `ewq_addr`.)

4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it
   will see `state == STATE_READY` and break.

5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed
   to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's
   stack.  (Although the address may not get overwritten until another
   function happens to touch it, which means it can persist around for an
   indefinite time.)

6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a
   `struct ext_wait_queue *`, and uses it to find a task_struct to pass to
   the wake_q_add_safe call.  In the lucky case where nothing has
   overwritten `ewq_addr` yet, `ewq_addr-&gt;task` is the right task_struct.
   In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a
   bogus address as the receiver's task_struct causing the crash.

do_mq_timedsend::__pipelined_op() should not dereference `this` after
setting STATE_READY, as the receiver counterpart is now free to return.
Change __pipelined_op to call wake_q_add_safe on the receiver's
task_struct returned by get_task_struct, instead of dereferencing `this`
which sits on the receiver's stack.

As Manfred pointed out, the race potentially also exists in
ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare.  Fix
those in the same way.</Note>
    </Notes>
    <CVE>CVE-2021-47069</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

uio_hv_generic: Fix another memory leak in error handling paths

Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe
function is never freed in the error handling path.

Add the missing 'vmbus_free_ring()' call.

Note that it is already freed in the .remove function.</Note>
    </Notes>
    <CVE>CVE-2021-47070</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

uio_hv_generic: Fix a memory leak in error handling paths

If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be
updated and 'hv_uio_cleanup()' in the error handling path will not be
able to free the corresponding buffer.

In such a case, we need to free the buffer explicitly.</Note>
    </Notes>
    <CVE>CVE-2021-47071</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios

init_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems
where the Dell WMI interface is supported. While exit_dell_smbios_wmi()
unregisters it unconditionally, this leads to the following oops:

[  175.722921] ------------[ cut here ]------------
[  175.722925] Unexpected driver unregister!
[  175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40
...
[  175.723089] Call Trace:
[  175.723094]  cleanup_module+0x5/0xedd [dell_smbios]
...
[  175.723148] ---[ end trace 064c34e1ad49509d ]---

Make the unregister happen on the same condition the register happens
to fix this.</Note>
    </Notes>
    <CVE>CVE-2021-47073</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvme-loop: fix memory leak in nvme_loop_create_ctrl()

When creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl()
fails, the loop ctrl should be freed before jumping to the "out" label.</Note>
    </Notes>
    <CVE>CVE-2021-47074</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Return CQE error if invalid lkey was supplied

RXE is missing update of WQE status in LOCAL_WRITE failures.  This caused
the following kernel panic if someone sent an atomic operation with an
explicitly wrong lkey.

[leonro@vm ~]$ mkt test
test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...
 WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
 Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core
 CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
 Call Trace:
  rxe_do_task+0x130/0x230 [rdma_rxe]
  rxe_rcv+0xb11/0x1df0 [rdma_rxe]
  rxe_loopback+0x157/0x1e0 [rdma_rxe]
  rxe_responder+0x5532/0x7620 [rdma_rxe]
  rxe_do_task+0x130/0x230 [rdma_rxe]
  rxe_rcv+0x9c8/0x1df0 [rdma_rxe]
  rxe_loopback+0x157/0x1e0 [rdma_rxe]
  rxe_requester+0x1efd/0x58c0 [rdma_rxe]
  rxe_do_task+0x130/0x230 [rdma_rxe]
  rxe_post_send+0x998/0x1860 [rdma_rxe]
  ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]
  ib_uverbs_write+0x847/0xc80 [ib_uverbs]
  vfs_write+0x1c5/0x840
  ksys_write+0x176/0x1d0
  do_syscall_64+0x3f/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae</Note>
    </Notes>
    <CVE>CVE-2021-47076</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: qedf: Add pointer checks in qedf_update_link_speed()

The following trace was observed:

 [   14.042059] Call Trace:
 [   14.042061]  &lt;IRQ&gt;
 [   14.042068]  qedf_link_update+0x144/0x1f0 [qedf]
 [   14.042117]  qed_link_update+0x5c/0x80 [qed]
 [   14.042135]  qed_mcp_handle_link_change+0x2d2/0x410 [qed]
 [   14.042155]  ? qed_set_ptt+0x70/0x80 [qed]
 [   14.042170]  ? qed_set_ptt+0x70/0x80 [qed]
 [   14.042186]  ? qed_rd+0x13/0x40 [qed]
 [   14.042205]  qed_mcp_handle_events+0x437/0x690 [qed]
 [   14.042221]  ? qed_set_ptt+0x70/0x80 [qed]
 [   14.042239]  qed_int_sp_dpc+0x3a6/0x3e0 [qed]
 [   14.042245]  tasklet_action_common.isra.14+0x5a/0x100
 [   14.042250]  __do_softirq+0xe4/0x2f8
 [   14.042253]  irq_exit+0xf7/0x100
 [   14.042255]  do_IRQ+0x7f/0xd0
 [   14.042257]  common_interrupt+0xf/0xf
 [   14.042259]  &lt;/IRQ&gt;

API qedf_link_update() is getting called from QED but by that time
shost_data is not initialised. This results in a NULL pointer dereference
when we try to dereference shost_data while updating supported_speeds.

Add a NULL pointer check before dereferencing shost_data.</Note>
    </Notes>
    <CVE>CVE-2021-47077</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Clear all QP fields if creation failed

rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly
created ones, but in case rxe_qp_from_init() failed it was filled with
garbage and caused the following error.

  refcount_t: underflow; use-after-free.
  WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
  Modules linked in:
  CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
  Call Trace:
   __refcount_sub_and_test include/linux/refcount.h:283 [inline]
   __refcount_dec_and_test include/linux/refcount.h:315 [inline]
   refcount_dec_and_test include/linux/refcount.h:333 [inline]
   kref_put include/linux/kref.h:64 [inline]
   rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805
   execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327
   rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391
   kref_put include/linux/kref.h:65 [inline]
   rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425
   _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]
   ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231
   ib_create_qp include/rdma/ib_verbs.h:3644 [inline]
   create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920
   ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]
   ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092
   add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717
   enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331
   ib_register_device drivers/infiniband/core/device.c:1413 [inline]
   ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365
   rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147
   rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247
   rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503
   rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline]
   rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250
   nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555
   rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195
   rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
   rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259
   netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
   netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
   netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
   sock_sendmsg_nosec net/socket.c:654 [inline]
   sock_sendmsg+0xcf/0x120 net/socket.c:674
   ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
   ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
   __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
   do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
   entry_SYSCALL_64_after_hwframe+0
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47078</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

pinctrl: mediatek: fix global-out-of-bounds issue

When eint virtual eint number is greater than gpio number,
it may produce a 'desc[eint_n]' size global-out-of-bounds issue.</Note>
    </Notes>
    <CVE>CVE-2021-47083</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tee: optee: Fix incorrect page free bug

Pointer to the allocated pages (struct page *page) has already
progressed towards the end of allocation. It is incorrect to perform
__free_pages(page, order) using this pointer as we would free any
arbitrary pages. Fix this by no longer modifying the page pointer.</Note>
    </Notes>
    <CVE>CVE-2021-47087</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ipmi: ssif: initialize ssif_info-&gt;client early

During probe ssif_info-&gt;client is dereferenced in error path. However,
it is set when some of the error checking has already been done. This
causes the following kernel crash if an error path is taken:

[   30.645593][  T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present
[   30.657616][  T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
...
[   30.657723][  T674] pc : __dev_printk+0x28/0xa0
[   30.657732][  T674] lr : _dev_err+0x7c/0xa0
...
[   30.657772][  T674] Call trace:
[   30.657775][  T674]  __dev_printk+0x28/0xa0
[   30.657778][  T674]  _dev_err+0x7c/0xa0
[   30.657781][  T674]  ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]
[   30.657791][  T674]  i2c_device_probe+0x37c/0x3c0
...

Initialize ssif_info-&gt;client before any error path can be taken. Clear
i2c_client data in the error path to prevent the dangling pointer from
leaking.</Note>
    </Notes>
    <CVE>CVE-2021-47095</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

Input: elantech - fix stack out of bound access in elantech_change_report_id()

The array param[] in elantech_change_report_id() must be at least 3
bytes, because elantech_read_reg_params() is calling ps2_command() with
PSMOUSE_CMD_GETINFO, that is going to access 3 bytes from param[], but
it's defined in the stack as an array of 2 bytes, therefore we have a
potential stack out-of-bounds access here, also confirmed by KASAN:

[    6.512374] BUG: KASAN: stack-out-of-bounds in __ps2_command+0x372/0x7e0
[    6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118

[    6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110
[    6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020
[    6.512436] Workqueue: events_long serio_handle_event
[    6.512453] Call Trace:
[    6.512462]  show_stack+0x52/0x58
[    6.512474]  dump_stack+0xa1/0xd3
[    6.512487]  print_address_description.constprop.0+0x1d/0x140
[    6.512502]  ? __ps2_command+0x372/0x7e0
[    6.512516]  __kasan_report.cold+0x7d/0x112
[    6.512527]  ? _raw_write_lock_irq+0x20/0xd0
[    6.512539]  ? __ps2_command+0x372/0x7e0
[    6.512552]  kasan_report+0x3c/0x50
[    6.512564]  __asan_load1+0x6a/0x70
[    6.512575]  __ps2_command+0x372/0x7e0
[    6.512589]  ? ps2_drain+0x240/0x240
[    6.512601]  ? dev_printk_emit+0xa2/0xd3
[    6.512612]  ? dev_vprintk_emit+0xc5/0xc5
[    6.512621]  ? __kasan_check_write+0x14/0x20
[    6.512634]  ? mutex_lock+0x8f/0xe0
[    6.512643]  ? __mutex_lock_slowpath+0x20/0x20
[    6.512655]  ps2_command+0x52/0x90
[    6.512670]  elantech_ps2_command+0x4f/0xc0 [psmouse]
[    6.512734]  elantech_change_report_id+0x1e6/0x256 [psmouse]
[    6.512799]  ? elantech_report_trackpoint.constprop.0.cold+0xd/0xd [psmouse]
[    6.512863]  ? ps2_command+0x7f/0x90
[    6.512877]  elantech_query_info.cold+0x6bd/0x9ed [psmouse]
[    6.512943]  ? elantech_setup_ps2+0x460/0x460 [psmouse]
[    6.513005]  ? psmouse_reset+0x69/0xb0 [psmouse]
[    6.513064]  ? psmouse_attr_set_helper+0x2a0/0x2a0 [psmouse]
[    6.513122]  ? phys_pmd_init+0x30e/0x521
[    6.513137]  elantech_init+0x8a/0x200 [psmouse]
[    6.513200]  ? elantech_init_ps2+0xf0/0xf0 [psmouse]
[    6.513249]  ? elantech_query_info+0x440/0x440 [psmouse]
[    6.513296]  ? synaptics_send_cmd+0x60/0x60 [psmouse]
[    6.513342]  ? elantech_query_info+0x440/0x440 [psmouse]
[    6.513388]  ? psmouse_try_protocol+0x11e/0x170 [psmouse]
[    6.513432]  psmouse_extensions+0x65d/0x6e0 [psmouse]
[    6.513476]  ? psmouse_try_protocol+0x170/0x170 [psmouse]
[    6.513519]  ? mutex_unlock+0x22/0x40
[    6.513526]  ? ps2_command+0x7f/0x90
[    6.513536]  ? psmouse_probe+0xa3/0xf0 [psmouse]
[    6.513580]  psmouse_switch_protocol+0x27d/0x2e0 [psmouse]
[    6.513624]  psmouse_connect+0x272/0x530 [psmouse]
[    6.513669]  serio_driver_probe+0x55/0x70
[    6.513679]  really_probe+0x190/0x720
[    6.513689]  driver_probe_device+0x160/0x1f0
[    6.513697]  device_driver_attach+0x119/0x130
[    6.513705]  ? device_driver_attach+0x130/0x130
[    6.513713]  __driver_attach+0xe7/0x1a0
[    6.513720]  ? device_driver_attach+0x130/0x130
[    6.513728]  bus_for_each_dev+0xfb/0x150
[    6.513738]  ? subsys_dev_iter_exit+0x10/0x10
[    6.513748]  ? _raw_write_unlock_bh+0x30/0x30
[    6.513757]  driver_attach+0x2d/0x40
[    6.513764]  serio_handle_event+0x199/0x3d0
[    6.513775]  process_one_work+0x471/0x740
[    6.513785]  worker_thread+0x2d2/0x790
[    6.513794]  ? process_one_work+0x740/0x740
[    6.513802]  kthread+0x1b4/0x1e0
[    6.513809]  ? set_kthread_struct+0x80/0x80
[    6.513816]  ret_from_fork+0x22/0x30

[    6.513832] The buggy address belongs to the page:
[    6.513838] page:00000000bc35e189 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d7
[    6.513847] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[    6.513860] raw: 0
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47097</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module

Hi,

When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,
the system crashed.

The log is as follows:
[  141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a
[  141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0
[  141.087464] Oops: 0010 [#1] SMP NOPTI
[  141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47
[  141.088009] Workqueue: events 0xffffffffc09b3a40
[  141.088009] RIP: 0010:0xffffffffc09b3a5a
[  141.088009] Code: Bad RIP value.
[  141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246
[  141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000
[  141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
[  141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1
[  141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700
[  141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8
[  141.088009] FS:  0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000
[  141.088009] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0
[  141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  141.088009] PKRU: 55555554
[  141.088009] Call Trace:
[  141.088009]  ? process_one_work+0x195/0x390
[  141.088009]  ? worker_thread+0x30/0x390
[  141.088009]  ? process_one_work+0x390/0x390
[  141.088009]  ? kthread+0x10d/0x130
[  141.088009]  ? kthread_flush_work_fn+0x10/0x10
[  141.088009]  ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a
[  200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0
[  200.223464] Oops: 0010 [#1] SMP NOPTI
[  200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46
[  200.224008] Workqueue: events 0xffffffffc0b28a40
[  200.224008] RIP: 0010:0xffffffffc0b28a5a
[  200.224008] Code: Bad RIP value.
[  200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246
[  200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000
[  200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
[  200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5
[  200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700
[  200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8
[  200.224008] FS:  0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000
[  200.224008] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0
[  200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  200.224008] PKRU: 55555554
[  200.224008] Call Trace:
[  200.224008]  ? process_one_work+0x195/0x390
[  200.224008]  ? worker_thread+0x30/0x390
[  200.224008]  ? process_one_work+0x390/0x390
[  200.224008]  ? kthread+0x10d/0x130
[  200.224008]  ? kthread_flush_work_fn+0x10/0x10
[  200.224008]  ? ret_from_fork+0x35/0x40
[  200.224008] kernel fault(0x1) notification starting on CPU 63
[  200.224008] kernel fault(0x1) notification finished on CPU 63
[  200.224008] CR2: ffffffffc0b28a5a
[  200.224008] ---[ end trace c82a412d93f57412 ]---

The reason is as follows:
T1: rmmod ipmi_si.
    -&gt;ipmi_unregister_smi()
        -&gt; ipmi_bmc_unregister()
            -&gt; __ipmi_bmc_unregister()
                -&gt; kref_put(&amp;bmc-&gt;usecount, cleanup_bmc_device);
                    -&gt; schedule_work(&amp;bmc-&gt;remove_work);

T2: rmmod ipmi_msghandl
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47100</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

asix: fix uninit-value in asix_mdio_read()

asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
smsr will be uninitialized.

Fail log:
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497</Note>
    </Notes>
    <CVE>CVE-2021-47101</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

neighbour: allow NUD_NOARP entries to be forced GCed

IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to
fill up the neighbour table with enough entries that it will overflow for
valid connections after that.

This behaviour is more prevalent after commit 58956317c8de ("neighbor:
Improve garbage collection") is applied, as it prevents removal from
entries that are not NUD_FAILED, unless they are more than 5s old.</Note>
    </Notes>
    <CVE>CVE-2021-47109</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

x86/kvm: Disable kvmclock on all CPUs on shutdown

Currently, we disable kvmclock from machine_shutdown() hook and this
only happens for boot CPU. We need to disable it for all CPUs to
guard against memory corruption e.g. on restore from hibernate.

Note, writing '0' to kvmclock MSR doesn't clear memory location, it
just prevents hypervisor from updating the location so for the short
while after write and while CPU is still alive, the clock remains usable
and correct so we don't need to switch to some other clocksource.</Note>
    </Notes>
    <CVE>CVE-2021-47110</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

x86/kvm: Teardown PV features on boot CPU as well

Various PV features (Async PF, PV EOI, steal time) work through memory
shared with hypervisor and when we restore from hibernation we must
properly teardown all these features to make sure hypervisor doesn't
write to stale locations after we jump to the previously hibernated kernel
(which can try to place anything there). For secondary CPUs the job is
already done by kvm_cpu_down_prepare(), register syscore ops to do
the same for boot CPU.</Note>
    </Notes>
    <CVE>CVE-2021-47112</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

btrfs: abort in rename_exchange if we fail to insert the second ref

Error injection stress uncovered a problem where we'd leave a dangling
inode ref if we failed during a rename_exchange.  This happens because
we insert the inode ref for one side of the rename, and then for the
other side.  If this second inode ref insert fails we'll leave the first
one dangling and leave a corrupt file system behind.  Fix this by
aborting if we did the insert for the first inode ref.</Note>
    </Notes>
    <CVE>CVE-2021-47113</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix data corruption by fallocate

When fallocate punches holes out of inode size, if original isize is in
the middle of last cluster, then the part from isize to the end of the
cluster will be zeroed with buffer write, at that time isize is not yet
updated to match the new size, if writeback is kicked in, it will invoke
ocfs2_writepage()-&gt;block_write_full_page() where the pages out of inode
size will be dropped.  That will cause file corruption.  Fix this by
zeroing out eof blocks when extending the inode size.

Running the following command with qemu-image 4.2.1 can get a corrupted
converted image file easily.

    qemu-img convert -p -t none -T none -f qcow2 $qcow_image \
             -O qcow2 -o compat=1.1 $qcow_image.conv

The usage of fallocate in qemu is like this, it first punches holes out
of inode size, then extends the inode size.

    fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0
    fallocate(11, 0, 2276196352, 65536) = 0

v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html
v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/</Note>
    </Notes>
    <CVE>CVE-2021-47114</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed

We got the following bug_on when running fsstress with IO fault injection:
[130747.323114] kernel BUG at fs/ext4/extents_status.c:762!
[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP
......
[130747.334329] Call trace:
[130747.334553]  ext4_es_cache_extent+0x150/0x168 [ext4]
[130747.334975]  ext4_cache_extents+0x64/0xe8 [ext4]
[130747.335368]  ext4_find_extent+0x300/0x330 [ext4]
[130747.335759]  ext4_ext_map_blocks+0x74/0x1178 [ext4]
[130747.336179]  ext4_map_blocks+0x2f4/0x5f0 [ext4]
[130747.336567]  ext4_mpage_readpages+0x4a8/0x7a8 [ext4]
[130747.336995]  ext4_readpage+0x54/0x100 [ext4]
[130747.337359]  generic_file_buffered_read+0x410/0xae8
[130747.337767]  generic_file_read_iter+0x114/0x190
[130747.338152]  ext4_file_read_iter+0x5c/0x140 [ext4]
[130747.338556]  __vfs_read+0x11c/0x188
[130747.338851]  vfs_read+0x94/0x150
[130747.339110]  ksys_read+0x74/0xf0

This patch's modification is according to Jan Kara's suggestion in:
https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/
"I see. Now I understand your patch. Honestly, seeing how fragile is trying
to fix extent tree after split has failed in the middle, I would probably
go even further and make sure we fix the tree properly in case of ENOSPC
and EDQUOT (those are easily user triggerable).  Anything else indicates a
HW problem or fs corruption so I'd rather leave the extent tree as is and
don't try to fix it (which also means we will not create overlapping
extents)."</Note>
    </Notes>
    <CVE>CVE-2021-47117</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

pid: take a reference when initializing `cad_pid`

During boot, kernel_init_freeable() initializes `cad_pid` to the init
task's struct pid.  Later on, we may change `cad_pid` via a sysctl, and
when this happens proc_do_cad_pid() will increment the refcount on the
new pid via get_pid(), and will decrement the refcount on the old pid
via put_pid().  As we never called get_pid() when we initialized
`cad_pid`, we decrement a reference we never incremented, and can therefore
free the init task's struct pid early.  As there can be dangling
references to the struct pid, we can later encounter a use-after-free
(e.g.  when delivering signals).

This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to
have been around since the conversion of `cad_pid` to struct pid in
commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the
pre-KASAN stone age of v2.6.19.

Fix this by getting a reference to the init task's struct pid when we
assign it to `cad_pid`.

Full KASAN splat below.

   ==================================================================
   BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]
   BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509
   Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273

   CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1
   Hardware name: linux,dummy-virt (DT)
   Call trace:
    ns_of_pid include/linux/pid.h:153 [inline]
    task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509
    do_notify_parent+0x308/0xe60 kernel/signal.c:1950
    exit_notify kernel/exit.c:682 [inline]
    do_exit+0x2334/0x2bd0 kernel/exit.c:845
    do_group_exit+0x108/0x2c8 kernel/exit.c:922
    get_signal+0x4e4/0x2a88 kernel/signal.c:2781
    do_signal arch/arm64/kernel/signal.c:882 [inline]
    do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936
    work_pending+0xc/0x2dc

   Allocated by task 0:
    slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516
    slab_alloc_node mm/slub.c:2907 [inline]
    slab_alloc mm/slub.c:2915 [inline]
    kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920
    alloc_pid+0xdc/0xc00 kernel/pid.c:180
    copy_process+0x2794/0x5e18 kernel/fork.c:2129
    kernel_clone+0x194/0x13c8 kernel/fork.c:2500
    kernel_thread+0xd4/0x110 kernel/fork.c:2552
    rest_init+0x44/0x4a0 init/main.c:687
    arch_call_rest_init+0x1c/0x28
    start_kernel+0x520/0x554 init/main.c:1064
    0x0

   Freed by task 270:
    slab_free_hook mm/slub.c:1562 [inline]
    slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600
    slab_free mm/slub.c:3161 [inline]
    kmem_cache_free+0x224/0x8e0 mm/slub.c:3177
    put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114
    put_pid+0x30/0x48 kernel/pid.c:109
    proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401
    proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591
    proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617
    call_write_iter include/linux/fs.h:1977 [inline]
    new_sync_write+0x3ac/0x510 fs/read_write.c:518
    vfs_write fs/read_write.c:605 [inline]
    vfs_write+0x9c4/0x1018 fs/read_write.c:585
    ksys_write+0x124/0x240 fs/read_write.c:658
    __do_sys_write fs/read_write.c:670 [inline]
    __se_sys_write fs/read_write.c:667 [inline]
    __arm64_sys_write+0x78/0xb0 fs/read_write.c:667
    __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
    invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
    el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129
    do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168
    el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416
    el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432
    el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701

   The buggy address belongs to the object at ffff23794dda0000
    which belongs to the cache pid of size 224
   The buggy address is located 4 bytes inside of
    224-byte region [ff
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47118</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ext4: fix memory leak in ext4_fill_super

Buffer head references must be released before calling kill_bdev();
otherwise the buffer head (and its page referenced by b_data) will not
be freed by kill_bdev, and subsequently that bh will be leaked.

If blocksizes differ, sb_set_blocksize() will kill current buffers and
page cache by using kill_bdev(). And then super block will be reread
again but using correct blocksize this time. sb_set_blocksize() didn't
fully free superblock page and buffer head, and being busy, they were
not freed and instead leaked.

This can easily be reproduced by calling an infinite loop of:

  systemctl start &lt;ext4_on_lvm&gt;.mount, and
  systemctl stop &lt;ext4_on_lvm&gt;.mount

... since systemd creates a cgroup for each slice which it mounts, and
the bh leak gets amplified by a dying memory cgroup that also never
gets freed, and memory consumption is much more easily noticed.</Note>
    </Notes>
    <CVE>CVE-2021-47119</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

HID: magicmouse: fix NULL-deref on disconnect

Commit 9d7b18668956 ("HID: magicmouse: add support for Apple Magic
Trackpad 2") added a sanity check for an Apple trackpad but returned
success instead of -ENODEV when the check failed. This means that the
remove callback will dereference the never-initialised driver data
pointer when the driver is later unbound (e.g. on USB disconnect).</Note>
    </Notes>
    <CVE>CVE-2021-47120</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix freeing unallocated p2pmem

In case p2p device was found but the p2p pool is empty, the nvme target
is still trying to free the sgl from the p2p pool instead of the
regular sgl pool and causing a crash (BUG() is called). Instead, assign
the p2p_dev for the request only if it was allocated from p2p pool.

This is the crash that was caused:

[Sun May 30 19:13:53 2021] ------------[ cut here ]------------
[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
[Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI
...
[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
...
[Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0
...
[Sun May 30 19:13:53 2021] Call Trace:
[Sun May 30 19:13:53 2021] ------------[ cut here ]------------
[Sun May 30 19:13:53 2021]  pci_free_p2pmem+0x2b/0x70
[Sun May 30 19:13:53 2021]  pci_p2pmem_free_sgl+0x4f/0x80
[Sun May 30 19:13:53 2021]  nvmet_req_free_sgls+0x1e/0x80 [nvmet]
[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
[Sun May 30 19:13:53 2021]  nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma]
[Sun May 30 19:13:53 2021]  nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]</Note>
    </Notes>
    <CVE>CVE-2021-47130</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/tls: Fix use-after-free after the TLS device goes down and up

When a netdev with active TLS offload goes down, tls_device_down is
called to stop the offload and tear down the TLS context. However, the
socket stays alive, and it still points to the TLS context, which is now
deallocated. If a netdev goes up, while the connection is still active,
and the data flow resumes after a number of TCP retransmissions, it will
lead to a use-after-free of the TLS context.

This commit addresses this bug by keeping the context alive until its
normal destruction, and implements the necessary fallbacks, so that the
connection can resume in software (non-offloaded) kTLS mode.

On the TX side tls_sw_fallback is used to encrypt all packets. The RX
side already has all the necessary fallbacks, because receiving
non-decrypted packets is supported. The thing needed on the RX side is
to block resync requests, which are normally produced after receiving
non-decrypted packets.

The necessary synchronization is implemented for a graceful teardown:
first the fallbacks are deployed, then the driver resources are released
(it used to be possible to have a tls_dev_resync after tls_dev_del).

A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback
mode. It's used to skip the RX resync logic completely, as it becomes
useless, and some objects may be released (for example, resync_async,
which is allocated and freed by the driver).</Note>
    </Notes>
    <CVE>CVE-2021-47131</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: zero-initialize tc skb extension on allocation

Function skb_ext_add() doesn't initialize created skb extension with any
value and leaves it up to the user. However, since extension of type
TC_SKB_EXT originally contained only single value tc_skb_ext-&gt;chain its
users used to just assign the chain value without setting whole extension
memory to zero first. This assumption changed when TC_SKB_EXT extension was
extended with additional fields but not all users were updated to
initialize the new fields which leads to use of uninitialized memory
afterwards. UBSAN log:

[  778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28
[  778.301495] load of value 107 is not a valid value for type '_Bool'
[  778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2
[  778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[  778.307901] Call Trace:
[  778.308680]  &lt;IRQ&gt;
[  778.309358]  dump_stack+0xbb/0x107
[  778.310307]  ubsan_epilogue+0x5/0x40
[  778.311167]  __ubsan_handle_load_invalid_value.cold+0x43/0x48
[  778.312454]  ? memset+0x20/0x40
[  778.313230]  ovs_flow_key_extract.cold+0xf/0x14 [openvswitch]
[  778.314532]  ovs_vport_receive+0x19e/0x2e0 [openvswitch]
[  778.315749]  ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch]
[  778.317188]  ? create_prof_cpu_mask+0x20/0x20
[  778.318220]  ? arch_stack_walk+0x82/0xf0
[  778.319153]  ? secondary_startup_64_no_verify+0xb0/0xbb
[  778.320399]  ? stack_trace_save+0x91/0xc0
[  778.321362]  ? stack_trace_consume_entry+0x160/0x160
[  778.322517]  ? lock_release+0x52e/0x760
[  778.323444]  netdev_frame_hook+0x323/0x610 [openvswitch]
[  778.324668]  ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch]
[  778.325950]  __netif_receive_skb_core+0x771/0x2db0
[  778.327067]  ? lock_downgrade+0x6e0/0x6f0
[  778.328021]  ? lock_acquire+0x565/0x720
[  778.328940]  ? generic_xdp_tx+0x4f0/0x4f0
[  778.329902]  ? inet_gro_receive+0x2a7/0x10a0
[  778.330914]  ? lock_downgrade+0x6f0/0x6f0
[  778.331867]  ? udp4_gro_receive+0x4c4/0x13e0
[  778.332876]  ? lock_release+0x52e/0x760
[  778.333808]  ? dev_gro_receive+0xcc8/0x2380
[  778.334810]  ? lock_downgrade+0x6f0/0x6f0
[  778.335769]  __netif_receive_skb_list_core+0x295/0x820
[  778.336955]  ? process_backlog+0x780/0x780
[  778.337941]  ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core]
[  778.339613]  ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0
[  778.341033]  ? kvm_clock_get_cycles+0x14/0x20
[  778.342072]  netif_receive_skb_list_internal+0x5f5/0xcb0
[  778.343288]  ? __kasan_kmalloc+0x7a/0x90
[  778.344234]  ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core]
[  778.345676]  ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core]
[  778.347140]  ? __netif_receive_skb_list_core+0x820/0x820
[  778.348351]  ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core]
[  778.349688]  ? napi_gro_flush+0x26c/0x3c0
[  778.350641]  napi_complete_done+0x188/0x6b0
[  778.351627]  mlx5e_napi_poll+0x373/0x1b80 [mlx5_core]
[  778.352853]  __napi_poll+0x9f/0x510
[  778.353704]  ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core]
[  778.355158]  net_rx_action+0x34c/0xa40
[  778.356060]  ? napi_threaded_poll+0x3d0/0x3d0
[  778.357083]  ? sched_clock_cpu+0x18/0x190
[  778.358041]  ? __common_interrupt+0x8e/0x1a0
[  778.359045]  __do_softirq+0x1ce/0x984
[  778.359938]  __irq_exit_rcu+0x137/0x1d0
[  778.360865]  irq_exit_rcu+0xa/0x20
[  778.361708]  common_interrupt+0x80/0xa0
[  778.362640]  &lt;/IRQ&gt;
[  778.363212]  asm_common_interrupt+0x1e/0x40
[  778.364204] RIP: 0010:native_safe_halt+0xe/0x10
[  778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 &lt;c3&gt; 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00
[  778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246
[  778.370570] RAX
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47136</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: lantiq: fix memory corruption in RX ring

In a situation where memory allocation or dma mapping fails, an
invalid address is programmed into the descriptor. This can lead
to memory corruption. If the memory allocation fails, DMA should
reuse the previous skb and mapping and drop the packet. This patch
also increments rx drop counter.</Note>
    </Notes>
    <CVE>CVE-2021-47137</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cxgb4: avoid accessing registers when clearing filters

Hardware register having the server TID base can contain
invalid values when adapter is in bad state (for example,
due to AER fatal error). Reading these invalid values in the
register can lead to out-of-bound memory access. So, fix
by using the saved server TID base when clearing filters.</Note>
    </Notes>
    <CVE>CVE-2021-47138</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: hns3: put off calling register_netdev() until client initialize complete

Currently, the netdevice is registered before client initialization
is complete, so there is a time window between the netdevice being
available and being usable. In this case, if a user tries to change the
channel number or ring param, it may cause hns3_set_rx_cpu_rmap() to be
called twice and report a bug.

[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0
[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized
[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1
[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1
[47200.163524] ------------[ cut here ]------------
[47200.171674] kernel BUG at lib/cpu_rmap.c:142!
[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]
[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G           O      5.11.0-rc3+ #1
[47200.215601] Hardware name:  , xxxxxx 02/04/2021
[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)
[47200.230188] pc : cpu_rmap_add+0x38/0x40
[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140
[47200.243291] sp : ffff800010e93a30
[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880
[47200.254155] x27: 0000000000000000 x26: 0000000000000000
[47200.260712] x25: 0000000000000000 x24: 0000000000000004
[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0
[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680
[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0
[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0
[47200.293456] x15: fffffc2082990600 x14: dead000000000122
[47200.300059] x13: ffffffffffffffff x12: 000000000000003e
[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000
[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700
[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f
[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20
[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80
[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004
[47200.346058] Call trace:
[47200.349324]  cpu_rmap_add+0x38/0x40
[47200.354300]  hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]
[47200.362294]  hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]
[47200.370049]  hns3_change_channels+0x40/0xb0 [hns3]
[47200.376770]  hns3_set_channels+0x12c/0x2a0 [hns3]
[47200.383353]  ethtool_set_channels+0x140/0x250
[47200.389772]  dev_ethtool+0x714/0x23d0
[47200.394440]  dev_ioctl+0x4cc/0x640
[47200.399277]  sock_do_ioctl+0x100/0x2a0
[47200.404574]  sock_ioctl+0x28c/0x470
[47200.409079]  __arm64_sys_ioctl+0xb4/0x100
[47200.415217]  el0_svc_common.constprop.0+0x84/0x210
[47200.422088]  do_el0_svc+0x28/0x34
[47200.426387]  el0_svc+0x28/0x70
[47200.431308]  el0_sync_handler+0x1a4/0x1b0
[47200.436477]  el0_sync+0x174/0x180
[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)
[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---

The process is like below:
executing hns3_client_init
|
register_netdev()
|                           hns3_set_channels()
|                           |
hns3_set_rx_cpu_rmap()      hns3_reset_notify_uninit_enet()
|                               |
|                            quit without calling function
|                            hns3_free_rx_cpu_rmap for flag
|                            HNS3_NIC_STATE_INITED is unset.
|                           |
|                           hns3_reset_notify_init_enet()
|                               |
set HNS3_NIC_STATE_INITED    call hns3_set_rx_cpu_rmap()-- crash

Fix it by calling register_netdev() at the end of function
hns3_client_init().</Note>
    </Notes>
    <CVE>CVE-2021-47139</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

gve: Add NULL pointer checks when freeing irqs.

When freeing notification blocks, we index priv-&gt;msix_vectors.
If we failed to allocate priv-&gt;msix_vectors (see abort_with_msix_vectors)
this could lead to a NULL pointer dereference if the driver is unloaded.</Note>
    </Notes>
    <CVE>CVE-2021-47141</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix a use-after-free

Looks like we forget to set ttm-&gt;sg to NULL.
Hit the panic below:

[ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 1235.989074] Call Trace:
[ 1235.991751]  sg_free_table+0x17/0x20
[ 1235.995667]  amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu]
[ 1236.002288]  amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu]
[ 1236.008464]  ttm_tt_destroy+0x1e/0x30 [ttm]
[ 1236.013066]  ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm]
[ 1236.018783]  ttm_bo_release+0x262/0xa50 [ttm]
[ 1236.023547]  ttm_bo_put+0x82/0xd0 [ttm]
[ 1236.027766]  amdgpu_bo_unref+0x26/0x50 [amdgpu]
[ 1236.032809]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu]
[ 1236.040400]  kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu]
[ 1236.046912]  kfd_ioctl+0x463/0x690 [amdgpu]</Note>
    </Notes>
    <CVE>CVE-2021-47142</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/amd/amdgpu: fix refcount leak

[Why]
the gem object rfb-&gt;base.obj[0] is get according to num_planes
in amdgpufb_create, but is not put according to num_planes

[How]
put rfb-&gt;base.obj[0] in amdgpu_fbdev_destroy according to num_planes</Note>
    </Notes>
    <CVE>CVE-2021-47144</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: fec: fix the potential memory leak in fec_enet_init()

If the memory allocation for cbd_base fails, it should
free the memory allocated for the queues, otherwise it causes
a memory leak.

And if the memory allocation for the queues fails, it can
return an error directly.
    </Notes>
    <CVE>CVE-2021-47150</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: i801: Don't generate an interrupt on bus reset

Now that the i2c-i801 driver supports interrupts, setting the KILL bit
in an attempt to recover from a timed out transaction triggers an
interrupt. Unfortunately, the interrupt handler (i801_isr) is not
prepared for this situation and will try to process the interrupt as
if it was signaling the end of a successful transaction. In the case
of a block transaction, this can result in an out-of-range memory
access.

This condition was reproduced several times by syzbot:
https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e
https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e
https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e
https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb
https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a
https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79

So disable interrupts while trying to reset the bus. Interrupts will
be enabled again for the following transaction.</Note>
    </Notes>
    <CVE>CVE-2021-47153</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: dsa: mt7530: fix VLAN traffic leaks

PCR_MATRIX field was set to all 1's when VLAN filtering is enabled, but
was not reset when it is disabled, which may cause traffic leaks:

	ip link add br0 type bridge vlan_filtering 1
	ip link add br1 type bridge vlan_filtering 1
	ip link set swp0 master br0
	ip link set swp1 master br1
	ip link set br0 type bridge vlan_filtering 0
	ip link set br1 type bridge vlan_filtering 0
	# traffic in br0 and br1 will start leaking to each other

As port_bridge_{add,del} have set up PCR_MATRIX properly, remove the
PCR_MATRIX write from mt7530_port_set_vlan_aware.</Note>
    </Notes>
    <CVE>CVE-2021-47160</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

spi: spi-fsl-dspi: Fix a resource leak in an error handling path

'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the
error handling path of the probe function, as already done in the remove
function</Note>
    </Notes>
    <CVE>CVE-2021-47161</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix null deref accessing lag dev

It could be that the lag dev is null, so stop processing the event.
In bond_enslave() the active/backup slave is set before setting the
upper dev, so the first event is without an upper dev.
After setting the upper dev with bond_master_upper_dev_link() there is
a second event and in that event we have an upper dev.</Note>
    </Notes>
    <CVE>CVE-2021-47164</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/meson: fix shutdown crash when component not probed

When the main component is not probed, for example when the dw-hdmi module is
not loaded yet or in probe defer, the following crash appears on shutdown:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
...
pc : meson_drv_shutdown+0x24/0x50
lr : platform_drv_shutdown+0x20/0x30
...
Call trace:
meson_drv_shutdown+0x24/0x50
platform_drv_shutdown+0x20/0x30
device_shutdown+0x158/0x360
kernel_restart_prepare+0x38/0x48
kernel_restart+0x18/0x68
__do_sys_reboot+0x224/0x250
__arm64_sys_reboot+0x24/0x30
...

Simply check if the priv struct has been allocated before using it.</Note>
    </Notes>
    <CVE>CVE-2021-47165</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()

The value of mirror-&gt;pg_bytes_written should only be updated after a
successful attempt to flush out the requests on the list.</Note>
    </Notes>
    <CVE>CVE-2021-47166</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix an Oopsable condition in __nfs_pageio_add_request()

Ensure that nfs_pageio_error_cleanup() resets the mirror array contents,
so that the structure reflects the fact that it is now empty.
Also change the test in nfs_pageio_do_add_request() to be more robust by
checking whether or not the list is empty rather than relying on the
value of pg_count.</Note>
    </Notes>
    <CVE>CVE-2021-47167</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFS: fix an incorrect limit in filelayout_decode_layout()

The "sizeof(struct nfs_fh)" is two bytes too large and could lead to
memory corruption.  It should be NFS_MAXFHSIZE because that's the size
of the -&gt;data[] buffer.

I reversed the size of the arguments to put the variable on the left.</Note>
    </Notes>
    <CVE>CVE-2021-47168</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'

In 'rp2_probe', the driver registers 'rp2_uart_interrupt' then calls
'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the
firmware doesn't exist, the function just returns without initializing the ports
of 'rp2_card'. But now the interrupt handler function has been
registered, and when an interrupt comes, 'rp2_uart_interrupt' may access
those ports, causing a NULL pointer dereference or other bugs.

Because the driver does some initialization work in 'rp2_fw_cb', in
order to make the driver ready to handle interrupts, 'request_firmware'
should be used instead of asynchronous 'request_firmware_nowait'.

This report reveals it:

INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-
gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 &lt;IRQ&gt;
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xec/0x156 lib/dump_stack.c:118
 assign_lock_key kernel/locking/lockdep.c:727 [inline]
 register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753
 __lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303
 lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline]
 rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493
 rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504
 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149
 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189
 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206
 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725
 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]
 handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87
 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
 &lt;/IRQ&gt;
RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61
 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
 default_idle+0x6f/0x360 arch/x86/kernel/process.c:557
 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548
 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263
 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369
 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-
gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline]
RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline]
RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c:
493
Co
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47169</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

USB: usbfs: Don't WARN about excessively large memory allocations

Syzbot found that the kernel generates a WARNing if the user tries to
submit a bulk transfer through usbfs with a buffer that is way too
large.  This isn't a bug in the kernel; it's merely an invalid request
from the user and the usbfs code does handle it correctly.

In theory the same thing can happen with async transfers, or with the
packet descriptor table for isochronous transfers.

To prevent the MM subsystem from complaining about these bad
allocation requests, add the __GFP_NOWARN flag to the kmalloc calls
for these buffers.</Note>
    </Notes>
    <CVE>CVE-2021-47170</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: usb: fix memory leak in smsc75xx_bind

Syzbot reported memory leak in smsc75xx_bind().
The problem was non-freed memory in case of
errors after memory allocation.

backtrace:
  [&lt;ffffffff84245b62&gt;] kmalloc include/linux/slab.h:556 [inline]
  [&lt;ffffffff84245b62&gt;] kzalloc include/linux/slab.h:686 [inline]
  [&lt;ffffffff84245b62&gt;] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
  [&lt;ffffffff82b5b2e6&gt;] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728</Note>
    </Notes>
    <CVE>CVE-2021-47171</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers

Channel numbering must start at 0 and then not have any holes, or
it is possible to overflow the available storage.  Note this bug was
introduced as part of a fix to ensure we didn't rely on the ordering
of child nodes.  So we need to support arbitrary ordering but they all
need to be there somewhere.

Note I hit this when using qemu to test the rest of this series.
Arguably this isn't the best fix, but it is probably the most minimal
option for backporting etc.

Alexandru's sign-off is here because he carried this patch in a larger
set that Jonathan then applied.</Note>
    </Notes>
    <CVE>CVE-2021-47172</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

misc/uss720: fix memory leak in uss720_probe

uss720_probe forgets to decrease the refcount of usbdev in uss720_probe.
Fix this by decreasing the refcount of usbdev by usb_put_dev.

BUG: memory leak
unreferenced object 0xffff888101113800 (size 2048):
  comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s)
  hex dump (first 32 bytes):
    ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00  ....1...........
    00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00  ................
  backtrace:
    [&lt;ffffffff82b8e822&gt;] kmalloc include/linux/slab.h:554 [inline]
    [&lt;ffffffff82b8e822&gt;] kzalloc include/linux/slab.h:684 [inline]
    [&lt;ffffffff82b8e822&gt;] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582
    [&lt;ffffffff82b98441&gt;] hub_port_connect drivers/usb/core/hub.c:5129 [inline]
    [&lt;ffffffff82b98441&gt;] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
    [&lt;ffffffff82b98441&gt;] port_event drivers/usb/core/hub.c:5509 [inline]
    [&lt;ffffffff82b98441&gt;] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591
    [&lt;ffffffff81259229&gt;] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
    [&lt;ffffffff81259b19&gt;] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
    [&lt;ffffffff81261228&gt;] kthread+0x178/0x1b0 kernel/kthread.c:292
    [&lt;ffffffff8100227f&gt;] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294</Note>
    </Notes>
    <CVE>CVE-2021-47173</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version

Arturo reported this backtrace:

[709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0
[709732.358793] Modules linked in: binfmt_misc nft_nat nft_chain_nat nf_nat nft_counter nft_ct nf_tables nf_conntrack_netlink nfnetlink 8021q garp stp mrp llc vrf intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul mgag200 ghash_clmulni_intel drm_kms_helper cec aesni_intel drm libaes crypto_simd cryptd glue_helper mei_me dell_smbios iTCO_wdt evdev intel_pmc_bxt iTCO_vendor_support dcdbas pcspkr rapl dell_wmi_descriptor wmi_bmof sg i2c_algo_bit watchdog mei acpi_ipmi ipmi_si button nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipmi_devintf ipmi_msghandler ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor sd_mod t10_pi crc_t10dif crct10dif_generic raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod ahci libahci tg3 libata xhci_pci libphy xhci_hcd ptp usbcore crct10dif_pclmul crct10dif_common bnxt_en crc32c_intel scsi_mod
[709732.358941]  pps_core i2c_i801 lpc_ich i2c_smbus wmi usb_common
[709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1
[709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020
[709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0
[709732.359005] Call Trace:
[709732.359009]  &lt;IRQ&gt;
[709732.359035]  nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]
[709732.359046]  ? sched_clock+0x5/0x10
[709732.359054]  ? sched_clock_cpu+0xc/0xb0
[709732.359061]  ? record_times+0x16/0x80
[709732.359068]  ? plist_add+0xc1/0x100
[709732.359073]  ? psi_group_change+0x47/0x230
[709732.359079]  ? skb_clone+0x4d/0xb0
[709732.359085]  ? enqueue_task_rt+0x22b/0x310
[709732.359098]  ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en]
[709732.359102]  ? packet_rcv+0x40/0x4a0
[709732.359121]  nft_lookup_eval+0x59/0x160 [nf_tables]
[709732.359133]  nft_do_chain+0x350/0x500 [nf_tables]
[709732.359152]  ? nft_lookup_eval+0x59/0x160 [nf_tables]
[709732.359163]  ? nft_do_chain+0x364/0x500 [nf_tables]
[709732.359172]  ? fib4_rule_action+0x6d/0x80
[709732.359178]  ? fib_rules_lookup+0x107/0x250
[709732.359184]  nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat]
[709732.359193]  nf_nat_inet_fn+0xea/0x210 [nf_nat]
[709732.359202]  nf_nat_ipv4_out+0x14/0xa0 [nf_nat]
[709732.359207]  nf_hook_slow+0x44/0xc0
[709732.359214]  ip_output+0xd2/0x100
[709732.359221]  ? __ip_finish_output+0x210/0x210
[709732.359226]  ip_forward+0x37d/0x4a0
[709732.359232]  ? ip4_key_hashfn+0xb0/0xb0
[709732.359238]  ip_subli
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47174</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: fq_pie: fix OOB access in the traffic path

the following script:

  # tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2
  # tc qdisc add dev eth0 clsact
  # tc filter add dev eth0 egress matchall action skbedit priority 0x10002
  # ping 192.0.2.2 -I eth0 -c2 -w1 -q

produces the following splat:

 BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]
 Read of size 4 at addr ffff888171306924 by task ping/942

 CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 Call Trace:
  dump_stack+0x92/0xc1
  print_address_description.constprop.7+0x1a/0x150
  kasan_report.cold.13+0x7f/0x111
  fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]
  __dev_queue_xmit+0x1034/0x2b10
  ip_finish_output2+0xc62/0x2120
  __ip_finish_output+0x553/0xea0
  ip_output+0x1ca/0x4d0
  ip_send_skb+0x37/0xa0
  raw_sendmsg+0x1c4b/0x2d00
  sock_sendmsg+0xdb/0x110
  __sys_sendto+0x1d7/0x2b0
  __x64_sys_sendto+0xdd/0x1b0
  do_syscall_64+0x3c/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fe69735c3eb

 Allocated by task 917:
  kasan_save_stack+0x19/0x40
  __kasan_kmalloc+0x7f/0xa0
  __kmalloc_node+0x139/0x280
  fq_pie_init+0x555/0x8e8 [sch_fq_pie]
  qdisc_create+0x407/0x11b0
  tc_modify_qdisc+0x3c2/0x17e0
  rtnetlink_rcv_msg+0x346/0x8e0
  netlink_rcv_skb+0x120/0x380
  netlink_unicast+0x439/0x630
  netlink_sendmsg+0x719/0xbf0
  sock_sendmsg+0xe2/0x110
  ____sys_sendmsg+0x5ba/0x890
  ___sys_sendmsg+0xe9/0x160
  __sys_sendmsg+0xd3/0x170
  do_syscall_64+0x3c/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 The buggy address belongs to the object at ffff888171306800
  which belongs to the cache kmalloc-256 of size 256
 The buggy address is located 36 bytes to the right of
  256-byte region [ffff888171306800, ffff888171306900)
 The buggy address belongs to the page:
 page:00000000bcfb624e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171306
 head:00000000bcfb624e order:1 compound_mapcount:0
 flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
 raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042b40
 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff888171306800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888171306880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 &gt;ffff888171306900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                ^
  ffff888171306980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff888171306a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

fix fq_pie traffic path to avoid selecting 'q-&gt;flows + q-&gt;flows_cnt' as a
valid flow: it's an address beyond the allocated memory.</Note>
    </Notes>
    <CVE>CVE-2021-47175</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

s390/dasd: add missing discipline function

Fix crash with illegal operation exception in dasd_device_tasklet.
Commit b72949328869 ("s390/dasd: Prepare for additional path event handling")
renamed the verify_path function for ECKD but not for FBA and DIAG.
This leads to a panic when the path verification function is called for a
FBA or DIAG device.

Fix by defining a wrapper function for dasd_generic_verify_path().</Note>
    </Notes>
    <CVE>CVE-2021-47176</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix sysfs leak in alloc_iommu()

iommu_device_sysfs_add() is called before, so it has to be cleaned on subsequent
errors.</Note>
    </Notes>
    <CVE>CVE-2021-47177</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()

Commit de144ff4234f changes _pnfs_return_layout() to call
pnfs_mark_matching_lsegs_return() passing NULL as the struct
pnfs_layout_range argument. Unfortunately,
pnfs_mark_matching_lsegs_return() doesn't check if we have a value here
before dereferencing it, causing an oops.

I'm able to hit this crash consistently when running connectathon basic
tests on NFS v4.1/v4.2 against Ontap.</Note>
    </Notes>
    <CVE>CVE-2021-47179</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFC: nci: fix memory leak in nci_allocate_device

nfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev.
Fix this by freeing hci_dev in nci_free_device.

BUG: memory leak
unreferenced object 0xffff888111ea6800 (size 1024):
  comm "kworker/1:0", pid 19, jiffies 4294942308 (age 13.580s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff  .........`......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;000000004bc25d43&gt;] kmalloc include/linux/slab.h:552 [inline]
    [&lt;000000004bc25d43&gt;] kzalloc include/linux/slab.h:682 [inline]
    [&lt;000000004bc25d43&gt;] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784
    [&lt;00000000c59cff92&gt;] nci_allocate_device net/nfc/nci/core.c:1170 [inline]
    [&lt;00000000c59cff92&gt;] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132
    [&lt;00000000006e0a8e&gt;] nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153
    [&lt;000000004da1b57e&gt;] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345
    [&lt;00000000d506aed9&gt;] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [&lt;00000000bc632c92&gt;] really_probe+0x159/0x4a0 drivers/base/dd.c:554
    [&lt;00000000f5009125&gt;] driver_probe_device+0x84/0x100 drivers/base/dd.c:740
    [&lt;000000000ce658ca&gt;] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846
    [&lt;000000007067d05f&gt;] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
    [&lt;00000000f8e13372&gt;] __device_attach+0x122/0x250 drivers/base/dd.c:914
    [&lt;000000009cf68860&gt;] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
    [&lt;00000000359c965a&gt;] device_add+0x5be/0xc30 drivers/base/core.c:3109
    [&lt;00000000086e4bd3&gt;] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164
    [&lt;00000000ca036872&gt;] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
    [&lt;00000000d40d36f6&gt;] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
    [&lt;00000000bc632c92&gt;] really_probe+0x159/0x4a0 drivers/base/dd.c:554</Note>
    </Notes>
    <CVE>CVE-2021-47180</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: musb: tusb6010: check return value after calling platform_get_resource()

It will cause a null-ptr-deref if platform_get_resource() returns NULL,
so we need to check the return value.</Note>
    </Notes>
    <CVE>CVE-2021-47181</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix link down processing to address NULL pointer dereference

If an FC link down transition occurs while PLOGIs are outstanding to fabric well
known addresses, outstanding ABTS requests may result in a NULL pointer
dereference. Driver unload requests may hang with repeated "2878" log
messages.

The Link down processing results in ABTS requests for outstanding ELS
requests. The Abort WQEs are sent for the ELSs before the driver had set
the link state to down. Thus the driver is sending the Abort with the
expectation that an ABTS will be sent on the wire. The Abort request is
stalled waiting for the link to come up. In some conditions the driver may
auto-complete the ELSs thus if the link does come up, the Abort completions
may reference an invalid structure.

Fix by ensuring that Abort sets the flag to avoid link traffic if issued due
to conditions where the link failed.</Note>
    </Notes>
    <CVE>CVE-2021-47183</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix NULL ptr dereference on VSI filter sync

Remove the cause of the null pointer dereference in sync VSI filters.
Added a new I40E_VSI_RELEASING flag to signal deleting and releasing
of VSI resources, to sync this thread with the sync filters subtask.
Without this patch it is possible to start updating the VSI filter list
after the VSI is removed, which causes a kernel oops.</Note>
    </Notes>
    <CVE>CVE-2021-47184</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc

When running the ltp testcase (ltp/testcases/kernel/pty/pty04.c) on arm64, there is a soft lockup,
which looks like this:

  Workqueue: events_unbound flush_to_ldisc
  Call trace:
   dump_backtrace+0x0/0x1ec
   show_stack+0x24/0x30
   dump_stack+0xd0/0x128
   panic+0x15c/0x374
   watchdog_timer_fn+0x2b8/0x304
   __run_hrtimer+0x88/0x2c0
   __hrtimer_run_queues+0xa4/0x120
   hrtimer_interrupt+0xfc/0x270
   arch_timer_handler_phys+0x40/0x50
   handle_percpu_devid_irq+0x94/0x220
   __handle_domain_irq+0x88/0xf0
   gic_handle_irq+0x84/0xfc
   el1_irq+0xc8/0x180
   slip_unesc+0x80/0x214 [slip]
   tty_ldisc_receive_buf+0x64/0x80
   tty_port_default_receive_buf+0x50/0x90
   flush_to_ldisc+0xbc/0x110
   process_one_work+0x1d4/0x4b0
   worker_thread+0x180/0x430
   kthread+0x11c/0x120

In the testcase pty04, the first process calls the write syscall to send
data to the pty master. At the same time, the workqueue will do the
flush_to_ldisc to pop data in a loop until there is no more data left.
When the sender and workqueue are running on different cores, the sender sends
data quickly the whole time, which results in the workqueue doing work in a loop
for a long time and a softlockup occurring in flush_to_ldisc with a kernel
configured without preempt. So I add a need_resched check and cond_resched
in the flush_to_ldisc loop to avoid it.</Note>
    </Notes>
    <CVE>CVE-2021-47185</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix memory ordering between normal and ordered work functions

Ordered work functions aren't guaranteed to be handled by the same thread
which executed the normal work functions. The only way execution between
normal/ordered functions is synchronized is via the WORK_DONE_BIT,
unfortunately the used bitops don't guarantee any ordering whatsoever.

This manifested as seemingly inexplicable crashes on ARM64, where
async_chunk::inode is seen as non-null in async_cow_submit which causes
submit_compressed_extents to be called and crash occurs because
async_chunk::inode suddenly became NULL. The call trace was similar to:

    pc : submit_compressed_extents+0x38/0x3d0
    lr : async_cow_submit+0x50/0xd0
    sp : ffff800015d4bc20

    &lt;registers omitted for brevity&gt;

    Call trace:
     submit_compressed_extents+0x38/0x3d0
     async_cow_submit+0x50/0xd0
     run_ordered_work+0xc8/0x280
     btrfs_work_helper+0x98/0x250
     process_one_work+0x1f0/0x4ac
     worker_thread+0x188/0x504
     kthread+0x110/0x114
     ret_from_fork+0x10/0x18

Fix this by adding respective barrier calls which ensure that all
accesses preceding setting of WORK_DONE_BIT are strictly ordered before
setting the flag. At the same time add a read barrier after reading of
WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads
would be strictly ordered after reading the bit. This in turn ensures
that all accesses before WORK_DONE_BIT are going to be strictly ordered
before any access that can occur in ordered_func.</Note>
    </Notes>
    <CVE>CVE-2021-47189</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: core: sysfs: Fix hang when device state is set via sysfs

This fixes a regression added with:

commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero after
offlinining device")

The problem is that after iSCSI recovery, iscsid will call into the kernel
to set the dev's state to running, and with that patch we now call
scsi_rescan_device() with the state_mutex held. If the SCSI error handler
thread is just starting to test the device in scsi_send_eh_cmnd() then it's
going to try to grab the state_mutex.

We are then stuck, because when scsi_rescan_device() tries to send its I/O
scsi_queue_rq() calls -&gt; scsi_host_queue_ready() -&gt; scsi_host_in_recovery()
which will return true (the host state is still in recovery) and I/O will
just be requeued. scsi_send_eh_cmnd() will then never be able to grab the
state_mutex to finish error handling.

To prevent the deadlock move the rescan-related code to after we drop the
state_mutex.

This also adds a check for if we are already in the running state. This
prevents extra scans and helps the iscsid case where if the transport class
has already onlined the device during its recovery process then we don't
need userspace to do it again plus possibly block that daemon.</Note>
    </Notes>
    <CVE>CVE-2021-47192</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cfg80211: call cfg80211_stop_ap when switch from P2P_GO type

If the userspace tools switch from NL80211_IFTYPE_P2P_GO to
NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it
does not call the cleanup cfg80211_stop_ap(), which leads to the
initialization of in-use data. For example, this path re-initializes the
sdata-&gt;assigned_chanctx_list while it is still an element of the
assigned_vifs list, and corrupts that linked list.</Note>
    </Notes>
    <CVE>CVE-2021-47194</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine

An error is detected with the following report when unloading the driver:
  "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"

The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the
flag is not cleared upon completion of the login.

This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set
to LPFC_RPI_ALLOW_ERROR.  This results in a use after free access when used
as an rpi_ids array index.

Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in
lpfc_mbx_cmpl_fc_reg_login().</Note>
    </Notes>
    <CVE>CVE-2021-47198</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap

drm_gem_ttm_mmap() drops a reference to the gem object on success. If
the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that
drop will free the gem object, and the subsequent drm_gem_object_get()
will be a UAF. Fix by grabbing a reference before calling the mmap
helper.

This issue was foreseen when the reference dropping was added in
commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"):
  "For that to work properly the drm_gem_object_get() call in
  drm_gem_ttm_mmap() must be moved so it happens before calling
  obj-&gt;funcs-&gt;mmap(), otherwise the gem refcount would go down
  to zero."</Note>
    </Notes>
    <CVE>CVE-2021-47200</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

iavf: free q_vectors before queues in iavf_disable_vf

iavf_free_queues() clears adapter-&gt;num_active_queues, which
iavf_free_q_vectors() relies on, so swap the order of these two function
calls in iavf_disable_vf(). This resolves a panic encountered when the
interface is disabled and then later brought up again after PF
communication is restored.</Note>
    </Notes>
    <CVE>CVE-2021-47201</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

thermal: Fix NULL pointer dereferences in of_thermal_ functions

of_parse_thermal_zones() parses the thermal-zones node and registers a
thermal_zone device for each subnode. However, if a thermal zone is
consuming a thermal sensor and that thermal sensor device hasn't probed
yet, an attempt to set trip_point_*_temp for that thermal zone device
can cause a NULL pointer dereference. Fix it.

 console:/sys/class/thermal/thermal_zone87 # echo 120000 &gt; trip_point_0_temp
 ...
 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
 ...
 Call trace:
  of_thermal_set_trip_temp+0x40/0xc4
  trip_point_temp_store+0xc0/0x1dc
  dev_attr_store+0x38/0x88
  sysfs_kf_write+0x64/0xc0
  kernfs_fop_write_iter+0x108/0x1d0
  vfs_write+0x2f4/0x368
  ksys_write+0x7c/0xec
  __arm64_sys_write+0x20/0x30
  el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc
  do_el0_svc+0x28/0xa0
  el0_svc+0x14/0x24
  el0_sync_handler+0x88/0xec
  el0_sync+0x1c0/0x200

While at it, fix the possible NULL pointer dereference in other
functions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(),
of_thermal_get_trend().</Note>
    </Notes>
    <CVE>CVE-2021-47202</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()

When parsing the txq list in lpfc_drain_txq(), the driver attempts to pass
the requests to the adapter. If such an attempt fails, a local "fail_msg"
string is set and a log message output.  The job is then added to a
completions list for cancellation.

Processing of any further jobs from the txq list continues, but since
"fail_msg" remains set, jobs are added to the completions list regardless
of whether a wqe was passed to the adapter.  If successfully added to
txcmplq, jobs are added to both lists resulting in list corruption.

Fix by clearing the fail_msg string after adding a job to the completions
list. This stops the subsequent jobs from being added to the completions
list unless they had an appropriate failure.</Note>
    </Notes>
    <CVE>CVE-2021-47203</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: host: ohci-tmio: check return value after calling platform_get_resource()

It will cause a null-ptr-deref if platform_get_resource() returns NULL,
so we need to check the return value.</Note>
    </Notes>
    <CVE>CVE-2021-47206</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ALSA: gus: fix null pointer dereference on pointer block

The pointer block returned from snd_gf1_dma_next_block could be
null, so there is a potential null pointer dereference issue.
Fix this by adding a null check before dereference.</Note>
    </Notes>
    <CVE>CVE-2021-47207</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Update error handler for UCTX and UMEM

In the fast unload flow, the device state is set to internal error,
which indicates that the driver started the destroy process.
In this case, when a destroy command is being executed, it should return
MLX5_CMD_STAT_OK.
Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK
instead of EIO.

This fixes a call trace in the umem release process -
[ 2633.536695] Call Trace:
[ 2633.537518]  ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]
[ 2633.538596]  remove_client_context+0x8b/0xd0 [ib_core]
[ 2633.539641]  disable_device+0x8c/0x130 [ib_core]
[ 2633.540615]  __ib_unregister_device+0x35/0xa0 [ib_core]
[ 2633.541640]  ib_unregister_device+0x21/0x30 [ib_core]
[ 2633.542663]  __mlx5_ib_remove+0x38/0x90 [mlx5_ib]
[ 2633.543640]  auxiliary_bus_remove+0x1e/0x30 [auxiliary]
[ 2633.544661]  device_release_driver_internal+0x103/0x1f0
[ 2633.545679]  bus_remove_device+0xf7/0x170
[ 2633.546640]  device_del+0x181/0x410
[ 2633.547606]  mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core]
[ 2633.548777]  mlx5_unregister_device+0x27/0x40 [mlx5_core]
[ 2633.549841]  mlx5_uninit_one+0x21/0xc0 [mlx5_core]
[ 2633.550864]  remove_one+0x69/0xe0 [mlx5_core]
[ 2633.551819]  pci_device_remove+0x3b/0xc0
[ 2633.552731]  device_release_driver_internal+0x103/0x1f0
[ 2633.553746]  unbind_store+0xf6/0x130
[ 2633.554657]  kernfs_fop_write+0x116/0x190
[ 2633.555567]  vfs_write+0xa5/0x1a0
[ 2633.556407]  ksys_write+0x4f/0xb0
[ 2633.557233]  do_syscall_64+0x5b/0x1a0
[ 2633.558071]  entry_SYSCALL_64_after_hwframe+0x65/0xca
[ 2633.568725] ---[ end trace 10b4fe52945e544d ]---</Note>
    </Notes>
    <CVE>CVE-2021-47212</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: advansys: Fix kernel pointer leak

Pointers should be printed with %p or %px rather than cast to 'unsigned
long' and printed with %lx.

Change %lx to %p to print the hashed pointer.</Note>
    </Notes>
    <CVE>CVE-2021-47216</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.</Note>
    </Notes>
    <CVE>CVE-2021-47220</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Prevent state corruption in __fpu__restore_sig()

The non-compacted slowpath uses __copy_from_user() and copies the entire
user buffer into the kernel buffer, verbatim.  This means that the kernel
buffer may now contain entirely invalid state on which XRSTOR will #GP.
validate_user_xstate_header() can detect some of that corruption, but that
leaves the onus on callers to clear the buffer.

Prior to XSAVES support, it was possible just to reinitialize the buffer,
completely, but with supervisor states that is no longer possible as the
buffer clearing code split got it backwards. Fixing that is possible but
not corrupting the state in the first place is more robust.

Avoid corruption of the kernel XSAVE buffer by using copy_user_to_xstate()
which validates the XSAVE header contents before copying the actual states
to the kernel. copy_user_to_xstate() was previously only called for
compacted-format kernel buffers, but it works for both compacted and
non-compacted forms.

Using it for the non-compacted form is slower because of multiple
__copy_from_user() operations, but that cost is less important than robust
code in an already slow path.

[ Changelog polished by Dave Hansen ]</Note>
    </Notes>
    <CVE>CVE-2021-47227</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

x86/ioremap: Map EFI-reserved memory as encrypted for SEV

Some drivers require memory that is marked as EFI boot services
data. In order for this memory to not be re-used by the kernel
after ExitBootServices(), efi_mem_reserve() is used to preserve it
by inserting a new EFI memory descriptor and marking it with the
EFI_MEMORY_RUNTIME attribute.

Under SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to
be mapped encrypted by Linux, otherwise the kernel might crash at boot
like below:

  EFI Variables Facility v0.08 2004-May-17
  general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI
  CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:efi_mokvar_entry_next
  [...]
  Call Trace:
   efi_mokvar_sysfs_init
   ? efi_mokvar_table_init
   do_one_initcall
   ? __kmalloc
   kernel_init_freeable
   ? rest_init
   kernel_init
   ret_from_fork

Expand the __ioremap_check_other() function to additionally check for
this other type of boot data reserved at runtime and indicate that it
should be mapped encrypted for an SEV guest.

 [ bp: Massage commit message. ]</Note>
    </Notes>
    <CVE>CVE-2021-47228</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

PCI: aardvark: Fix kernel panic during PIO transfer

Trying to start a new PIO transfer by writing value 0 in PIO_START register
when previous transfer has not yet completed (which is indicated by value 1
in PIO_START) causes an External Abort on CPU, which results in kernel
panic:

    SError Interrupt on CPU0, code 0xbf000002 -- SError
    Kernel panic - not syncing: Asynchronous SError Interrupt

To prevent kernel panic, it is required to reject a new PIO transfer when
previous one has not finished yet.

If previous PIO transfer is not finished yet, the kernel may issue a new
PIO request only if the previous PIO transfer timed out.

In the past the root cause of this issue was incorrectly identified (as it
often happens during link retraining or after link down event) and special
hack was implemented in Trusted Firmware to catch all SError events in EL3,
to ignore errors with code 0xbf000002 and not forwarding any other errors
to kernel and instead throw panic from EL3 Trusted Firmware handler.

Links to discussion and patches about this issue:
https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=3c7dcdac5c50
https://lore.kernel.org/linux-pci/20190316161243.29517-1-repk@triplefau.lt/
https://lore.kernel.org/linux-pci/971be151d24312cc533989a64bd454b4@www.loen.fr/
https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1541

But the real cause was the fact that during link retraining or after link
down event the PIO transfer may take longer time, up to the 1.44s until it
times out. This increased probability that a new PIO transfer would be
issued by kernel while previous one has not finished yet.

After applying this change into the kernel, it is possible to revert the
mentioned TF-A hack and SError events do not have to be caught in TF-A EL3.</Note>
    </Notes>
    <CVE>CVE-2021-47229</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Immediately reset the MMU context when the SMM flag is cleared

Immediately reset the MMU context when the vCPU's SMM flag is cleared so
that the SMM flag in the MMU role is always synchronized with the vCPU's
flag.  If RSM fails (which isn't correctly emulated), KVM will bail
without calling post_leave_smm() and leave the MMU in a bad state.

The bad MMU role can lead to a NULL pointer dereference when grabbing a
shadow page's rmap for a page fault as the initial lookups for the gfn
will happen with the vCPU's SMM flag (=0), whereas the rmap lookup will
use the shadow page's SMM flag, which comes from the MMU (=1).  SMM has
an entirely different set of memslots, and so the initial lookup can find
a memslot (SMM=0) and then explode on the rmap memslot lookup (SMM=1).

  general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  CPU: 1 PID: 8410 Comm: syz-executor382 Not tainted 5.13.0-rc5-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [inline]
  RIP: 0010:gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947
  Call Trace:
   rmap_add arch/x86/kvm/mmu/mmu.c:965 [inline]
   mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604
   __direct_map arch/x86/kvm/mmu/mmu.c:2862 [inline]
   direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769
   kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [inline]
   kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/mmu/mmu.c:5065
   vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122
   vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428
   vcpu_run+0x416/0xc20 arch/x86/kvm/x86.c:9494
   kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722
   kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3460
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:1069 [inline]
   __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055
   do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  RIP: 0033:0x440ce9</Note>
    </Notes>
    <CVE>CVE-2021-47230</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

can: mcba_usb: fix memory leak in mcba_usb

Syzbot reported memory leak in SocketCAN driver for Microchip CAN BUS
Analyzer Tool. The problem was in unfreed usb_coherent.

In mcba_usb_start() 20 coherent buffers are allocated and there is
nothing, that frees them:

1) In callback function the urb is resubmitted and that's all
2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
   is not set (see mcba_usb_start) and this flag cannot be used with
   coherent buffers.

Fail log:
| [ 1354.053291][ T8413] mcba_usb 1-1:0.0 can0: device disconnected
| [ 1367.059384][ T8420] kmemleak: 20 new suspected memory leaks (see /sys/kernel/debug/kmem)

So, all allocated buffers should be freed with usb_free_coherent()
explicitly.

NOTE:
The same pattern for allocating and freeing coherent buffers
is used in drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c</Note>
    </Notes>
    <CVE>CVE-2021-47231</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: fix potential use-after-free in ec_bhf_remove

static void ec_bhf_remove(struct pci_dev *dev)
{
...
	struct ec_bhf_priv *priv = netdev_priv(net_dev);

	unregister_netdev(net_dev);
	free_netdev(net_dev);

	pci_iounmap(dev, priv-&gt;dma_io);
	pci_iounmap(dev, priv-&gt;io);
...
}

priv is netdev private data, but it is used
after free_netdev(). It can cause use-after-free when accessing priv
pointer. So, fix it by moving free_netdev() after pci_iounmap()
calls.</Note>
    </Notes>
    <CVE>CVE-2021-47235</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: cdc_eem: fix tx fixup skb leak

When usbnet transmits an skb, eem fixes it up in eem_tx_fixup().
If skb_copy_expand() fails, it returns NULL, and
usbnet_start_xmit() has no chance to free the original skb.

Fix it by freeing the original skb in eem_tx_fixup() first,
then checking the skb clone status; if it failed, return NULL to usbnet.</Note>
    </Notes>
    <CVE>CVE-2021-47236</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: usb: fix possible use-after-free in smsc75xx_bind

The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")
fails to clean up the work scheduled in smsc75xx_reset-&gt;
smsc75xx_set_multicast, which leads to use-after-free if the work is
scheduled to start after the deallocation. In addition, this patch
also removes a dangling pointer - dev-&gt;data[0].

This patch calls cancel_work_sync to cancel the scheduled work and set
the dangling pointer to NULL.</Note>
    </Notes>
    <CVE>CVE-2021-47239</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ethtool: strset: fix message length calculation

Outer nest for ETHTOOL_A_STRSET_STRINGSETS is not accounted for.
This may result in ETHTOOL_MSG_STRSET_GET producing a warning like:

    calculated message payload length (684) not sufficient
    WARNING: CPU: 0 PID: 30967 at net/ethtool/netlink.c:369 ethnl_default_doit+0x87a/0xa20

and a splat.

As usual with such warnings, three conditions must be met for the warning
to trigger:
 - there must be no skb size rounding up (e.g. reply_size of 684);
 - string set must be per-device (so that the header gets populated);
 - the device name must be at least 12 characters long.

All in all, with current user space it looks like reading priv flags
is the only place this could potentially happen. Or with syzbot :)</Note>
    </Notes>
    <CVE>CVE-2021-47241</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix page reclaim for dead peer hairpin

When adding a hairpin flow, a firmware-side send queue is created for
the peer net device, which claims some host memory pages for its
internal ring buffer. If the peer net device is removed/unbound before
the hairpin flow is deleted, then the send queue is not destroyed which
leads to a stack trace on pci device remove:

[ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource
[ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110
[ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0
[ 748.002171] ------------[ cut here ]------------
[ 748.001177] FW pages counter is 4 after reclaiming all pages
[ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core]
[  +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core]
[ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1
[ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core]
[ 748.001654] Call Trace:
[ 748.000576]  ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core]
[ 748.001416]  ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core]
[ 748.001354]  ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core]
[ 748.001203]  mlx5_function_teardown+0x30/0x60 [mlx5_core]
[ 748.001275]  mlx5_uninit_one+0xa7/0xc0 [mlx5_core]
[ 748.001200]  remove_one+0x5f/0xc0 [mlx5_core]
[ 748.001075]  pci_device_remove+0x9f/0x1d0
[ 748.000833]  device_release_driver_internal+0x1e0/0x490
[ 748.001207]  unbind_store+0x19f/0x200
[ 748.000942]  ? sysfs_file_ops+0x170/0x170
[ 748.001000]  kernfs_fop_write_iter+0x2bc/0x450
[ 748.000970]  new_sync_write+0x373/0x610
[ 748.001124]  ? new_sync_read+0x600/0x600
[ 748.001057]  ? lock_acquire+0x4d6/0x700
[ 748.000908]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 748.001126]  ? fd_install+0x1c9/0x4d0
[ 748.000951]  vfs_write+0x4d0/0x800
[ 748.000804]  ksys_write+0xf9/0x1d0
[ 748.000868]  ? __x64_sys_read+0xb0/0xb0
[ 748.000811]  ? filp_open+0x50/0x50
[ 748.000919]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 748.001223]  do_syscall_64+0x3f/0x80
[ 748.000892]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 748.00
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47246</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix use-after-free of encap entry in neigh update handler

Function mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock
removal from TC filter update path and properly handle concurrent encap
entry insertion/deletion which can lead to following use-after-free:

 [23827.464923] ==================================================================
 [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]
 [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635
 [23827.472251]
 [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5
 [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]
 [23827.476731] Call Trace:
 [23827.477260]  dump_stack+0xbb/0x107
 [23827.477906]  print_address_description.constprop.0+0x18/0x140
 [23827.478896]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
 [23827.479879]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
 [23827.480905]  kasan_report.cold+0x7c/0xd8
 [23827.481701]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
 [23827.482744]  kasan_check_range+0x145/0x1a0
 [23827.493112]  mlx5e_encap_take+0x72/0x140 [mlx5_core]
 [23827.494054]  ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]
 [23827.495296]  mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]
 [23827.496338]  ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]
 [23827.497486]  ? read_word_at_a_time+0xe/0x20
 [23827.498250]  ? strscpy+0xa0/0x2a0
 [23827.498889]  process_one_work+0x8ac/0x14e0
 [23827.499638]  ? lockdep_hardirqs_on_prepare+0x400/0x400
 [23827.500537]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
 [23827.501359]  ? rwlock_bug.part.0+0x90/0x90
 [23827.502116]  worker_thread+0x53b/0x1220
 [23827.502831]  ? process_one_work+0x14e0/0x14e0
 [23827.503627]  kthread+0x328/0x3f0
 [23827.504254]  ? _raw_spin_unlock_irq+0x24/0x40
 [23827.505065]  ? __kthread_bind_mask+0x90/0x90
 [23827.505912]  ret_from_fork+0x1f/0x30
 [23827.506621]
 [23827.506987] Allocated by task 28248:
 [23827.507694]  kasan_save_stack+0x1b/0x40
 [23827.508476]  __kasan_kmalloc+0x7c/0x90
 [23827.509197]  mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]
 [23827.510194]  mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]
 [23827.511218]  __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]
 [23827.512234]  mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]
 [23827.513298]  tc_setup_cb_add+0x1d5/0x420
 [23827.514023]  fl_hw_replace_filter+0x382/0x6a0 [cls_flower]
 [23827.514975]  fl_change+0x2ceb/0x4a51 [cls_flower]
 [23827.515821]  tc_new_tfilter+0x89a/0x2070
 [23827.516548]  rtnetlink_rcv_msg+0x644/0x8c0
 [23827.517300]  netlink_rcv_skb+0x11d/0x340
 [23827.518021]  netlink_unicast+0x42b/0x700
 [23827.518742]  netlink_sendmsg+0x743/0xc20
 [23827.519467]  sock_sendmsg+0xb2/0xe0
 [23827.520131]  ____sys_sendmsg+0x590/0x770
 [23827.520851]  ___sys_sendmsg+0xd8/0x160
 [23827.521552]  __sys_sendmsg+0xb7/0x140
 [23827.522238]  do_syscall_64+0x3a/0x70
 [23827.522907]  entry_SYSCALL_64_after_hwframe+0x44/0xae
 [23827.523797]
 [23827.524163] Freed by task 25948:
 [23827.524780]  kasan_save_stack+0x1b/0x40
 [23827.525488]  kasan_set_track+0x1c/0x30
 [23827.526187]  kasan_set_free_info+0x20/0x30
 [23827.526968]  __kasan_slab_free+0xed/0x130
 [23827.527709]  slab_free_freelist_hook+0xcf/0x1d0
 [23827.528528]  kmem_cache_free_bulk+0x33a/0x6e0
 [23827.529317]  kfree_rcu_work+0x55f/0xb70
 [23827.530024]  process_one_work+0x8ac/0x14e0
 [23827.530770]  worker_thread+0x53b/0x1220
 [23827.531480]  kthread+0x328/0x3f0
 [23827.532114]  ret_from_fork+0x1f/0x30
 [23827.532785]
 [23827.533147] Last potentially related work creation:
 [23827.534007]  kasan_save_stack+0x1b/0x40
 [23827.534710]  kasan_record_aux_stack+0xab/0xc0
 [23827.535492]  kvfree_call_rcu+0x31/0x7b0
 [23827.536206]  mlx5e_tc_del
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47247</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

batman-adv: Avoid WARN_ON timing related checks

The soft/batadv interface for a queued OGM can be changed during the time
the OGM was queued for transmission and when the OGM is actually
transmitted by the worker.

But WARN_ON must be used to denote kernel bugs and not to print simple
warnings. A warning can simply be printed using pr_warn.</Note>
    </Notes>
    <CVE>CVE-2021-47252</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix potential memory leak in DMUB hw_init

[Why]
On resume we perform DMUB hw_init which allocates memory:
dm_resume-&gt;dm_dmub_hw_init-&gt;dc_dmub_srv_create-&gt;kzalloc
That results in memory leak in suspend/resume scenarios.

[How]
Allocate memory for the DC wrapper to DMUB only if it was not
allocated before.
No need to reallocate it on suspend/resume.</Note>
    </Notes>
    <CVE>CVE-2021-47253</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix use-after-free in gfs2_glock_shrink_scan

The GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to
remove the glock from the lru list in __gfs2_glock_put().

On the shrink scan path, the same flag is cleared under lru_lock but because
of cond_resched_lock(&amp;lru_lock) in gfs2_dispose_glock_lru(), progress on the
put side can be made without deleting the glock from the lru list.

Keep GLF_LRU across the race window opened by cond_resched_lock(&amp;lru_lock) to
ensure correct behavior on both sides - clear GLF_LRU after list_del under
lru_lock.</Note>
    </Notes>
    <CVE>CVE-2021-47254</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

kvm: LAPIC: Restore guard to prevent illegal APIC register access

Per the SDM, "any access that touches bytes 4 through 15 of an APIC
register may cause undefined behavior and must not be executed."
Worse, such an access in kvm_lapic_reg_read can result in a leak of
kernel stack contents. Prior to commit 01402cf81051 ("kvm: LAPIC:
write down valid APIC registers"), such an access was explicitly
disallowed. Restore the guard that was removed in that commit.</Note>
    </Notes>
    <CVE>CVE-2021-47255</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix error handling of scsi_host_alloc()

After device is initialized via device_initialize(), or its name is set via
dev_set_name(), the device has to be freed via put_device().  Otherwise
device name will be leaked because it is allocated dynamically in
dev_set_name().

Fix the leak by replacing kfree() with put_device(). Since
scsi_host_dev_release() properly handles IDA and kthread removal, remove
special-casing these from the error handling as well.</Note>
    </Notes>
    <CVE>CVE-2021-47258</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix use-after-free in nfs4_init_client()

KASAN reports a use-after-free when attempting to mount two different
exports through two different NICs that belong to the same server.

Olga was able to hit this with kernels starting somewhere between 5.7
and 5.10, but I traced the patch that introduced the clear_bit() call to
4.13. So something must have changed in the refcounting of the clp
pointer to make this call to nfs_put_client() the very last one.</Note>
    </Notes>
    <CVE>CVE-2021-47259</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix a potential NULL dereference in nfs_get_client()

None of the callers are expecting NULL returns from nfs_get_client() so
this code will lead to an Oops.  It's better to return an error
pointer.  I expect that this is dead code so hopefully no one is
affected.</Note>
    </Notes>
    <CVE>CVE-2021-47260</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

IB/mlx5: Fix initializing CQ fragments buffer

The function init_cq_frag_buf() can be called to initialize the current CQ
fragments buffer cq-&gt;buf, or the temporary cq-&gt;resize_buf that is filled
during CQ resize operation.

However, the offending commit started to use function get_cqe() for
getting the CQEs. The issue with this change is that get_cqe() always
returns CQEs from cq-&gt;buf, which leads us to initialize the wrong buffer,
and in case of enlarging the CQ we try to access elements beyond the size
of the current cq-&gt;buf and eventually hit a kernel panic.

 [exception RIP: init_cq_frag_buf+103]
  [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib]
  [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core]
  [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt]
  [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt]
  [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt]
  [ffff9f799ddcbec8] kthread at ffffffffa66c5da1
  [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd

Fix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that
takes the correct source buffer as a parameter.</Note>
    </Notes>
    <CVE>CVE-2021-47261</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

gpio: wcd934x: Fix shift-out-of-bounds error

bit-mask for pins 0 to 4 is BIT(0) to BIT(4) however we ended up with BIT(n - 1)
which is not right, and this was caught by the below UBSAN check

UBSAN: shift-out-of-bounds in drivers/gpio/gpio-wcd934x.c:34:14</Note>
    </Notes>
    <CVE>CVE-2021-47263</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA: Verify port when creating flow rule

Validate port value provided by the user and with that remove no longer
needed validation by the driver.  The missing check in the mlx5_ib driver
could cause the below oops.

Call trace:
  _create_flow_rule+0x2d4/0xf28 [mlx5_ib]
  mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib]
  ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs]
  ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs]
  ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs]
  ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs]
  do_vfs_ioctl+0xd0/0xaf0
  ksys_ioctl+0x84/0xb4
  __arm64_sys_ioctl+0x28/0xc4
  el0_svc_common.constprop.3+0xa4/0x254
  el0_svc_handler+0x84/0xa0
  el0_svc+0x10/0x26c
 Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a)</Note>
    </Notes>
    <CVE>CVE-2021-47265</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: fix various gadget panics on 10gbps cabling

usb_assign_descriptors() is called with 5 parameters,
the last 4 of which are the usb_descriptor_header for:
  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps]),
  high-speed (USB2.0 - 480Mbps),
  super-speed (USB3.0 - 5Gbps),
  super-speed-plus (USB3.1 - 10Gbps).

The differences between full/high/super-speed descriptors are usually
substantial (due to changes in the maximum usb block size from 64 to 512
to 1024 bytes and other differences in the specs), while the difference
between 5 and 10Gbps descriptors may be as little as nothing
(in many cases the same tuning is simply good enough).

However if a gadget driver calls usb_assign_descriptors() with
a NULL descriptor for super-speed-plus and is then used on a max 10gbps
configuration, the kernel will crash with a null pointer dereference,
when a 10gbps capable device port + cable + host port combination shows up.
(This wouldn't happen if the gadget max-speed was set to 5gbps, but
it of course defaults to the maximum, and there's no real reason to
artificially limit it)

The fix is to simply use the 5gbps descriptor as the 10gbps descriptor,
if a 10gbps descriptor wasn't provided.

Obviously this won't fix the problem if the 5gbps descriptor is also
NULL, but such cases can't be so trivially solved (and any such gadgets
are unlikely to be used with USB3 ports anyway).</Note>
    </Notes>
    <CVE>CVE-2021-47267</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: ep0: fix NULL pointer exception

There is no validation of the index from dwc3_wIndex_to_dep() and we might
be referring to a non-existing ep and trigger a NULL pointer exception. In
certain configurations we might use fewer eps and the index might wrongly
indicate a larger ep index than existing.

By adding this validation from the patch we can actually report a wrong
index back to the caller.

In our usecase we are using a composite device on an older kernel, but
upstream might use this fix also. Unfortunately, I cannot describe the
hardware for others to reproduce the issue as it is a proprietary
implementation.

[   82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4
[   82.966891] Mem abort info:
[   82.969663]   ESR = 0x96000006
[   82.972703]   Exception class = DABT (current EL), IL = 32 bits
[   82.978603]   SET = 0, FnV = 0
[   82.981642]   EA = 0, S1PTW = 0
[   82.984765] Data abort info:
[   82.987631]   ISV = 0, ISS = 0x00000006
[   82.991449]   CM = 0, WnR = 0
[   82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc
[   83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000
[   83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[   83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)
[   83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1
[   83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)
[   83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c
[   83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94

...

[   83.141788] Call trace:
[   83.144227]  dwc3_ep0_handle_feature+0x414/0x43c
[   83.148823]  dwc3_ep0_interrupt+0x3b4/0xc94
[   83.181546] ---[ end trace aac6b5267d84c32f ]---</Note>
    </Notes>
    <CVE>CVE-2021-47269</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: fix various gadgets null ptr deref on 10gbps cabling.

This avoids a null pointer dereference in
f_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm}
by simply reusing the 5gbps config for 10gbps.</Note>
    </Notes>
    <CVE>CVE-2021-47270</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tracing: Correct the length check which causes memory corruption

We've suffered from severe kernel crashes due to memory corruption on
our production environment, like,

Call Trace:
[1640542.554277] general protection fault: 0000 [#1] SMP PTI
[1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G
[1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190
[1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286
[1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX:
0000000006e931bf
[1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI:
ffff9a45ff004300
[1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09:
0000000000000000
[1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12:
ffffffff9a20608d
[1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15:
696c662f65636976
[1640542.563128] FS:  00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000)
knlGS:0000000000000000
[1640542.563937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4:
00000000003606e0
[1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[1640542.566742] Call Trace:
[1640542.567009]  anon_vma_clone+0x5d/0x170
[1640542.567417]  __split_vma+0x91/0x1a0
[1640542.567777]  do_munmap+0x2c6/0x320
[1640542.568128]  vm_munmap+0x54/0x70
[1640542.569990]  __x64_sys_munmap+0x22/0x30
[1640542.572005]  do_syscall_64+0x5b/0x1b0
[1640542.573724]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[1640542.575642] RIP: 0033:0x7f45d6e61e27

James Wang has reproduced it stably on the latest 4.19 LTS.
After some debugging, we finally proved that it's due to ftrace
buffer out-of-bound access using a debug tool as follows:
[   86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000
[   86.780806]  no_context+0xdf/0x3c0
[   86.784327]  __do_page_fault+0x252/0x470
[   86.788367]  do_page_fault+0x32/0x140
[   86.792145]  page_fault+0x1e/0x30
[   86.795576]  strncpy_from_unsafe+0x66/0xb0
[   86.799789]  fetch_memory_string+0x25/0x40
[   86.804002]  fetch_deref_string+0x51/0x60
[   86.808134]  kprobe_trace_func+0x32d/0x3a0
[   86.812347]  kprobe_dispatcher+0x45/0x50
[   86.816385]  kprobe_ftrace_handler+0x90/0xf0
[   86.820779]  ftrace_ops_assist_func+0xa1/0x140
[   86.825340]  0xffffffffc00750bf
[   86.828603]  do_sys_open+0x5/0x1f0
[   86.832124]  do_syscall_64+0x5b/0x1b0
[   86.835900]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

commit b220c049d519 ("tracing: Check length before giving out
the filter buffer") adds length check to protect trace data
overflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent
overflow entirely, the length check should also take the sizeof
entry-&gt;array[0] into account, since this array[0] is filled with the
length of trace data and occupies additional space and risks overflow.</Note>
    </Notes>
    <CVE>CVE-2021-47274</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

bcache: avoid oversized read request in cache missing code path

In the cache missing code path of cached device, if a proper location
from the internal B+ tree is matched for a cache miss range, function
cached_dev_cache_miss() will be called in cache_lookup_fn() in the
following code block,
[code block 1]
  526         unsigned int sectors = KEY_INODE(k) == s-&gt;iop.inode
  527                 ? min_t(uint64_t, INT_MAX,
  528                         KEY_START(k) - bio-&gt;bi_iter.bi_sector)
  529                 : INT_MAX;
  530         int ret = s-&gt;d-&gt;cache_miss(b, s, bio, sectors);

Here s-&gt;d-&gt;cache_miss() is the callback function pointer initialized as
cached_dev_cache_miss(), the last parameter 'sectors' is an important
hint to calculate the size of read request to backing device of the
missing cache data.

Current calculation in above code block may generate oversized value of
'sectors', which consequently may trigger 2 different potential kernel
panics by BUG() or BUG_ON() as listed below,

1) BUG_ON() inside bch_btree_insert_key(),
[code block 2]
   886         BUG_ON(b-&gt;ops-&gt;is_extents &amp;&amp; !KEY_SIZE(k));
2) BUG() inside biovec_slab(),
[code block 3]
   51         default:
   52                 BUG();
   53                 return NULL;

All the above panics originate from cached_dev_cache_miss() by the
oversized parameter 'sectors'.

Inside cached_dev_cache_miss(), parameter 'sectors' is used to calculate
the size of data read from backing device for the cache missing. This
size is stored in s-&gt;insert_bio_sectors by the following lines of code,
[code block 4]
  909    s-&gt;insert_bio_sectors = min(sectors, bio_sectors(bio) + reada);

Then the actual key inserting to the internal B+ tree is generated and
stored in s-&gt;iop.replace_key by the following lines of code,
[code block 5]
  911   s-&gt;iop.replace_key = KEY(s-&gt;iop.inode,
  912                    bio-&gt;bi_iter.bi_sector + s-&gt;insert_bio_sectors,
  913                    s-&gt;insert_bio_sectors);
The oversized parameter 'sectors' may trigger panic 1) by BUG_ON() from
the above code block.

And the bio sending to backing device for the missing data is allocated
with hint from s-&gt;insert_bio_sectors by the following lines of code,
[code block 6]
  926    cache_bio = bio_alloc_bioset(GFP_NOWAIT,
  927                 DIV_ROUND_UP(s-&gt;insert_bio_sectors, PAGE_SECTORS),
  928                 &amp;dc-&gt;disk.bio_split);
The oversized parameter 'sectors' may trigger panic 2) by BUG() from the
above code block.

Now let me explain how the panics happen with the oversized 'sectors'.
In code block 5, replace_key is generated by macro KEY(). From the
definition of macro KEY(),
[code block 7]
  71 #define KEY(inode, offset, size)                                  \
  72 ((struct bkey) {                                                  \
  73      .high = (1ULL &lt;&lt; 63) | ((__u64) (size) &lt;&lt; 20) | (inode),     \
  74      .low = (offset)                                              \
  75 })

Here 'size' is 16 bits wide, embedded in the 64-bit member 'high' of struct
bkey. But in code block 1, "KEY_START(k) - bio-&gt;bi_iter.bi_sector" is
very likely to be larger than (1&lt;&lt;16) - 1, which makes the bkey size
calculation in code block 5 overflow. In one bug report the value
of parameter 'sectors' is 131072 (= 1 &lt;&lt; 17); the overflowed 'sectors'
results in the overflowed s-&gt;insert_bio_sectors in code block 4, then makes
size field of s-&gt;iop.replace_key to be 0 in code block 5. Then the 0-
sized s-&gt;iop.replace_key is inserted into the internal B+ tree as cache
missing check key (a special key to detect and avoid a racing between
normal write request and cache missing read request) as,
[code block 8]
  915   ret = bch_btree_insert_check_key(b, &amp;s-&gt;op, &amp;s-&gt;iop.replace_key);

Then the 0-sized s-&gt;iop.replace_key as 3rd parameter triggers the bkey
size check BUG_ON() in code block 2, and causes the kernel panic 1).

Another ke
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47275</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ftrace: Do not blindly read the ip address in ftrace_bug()

It was reported that a bug on arm64 caused a bad ip address to be used for
updating into a nop in ftrace_init(), but the error path (rightfully)
returned -EINVAL and not -EFAULT, as the bug caused more than one error to
occur. But because -EINVAL was returned, the ftrace_bug() tried to report
what was at the location of the ip address, and read it directly. This
caused the machine to panic, as the ip was not pointing to a valid memory
address.

Instead, read the ip address with copy_from_kernel_nofault() to safely
access the memory, and if it faults, report that the address faulted,
otherwise report what was in that location.</Note>
    </Notes>
    <CVE>CVE-2021-47276</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm: Fix use-after-free read in drm_getunique()

There is a time-of-check-to-time-of-use error in drm_getunique() due
to retrieving file_priv-&gt;master prior to locking the device's master
mutex.

An example can be seen in the crash report of the use-after-free error
found by Syzbot:
https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803

In the report, the master pointer was used after being freed. This is
because another process had acquired the device's master mutex in
drm_setmaster_ioctl(), then overwrote fpriv-&gt;master in
drm_new_set_master(). The old value of fpriv-&gt;master was subsequently
freed before the mutex was unlocked.

To fix this, we lock the device's master mutex before retrieving the
pointer from fpriv-&gt;master. This patch passes the Syzbot
reproducer test.</Note>
    </Notes>
    <CVE>CVE-2021-47280</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ALSA: seq: Fix race of snd_seq_timer_open()

The timer instance per queue is exclusive, and snd_seq_timer_open()
should have managed the concurrent accesses.  It looks as if it's
checking the already existing timer instance at the beginning, but
it's not right, because there is no protection, hence any later
concurrent call of snd_seq_timer_open() may override the timer
instance easily.  This may result in UAF, as the leftover timer
instance can keep running while the queue itself gets closed, as
spotted by syzkaller recently.

For avoiding the race, add a proper check at the assignment of
tmr-&gt;timeri again, and return -EBUSY if it's been already registered.</Note>
    </Notes>
    <CVE>CVE-2021-47281</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

isdn: mISDN: netjet: Fix crash in nj_probe:

'nj_setup' in netjet.c might fail with -EIO and in this case
'card-&gt;irq' is initialized and is bigger than zero. A subsequent call to
'nj_release' will free the irq that has not been requested.

Fix this bug by deleting the previous assignment to 'card-&gt;irq' and just
keep the assignment before 'request_irq'.

The KASAN's log reveals it:

[    3.354615 ] WARNING: CPU: 0 PID: 1 at kernel/irq/manage.c:1826
free_irq+0x100/0x480
[    3.355112 ] Modules linked in:
[    3.355310 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
5.13.0-rc1-00144-g25a1298726e #13
[    3.355816 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    3.356552 ] RIP: 0010:free_irq+0x100/0x480
[    3.362175 ] Call Trace:
[    3.362175 ]  nj_release+0x51/0x1e0
[    3.362175 ]  nj_probe+0x450/0x950
[    3.362175 ]  ? pci_device_remove+0x110/0x110
[    3.362175 ]  local_pci_probe+0x45/0xa0
[    3.362175 ]  pci_device_probe+0x12b/0x1d0
[    3.362175 ]  really_probe+0x2a9/0x610
[    3.362175 ]  driver_probe_device+0x90/0x1d0
[    3.362175 ]  ? mutex_lock_nested+0x1b/0x20
[    3.362175 ]  device_driver_attach+0x68/0x70
[    3.362175 ]  __driver_attach+0x124/0x1b0
[    3.362175 ]  ? device_driver_attach+0x70/0x70
[    3.362175 ]  bus_for_each_dev+0xbb/0x110
[    3.362175 ]  ? rdinit_setup+0x45/0x45
[    3.362175 ]  driver_attach+0x27/0x30
[    3.362175 ]  bus_add_driver+0x1eb/0x2a0
[    3.362175 ]  driver_register+0xa9/0x180
[    3.362175 ]  __pci_register_driver+0x82/0x90
[    3.362175 ]  ? w6692_init+0x38/0x38
[    3.362175 ]  nj_init+0x36/0x38
[    3.362175 ]  do_one_initcall+0x7f/0x3d0
[    3.362175 ]  ? rdinit_setup+0x45/0x45
[    3.362175 ]  ? rcu_read_lock_sched_held+0x4f/0x80
[    3.362175 ]  kernel_init_freeable+0x2aa/0x301
[    3.362175 ]  ? rest_init+0x2c0/0x2c0
[    3.362175 ]  kernel_init+0x18/0x190
[    3.362175 ]  ? rest_init+0x2c0/0x2c0
[    3.362175 ]  ? rest_init+0x2c0/0x2c0
[    3.362175 ]  ret_from_fork+0x1f/0x30
[    3.362175 ] Kernel panic - not syncing: panic_on_warn set ...
[    3.362175 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
5.13.0-rc1-00144-g25a1298726e #13
[    3.362175 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    3.362175 ] Call Trace:
[    3.362175 ]  dump_stack+0xba/0xf5
[    3.362175 ]  ? free_irq+0x100/0x480
[    3.362175 ]  panic+0x15a/0x3f2
[    3.362175 ]  ? __warn+0xf2/0x150
[    3.362175 ]  ? free_irq+0x100/0x480
[    3.362175 ]  __warn+0x108/0x150
[    3.362175 ]  ? free_irq+0x100/0x480
[    3.362175 ]  report_bug+0x119/0x1c0
[    3.362175 ]  handle_bug+0x3b/0x80
[    3.362175 ]  exc_invalid_op+0x18/0x70
[    3.362175 ]  asm_exc_invalid_op+0x12/0x20
[    3.362175 ] RIP: 0010:free_irq+0x100
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47284</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.</Note>
    </Notes>
    <CVE>CVE-2021-47285</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()

Fix an 11-year old bug in ngene_command_config_free_buf() while
addressing the following warnings caught with -Warray-bounds:

arch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]
arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]

The problem is that the original code is trying to copy 6 bytes of
data into a one-byte size member _config_ of the wrong structure
FW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a
legitimate compiler warning because memcpy() overruns the length
of &amp;com.cmd.ConfigureBuffers.config. It seems that the right
structure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains
6 more members apart from the header _hdr_. Also, the name of
the function ngene_command_config_free_buf() suggests that the actual
intention is to ConfigureFreeBuffers, instead of ConfigureBuffers
(which takes place in the function ngene_command_config_buf(), above).

Fix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS
into new struct config, and use &amp;com.cmd.ConfigureFreeBuffers.config as
the destination address, instead of &amp;com.cmd.ConfigureBuffers.config,
when calling memcpy().

This also helps with the ongoing efforts to globally enable
-Warray-bounds and get us closer to being able to tighten the
FORTIFY_SOURCE routines on memcpy().</Note>
    </Notes>
    <CVE>CVE-2021-47288</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ACPI: fix NULL pointer dereference

Commit 71f642833284 ("ACPI: utils: Fix reference counting in
for_each_acpi_dev_match()") started doing "acpi_dev_put()" on a pointer
that was possibly NULL.  That fails miserably, because that helper
inline function is not set up to handle that case.

Just make acpi_dev_put() silently accept a NULL pointer, rather than
calling down to put_device() with an invalid offset off that NULL
pointer.</Note>
    </Notes>
    <CVE>CVE-2021-47289</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak

vcpu_put is not called if the user copy fails. This can result in preempt
notifier corruption and crashes, among other issues.</Note>
    </Notes>
    <CVE>CVE-2021-47296</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

igb: Fix use-after-free error during reset

Cleans the next descriptor to watch (next_to_watch) when cleaning the
TX ring.

Failure to do so can cause invalid memory accesses. If igb_poll() runs
while the controller is reset this can lead to the driver trying to free
an skb that was already freed.

(The crash is harder to reproduce with the igb driver, but the same
potential problem exists as the code is identical to igc)</Note>
    </Notes>
    <CVE>CVE-2021-47301</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

igc: Fix use-after-free error during reset

Cleans the next descriptor to watch (next_to_watch) when cleaning the
TX ring.

Failure to do so can cause invalid memory accesses. If igc_poll() runs
while the controller is being reset this can lead to the driver trying to
free an skb that was already freed.

Log message:

 [  101.525242] refcount_t: underflow; use-after-free.
 [  101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0
 [  101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G            E     5.10.30-rt37-tsn1-rt-ipipe #ipipe
 [  101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017
 [  101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0
 [  101.525343] Call Trace:
 [  101.525346]  sock_wfree+0x9c/0xa0
 [  101.525353]  unix_destruct_scm+0x7b/0xa0
 [  101.525358]  skb_release_head_state+0x40/0x90
 [  101.525362]  skb_release_all+0xe/0x30
 [  101.525364]  napi_consume_skb+0x57/0x160
 [  101.525367]  igc_poll+0xb7/0xc80 [igc]
 [  101.525376]  ? sched_clock+0x5/0x10
 [  101.525381]  ? sched_clock_cpu+0xe/0x100
 [  101.525385]  net_rx_action+0x14c/0x410
 [  101.525388]  __do_softirq+0xe9/0x2f4
 [  101.525391]  __local_bh_enable_ip+0xe3/0x110
 [  101.525395]  ? irq_finalize_oneshot.part.47+0xe0/0xe0
 [  101.525398]  irq_forced_thread_fn+0x6a/0x80
 [  101.525401]  irq_thread+0xe8/0x180
 [  101.525403]  ? wake_threads_waitq+0x30/0x30
 [  101.525406]  ? irq_thread_check_affinity+0xd0/0xd0
 [  101.525408]  kthread+0x183/0x1a0
 [  101.525412]  ? kthread_park+0x80/0x80
 [  101.525415]  ret_from_fork+0x22/0x30</Note>
    </Notes>
    <CVE>CVE-2021-47302</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dma-buf/sync_file: Don't leak fences on merge failure

Each add_fence() call does a dma_fence_get() on the relevant fence.  In
the error path, we weren't calling dma_fence_put() so all those fences
got leaked.  Also, in the krealloc_array failure case, we weren't
freeing the fences array.  Instead, ensure that i and fences are always
zero-initialized and dma_fence_put() all the fences and kfree(fences) on
every error path.</Note>
    </Notes>
    <CVE>CVE-2021-47305</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cifs: prevent NULL deref in cifs_compose_mount_options()

The optional @ref parameter might contain a NULL node_name, so
prevent dereferencing it in cifs_compose_mount_options().

Addresses-Coverity: 1476408 ("Explicit null dereferenced")</Note>
    </Notes>
    <CVE>CVE-2021-47307</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: libfc: Fix array index out of bound exception

Fix array index out of bound exception in fc_rport_prli_resp().</Note>
    </Notes>
    <CVE>CVE-2021-47308</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: qcom/emac: fix UAF in emac_remove

adpt is netdev private data and it cannot be
used after free_netdev() call. Using adpt after free_netdev()
can cause a UAF bug. Fix it by moving free_netdev() to the end of the
function.</Note>
    </Notes>
    <CVE>CVE-2021-47311</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

memory: fsl_ifc: fix leak of private memory on probe failure

On probe error the driver should free the memory allocated for private
structure.  Fix this by using resource-managed allocation.</Note>
    </Notes>
    <CVE>CVE-2021-47314</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

memory: fsl_ifc: fix leak of IO mapping on probe failure

On probe error the driver should unmap the IO memory.  Smatch reports:

  drivers/memory/fsl_ifc.c:298 fsl_ifc_ctrl_probe() warn: 'fsl_ifc_ctrl_dev-&gt;gregs' not released on lines: 298.</Note>
    </Notes>
    <CVE>CVE-2021-47315</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nfs: fix acl memory leak of posix_acl_create()

When looking into another nfs xfstests report, I found acl and
default_acl in nfs3_proc_create() and nfs3_proc_mknod() error
paths are possibly leaked. Fix them in advance.</Note>
    </Notes>
    <CVE>CVE-2021-47320</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

watchdog: Fix possible use-after-free by calling del_timer_sync()

This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished and is unable to re-schedule itself.</Note>
    </Notes>
    <CVE>CVE-2021-47321</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished and is unable to re-schedule itself.</Note>
    </Notes>
    <CVE>CVE-2021-47323</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

watchdog: Fix possible use-after-free in wdt_startup()

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished and is unable to re-schedule itself.</Note>
    </Notes>
    <CVE>CVE-2021-47324</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: iscsi: Fix conn use after free during resets

If we haven't done an unbind target call we can race where
iscsi_conn_teardown wakes up the EH thread and then frees the conn while
those threads are still accessing the conn ehwait.

We can only do one TMF per session so this just moves the TMF fields from
the conn to the session. We can then rely on the
iscsi_session_teardown-&gt;iscsi_remove_session-&gt;__iscsi_unbind_session call
to remove the target and its devices, and know after that point there is
no device or scsi-ml callout trying to access the session.</Note>
    </Notes>
    <CVE>CVE-2021-47328</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: megaraid_sas: Fix resource leak in case of probe failure

The driver doesn't clean up all the allocated resources properly when
scsi_add_host(), megasas_start_aen() function fails during the PCI device
probe.

Clean up all those resources.</Note>
    </Notes>
    <CVE>CVE-2021-47329</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tty: serial: 8250: serial_cs: Fix a memory leak in error handling path

In the probe function, if the final 'serial_config()' fails, 'info' is
leaking.

Add a resource handling path to free this memory.</Note>
    </Notes>
    <CVE>CVE-2021-47330</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ALSA: usx2y: Don't call free_pages_exact() with NULL address

Unlike some other functions, we can't pass NULL pointer to
free_pages_exact().  Add a proper NULL check for avoiding possible
Oops.</Note>
    </Notes>
    <CVE>CVE-2021-47332</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge

There is an issue with the ASPM(optional) capability checking function.
A device might be attached to root complex directly, in this case,
bus-&gt;self(bridge) will be NULL, thus priv-&gt;parent_pdev is NULL.
Since alcor_pci_init_check_aspm(priv-&gt;parent_pdev) checks the PCI link's
ASPM capability and populates parent_cap_off, which will be used later by
alcor_pci_aspm_ctrl() to dynamically turn on/off device, what we can do
here is to avoid checking the capability if we are on the root complex.
This will make pdev_cap_off 0 and alcor_pci_aspm_ctrl() will simply
return when being called, effectively disabling ASPM for the device.

[    1.246492] BUG: kernel NULL pointer dereference, address: 00000000000000c0
[    1.248731] RIP: 0010:pci_read_config_byte+0x5/0x40
[    1.253998] Call Trace:
[    1.254131]  ? alcor_pci_find_cap_offset.isra.0+0x3a/0x100 [alcor_pci]
[    1.254476]  alcor_pci_probe+0x169/0x2d5 [alcor_pci]</Note>
    </Notes>
    <CVE>CVE-2021-47333</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

misc/libmasm/module: Fix two use after free in ibmasm_init_one

In ibmasm_init_one, it calls ibmasm_init_remote_input_dev().
Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are
allocated by input_allocate_device(), and assigned to
sp-&gt;remote.mouse_dev and sp-&gt;remote.keybd_dev respectively.

In the err_free_devices error branch of ibmasm_init_one,
mouse_dev and keybd_dev are freed by input_free_device(), and return
error. Then the execution runs into error_send_message error branch
of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called
to unregister the freed sp-&gt;remote.mouse_dev and sp-&gt;remote.keybd_dev.

My patch adds an "error_init_remote" label to handle the error of
ibmasm_init_remote_input_dev(), to avoid the uaf bugs.</Note>
    </Notes>
    <CVE>CVE-2021-47334</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix bad pointer dereference when ehandler kthread is invalid

Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()")
changed the allocation logic to call put_device() to perform host cleanup
with the assumption that IDA removal and stopping the kthread would
properly be performed in scsi_host_dev_release(). However, in the unlikely
case that the error handler thread fails to spawn, shost-&gt;ehandler is set
to ERR_PTR(-ENOMEM).

The error handler cleanup code in scsi_host_dev_release() will call
kthread_stop() if shost-&gt;ehandler != NULL which will always be the case
whether the kthread was successfully spawned or not. In the case that it
failed to spawn this has the nasty side effect of trying to dereference an
invalid pointer when kthread_stop() is called. The following splat provides
an example of this behavior in the wild:

scsi host11: error handler thread failed to spawn, error = -4
Kernel attempted to read user page (10c) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x0000010c
Faulting instruction address: 0xc00000000818e9a8
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region
 hash dm_log dm_mod fuse overlay squashfs loop
CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1
NIP [c00000000818e9a8] kthread_stop+0x38/0x230
LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160
Call Trace:
[c000000033bb2c48] 0xc000000033bb2c48 (unreliable)
[c0000000089846e8] scsi_host_dev_release+0x98/0x160
[c00000000891e960] device_release+0x60/0x100
[c0000000087e55c4] kobject_release+0x84/0x210
[c00000000891ec78] put_device+0x28/0x40
[c000000008984ea4] scsi_host_alloc+0x314/0x430
[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]
[c000000008110104] vio_bus_probe+0xa4/0x4b0
[c00000000892a860] really_probe+0x140/0x680
[c00000000892aefc] driver_probe_device+0x15c/0x200
[c00000000892b63c] device_driver_attach+0xcc/0xe0
[c00000000892b740] __driver_attach+0xf0/0x200
[c000000008926f28] bus_for_each_dev+0xa8/0x130
[c000000008929ce4] driver_attach+0x34/0x50
[c000000008928fc0] bus_add_driver+0x1b0/0x300
[c00000000892c798] driver_register+0x98/0x1a0
[c00000000810eb60] __vio_register_driver+0x80/0xe0
[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]
[c0000000080121d0] do_one_initcall+0x60/0x2d0
[c000000008261abc] do_init_module+0x7c/0x320
[c000000008265700] load_module+0x2350/0x25b0
[c000000008265cb4] __do_sys_finit_module+0xd4/0x160
[c000000008031110] system_call_exception+0x150/0x2d0
[c00000000800d35c] system_call_common+0xec/0x278

Fix this by nulling shost-&gt;ehandler when the kthread fails to spawn.</Note>
    </Notes>
    <CVE>CVE-2021-47337</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

fbmem: Do not delete the mode that is still in use

The execution of fb_delete_videomode() is not based on the result of the
previous fbcon_mode_deleted(). As a result, the mode is directly deleted,
regardless of whether it is still in use, which may cause UAF.

==================================================================
BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \
drivers/video/fbdev/core/modedb.c:924
Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962

CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 print_address_description+0x6c/0x640 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
 fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924
 fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746
 fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 18960:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1541 [inline]
 slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574
 slab_free mm/slub.c:3139 [inline]
 kfree+0xca/0x3d0 mm/slub.c:4121
 fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104
 fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9</Note>
    </Notes>
    <CVE>CVE-2021-47338</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

jfs: fix GPF in diFree

Avoid passing inode with
JFS_SBI(inode-&gt;i_sb)-&gt;ipimap == NULL to
diFree()[1]. GPF will appear:

	struct inode *ipimap = JFS_SBI(ip-&gt;i_sb)-&gt;ipimap;
	struct inomap *imap = JFS_IP(ipimap)-&gt;i_imap;

JFS_IP() will return invalid pointer when ipimap == NULL

Call Trace:
 diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1]
 jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154
 evict+0x2ed/0x750 fs/inode.c:578
 iput_final fs/inode.c:1654 [inline]
 iput.part.0+0x3fe/0x820 fs/inode.c:1680
 iput+0x58/0x70 fs/inode.c:1670</Note>
    </Notes>
    <CVE>CVE-2021-47340</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio

BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183
Read of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269

CPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132
 show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x110/0x164 lib/dump_stack.c:118
 print_address_description+0x78/0x5c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report+0x148/0x1e4 mm/kasan/report.c:562
 check_memory_region_inline mm/kasan/generic.c:183 [inline]
 __asan_load8+0xb4/0xbc mm/kasan/generic.c:252
 kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183
 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739
 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
 el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
 do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220
 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670

Allocated by task 4269:
 stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461
 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475
 kmem_cache_alloc_trace include/linux/slab.h:450 [inline]
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:664 [inline]
 kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146
 kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739
 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
 el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
 do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220
 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670

Freed by task 4269:
 stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x38/0x6c mm/kasan/common.c:56
 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355
 __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422
 kasan_slab_free+0x10/0x1c mm/kasan/common.c:431
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook mm/slub.c:1577 [inline]
 slab_free mm/slub.c:3142 [inline]
 kfree+0x104/0x38c mm/slub.c:4124
 coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102
 kvm_iodevice_destructor include/kvm/iodev.h:61 [inline]
 kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374
 kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186
 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739
 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
 invoke_syscall arch/arm64/kernel/sys
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47341</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dm btree remove: assign new_root only when removal succeeds

remove_raw() in dm_btree_remove() may fail due to IO read error
(e.g. read the content of origin block fails during shadowing),
and the value of shadow_spine::root is uninitialized, but
the uninitialized value is still assigned to new_root in the
end of dm_btree_remove().

For dm-thin, the value of pmd-&gt;details_root or pmd-&gt;root will become
an uninitialized value, so if trying to read details_info tree again
out-of-bound memory access may occur as shown below:

  general protection fault, probably for non-canonical address 0x3fdcb14c8d7520
  CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6
  Hardware name: QEMU Standard PC
  RIP: 0010:metadata_ll_load_ie+0x14/0x30
  Call Trace:
   sm_metadata_count_is_more_than_one+0xb9/0xe0
   dm_tm_shadow_block+0x52/0x1c0
   shadow_step+0x59/0xf0
   remove_raw+0xb2/0x170
   dm_btree_remove+0xf4/0x1c0
   dm_pool_delete_thin_device+0xc3/0x140
   pool_message+0x218/0x2b0
   target_message+0x251/0x290
   ctl_ioctl+0x1c4/0x4d0
   dm_ctl_ioctl+0xe/0x20
   __x64_sys_ioctl+0x7b/0xb0
   do_syscall_64+0x40/0xb0
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Fix it by only assigning new_root when removal succeeds</Note>
    </Notes>
    <CVE>CVE-2021-47343</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: zr364xx: fix memory leak in zr364xx_start_readpipe

syzbot reported memory leak in zr364xx driver.
The problem was in a non-freed urb in case of
usb_submit_urb() failure.

backtrace:
  [&lt;ffffffff82baedf6&gt;] kmalloc include/linux/slab.h:561 [inline]
  [&lt;ffffffff82baedf6&gt;] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74
  [&lt;ffffffff82f7cce8&gt;] zr364xx_start_readpipe+0x78/0x130 drivers/media/usb/zr364xx/zr364xx.c:1022
  [&lt;ffffffff84251dfc&gt;] zr364xx_board_init drivers/media/usb/zr364xx/zr364xx.c:1383 [inline]
  [&lt;ffffffff84251dfc&gt;] zr364xx_probe+0x6a3/0x851 drivers/media/usb/zr364xx/zr364xx.c:1516
  [&lt;ffffffff82bb6507&gt;] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
  [&lt;ffffffff826018a9&gt;] really_probe+0x159/0x500 drivers/base/dd.c:576</Note>
    </Notes>
    <CVE>CVE-2021-47344</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wl1251: Fix possible buffer overflow in wl1251_cmd_scan

Function wl1251_cmd_scan calls memcpy without checking the length.
Harden by checking the length is within the maximum allowed size.</Note>
    </Notes>
    <CVE>CVE-2021-47347</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid HDCP over-read and corruption

Instead of reading the desired 5 bytes of the actual target field,
the code was reading 8. This could result in a corrupted value if the
trailing 3 bytes were non-zero, so instead use an appropriately sized
and zero-initialized bounce buffer, and read only 5 bytes before casting
to u64.</Note>
    </Notes>
    <CVE>CVE-2021-47348</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/mm: Fix lockup on kernel exec fault

The powerpc kernel is not prepared to handle exec faults from kernel.
Especially, the function is_exec_fault() will return 'false' when an
exec fault is taken by kernel, because the check is based on reading
current-&gt;thread.regs-&gt;trap which contains the trap from user.

For instance, when provoking a LKDTM EXEC_USERSPACE test,
current-&gt;thread.regs-&gt;trap is set to SYSCALL trap (0xc00), and
the fault taken by the kernel is not seen as an exec fault by
set_access_flags_filter().

Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix
with autonuma") made it clear and handled it properly. But later on
commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute
faults") removed that handling, introducing a test based on error_code.
And here is the problem, because on the 603 all upper bits of SRR1
get cleared when the TLB instruction miss handler bails out to ISI.

Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy
search_exception_tables() verification"), an exec fault from kernel
at a userspace address was indirectly caught by the lack of entry for
that address in the exception tables. But after that commit the
kernel mainly relies on KUAP or on core mm handling to catch wrong
user accesses. Here the access is not wrong, so mm handles it.
It is a minor fault because PAGE_EXEC is not set,
set_access_flags_filter() should set PAGE_EXEC and voila.
But as is_exec_fault() returns false as explained in the beginning,
set_access_flags_filter() bails out without setting PAGE_EXEC flag,
which leads to a forever minor exec fault.

As the kernel is not prepared to handle such exec faults, the thing to
do is to fire in bad_kernel_fault() for any exec fault taken by the
kernel, as it was prior to commit d3ca587404b3.</Note>
    </Notes>
    <CVE>CVE-2021-47350</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

udf: Fix NULL pointer dereference in udf_symlink function

In function udf_symlink, epos.bh is assigned with the value returned
by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c
and returns the value of sb_getblk function that could be NULL.
Then, epos.bh is used without any check, causing a possible
NULL pointer dereference when sb_getblk fails.

This fix adds a check to validate the value of epos.bh.</Note>
    </Notes>
    <CVE>CVE-2021-47353</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/sched: Avoid data corruptions

Wait for all dependencies of a job to complete before
killing it to avoid data corruptions.</Note>
    </Notes>
    <CVE>CVE-2021-47354</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mISDN: fix possible use-after-free in HFC_cleanup()

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished and is unable to re-schedule itself.</Note>
    </Notes>
    <CVE>CVE-2021-47356</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

enetc: Fix illegal access when reading affinity_hint

irq_set_affinity_hint() stores a reference to the cpumask_t
parameter in the irq descriptor, and that reference can be
accessed later from irq_affinity_hint_proc_show(). Since
the cpu_mask parameter passed to irq_set_affinity_hint() has
only temporary storage (it's on the stack memory), later
accesses to it are illegal. Thus reads from the corresponding
procfs affinity_hint file can result in paging request oops.

The issue is fixed by the get_cpu_mask() helper, which provides
a permanent storage for the cpumask_t parameter.</Note>
    </Notes>
    <CVE>CVE-2021-47368</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

s390/qeth: fix NULL deref in qeth_clear_working_pool_list()

When qeth_set_online() calls qeth_clear_working_pool_list() to roll
back after an error exit from qeth_hardsetup_card(), we are at risk of
accessing card-&gt;qdio.in_q before it was allocated by
qeth_alloc_qdio_queues() via qeth_mpc_initialize().

qeth_clear_working_pool_list() then dereferences NULL, and by writing to
queue-&gt;bufs[i].pool_entry scribbles all over the CPU's lowcore.
Resulting in a crash when those lowcore areas are used next (eg. on
the next machine-check interrupt).

Such a scenario would typically happen when the device is first set
online and its queues aren't allocated yet. An early IO error or certain
misconfigs (eg. mismatched transport mode, bad portno) then cause us to
error out from qeth_hardsetup_card() with card-&gt;qdio.in_q still being
NULL.

Fix it by checking the pointer for NULL before accessing it.

Note that we also have (rare) paths inside qeth_mpc_initialize() where
a configuration change can cause us to free the existing queues,
expecting that subsequent code will allocate them again. If we then
error out before that re-allocation happens, the same bug occurs.

Root-caused-by: Heiko Carstens &lt;hca@linux.ibm.com&gt;</Note>
    </Notes>
    <CVE>CVE-2021-47369</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: macb: fix use after free on rmmod

plat_dev-&gt;dev-&gt;platform_data is released by platform_device_unregister(),
use of pclk and hclk is a use-after-free. Since device unregister won't
need a clk device we adjust the function call sequence to fix this issue.

[   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
[   31.275563] Freed by task 306:
[   30.276782]  platform_device_release+0x25/0x80</Note>
    </Notes>
    <CVE>CVE-2021-47372</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

blktrace: Fix uaf in blk_trace access after removing by sysfs

There is a use-after-free problem triggered by the following process:

      P1(sda)				P2(sdb)
			echo 0 &gt; /sys/block/sdb/trace/enable
			  blk_trace_remove_queue
			    synchronize_rcu
			    blk_trace_free
			      relay_close
rcu_read_lock
__blk_add_trace
  trace_note_tsk
  (Iterate running_trace_list)
			        relay_close_buf
				  relay_destroy_buf
				    kfree(buf)
    trace_note(sdb's bt)
      relay_reserve
        buf-&gt;offset &lt;- nullptr dereference (use-after-free) !!!
rcu_read_unlock

[  502.714379] BUG: kernel NULL pointer dereference, address:
0000000000000010
[  502.715260] #PF: supervisor read access in kernel mode
[  502.715903] #PF: error_code(0x0000) - not-present page
[  502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[  502.717252] Oops: 0000 [#1] SMP
[  502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[  502.732872] Call Trace:
[  502.733193]  __blk_add_trace.cold+0x137/0x1a3
[  502.733734]  blk_add_trace_rq+0x7b/0xd0
[  502.734207]  blk_add_trace_rq_issue+0x54/0xa0
[  502.734755]  blk_mq_start_request+0xde/0x1b0
[  502.735287]  scsi_queue_rq+0x528/0x1140
...
[  502.742704]  sg_new_write.isra.0+0x16e/0x3e0
[  502.747501]  sg_ioctl+0x466/0x1100

Reproduce method:
  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sda, BLKTRACESTART)
  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sdb, BLKTRACESTART)

  echo 0 &gt; /sys/block/sdb/trace/enable &amp;
  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()

  ioctl$SG_IO(/dev/sda, SG_IO, ...)
  // Enters trace_note_tsk() after blk_trace_free() returned
  // Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by
sysfs if blk_trace is at Blktrace_running state.</Note>
    </Notes>
    <CVE>CVE-2021-47375</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvme-rdma: destroy cm id before destroy qp to avoid use after free

We should always destroy cm_id before destroying qp to avoid getting a cma
event after qp was destroyed, which may lead to use after free.
In RDMA connection establishment error flow, don't destroy qp in cm
event handler. Just report cm_error to upper level, qp will be destroyed
in nvme_rdma_alloc_queue() after destroying cm id.</Note>
    </Notes>
    <CVE>CVE-2021-47378</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd

KASAN reports a use-after-free report when doing fuzz test:

[693354.104835] ==================================================================
[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160
[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338

[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147
[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018
[693354.105612] Call Trace:
[693354.105621]  dump_stack+0xf1/0x19b
[693354.105626]  ? show_regs_print_info+0x5/0x5
[693354.105634]  ? printk+0x9c/0xc3
[693354.105638]  ? cpumask_weight+0x1f/0x1f
[693354.105648]  print_address_description+0x70/0x360
[693354.105654]  kasan_report+0x1b2/0x330
[693354.105659]  ? bfq_io_set_weight_legacy+0xd3/0x160
[693354.105665]  ? bfq_io_set_weight_legacy+0xd3/0x160
[693354.105670]  bfq_io_set_weight_legacy+0xd3/0x160
[693354.105675]  ? bfq_cpd_init+0x20/0x20
[693354.105683]  cgroup_file_write+0x3aa/0x510
[693354.105693]  ? ___slab_alloc+0x507/0x540
[693354.105698]  ? cgroup_file_poll+0x60/0x60
[693354.105702]  ? 0xffffffff89600000
[693354.105708]  ? usercopy_abort+0x90/0x90
[693354.105716]  ? mutex_lock+0xef/0x180
[693354.105726]  kernfs_fop_write+0x1ab/0x280
[693354.105732]  ? cgroup_file_poll+0x60/0x60
[693354.105738]  vfs_write+0xe7/0x230
[693354.105744]  ksys_write+0xb0/0x140
[693354.105749]  ? __ia32_sys_read+0x50/0x50
[693354.105760]  do_syscall_64+0x112/0x370
[693354.105766]  ? syscall_return_slowpath+0x260/0x260
[693354.105772]  ? do_page_fault+0x9b/0x270
[693354.105779]  ? prepare_exit_to_usermode+0xf9/0x1a0
[693354.105784]  ? enter_from_user_mode+0x30/0x30
[693354.105793]  entry_SYSCALL_64_after_hwframe+0x65/0xca

[693354.105875] Allocated by task 1453337:
[693354.106001]  kasan_kmalloc+0xa0/0xd0
[693354.106006]  kmem_cache_alloc_node_trace+0x108/0x220
[693354.106010]  bfq_pd_alloc+0x96/0x120
[693354.106015]  blkcg_activate_policy+0x1b7/0x2b0
[693354.106020]  bfq_create_group_hierarchy+0x1e/0x80
[693354.106026]  bfq_init_queue+0x678/0x8c0
[693354.106031]  blk_mq_init_sched+0x1f8/0x460
[693354.106037]  elevator_switch_mq+0xe1/0x240
[693354.106041]  elevator_switch+0x25/0x40
[693354.106045]  elv_iosched_store+0x1a1/0x230
[693354.106049]  queue_attr_store+0x78/0xb0
[693354.106053]  kernfs_fop_write+0x1ab/0x280
[693354.106056]  vfs_write+0xe7/0x230
[693354.106060]  ksys_write+0xb0/0x140
[693354.106064]  do_syscall_64+0x112/0x370
[693354.106069]  entry_SYSCALL_64_after_hwframe+0x65/0xca

[693354.106114] Freed by task 1453336:
[693354.106225]  __kasan_slab_free+0x130/0x180
[693354.106229]  kfree+0x90/0x1b0
[693354.106233]  blkcg_deactivate_policy+0x12c/0x220
[693354.106238]  bfq_exit_queue+0xf5/0x110
[693354.106241]  blk_mq_exit_sched+0x104/0x130
[693354.106245]  __elevator_exit+0x45/0x60
[693354.106249]  elevator_switch_mq+0xd6/0x240
[693354.106253]  elevator_switch+0x25/0x40
[693354.106257]  elv_iosched_store+0x1a1/0x230
[693354.106261]  queue_attr_store+0x78/0xb0
[693354.106264]  kernfs_fop_write+0x1ab/0x280
[693354.106268]  vfs_write+0xe7/0x230
[693354.106271]  ksys_write+0xb0/0x140
[693354.106275]  do_syscall_64+0x112/0x370
[693354.106280]  entry_SYSCALL_64_after_hwframe+0x65/0xca

[693354.106329] The buggy address belongs to the object at ffff888be0a35580
                 which belongs to the cache kmalloc-1k of size 1024
[693354.106736] The buggy address is located 228 bytes inside of
                 1024-byte region [ffff888be0a35580, ffff888be0a35980)
[693354.107114] The buggy address belongs to the page:
[693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0
[693354.107606] flags: 0x17ffffc0008100(slab|head)
[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080
[693354.108020] r
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47379</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: Fix DSP oops stack dump output contents

Fix @buf arg given to hex_dump_to_buffer() and stack address used
in dump error output.</Note>
    </Notes>
    <CVE>CVE-2021-47381</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

s390/qeth: fix deadlock during failing recovery

Commit 0b9902c1fcc5 ("s390/qeth: fix deadlock during recovery") removed
taking discipline_mutex inside qeth_do_reset(), fixing potential
deadlocks. An error path was missed though, that still takes
discipline_mutex and thus has the original deadlock potential.

Intermittent deadlocks were seen when a qeth channel path is configured
offline, causing a race between qeth_do_reset and ccwgroup_remove.
Call qeth_set_offline() directly in the qeth_do_reset() error case and
then a new variant of ccwgroup_set_offline(), without taking
discipline_mutex.</Note>
    </Notes>
    <CVE>CVE-2021-47382</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tty: Fix out-of-bound vmalloc access in imageblit

This issue happens when a userspace program does an ioctl
FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct
containing only the fields xres, yres, and bits_per_pixel
with values.

If this struct is the same as the previous ioctl, the
vc_resize() detects it and doesn't call the resize_screen(),
leaving the fb_var_screeninfo incomplete. And this leads to
updatescrollmode() calculating a wrong value for
fbcon_display-&gt;vrows, which makes real_y() return a
wrong value of y, and that value, eventually, causes
the imageblit to access an out-of-bound address value.

To solve this issue I made the resize_screen() be called
even if the screen does not need any resizing, so it will
"fix and fill" the fb_var_screeninfo independently.</Note>
    </Notes>
    <CVE>CVE-2021-47383</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cpufreq: schedutil: Use kobject release() method to free sugov_tunables

The struct sugov_tunables is protected by the kobject, so we can't free
it directly. Otherwise we would get a call trace like this:
  ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30
  WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100
  Modules linked in:
  CPU: 3 PID: 720 Comm: a.sh Tainted: G        W         5.14.0-rc1-next-20210715-yocto-standard+ #507
  Hardware name: Marvell OcteonTX CN96XX board (DT)
  pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)
  pc : debug_print_object+0xb8/0x100
  lr : debug_print_object+0xb8/0x100
  sp : ffff80001ecaf910
  Call trace:
   debug_print_object+0xb8/0x100
   __debug_check_no_obj_freed+0x1c0/0x230
   debug_check_no_obj_freed+0x20/0x88
   slab_free_freelist_hook+0x154/0x1c8
   kfree+0x114/0x5d0
   sugov_exit+0xbc/0xc0
   cpufreq_exit_governor+0x44/0x90
   cpufreq_set_policy+0x268/0x4a8
   store_scaling_governor+0xe0/0x128
   store+0xc0/0xf0
   sysfs_kf_write+0x54/0x80
   kernfs_fop_write_iter+0x128/0x1c0
   new_sync_write+0xf0/0x190
   vfs_write+0x2d4/0x478
   ksys_write+0x74/0x100
   __arm64_sys_write+0x24/0x30
   invoke_syscall.constprop.0+0x54/0xe0
   do_el0_svc+0x64/0x158
   el0_svc+0x2c/0xb0
   el0t_64_sync_handler+0xb0/0xb8
   el0t_64_sync+0x198/0x19c
  irq event stamp: 5518
  hardirqs last  enabled at (5517): [&lt;ffff8000100cbd7c&gt;] console_unlock+0x554/0x6c8
  hardirqs last disabled at (5518): [&lt;ffff800010fc0638&gt;] el1_dbg+0x28/0xa0
  softirqs last  enabled at (5504): [&lt;ffff8000100106e0&gt;] __do_softirq+0x4d0/0x6c0
  softirqs last disabled at (5483): [&lt;ffff800010049548&gt;] irq_exit+0x1b0/0x1b8

So split the original sugov_tunables_free() into two functions,
sugov_clear_global_tunables() is just used to clear the global_tunables
and the new sugov_tunables_free() is used as kobj_type::release to
release the sugov_tunables safely.</Note>
    </Notes>
    <CVE>CVE-2021-47387</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix use-after-free in CCMP/GCMP RX

When PN checking is done in mac80211, for fragmentation we need
to copy the PN to the RX struct so we can later use it to do a
comparison, since commit bf30ca922a0c ("mac80211: check defrag
PN against current frame").

Unfortunately, in that commit I used the 'hdr' variable without
it being necessarily valid, so use-after-free could occur if it
was necessary to reallocate (parts of) the frame.

Fix this by reloading the variable after the code that results
in the reallocations, if any.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.</Note>
    </Notes>
    <CVE>CVE-2021-47388</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests

The FSM can run in a circle allowing rdma_resolve_ip() to be called twice
on the same id_priv. While this cannot happen without going through the
work, it violates the invariant that the same address resolution
background request cannot be active twice.

       CPU 1                                  CPU 2

rdma_resolve_addr():
  RDMA_CM_IDLE -&gt; RDMA_CM_ADDR_QUERY
  rdma_resolve_ip(addr_handler)  #1

			 process_one_req(): for #1
                          addr_handler():
                            RDMA_CM_ADDR_QUERY -&gt; RDMA_CM_ADDR_BOUND
                            mutex_unlock(&amp;id_priv-&gt;handler_mutex);
                            [.. handler still running ..]

rdma_resolve_addr():
  RDMA_CM_ADDR_BOUND -&gt; RDMA_CM_ADDR_QUERY
  rdma_resolve_ip(addr_handler)
    !! two requests are now on the req_list

rdma_destroy_id():
 destroy_id_handler_unlock():
  _destroy_id():
   cma_cancel_operation():
    rdma_addr_cancel()

                          // process_one_req() self removes it
		          spin_lock_bh(&amp;lock);
                           cancel_delayed_work(&amp;req-&gt;work);
	                   if (!list_empty(&amp;req-&gt;list)) == true

      ! rdma_addr_cancel() returns after process_on_req #1 is done

   kfree(id_priv)

			 process_one_req(): for #2
                          addr_handler():
	                    mutex_lock(&amp;id_priv-&gt;handler_mutex);
                            !! Use after free on id_priv

rdma_addr_cancel() expects there to be one req on the list and only
cancels the first one. The self-removal behavior of the work only happens
after the handler has returned. This yields a situation where the
req_list can have two reqs for the same "handle" but rdma_addr_cancel()
only cancels the first one.

The second req remains active beyond rdma_destroy_id() and will
use-after-free id_priv once it inevitably triggers.

Fix this by remembering if the id_priv has called rdma_resolve_ip() and
always cancel before calling it again. This ensures the req_list never
gets more than one item in it and doesn't cost anything in the normal flow
that never uses this strange error path.</Note>
    </Notes>
    <CVE>CVE-2021-47391</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure

If cma_listen_on_all() fails it leaves the per-device ID still on the
listen_list but the state is not set to RDMA_CM_ADDR_BOUND.

When the cmid is eventually destroyed cma_cancel_listens() is not called
due to the wrong state, however the per-device IDs are still holding the
refcount preventing the ID from being destroyed, thus deadlocking:

 task:rping state:D stack:   0 pid:19605 ppid: 47036 flags:0x00000084
 Call Trace:
  __schedule+0x29a/0x780
  ? free_unref_page_commit+0x9b/0x110
  schedule+0x3c/0xa0
  schedule_timeout+0x215/0x2b0
  ? __flush_work+0x19e/0x1e0
  wait_for_completion+0x8d/0xf0
  _destroy_id+0x144/0x210 [rdma_cm]
  ucma_close_id+0x2b/0x40 [rdma_ucm]
  __destroy_id+0x93/0x2c0 [rdma_ucm]
  ? __xa_erase+0x4a/0xa0
  ucma_destroy_id+0x9a/0x120 [rdma_ucm]
  ucma_write+0xb8/0x130 [rdma_ucm]
  vfs_write+0xb4/0x250
  ksys_write+0xb5/0xd0
  ? syscall_trace_enter.isra.19+0x123/0x190
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Ensure that cma_listen_on_all() atomically unwinds its action under the
lock during error.</Note>
    </Notes>
    <CVE>CVE-2021-47392</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

Fan speed minimum can be enforced from sysfs. For example, setting
current fan speed to 20 is used to enforce fan speed to be at 100%
speed, 19 - to be not below 90% speed, etcetera. This feature provides
ability to limit fan speed according to some system wise
considerations, like absence of some replaceable units or high system
ambient temperature.

Request for changing fan minimum speed is configuration request and can
be set only through 'sysfs' write procedure. In this situation value of
argument 'state' is above nominal fan speed maximum.

Return non-zero code in this case to avoid
thermal_cooling_device_stats_update() call, because in this case
statistics update violates thermal statistics table range.
The issue is observed in case the kernel is configured with option
CONFIG_THERMAL_STATISTICS.

Here is the trace from KASAN:
[  159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0
[  159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444
[  159.545625] Call Trace:
[  159.548366]  dump_stack+0x92/0xc1
[  159.552084]  ? thermal_cooling_device_stats_update+0x7d/0xb0
[  159.635869]  thermal_zone_device_update+0x345/0x780
[  159.688711]  thermal_zone_device_set_mode+0x7d/0xc0
[  159.694174]  mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]
[  159.700972]  ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]
[  159.731827]  mlxsw_thermal_init+0x763/0x880 [mlxsw_core]
[  160.070233] RIP: 0033:0x7fd995909970
[  160.143671]
[  160.145338] Allocated by task 2924:
[  160.149242]  kasan_save_stack+0x19/0x40
[  160.153541]  __kasan_kmalloc+0x7f/0xa0
[  160.157743]  __kmalloc+0x1a2/0x2b0
[  160.161552]  thermal_cooling_device_setup_sysfs+0xf9/0x1a0
[  160.167687]  __thermal_cooling_device_register+0x1b5/0x500
[  160.173833]  devm_thermal_of_cooling_device_register+0x60/0xa0
[  160.180356]  mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]
[  160.248140]
[  160.249807] The buggy address belongs to the object at ffff888116163400
[  160.249807]  which belongs to the cache kmalloc-1k of size 1024
[  160.263814] The buggy address is located 64 bytes to the right of
[  160.263814]  1024-byte region [ffff888116163400, ffff888116163800)
[  160.277536] The buggy address belongs to the page:
[  160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160
[  160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0
[  160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2)
[  160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0
[  160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000
[  160.327033] page dumped because: kasan: bad access detected
[  160.333270]
[  160.334937] Memory state around the buggy address:
[  160.356469] &gt;ffff888116163800: fc ..</Note>
    </Notes>
    <CVE>CVE-2021-47393</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap

Limit max values for vht mcs and nss in ieee80211_parse_tx_radiotap
routine in order to fix the following warning reported by syzbot:

WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
Modules linked in:
CPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
RIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
Call Trace:
 ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740
 netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089
 __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165
 __bpf_tx_skb net/core/filter.c:2114 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2139 [inline]
 __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162
 ____bpf_clone_redirect net/core/filter.c:2429 [inline]
 bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401
 bpf_prog_eeb6f53a69e5c6a2+0x59/0x234
 bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline]
 __bpf_prog_run include/linux/filter.h:624 [inline]
 bpf_prog_run include/linux/filter.h:631 [inline]
 bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119
 bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663
 bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline]
 __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605
 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9</Note>
    </Notes>
    <CVE>CVE-2021-47395</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mac80211-hwsim: fix late beacon hrtimer handling

Thomas explained in https://lore.kernel.org/r/87mtoeb4hb.ffs@tglx
that our handling of the hrtimer here is wrong: If the timer fires
late (e.g. due to vCPU scheduling, as reported by Dmitry/syzbot)
then it tries to actually rearm the timer at the next deadline,
which might be in the past already:

 1          2          3          N          N+1
 |          |          |   ...    |          |

 ^ intended to fire here (1)
            ^ next deadline here (2)
                                      ^ actually fired here

The next time it fires, it's later, but will still try to schedule
for the next deadline (now 3), etc. until it catches up with N,
but that might take a long time, causing stalls etc.

Now, all of this is simulation, so we just have to fix it, but
note that the behaviour is wrong even per spec, since there's no
value then in sending all those beacons unaligned - they should be
aligned to the TBTT (1, 2, 3, ... in the picture), and if we're a
bit (or a lot) late, then just resume at that point.

Therefore, change the code to use hrtimer_forward_now() which will
ensure that the next firing of the timer would be at N+1 (in the
picture), i.e. the next interval point after the current time.</Note>
    </Notes>
    <CVE>CVE-2021-47396</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup

The ixgbe driver currently generates a NULL pointer dereference with
some machines (online cpus &lt; 63). This is due to the fact that the
maximum value of num_xdp_queues is nr_cpu_ids. Code is in
"ixgbe_set_rss_queues".

Here's how the problem repeats itself:
On some machines (online cpus &lt; 63), the user sets num_queues to 63 through
ethtool. Code is in "ixgbe_set_channels",
	adapter-&gt;ring_feature[RING_F_FDIR].limit = count;

It becomes 63.

When the user uses xdp, "ixgbe_set_rss_queues" will set the number of queues.
	adapter-&gt;num_rx_queues = rss_i;
	adapter-&gt;num_tx_queues = rss_i;
	adapter-&gt;num_xdp_queues = ixgbe_xdp_queues(adapter);

And rss_i's value is from
	f = &amp;adapter-&gt;ring_feature[RING_F_FDIR];
	rss_i = f-&gt;indices = f-&gt;limit;

So "num_rx_queues" &gt; "num_xdp_queues", when run to "ixgbe_xdp_setup",
	for (i = 0; i &lt; adapter-&gt;num_rx_queues; i++)
		if (adapter-&gt;xdp_ring[i]-&gt;xsk_umem)

It leads to panic.

Call trace:
[exception RIP: ixgbe_xdp+368]
 7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc
 8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808
 9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235
10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384
11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd
12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb
13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88
14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319
15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290
16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8
17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64
18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9
19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c

So I fix ixgbe_max_channels so that it will not allow a setting of queues
to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup,
take the smaller value of num_rx_queues and num_xdp_queues.</Note>
    </Notes>
    <CVE>CVE-2021-47399</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: sched: flower: protect fl_walk() with rcu

Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul()
also removed rcu protection of individual filters which causes following
use-after-free when filter is deleted concurrently. Fix fl_walk() to obtain
rcu read lock while iterating and taking the filter reference and temporarily
release the lock while calling arg-&gt;fn() callback that can sleep.

KASAN trace:

[  352.773640] ==================================================================
[  352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower]
[  352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987

[  352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2
[  352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[  352.781022] Call Trace:
[  352.781573]  dump_stack_lvl+0x46/0x5a
[  352.782332]  print_address_description.constprop.0+0x1f/0x140
[  352.783400]  ? fl_walk+0x159/0x240 [cls_flower]
[  352.784292]  ? fl_walk+0x159/0x240 [cls_flower]
[  352.785138]  kasan_report.cold+0x83/0xdf
[  352.785851]  ? fl_walk+0x159/0x240 [cls_flower]
[  352.786587]  kasan_check_range+0x145/0x1a0
[  352.787337]  fl_walk+0x159/0x240 [cls_flower]
[  352.788163]  ? fl_put+0x10/0x10 [cls_flower]
[  352.789007]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220
[  352.790102]  tcf_chain_dump+0x231/0x450
[  352.790878]  ? tcf_chain_tp_delete_empty+0x170/0x170
[  352.791833]  ? __might_sleep+0x2e/0xc0
[  352.792594]  ? tfilter_notify+0x170/0x170
[  352.793400]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220
[  352.794477]  tc_dump_tfilter+0x385/0x4b0
[  352.795262]  ? tc_new_tfilter+0x1180/0x1180
[  352.796103]  ? __mod_node_page_state+0x1f/0xc0
[  352.796974]  ? __build_skb_around+0x10e/0x130
[  352.797826]  netlink_dump+0x2c0/0x560
[  352.798563]  ? netlink_getsockopt+0x430/0x430
[  352.799433]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220
[  352.800542]  __netlink_dump_start+0x356/0x440
[  352.801397]  rtnetlink_rcv_msg+0x3ff/0x550
[  352.802190]  ? tc_new_tfilter+0x1180/0x1180
[  352.802872]  ? rtnl_calcit.isra.0+0x1f0/0x1f0
[  352.803668]  ? tc_new_tfilter+0x1180/0x1180
[  352.804344]  ? _copy_from_iter_nocache+0x800/0x800
[  352.805202]  ? kasan_set_track+0x1c/0x30
[  352.805900]  netlink_rcv_skb+0xc6/0x1f0
[  352.806587]  ? rht_deferred_worker+0x6b0/0x6b0
[  352.807455]  ? rtnl_calcit.isra.0+0x1f0/0x1f0
[  352.808324]  ? netlink_ack+0x4d0/0x4d0
[  352.809086]  ? netlink_deliver_tap+0x62/0x3d0
[  352.809951]  netlink_unicast+0x353/0x480
[  352.810744]  ? netlink_attachskb+0x430/0x430
[  352.811586]  ? __alloc_skb+0xd7/0x200
[  352.812349]  netlink_sendmsg+0x396/0x680
[  352.813132]  ? netlink_unicast+0x480/0x480
[  352.813952]  ? __import_iovec+0x192/0x210
[  352.814759]  ? netlink_unicast+0x480/0x480
[  352.815580]  sock_sendmsg+0x6c/0x80
[  352.816299]  ____sys_sendmsg+0x3a5/0x3c0
[  352.817096]  ? kernel_sendmsg+0x30/0x30
[  352.817873]  ? __ia32_sys_recvmmsg+0x150/0x150
[  352.818753]  ___sys_sendmsg+0xd8/0x140
[  352.819518]  ? sendmsg_copy_msghdr+0x110/0x110
[  352.820402]  ? ___sys_recvmsg+0xf4/0x1a0
[  352.821110]  ? __copy_msghdr_from_user+0x260/0x260
[  352.821934]  ? _raw_spin_lock+0x81/0xd0
[  352.822680]  ? __handle_mm_fault+0xef3/0x1b20
[  352.823549]  ? rb_insert_color+0x2a/0x270
[  352.824373]  ? copy_page_range+0x16b0/0x16b0
[  352.825209]  ? perf_event_update_userpage+0x2d0/0x2d0
[  352.826190]  ? __fget_light+0xd9/0xf0
[  352.826941]  __sys_sendmsg+0xb3/0x130
[  352.827613]  ? __sys_sendmsg_sock+0x20/0x20
[  352.828377]  ? do_user_addr_fault+0x2c5/0x8a0
[  352.829184]  ? fpregs_assert_state_consistent+0x52/0x60
[  352.830001]  ? exit_to_user_mode_prepare+0x32/0x160
[  352.830845]  do_syscall_64+0x35/0x80
[  352.831445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  352.832331] RIP: 0033:0x7f7bee973c17
[ 
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47402</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

HID: betop: fix slab-out-of-bounds Write in betop_probe

Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver.
The problem is the driver assumes the device must have an input report but
some malicious devices violate this assumption.

So this patch checks that hid_device's input is non-empty before it is used.</Note>
    </Notes>
    <CVE>CVE-2021-47404</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: free raw_report buffers in usbhid_stop

Free the unsent raw_report buffers when the device is removed.

Fixes a memory leak reported by syzbot at:
https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47</Note>
    </Notes>
    <CVE>CVE-2021-47405</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: check return value after calling platform_get_resource()

It will cause a null-ptr-deref if platform_get_resource() returns NULL;
we need to check the return value.</Note>
    </Notes>
    <CVE>CVE-2021-47409</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: chipidea: ci_hdrc_imx: Also search for 'phys' phandle

When passing 'phys' in the devicetree to describe the USB PHY phandle
(which is the recommended way according to
Documentation/devicetree/bindings/usb/ci-hdrc-usb2.txt) the
following NULL pointer dereference is observed on i.MX7 and i.MX8MM:

[    1.489344] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
[    1.498170] Mem abort info:
[    1.500966]   ESR = 0x96000044
[    1.504030]   EC = 0x25: DABT (current EL), IL = 32 bits
[    1.509356]   SET = 0, FnV = 0
[    1.512416]   EA = 0, S1PTW = 0
[    1.515569]   FSC = 0x04: level 0 translation fault
[    1.520458] Data abort info:
[    1.523349]   ISV = 0, ISS = 0x00000044
[    1.527196]   CM = 0, WnR = 1
[    1.530176] [0000000000000098] user address but active_mm is swapper
[    1.536544] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[    1.542125] Modules linked in:
[    1.545190] CPU: 3 PID: 7 Comm: kworker/u8:0 Not tainted 5.14.0-dirty #3
[    1.551901] Hardware name: Kontron i.MX8MM N801X S (DT)
[    1.557133] Workqueue: events_unbound deferred_probe_work_func
[    1.562984] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
[    1.568998] pc : imx7d_charger_detection+0x3f0/0x510
[    1.573973] lr : imx7d_charger_detection+0x22c/0x510

This happens because the charger functions check for the phy presence
inside the imx_usbmisc_data structure (data-&gt;usb_phy), but the chipidea
core populates the usb_phy passed via 'phys' inside 'struct ci_hdrc'
(ci-&gt;usb_phy) instead.

This causes the NULL pointer dereference inside imx7d_charger_detection().

Fix it by also searching for 'phys' in case 'fsl,usbphy' is not found.

Tested on an imx7s-warp board.</Note>
    </Notes>
    <CVE>CVE-2021-47413</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

phy: mdio: fix memory leak

Syzbot reported memory leak in MDIO bus interface, the problem was in
wrong state logic.

MDIOBUS_ALLOCATED indicates 2 states:
	1. Bus is only allocated
	2. Bus allocated and __mdiobus_register() fails, but
	   device_register() was called

In case device_register() has been called, we should call put_device()
to correctly free the memory allocated for this device, but mdiobus_free()
calls just kfree(dev) in case of MDIOBUS_ALLOCATED state.

To avoid this behaviour we need to set bus-&gt;state to MDIOBUS_UNREGISTERED
_before_ calling device_register(), because put_device() should be
called even in case of device_register() failure.</Note>
    </Notes>
    <CVE>CVE-2021-47416</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau/kms/nv50-: fix file release memory leak

When using single_open() for opening, single_release() should be
called, otherwise the 'op' allocated in single_open() will be leaked.</Note>
    </Notes>
    <CVE>CVE-2021-47422</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau/debugfs: fix file release memory leak

When using single_open() for opening, single_release() should be
called, otherwise the 'op' allocated in single_open() will be leaked.</Note>
    </Notes>
    <CVE>CVE-2021-47423</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix freeing of uninitialized misc IRQ vector

When VSI set up failed in i40e_probe() as part of PF switch set up
driver was trying to free misc IRQ vectors in
i40e_clear_interrupt_scheme and produced a kernel Oops:

   Trying to free already-free IRQ 266
   WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300
   Workqueue: events work_for_cpu_fn
   RIP: 0010:__free_irq+0x9a/0x300
   Call Trace:
   ? synchronize_irq+0x3a/0xa0
   free_irq+0x2e/0x60
   i40e_clear_interrupt_scheme+0x53/0x190 [i40e]
   i40e_probe.part.108+0x134b/0x1a40 [i40e]
   ? kmem_cache_alloc+0x158/0x1c0
   ? acpi_ut_update_ref_count.part.1+0x8e/0x345
   ? acpi_ut_update_object_reference+0x15e/0x1e2
   ? strstr+0x21/0x70
   ? irq_get_irq_data+0xa/0x20
   ? mp_check_pin_attr+0x13/0xc0
   ? irq_get_irq_data+0xa/0x20
   ? mp_map_pin_to_irq+0xd3/0x2f0
   ? acpi_register_gsi_ioapic+0x93/0x170
   ? pci_conf1_read+0xa4/0x100
   ? pci_bus_read_config_word+0x49/0x70
   ? do_pci_enable_device+0xcc/0x100
   local_pci_probe+0x41/0x90
   work_for_cpu_fn+0x16/0x20
   process_one_work+0x1a7/0x360
   worker_thread+0x1cf/0x390
   ? create_worker+0x1a0/0x1a0
   kthread+0x112/0x130
   ? kthread_flush_work_fn+0x10/0x10
   ret_from_fork+0x1f/0x40

The problem is that at that point misc IRQ vectors
were not allocated yet and we get a call trace
that driver is trying to free already free IRQ vectors.

Add a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED
PF state before calling i40e_free_misc_vector. This state is set only if
misc IRQ vectors were properly initialized.</Note>
    </Notes>
    <CVE>CVE-2021-47424</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: acpi: fix resource leak in reconfiguration device addition

acpi_i2c_find_adapter_by_handle() calls bus_find_device() which takes a
reference on the adapter which is never released which will result in a
reference count leak and render the adapter unremovable.  Make sure to
put the adapter after creating the client in the same manner that we do
for OF.

[wsa: fixed title]</Note>
    </Notes>
    <CVE>CVE-2021-47425</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

bpf, s390: Fix potential memory leak about jit_data

Make sure to free jit_data through kfree() in the error path.</Note>
    </Notes>
    <CVE>CVE-2021-47426</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/64s: fix program check interrupt emergency stack path

Emergency stack path was jumping into a 3: label inside the
__GEN_COMMON_BODY macro for the normal path after it had finished,
rather than jumping over it. By a small miracle this is the correct
place to build up a new interrupt frame with the existing stack
pointer, so things basically worked okay with an added weird looking
700 trap frame on top (which had the wrong -&gt;nip so it didn't decode
bug messages either).

Fix this by avoiding using numeric labels when jumping over non-trivial
macros.

Before:

 LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
 Modules linked in:
 CPU: 0 PID: 88 Comm: sh Not tainted 5.15.0-rc2-00034-ge057cdade6e5 #2637
 NIP:  7265677368657265 LR: c00000000006c0c8 CTR: c0000000000097f0
 REGS: c0000000fffb3a50 TRAP: 0700   Not tainted
 MSR:  9000000000021031 &lt;SF,HV,ME,IR,DR,LE&gt;  CR: 00000700  XER: 20040000
 CFAR: c0000000000098b0 IRQMASK: 0
 NIP [7265677368657265] 0x7265677368657265
 LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
 Call Trace:
 [c0000000fffb3cf0] [c00000000000bdac] soft_nmi_common+0x13c/0x1d0 (unreliable)
 --- interrupt: 700 at decrementer_common_virt+0xb8/0x230
 NIP:  c0000000000098b8 LR: c00000000006c0c8 CTR: c0000000000097f0
 REGS: c0000000fffb3d60 TRAP: 0700   Not tainted
 MSR:  9000000000021031 &lt;SF,HV,ME,IR,DR,LE&gt;  CR: 22424282  XER: 20040000
 CFAR: c0000000000098b0 IRQMASK: 0
 NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230
 LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
 --- interrupt: 700
 Instruction dump:
 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
 ---[ end trace 6d28218e0cc3c949 ]---

After:

 ------------[ cut here ]------------
 kernel BUG at arch/powerpc/kernel/exceptions-64s.S:491!
 Oops: Exception in kernel mode, sig: 5 [#1]
 LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
 Modules linked in:
 CPU: 0 PID: 88 Comm: login Not tainted 5.15.0-rc2-00034-ge057cdade6e5-dirty #2638
 NIP:  c0000000000098b8 LR: c00000000006bf04 CTR: c0000000000097f0
 REGS: c0000000fffb3d60 TRAP: 0700   Not tainted
 MSR:  9000000000021031 &lt;SF,HV,ME,IR,DR,LE&gt;  CR: 24482227  XER: 00040000
 CFAR: c0000000000098b0 IRQMASK: 0
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47428</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix gart.bo pin_count leak

gmc_v{9,10}_0_gart_disable() isn't called matched with
corresponding gart_enable function in SRIOV case. This will
lead to gart.bo pin_count leak on driver unload.</Note>
    </Notes>
    <CVE>CVE-2021-47431</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix command ring pointer corruption while aborting a command

The command ring pointer is located at [6:63] bits of the command
ring control register (CRCR). All the control bits like command stop,
abort are located at [0:3] bits. While aborting a command, we read the
CRCR and set the abort bit and write to the CRCR. The read will always
give command ring pointer as all zeros. So we essentially write only
the control bits. Since we split the 64 bit write into two 32 bit writes,
there is a possibility of xHC command ring stopped before the upper
dword (all zeros) is written. If that happens, xHC updates the upper
dword of its internal command ring pointer with all zeros. Next time,
when the command ring is restarted, we see xHC memory access failures.
Fix this issue by only writing to the lower dword of CRCR where all
control bits are located.</Note>
    </Notes>
    <CVE>CVE-2021-47434</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dm: fix mempool NULL pointer race when completing IO

dm_io_dec_pending() calls end_io_acct() first and will then dec md
in-flight pending count. But if a task is swapping the DM table at the same
time, this can result in a crash due to mempool-&gt;elements being NULL:

task1                             task2
do_resume
 -&gt;do_suspend
  -&gt;dm_wait_for_completion
                                  bio_endio
				   -&gt;clone_endio
				    -&gt;dm_io_dec_pending
				     -&gt;end_io_acct
				      -&gt;wakeup task1
 -&gt;dm_swap_table
  -&gt;__bind
   -&gt;__bind_mempools
    -&gt;bioset_exit
     -&gt;mempool_exit
                                     -&gt;free_io

[ 67.330330] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
......
[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)
[ 67.330510] pc : mempool_free+0x70/0xa0
[ 67.330515] lr : mempool_free+0x4c/0xa0
[ 67.330520] sp : ffffff8008013b20
[ 67.330609] Call trace:
[ 67.330616] mempool_free+0x70/0xa0
[ 67.330627] bio_put+0xf8/0x110
[ 67.330638] dec_pending+0x13c/0x230
[ 67.330644] clone_endio+0x90/0x180
[ 67.330649] bio_endio+0x198/0x1b8
[ 67.330655] dec_pending+0x190/0x230
[ 67.330660] clone_endio+0x90/0x180
[ 67.330665] bio_endio+0x198/0x1b8
[ 67.330673] blk_update_request+0x214/0x428
[ 67.330683] scsi_end_request+0x2c/0x300
[ 67.330688] scsi_io_completion+0xa0/0x710
[ 67.330695] scsi_finish_command+0xd8/0x110
[ 67.330700] scsi_softirq_done+0x114/0x148
[ 67.330708] blk_done_softirq+0x74/0xd0
[ 67.330716] __do_softirq+0x18c/0x374
[ 67.330724] irq_exit+0xb4/0xb8
[ 67.330732] __handle_domain_irq+0x84/0xc0
[ 67.330737] gic_handle_irq+0x148/0x1b0
[ 67.330744] el1_irq+0xe8/0x190
[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538
[ 67.330759] cpuidle_enter_state+0x1fc/0x398
[ 67.330764] cpuidle_enter+0x18/0x20
[ 67.330772] do_idle+0x1b4/0x290
[ 67.330778] cpu_startup_entry+0x20/0x28
[ 67.330786] secondary_start_kernel+0x160/0x170

Fix this by:
1) Establishing pointers to 'struct dm_io' members in
dm_io_dec_pending() so that they may be passed into end_io_acct()
_after_ free_io() is called.
2) Moving end_io_acct() after free_io().</Note>
    </Notes>
    <CVE>CVE-2021-47435</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: musb: dsps: Fix the probe error path

Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after
initializing musb") has inverted the calls to
dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without
correctly updating the error path. dsps_create_musb_pdev() allocates and
registers a new platform device which must be unregistered and freed
with platform_device_unregister(), and this is missing upon
dsps_setup_optional_vbus_irq() error.

While on the master branch it seems not to trigger any issue, I observed
a kernel crash because of a NULL pointer dereference with a v5.10.70
stable kernel where the patch mentioned above was backported. With this
kernel version, -EPROBE_DEFER is returned the first time
dsps_setup_optional_vbus_irq() is called which triggers the probe to
error out without unregistering the platform device. Unfortunately, on
the Beagle Bone Black Wireless, the platform device still living in the
system is being used by the USB Ethernet gadget driver, which during the
boot phase triggers the crash.

My limited knowledge of the musb world prevents me from reverting this commit
which was sent to silence a robot warning which, as far as I understand,
does not make sense. The goal of this patch was to prevent an IRQ from
firing before the platform device is registered. I think this cannot
ever happen due to the fact that enabling the interrupts is done by the
-&gt;enable() callback of the platform musb device, and this platform
device must be already registered in order for the core or any other
user to use this callback.

Hence, I decided to fix the error path, which might prevent future
errors on mainline kernels while also fixing older ones.</Note>
    </Notes>
    <CVE>CVE-2021-47436</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mlxsw: thermal: Fix out-of-bounds memory accesses

Currently, mlxsw allows cooling states to be set above the maximum
cooling state supported by the driver:

 # cat /sys/class/thermal/thermal_zone2/cdev0/type
 mlxsw_fan
 # cat /sys/class/thermal/thermal_zone2/cdev0/max_state
 10
 # echo 18 &gt; /sys/class/thermal/thermal_zone2/cdev0/cur_state
 # echo $?
 0

This results in out-of-bounds memory accesses when thermal state
transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the
transition table is accessed with a too large index (state) [1].

According to the thermal maintainer, it is the responsibility of the
driver to reject such operations [2].

Therefore, return an error when the state to be set exceeds the maximum
cooling state supported by the driver.

To avoid dead code, as suggested by the thermal maintainer [3],
partially revert commit a421ce088ac8 ("mlxsw: core: Extend cooling
device with cooling levels") that tried to interpret these invalid
cooling states (above the maximum) in a special way. The cooling levels
array is not removed in order to prevent the fans going below 20% PWM,
which would cause them to get stuck at 0% PWM.

[1]
BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290
Read of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122
Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2FO"/"SA000874", BIOS 4.6.5 03/08/2016
Workqueue: events_freezable_power_ thermal_zone_device_check
Call Trace:
 dump_stack_lvl+0x8b/0xb3
 print_address_description.constprop.0+0x1f/0x140
 kasan_report.cold+0x7f/0x11b
 thermal_cooling_device_stats_update+0x271/0x290
 __thermal_cdev_update+0x15e/0x4e0
 thermal_cdev_update+0x9f/0xe0
 step_wise_throttle+0x770/0xee0
 thermal_zone_device_update+0x3f6/0xdf0
 process_one_work+0xa42/0x1770
 worker_thread+0x62f/0x13e0
 kthread+0x3ee/0x4e0
 ret_from_fork+0x1f/0x30

Allocated by task 1:
 kasan_save_stack+0x1b/0x40
 __kasan_kmalloc+0x7c/0x90
 thermal_cooling_device_setup_sysfs+0x153/0x2c0
 __thermal_cooling_device_register.part.0+0x25b/0x9c0
 thermal_cooling_device_register+0xb3/0x100
 mlxsw_thermal_init+0x5c5/0x7e0
 __mlxsw_core_bus_device_register+0xcb3/0x19c0
 mlxsw_core_bus_device_register+0x56/0xb0
 mlxsw_pci_probe+0x54f/0x710
 local_pci_probe+0xc6/0x170
 pci_device_probe+0x2b2/0x4d0
 really_probe+0x293/0xd10
 __driver_probe_device+0x2af/0x440
 driver_probe_device+0x51/0x1e0
 __driver_attach+0x21b/0x530
 bus_for_each_dev+0x14c/0x1d0
 bus_add_driver+0x3ac/0x650
 driver_register+0x241/0x3d0
 mlxsw_sp_module_init+0xa2/0x174
 do_one_initcall+0xee/0x5f0
 kernel_init_freeable+0x45a/0x4de
 kernel_init+0x1f/0x210
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff8881052f7800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 1016 bytes inside of
 1024-byte region [ffff8881052f7800, ffff8881052f7c00)

[2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67-
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47441</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFC: digital: fix possible memory leak in digital_in_send_sdd_req()

'skb' is allocated in digital_in_send_sdd_req(), but not freed when
digital_in_send_cmd() fails, which will cause a memory leak. Fix it
by freeing 'skb' if digital_in_send_cmd() returns failure.</Note>
    </Notes>
    <CVE>CVE-2021-47442</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

NFC: digital: fix possible memory leak in digital_tg_listen_mdaa()

'params' is allocated in digital_tg_listen_mdaa(), but not freed when
digital_send_cmd() fails, which will cause a memory leak. Fix it by
freeing 'params' if digital_send_cmd() returns failure.</Note>
    </Notes>
    <CVE>CVE-2021-47443</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read

In commit e11f5bd8228f ("drm: Add support for DP 1.4 Compliance edid
corruption test") the function connector_bad_edid() started assuming
that the memory for the EDID passed to it was big enough to hold
`edid[0x7e] + 1` blocks of data (1 extra for the base block). It
completely ignored the fact that the function was passed `num_blocks`
which indicated how much memory had been allocated for the EDID.

Let's fix this by adding a bounds check.

This is important for handling the case where there's an error in the
first block of the EDID. In that case we will call
connector_bad_edid() without having re-allocated memory based on
`edid[0x7e]`.</Note>
    </Notes>
    <CVE>CVE-2021-47444</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/msm: Fix null pointer dereference on pointer edp

The initialization of pointer dev dereferences pointer edp before
edp is null checked, so there is a potential null pointer dereference
issue. Fix this by only dereferencing edp after edp has been null
checked.

Addresses-Coverity: ("Dereference before null check")</Note>
    </Notes>
    <CVE>CVE-2021-47445</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value

Currently, when the rule related to IDLETIMER is added, idletimer_tg timer
structure is initialized by kmalloc on executing idletimer_tg_create
function. However, in this process timer-&gt;timer_type is not defined to
a specific value. Thus, timer-&gt;timer_type has a garbage value, which causes a
kernel panic. So, this commit fixes the panic by initializing
timer-&gt;timer_type using kzalloc instead of kmalloc.

Test commands:
    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
    $ cat /sys/class/xt_idletimer/timers/test
      Killed

Splat looks like:
    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
    Call Trace:
     dump_stack_lvl+0x6e/0x9c
     kasan_report.cold+0x112/0x117
     ? alarm_expires_remaining+0x49/0x70
     __asan_load8+0x86/0xb0
     alarm_expires_remaining+0x49/0x70
     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]
     dev_attr_show+0x3c/0x60
     sysfs_kf_seq_show+0x11d/0x1f0
     ? device_remove_bin_file+0x20/0x20
     kernfs_seq_show+0xa4/0xb0
     seq_read_iter+0x29c/0x750
     kernfs_fop_read_iter+0x25a/0x2c0
     ? __fsnotify_parent+0x3d1/0x570
     ? iov_iter_init+0x70/0x90
     new_sync_read+0x2a7/0x3d0
     ? __x64_sys_llseek+0x230/0x230
     ? rw_verify_area+0x81/0x150
     vfs_read+0x17b/0x240
     ksys_read+0xd9/0x180
     ? vfs_write+0x460/0x460
     ? do_syscall_64+0x16/0xc0
     ? lockdep_hardirqs_on+0x79/0x120
     __x64_sys_read+0x43/0x50
     do_syscall_64+0x3b/0xc0
     entry_SYSCALL_64_after_hwframe+0x44/0xae</Note>
    </Notes>
    <CVE>CVE-2021-47451</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

can: peak_pci: peak_pci_remove(): fix UAF

When removing the module peak_pci, referencing 'chan' again after
releasing 'dev' will cause a UAF.

Fix this by releasing 'dev' later.

The following log reveals it:

[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
[   35.965513 ] Call Trace:
[   35.965718 ]  dump_stack_lvl+0xa8/0xd1
[   35.966028 ]  print_address_description+0x87/0x3b0
[   35.966420 ]  kasan_report+0x172/0x1c0
[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170
[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20
[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.968752 ]  pci_device_remove+0xa9/0x250</Note>
    </Notes>
    <CVE>CVE-2021-47456</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ocfs2: mount fails with buffer overflow in strlen

Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE, mounting an
ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the
trace below.  Problem seems to be that strings for cluster stack and
cluster name are not guaranteed to be null terminated in the disk
representation, while strlcpy assumes that the source string is always
null terminated.  This causes a read outside of the source string
triggering the buffer overflow detection.

  detected buffer overflow in strlen
  ------------[ cut here ]------------
  kernel BUG at lib/string.c:1149!
  invalid opcode: 0000 [#1] SMP PTI
  CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1
    Debian 5.14.6-2
  RIP: 0010:fortify_panic+0xf/0x11
  ...
  Call Trace:
   ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]
   ocfs2_fill_super+0x359/0x19b0 [ocfs2]
   mount_bdev+0x185/0x1b0
   legacy_get_tree+0x27/0x40
   vfs_get_tree+0x25/0xb0
   path_mount+0x454/0xa20
   __x64_sys_mount+0x103/0x140
   do_syscall_64+0x3b/0xc0
   entry_SYSCALL_64_after_hwframe+0x44/0xae</Note>
    </Notes>
    <CVE>CVE-2021-47458</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix data corruption after conversion from inline format

Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in
block_write_full_page()") uncovered a latent bug in ocfs2 conversion
from inline inode format to a normal inode format.

The code in ocfs2_convert_inline_data_to_extents() attempts to zero out
the whole cluster allocated for file data by grabbing, zeroing, and
dirtying all pages covering this cluster.  However these pages are
beyond i_size, thus writeback code generally ignores these dirty pages
and no blocks were ever actually zeroed on the disk.

This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero
pages past i_size.") for standard ocfs2 write path, inline conversion
path was apparently forgotten; the commit log also has a reasoning why
the zeroing actually is not needed.

After commit 6dbf7bb55598, things became worse as writeback code stopped
invalidating buffers on pages beyond i_size and thus these pages end up
with clean PageDirty bit but with buffers attached to these pages being
still dirty.  So when a file is converted from inline format, then
writeback triggers, and then the file is grown so that these pages
become valid, the invalid dirtiness state is preserved,
mark_buffer_dirty() does nothing on these pages (buffers are already
dirty) but page is never written back because it is clean.  So data
written to these pages is lost once pages are reclaimed.

Simple reproducer for the problem is:

  xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \
    -c "pwrite 4000 2000" ocfs2_file

After unmounting and mounting the fs again, you can observe that end of
'ocfs2_file' has lost its contents.

Fix the problem by not doing the pointless zeroing during conversion
from inline format similarly as in the standard write path.

[akpm@linux-foundation.org: fix whitespace, per Joseph]</Note>
    </Notes>
    <CVE>CVE-2021-47460</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

audit: fix possible null-pointer dereference in audit_filter_rules

Fix possible null-pointer dereference in audit_filter_rules.

audit_filter_rules() error: we previously assumed 'ctx' could be null</Note>
    </Notes>
    <CVE>CVE-2021-47464</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest()

In commit 10d91611f426 ("powerpc/64s: Reimplement book3s idle code in
C") kvm_start_guest() became idle_kvm_start_guest(). The old code
allocated a stack frame on the emergency stack, but didn't use the
frame to store anything, and also didn't store anything in its caller's
frame.

idle_kvm_start_guest() on the other hand is written more like a normal C
function, it creates a frame on entry, and also stores CR/LR into its
caller's frame (per the ABI). The problem is that there is no caller
frame on the emergency stack.

The emergency stack for a given CPU is allocated with:

  paca_ptrs[i]-&gt;emergency_sp = alloc_stack(limit, i) + THREAD_SIZE;

So emergency_sp actually points to the first address above the emergency
stack allocation for a given CPU, we must not store above it without
first decrementing it to create a frame. This is different to the
regular kernel stack, paca-&gt;kstack, which is initialised to point at an
initial frame that is ready to use.

idle_kvm_start_guest() stores the backchain, CR and LR all of which
write outside the allocation for the emergency stack. It then creates a
stack frame and saves the non-volatile registers. Unfortunately the
frame it creates is not large enough to fit the non-volatiles, and so
the saving of the non-volatile registers also writes outside the
emergency stack allocation.

The end result is that we corrupt whatever is at 0-24 bytes, and 112-248
bytes above the emergency stack allocation.

In practice this has gone unnoticed because the memory immediately above
the emergency stack happens to be used for other stack allocations,
either another CPU's mc_emergency_sp or an IRQ stack. See the order of
calls to irqstack_early_init() and emergency_stack_init().

The low addresses of another stack are the top of that stack, and so are
only used if that stack is under extreme pressure, which essentially
never happens in practice - and if it did there's a high likelihood we'd
crash due to that stack overflowing.

Still, we shouldn't be corrupting someone else's stack, and it is purely
luck that we aren't corrupting something else.

To fix it we save CR/LR into the caller's frame using the existing r1 on
entry, we then create a SWITCH_FRAME_SIZE frame (which has space for
pt_regs) on the emergency stack with the backchain pointing to the
existing stack, and then finally we switch to the new frame on the
emergency stack.</Note>
    </Notes>
    <CVE>CVE-2021-47465</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

isdn: mISDN: Fix sleeping function called from invalid context

The driver can call card-&gt;isac.release() function from an atomic
context.

Fix this by calling this function after releasing the lock.

The following log reveals it:

[   44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018
[   44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe
[   44.169574 ] INFO: lockdep is turned off.
[   44.169899 ] irq event stamp: 0
[   44.170160 ] hardirqs last  enabled at (0): [&lt;0000000000000000&gt;] 0x0
[   44.170627 ] hardirqs last disabled at (0): [&lt;ffffffff814209ed&gt;] copy_process+0x132d/0x3e00
[   44.171240 ] softirqs last  enabled at (0): [&lt;ffffffff81420a1a&gt;] copy_process+0x135a/0x3e00
[   44.171852 ] softirqs last disabled at (0): [&lt;0000000000000000&gt;] 0x0
[   44.172318 ] Preemption disabled at:
[   44.172320 ] [&lt;ffffffffa009b0a9&gt;] nj_release+0x69/0x500 [netjet]
[   44.174441 ] Call Trace:
[   44.174630 ]  dump_stack_lvl+0xa8/0xd1
[   44.174912 ]  dump_stack+0x15/0x17
[   44.175166 ]  ___might_sleep+0x3a2/0x510
[   44.175459 ]  ? nj_release+0x69/0x500 [netjet]
[   44.175791 ]  __might_sleep+0x82/0xe0
[   44.176063 ]  ? start_flush_work+0x20/0x7b0
[   44.176375 ]  start_flush_work+0x33/0x7b0
[   44.176672 ]  ? trace_irq_enable_rcuidle+0x85/0x170
[   44.177034 ]  ? kasan_quarantine_put+0xaa/0x1f0
[   44.177372 ]  ? kasan_quarantine_put+0xaa/0x1f0
[   44.177711 ]  __flush_work+0x11a/0x1a0
[   44.177991 ]  ? flush_work+0x20/0x20
[   44.178257 ]  ? lock_release+0x13c/0x8f0
[   44.178550 ]  ? __kasan_check_write+0x14/0x20
[   44.178872 ]  ? do_raw_spin_lock+0x148/0x360
[   44.179187 ]  ? read_lock_is_recursive+0x20/0x20
[   44.179530 ]  ? __kasan_check_read+0x11/0x20
[   44.179846 ]  ? do_raw_spin_unlock+0x55/0x900
[   44.180168 ]  ? ____kasan_slab_free+0x116/0x140
[   44.180505 ]  ? _raw_spin_unlock_irqrestore+0x41/0x60
[   44.180878 ]  ? skb_queue_purge+0x1a3/0x1c0
[   44.181189 ]  ? kfree+0x13e/0x290
[   44.181438 ]  flush_work+0x17/0x20
[   44.181695 ]  mISDN_freedchannel+0xe8/0x100
[   44.182006 ]  isac_release+0x210/0x260 [mISDNipac]
[   44.182366 ]  nj_release+0xf6/0x500 [netjet]
[   44.182685 ]  nj_remove+0x48/0x70 [netjet]
[   44.182989 ]  pci_device_remove+0xa9/0x250</Note>
    </Notes>
    <CVE>CVE-2021-47468</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()

Commit 8c0eb596baa5 ("[SCSI] qla2xxx: Fix a memory leak in an error path of
qla2x00_process_els()"), intended to change:

        bsg_job-&gt;request-&gt;msgcode == FC_BSG_HST_ELS_NOLOGIN

to:

        bsg_job-&gt;request-&gt;msgcode != FC_BSG_RPT_ELS

but changed it to:

        bsg_job-&gt;request-&gt;msgcode == FC_BSG_RPT_ELS

instead.

Change the == to a != to avoid leaking the fcport structure or freeing
unallocated memory.</Note>
    </Notes>
    <CVE>CVE-2021-47473</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

isofs: Fix out of bound access for corrupted isofs image

When isofs image is suitably corrupted isofs_read_inode() can read data
beyond the end of buffer. Sanity-check the directory entry length before
using it.</Note>
    </Notes>
    <CVE>CVE-2021-47478</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Put LLD module refcnt after SCSI device is released

SCSI host release is triggered when SCSI device is freed. We have to make
sure that the low-level device driver module won't be unloaded before SCSI
host instance is released because shost-&gt;hostt is required in the release
handler.

Make sure to put LLD module refcnt after SCSI device is released.

Fixes a kernel panic of 'BUG: unable to handle page fault for address'
reported by Changhui and Yi.</Note>
    </Notes>
    <CVE>CVE-2021-47480</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: batman-adv: fix error handling

Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was
in wrong error handling in batadv_mesh_init().

Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case
of any batadv_*_init() calls failure. This approach may work well, when
there is some kind of indicator, which can tell which parts of batadv are
initialized; but there isn't any.

All written above lead to cleaning up uninitialized fields. Even if we hide
ODEBUG warning by initializing bat_priv-&gt;nc.work, syzbot was able to hit
GPF in batadv_nc_purge_paths(), because hash pointer is still NULL. [1]

To fix these bugs we can unwind batadv_*_init() calls one by one.
It is a good approach for 2 reasons: 1) It fixes bugs on error handling
path 2) It improves the performance, since we won't call unneeded
batadv_*_free() functions.

So, this patch makes all batadv_*_init() clean up all allocated memory
before returning with an error to not call corresponding batadv_*_free()
and open-codes batadv_mesh_free() with proper order to avoid touching
uninitialized fields.</Note>
    </Notes>
    <CVE>CVE-2021-47482</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

regmap: Fix possible double-free in regcache_rbtree_exit()

In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
the 'blk' which is supposed to assign to 'rbnode-&gt;block' will be freed,
so 'rbnode-&gt;block' points to freed memory, in the error handling path of
regcache_rbtree_init(), 'rbnode-&gt;block' will be freed again in
regcache_rbtree_exit(), KASAN will report double-free as follows:

BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
Call Trace:
 slab_free_freelist_hook+0x10d/0x240
 kfree+0xce/0x390
 regcache_rbtree_exit+0x15d/0x1a0
 regcache_rbtree_init+0x224/0x2c0
 regcache_init+0x88d/0x1310
 __regmap_init+0x3151/0x4a80
 __devm_regmap_init+0x7d/0x100
 madera_spi_probe+0x10f/0x333 [madera_spi]
 spi_probe+0x183/0x210
 really_probe+0x285/0xc30

To fix this, move up the assignment of rbnode-&gt;block to immediately after
the reallocation has succeeded so that the data structure stays valid even
if the second reallocation fails.</Note>
    </Notes>
    <CVE>CVE-2021-47483</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields

Overflowing either addrlimit or bytes_togo can allow userspace to trigger
a buffer overflow of kernel memory. Check for overflows in all the places
doing math on user controlled buffers.</Note>
    </Notes>
    <CVE>CVE-2021-47485</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix race between searching chunks and release journal_head from buffer_head

Encountered a race between ocfs2_test_bg_bit_allocatable() and
jbd2_journal_put_journal_head() resulting in the below vmcore.

  PID: 106879  TASK: ffff880244ba9c00  CPU: 2   COMMAND: "loop3"
  Call trace:
    panic
    oops_end
    no_context
    __bad_area_nosemaphore
    bad_area_nosemaphore
    __do_page_fault
    do_page_fault
    page_fault
      [exception RIP: ocfs2_block_group_find_clear_bits+316]
    ocfs2_block_group_find_clear_bits [ocfs2]
    ocfs2_cluster_group_search [ocfs2]
    ocfs2_search_chain [ocfs2]
    ocfs2_claim_suballoc_bits [ocfs2]
    __ocfs2_claim_clusters [ocfs2]
    ocfs2_claim_clusters [ocfs2]
    ocfs2_local_alloc_slide_window [ocfs2]
    ocfs2_reserve_local_alloc_bits [ocfs2]
    ocfs2_reserve_clusters_with_limit [ocfs2]
    ocfs2_reserve_clusters [ocfs2]
    ocfs2_lock_refcount_allocators [ocfs2]
    ocfs2_make_clusters_writable [ocfs2]
    ocfs2_replace_cow [ocfs2]
    ocfs2_refcount_cow [ocfs2]
    ocfs2_file_write_iter [ocfs2]
    lo_rw_aio
    loop_queue_work
    kthread_worker_fn
    kthread
    ret_from_fork

When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the
bg_bh-&gt;b_private was NULL as jbd2_journal_put_journal_head() raced and
released the journal head from the buffer head.  Needed to take bit lock
for the bit 'BH_JournalHead' to fix this race.</Note>
    </Notes>
    <CVE>CVE-2021-47493</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cfg80211: fix management registrations locking

The management registrations locking was broken, the list was
locked for each wdev, but cfg80211_mgmt_registrations_update()
iterated it without holding all the correct spinlocks, causing
list corruption.

Rather than trying to fix it with fine-grained locking, just
move the lock to the wiphy/rdev (still need the list on each
wdev), we already need to hold the wdev lock to change it, so
there's no contention on the lock in any case. This trivially
fixes the bug since we hold one wdev's lock already, and now
will hold the lock that protects all lists.</Note>
    </Notes>
    <CVE>CVE-2021-47494</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usbnet: sanity check for maxpacket

maxpacket of 0 makes no sense and oopses as we need to divide
by it. Give up.

V2: fixed typo in log and stylistic issues</Note>
    </Notes>
    <CVE>CVE-2021-47495</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/tls: Fix flipped sign in tls_err_abort() calls

sk-&gt;sk_err appears to expect a positive value, a convention that ktls
doesn't always follow and that leads to memory corruption in other code.
For instance,

    [kworker]
    tls_encrypt_done(..., err=&lt;negative error from crypto request&gt;)
      tls_err_abort(.., err)
        sk-&gt;sk_err = err;

    [task]
    splice_from_pipe_feed
      ...
        tls_sw_do_sendpage
          if (sk-&gt;sk_err) {
            ret = -sk-&gt;sk_err;  // ret is positive

    splice_from_pipe_feed (continued)
      ret = actor(...)  // ret is still positive and interpreted as bytes
                        // written, resulting in underflow of buf-&gt;len and
                        // sd-&gt;len, leading to huge buf-&gt;offset and bogus
                        // addresses computed in later calls to actor()

Fix all tls_err_abort() callers to pass a negative error code
consistently and centralize the error-prone sign flip there, throwing in
a warning to catch future misuse and uninlining the function so it
really does only warn once.</Note>
    </Notes>
    <CVE>CVE-2021-47496</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells

If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic

 *p &amp;= GENMASK((cell-&gt;nbits%BITS_PER_BYTE) - 1, 0);

will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we
subtract one from that making a large number that is then shifted more than the
number of bits that fit into an unsigned long.

UBSAN reports this problem:

 UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8
 shift exponent 64 is too large for 64-bit type 'unsigned long'
 CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9
 Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
 Workqueue: events_unbound deferred_probe_work_func
 Call trace:
  dump_backtrace+0x0/0x170
  show_stack+0x24/0x30
  dump_stack_lvl+0x64/0x7c
  dump_stack+0x18/0x38
  ubsan_epilogue+0x10/0x54
  __ubsan_handle_shift_out_of_bounds+0x180/0x194
  __nvmem_cell_read+0x1ec/0x21c
  nvmem_cell_read+0x58/0x94
  nvmem_cell_read_variable_common+0x4c/0xb0
  nvmem_cell_read_variable_le_u32+0x40/0x100
  a6xx_gpu_init+0x170/0x2f4
  adreno_bind+0x174/0x284
  component_bind_all+0xf0/0x264
  msm_drm_bind+0x1d8/0x7a0
  try_to_bring_up_master+0x164/0x1ac
  __component_add+0xbc/0x13c
  component_add+0x20/0x2c
  dp_display_probe+0x340/0x384
  platform_probe+0xc0/0x100
  really_probe+0x110/0x304
  __driver_probe_device+0xb8/0x120
  driver_probe_device+0x4c/0xfc
  __device_attach_driver+0xb0/0x128
  bus_for_each_drv+0x90/0xdc
  __device_attach+0xc8/0x174
  device_initial_probe+0x20/0x2c
  bus_probe_device+0x40/0xa4
  deferred_probe_work_func+0x7c/0xb8
  process_one_work+0x128/0x21c
  process_scheduled_works+0x40/0x54
  worker_thread+0x1ec/0x2a8
  kthread+0x138/0x158
  ret_from_fork+0x10/0x20

Fix it by making sure there are any bits to mask out.</Note>
    </Notes>
    <CVE>CVE-2021-47497</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dm rq: don't queue request to blk-mq during DM suspend

DM uses blk-mq's quiesce/unquiesce to stop/start device mapper queue.

But blk-mq's unquiesce may come from outside events, such as elevator
switch, updating nr_requests or others, and request may come during
suspend, so simply ask for blk-mq to requeue it.

Fixes one kernel panic issue when running updating nr_requests and
dm-mpath suspend/resume stress test.</Note>
    </Notes>
    <CVE>CVE-2021-47498</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove

When ACPI type is ACPI_SMO8500, the data-&gt;dready_trig will not be set, the
memory allocated by iio_triggered_buffer_setup() will not be freed, and cause
memory leak as follows:

unreferenced object 0xffff888009551400 (size 512):
  comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (age 83.852s)
  hex dump (first 32 bytes):
    02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff  ........ .......
  backtrace:
    [&lt;0000000041ce75ee&gt;] kmem_cache_alloc_trace+0x16d/0x360
    [&lt;000000000aeb17b0&gt;] iio_kfifo_allocate+0x41/0x130 [kfifo_buf]
    [&lt;000000004b40c1f5&gt;] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer]
    [&lt;000000004375b15f&gt;] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013]

Fix it by removing the data-&gt;dready_trig condition in probe and remove.</Note>
    </Notes>
    <CVE>CVE-2021-47499</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

iio: mma8452: Fix trigger reference couting

The mma8452 driver directly assigns a trigger to the struct iio_dev. The
IIO core when done using this trigger will call `iio_trigger_put()` to drop
the reference count by 1.

Without the matching `iio_trigger_get()` in the driver the reference count
can reach 0 too early, the trigger gets freed while still in use and a
use-after-free occurs.

Fix this by getting a reference to the trigger before assigning it to the
IIO device.</Note>
    </Notes>
    <CVE>CVE-2021-47500</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc

When trying to dump VFs VSI RX/TX descriptors
using debugfs there was a crash
due to NULL pointer dereference in i40e_dbg_dump_desc.
Added a check to i40e_dbg_dump_desc that checks if
VSI type is correct for dumping RX/TX descriptors.</Note>
    </Notes>
    <CVE>CVE-2021-47501</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ASoC: codecs: wcd934x: handle channel mappping list correctly

Currently each channel is added as list to dai channel list, however
there is danger of adding same channel to multiple dai channel list
which ends up corrupting the other list where it's already added.

This patch ensures that the channel is actually free before adding to
the dai channel list and also ensures that the channel is on the list
before deleting it.

This check was missing previously, and we did not hit this issue as
we were testing very simple use cases with a sequence of amixer commands.</Note>
    </Notes>
    <CVE>CVE-2021-47502</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()

Calling scsi_remove_host() before scsi_add_host() results in a crash:

 BUG: kernel NULL pointer dereference, address: 0000000000000108
 RIP: 0010:device_del+0x63/0x440
 Call Trace:
  device_unregister+0x17/0x60
  scsi_remove_host+0xee/0x2a0
  pm8001_pci_probe+0x6ef/0x1b90 [pm80xx]
  local_pci_probe+0x3f/0x90

We cannot call scsi_remove_host() in pm8001_alloc() because scsi_add_host()
has not been called yet at that point in time.

Function call tree:

  pm8001_pci_probe()
  |
  `- pm8001_pci_alloc()
  |  |
  |  `- pm8001_alloc()
  |     |
  |     `- scsi_remove_host()
  |
  `- scsi_add_host()</Note>
    </Notes>
    <CVE>CVE-2021-47503</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix use-after-free due to delegation race

A delegation break could arrive as soon as we've called vfs_setlease.  A
delegation break runs a callback which immediately (in
nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru.  If we
then exit nfs4_set_delegation without hashing the delegation, it will be
freed as soon as the callback is done with it, without ever being
removed from del_recall_lru.

Symptoms show up later as use-after-free or list corruption warnings,
usually in the laundromat thread.

I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
writes" made this bug easier to hit, but I looked as far back as v3.0
and it looks to me it already had the same problem.  So I'm not sure
where the bug was introduced; it may have been there from the beginning.</Note>
    </Notes>
    <CVE>CVE-2021-47506</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nfsd: Fix nsfd startup race (again)

Commit bd5ae9288d64 ("nfsd: register pernet ops last, unregister first")
has re-opened rpc_pipefs_event() race against nfsd_net_id registration
(register_pernet_subsys()) which has been fixed by commit bb7ffbf29e76
("nfsd: fix nsfd startup race triggering BUG_ON").

Restore the order of register_pernet_subsys() vs register_cld_notifier().
Add WARN_ON() to prevent a future regression.

Crash info:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000012
CPU: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1
pc : rpc_pipefs_event+0x54/0x120 [nfsd]
lr : rpc_pipefs_event+0x48/0x120 [nfsd]
Call trace:
 rpc_pipefs_event+0x54/0x120 [nfsd]
 blocking_notifier_call_chain
 rpc_fill_super
 get_tree_keyed
 rpc_fs_get_tree
 vfs_get_tree
 do_mount
 ksys_mount
 __arm64_sys_mount
 el0_svc_handler
 el0_svc</Note>
    </Notes>
    <CVE>CVE-2021-47507</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: oss: Limit the period size to 16MB

Set the practical limit to the period size (the fragment shift in OSS)
instead of a full 31bit; a too large value could lead to the exhaustion
of memory as we allocate temporary buffers of the period size, too.

As of this patch, we set a 16MB limit, which should cover all use
cases.</Note>
    </Notes>
    <CVE>CVE-2021-47509</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: oss: Fix negative period/buffer sizes

The period size calculation in OSS layer may receive a negative value
as an error, but the code there assumes only the positive values and
handles them with size_t.  Due to that, a too big value may be passed
to the lower layers.

This patch changes the code to handle with ssize_t and adds the proper
error checks appropriately.</Note>
    </Notes>
    <CVE>CVE-2021-47511</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: fq_pie: prevent dismantle issue

For some reason, fq_pie_destroy() did not copy
working code from pie_destroy() and other qdiscs,
thus causing an elusive bug.

Before calling del_timer_sync(&amp;q-&gt;adapt_timer),
we need to ensure timer will not rearm itself.

rcu: INFO: rcu_preempt self-detected stall on CPU
rcu:    0-....: (4416 ticks this GP) idle=60d/1/0x4000000000000000 softirq=10433/10434 fqs=2579
        (t=10501 jiffies g=13085 q=3989)
NMI backtrace for cpu 0
CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 &lt;IRQ&gt;
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
 trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
 rcu_dump_cpu_stacks+0x25e/0x3f0 kernel/rcu/tree_stall.h:343
 print_cpu_stall kernel/rcu/tree_stall.h:627 [inline]
 check_cpu_stall kernel/rcu/tree_stall.h:711 [inline]
 rcu_pending kernel/rcu/tree.c:3878 [inline]
 rcu_sched_clock_irq.cold+0x9d/0x746 kernel/rcu/tree.c:2597
 update_process_times+0x16d/0x200 kernel/time/timer.c:1785
 tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226
 tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749
 hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline]
 __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103
 sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097
 &lt;/IRQ&gt;
 &lt;TASK&gt;
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:write_comp_data kernel/kcov.c:221 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp1+0x1d/0x80 kernel/kcov.c:273
 pie_calculate_probability+0x405/0x7c0 net/sched/sch_pie.c:418
 fq_pie_timer+0x170/0x2a0 net/sched/sch_fq_pie.c:383
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:921 [inline]
 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 &lt;/TASK&gt;</Note>
    </Notes>
    <CVE>CVE-2021-47512</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nfp: Fix memory leak in nfp_cpp_area_cache_add()

In line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a
CPP area structure. But in line 807 (#2), when the cache allocation
fails, this CPP area structure is not freed, which will result in
a memory leak.

We can fix it by freeing the CPP area when the cache allocation
fails (#2).

792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size)
793 {
794 	struct nfp_cpp_area_cache *cache;
795 	struct nfp_cpp_area *area;

800	area = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0),
801 				  0, size);
	// #1: allocates and initializes

802 	if (!area)
803 		return -ENOMEM;

805 	cache = kzalloc(sizeof(*cache), GFP_KERNEL);
806 	if (!cache)
807 		return -ENOMEM; // #2: missing free

817	return 0;
818 }</Note>
    </Notes>
    <CVE>CVE-2021-47516</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done

The done() netlink callback nfc_genl_dump_ses_done() should check if
received argument is non-NULL, because its allocation could fail earlier
in dumpit() (nfc_genl_dump_ses()).</Note>
    </Notes>
    <CVE>CVE-2021-47518</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

can: sja1000: fix use after free in ems_pcmcia_add_card()

If the last channel is not available then "dev" is freed.  Fortunately,
we can just use "pdev-&gt;irq" instead.

Also we should check if at least one channel was set up.</Note>
    </Notes>
    <CVE>CVE-2021-47521</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr

This buffer is currently allocated in hfi1_init():

	if (reinit)
		ret = init_after_reset(dd);
	else
		ret = loadtime_init(dd);
	if (ret)
		goto done;

	/* allocate dummy tail memory for all receive contexts */
	dd-&gt;rcvhdrtail_dummy_kvaddr = dma_alloc_coherent(&amp;dd-&gt;pcidev-&gt;dev,
							 sizeof(u64),
							 &amp;dd-&gt;rcvhdrtail_dummy_dma,
							 GFP_KERNEL);

	if (!dd-&gt;rcvhdrtail_dummy_kvaddr) {
		dd_dev_err(dd, "cannot allocate dummy tail memory\n");
		ret = -ENOMEM;
		goto done;
	}

The reinit triggered path will overwrite the old allocation and leak it.

Fix by moving the allocation to hfi1_alloc_devdata() and the deallocation
to hfi1_free_devdata().</Note>
    </Notes>
    <CVE>CVE-2021-47523</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

serial: core: fix transmit-buffer reset and memleak

Commit 761ed4a94582 ("tty: serial_core: convert uart_close to use
tty_port_close") converted serial core to use tty_port_close() but
failed to notice that the transmit buffer still needs to be freed on
final close.

Not freeing the transmit buffer means that the buffer is no longer
cleared on next open so that any ioctl() waiting for the buffer to drain
might wait indefinitely (e.g. on termios changes) or that stale data can
end up being transmitted in case tx is restarted.

Furthermore, the buffer of any port that has been opened would leak on
driver unbind.

Note that the port lock is held when clearing the buffer pointer due to
the ldisc race worked around by commit a5ba1d95e46e ("uart: fix race
between uart_put_char() and uart_shutdown()").

Also note that the tty-port shutdown() callback is not called for
console ports so it is not strictly necessary to free the buffer page
after releasing the lock (cf. d72402145ace ("tty/serial: do not free
trasnmit buffer page under port lock")).</Note>
    </Notes>
    <CVE>CVE-2021-47527</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/msm/a6xx: Allocate enough space for GMU registers

In commit 142639a52a01 ("drm/msm/a6xx: fix crashstate capture for
A650") we changed a6xx_get_gmu_registers() to read 3 sets of
registers. Unfortunately, we didn't change the memory allocation for
the array. That leads to a KASAN warning (this was on the chromeos-5.4
kernel, which has the problematic commit backported to it):

  BUG: KASAN: slab-out-of-bounds in _a6xx_get_gmu_registers+0x144/0x430
  Write of size 8 at addr ffffff80c89432b0 by task A618-worker/209
  CPU: 5 PID: 209 Comm: A618-worker Tainted: G        W         5.4.156-lockdep #22
  Hardware name: Google Lazor Limozeen without Touchscreen (rev5 - rev8) (DT)
  Call trace:
   dump_backtrace+0x0/0x248
   show_stack+0x20/0x2c
   dump_stack+0x128/0x1ec
   print_address_description+0x88/0x4a0
   __kasan_report+0xfc/0x120
   kasan_report+0x10/0x18
   __asan_report_store8_noabort+0x1c/0x24
   _a6xx_get_gmu_registers+0x144/0x430
   a6xx_gpu_state_get+0x330/0x25d4
   msm_gpu_crashstate_capture+0xa0/0x84c
   recover_worker+0x328/0x838
   kthread_worker_fn+0x32c/0x574
   kthread+0x2dc/0x39c
   ret_from_fork+0x10/0x18

  Allocated by task 209:
   __kasan_kmalloc+0xfc/0x1c4
   kasan_kmalloc+0xc/0x14
   kmem_cache_alloc_trace+0x1f0/0x2a0
   a6xx_gpu_state_get+0x164/0x25d4
   msm_gpu_crashstate_capture+0xa0/0x84c
   recover_worker+0x328/0x838
   kthread_worker_fn+0x32c/0x574
   kthread+0x2dc/0x39c
   ret_from_fork+0x10/0x18</Note>
    </Notes>
    <CVE>CVE-2021-47535</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix wrong list_del in smc_lgr_cleanup_early

smc_lgr_cleanup_early() meant to delete the link
group from the link group list, but it deleted
the list head by mistake.

This may cause memory corruption since we didn't
remove the real link group from the list and later
memset the link group structure.
We got a list corruption panic when testing:

[   231.277259] list_del corruption. prev-&gt;next should be ffff8881398a8000, but was 0000000000000000
[   231.278222] ------------[ cut here ]------------
[   231.278726] kernel BUG at lib/list_debug.c:53!
[   231.279326] invalid opcode: 0000 [#1] SMP NOPTI
[   231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435
[   231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014
[   231.281248] Workqueue: events smc_link_down_work
[   231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90
[   231.291940] Call Trace:
[   231.292211]   smc_lgr_terminate_sched+0x53/0xa0
[   231.292677]   smc_switch_conns+0x75/0x6b0
[   231.293085]   ? update_load_avg+0x1a6/0x590
[   231.293517]   ? ttwu_do_wakeup+0x17/0x150
[   231.293907]   ? update_load_avg+0x1a6/0x590
[   231.294317]   ? newidle_balance+0xca/0x3d0
[   231.294716]   smcr_link_down+0x50/0x1a0
[   231.295090]   ? __wake_up_common_lock+0x77/0x90
[   231.295534]   smc_link_down_work+0x46/0x60
[   231.295933]   process_one_work+0x18b/0x350</Note>
    </Notes>
    <CVE>CVE-2021-47536</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()

Need to call rxrpc_put_local() for peer candidate before kfree() as it
holds a ref to rxrpc_local.

[DH: v2: Changed to abstract the peer freeing code out into a function]</Note>
    </Notes>
    <CVE>CVE-2021-47538</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode

Fix the following NULL pointer dereference in mt7915_get_phy_mode
routine adding an ibss interface to the mt7915 driver.

[  101.137097] wlan0: Trigger new scan to find an IBSS to join
[  102.827039] wlan0: Creating new IBSS network, BSSID 26:a4:50:1a:6e:69
[  103.064756] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  103.073670] Mem abort info:
[  103.076520]   ESR = 0x96000005
[  103.079614]   EC = 0x25: DABT (current EL), IL = 32 bits
[  103.084934]   SET = 0, FnV = 0
[  103.088042]   EA = 0, S1PTW = 0
[  103.091215] Data abort info:
[  103.094104]   ISV = 0, ISS = 0x00000005
[  103.098041]   CM = 0, WnR = 0
[  103.101044] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000460b1000
[  103.107565] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[  103.116590] Internal error: Oops: 96000005 [#1] SMP
[  103.189066] CPU: 1 PID: 333 Comm: kworker/u4:3 Not tainted 5.10.75 #0
[  103.195498] Hardware name: MediaTek MT7622 RFB1 board (DT)
[  103.201124] Workqueue: phy0 ieee80211_iface_work [mac80211]
[  103.206695] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--)
[  103.212705] pc : mt7915_get_phy_mode+0x68/0x120 [mt7915e]
[  103.218103] lr : mt7915_mcu_add_bss_info+0x11c/0x760 [mt7915e]
[  103.223927] sp : ffffffc011cdb9e0
[  103.227235] x29: ffffffc011cdb9e0 x28: ffffff8006563098
[  103.232545] x27: ffffff8005f4da22 x26: ffffff800685ac40
[  103.237855] x25: 0000000000000001 x24: 000000000000011f
[  103.243165] x23: ffffff8005f4e260 x22: ffffff8006567918
[  103.248475] x21: ffffff8005f4df80 x20: ffffff800685ac58
[  103.253785] x19: ffffff8006744400 x18: 0000000000000000
[  103.259094] x17: 0000000000000000 x16: 0000000000000001
[  103.264403] x15: 000899c3a2d9d2e4 x14: 000899bdc3c3a1c8
[  103.269713] x13: 0000000000000000 x12: 0000000000000000
[  103.275024] x11: ffffffc010e30c20 x10: 0000000000000000
[  103.280333] x9 : 0000000000000050 x8 : ffffff8006567d88
[  103.285642] x7 : ffffff8006563b5c x6 : ffffff8006563b44
[  103.290952] x5 : 0000000000000002 x4 : 0000000000000001
[  103.296262] x3 : 0000000000000001 x2 : 0000000000000001
[  103.301572] x1 : 0000000000000000 x0 : 0000000000000011
[  103.306882] Call trace:
[  103.309328]  mt7915_get_phy_mode+0x68/0x120 [mt7915e]
[  103.314378]  mt7915_bss_info_changed+0x198/0x200 [mt7915e]
[  103.319941]  ieee80211_bss_info_change_notify+0x128/0x290 [mac80211]
[  103.326360]  __ieee80211_sta_join_ibss+0x308/0x6c4 [mac80211]
[  103.332171]  ieee80211_sta_create_ibss+0x8c/0x10c [mac80211]
[  103.337895]  ieee80211_ibss_work+0x3dc/0x614 [mac80211]
[  103.343185]  ieee80211_iface_work+0x388/0x3f0 [mac80211]
[  103.348495]  process_one_work+0x288/0x690
[  103.352499]  worker_thread+0x70/0x464
[  103.356157]  kthread+0x144/0x150
[  103.359380]  ret_from_fork+0x10/0x18
[  103.362952] Code: 394008c3 52800220 394000e4 7100007f (39400023)</Note>
    </Notes>
    <CVE>CVE-2021-47540</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
tmp-&gt;tx_cq will be freed on the error path of mlx4_en_copy_priv().
After that mlx4_en_alloc_resources() is called and there is a dereference
of &amp;tmp-&gt;tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
a use after free problem on failure of mlx4_en_copy_priv().

Fix this bug by adding a check of mlx4_en_copy_priv()

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_MLX4_EN=m show no new warnings,
and our static analyzer no longer warns about this code.</Note>
    </Notes>
    <CVE>CVE-2021-47541</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

In qlcnic_83xx_add_rings(), the indirect function of
ahw-&gt;hw_ops-&gt;alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(), this patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.</Note>
    </Notes>
    <CVE>CVE-2021-47542</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,
a bug is reported:
 ==================================================================
 BUG: Unable to handle kernel data access on read at 0x80000800805b502c
 Oops: Kernel access of bad area, sig: 11 [#1]
 NIP [c0000000000388a4] .ioread32+0x4/0x20
 LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]
 Call Trace:
  .free_irq+0x1c/0x4e0 (unreliable)
  .ata_host_stop+0x74/0xd0 [libata]
  .release_nodes+0x330/0x3f0
  .device_release_driver_internal+0x178/0x2c0
  .driver_detach+0x64/0xd0
  .bus_remove_driver+0x70/0xf0
  .driver_unregister+0x38/0x80
  .platform_driver_unregister+0x14/0x30
  .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
  .__se_sys_delete_module+0x1ec/0x2d0
  .system_call_exception+0xfc/0x1f0
  system_call_common+0xf8/0x200
 ==================================================================

The triggering of the BUG is shown in the following stack:

driver_detach
  device_release_driver_internal
    __device_release_driver
      drv-&gt;remove(dev) --&gt; platform_drv_remove/platform_remove
        drv-&gt;remove(dev) --&gt; sata_fsl_remove
          iounmap(host_priv-&gt;hcr_base);			&lt;---- unmap
          kfree(host_priv);                             &lt;---- free
      devres_release_all
        release_nodes
          dr-&gt;node.release(dev, dr-&gt;data) --&gt; ata_host_stop
            ap-&gt;ops-&gt;port_stop(ap) --&gt; sata_fsl_port_stop
                ioread32(hcr_base + HCONTROL)           &lt;---- UAF
            host-&gt;ops-&gt;host_stop(host)

The iounmap(host_priv-&gt;hcr_base) and kfree(host_priv) functions should
not be executed in drv-&gt;remove. These functions should be executed in
host_stop after port_stop. Therefore, we move these functions to the
new function sata_fsl_host_stop and bind the new function to host_stop.</Note>
    </Notes>
    <CVE>CVE-2021-47549</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_ets: don't peek at classes beyond 'nbands'

When the number of DRR classes decreases, the round-robin active list can
contain elements that have already been freed in ets_qdisc_change(). As a
consequence, it's possible to see a NULL dereference crash, caused by the
attempt to call cl-&gt;qdisc-&gt;ops-&gt;peek(cl-&gt;qdisc) when cl-&gt;qdisc is NULL:

 BUG: kernel NULL pointer dereference, address: 0000000000000018
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 1 PID: 910 Comm: mausezahn Not tainted 5.16.0-rc1+ #475
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 RIP: 0010:ets_qdisc_dequeue+0x129/0x2c0 [sch_ets]
 Code: c5 01 41 39 ad e4 02 00 00 0f 87 18 ff ff ff 49 8b 85 c0 02 00 00 49 39 c4 0f 84 ba 00 00 00 49 8b ad c0 02 00 00 48 8b 7d 10 &lt;48&gt; 8b 47 18 48 8b 40 38 0f ae e8 ff d0 48 89 c3 48 85 c0 0f 84 9d
 RSP: 0000:ffffbb36c0b5fdd8 EFLAGS: 00010287
 RAX: ffff956678efed30 RBX: 0000000000000000 RCX: 0000000000000000
 RDX: 0000000000000002 RSI: ffffffff9b938dc9 RDI: 0000000000000000
 RBP: ffff956678efed30 R08: e2f3207fe360129c R09: 0000000000000000
 R10: 0000000000000001 R11: 0000000000000001 R12: ffff956678efeac0
 R13: ffff956678efe800 R14: ffff956611545000 R15: ffff95667ac8f100
 FS:  00007f2aa9120740(0000) GS:ffff95667b800000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000018 CR3: 000000011070c000 CR4: 0000000000350ee0
 Call Trace:
  &lt;TASK&gt;
  qdisc_peek_dequeued+0x29/0x70 [sch_ets]
  tbf_dequeue+0x22/0x260 [sch_tbf]
  __qdisc_run+0x7f/0x630
  net_tx_action+0x290/0x4c0
  __do_softirq+0xee/0x4f8
  irq_exit_rcu+0xf4/0x130
  sysvec_apic_timer_interrupt+0x52/0xc0
  asm_sysvec_apic_timer_interrupt+0x12/0x20
 RIP: 0033:0x7f2aa7fc9ad4
 Code: b9 ff ff 48 8b 54 24 18 48 83 c4 08 48 89 ee 48 89 df 5b 5d e9 ed fc ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa &lt;53&gt; 48 83 ec 10 48 8b 05 10 64 33 00 48 8b 00 48 85 c0 0f 85 84 00
 RSP: 002b:00007ffe5d33fab8 EFLAGS: 00000202
 RAX: 0000000000000002 RBX: 0000561f72c31460 RCX: 0000561f72c31720
 RDX: 0000000000000002 RSI: 0000561f72c31722 RDI: 0000561f72c31720
 RBP: 000000000000002a R08: 00007ffe5d33fa40 R09: 0000000000000014
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000561f7187e380
 R13: 0000000000000000 R14: 0000000000000000 R15: 0000561f72c31460
  &lt;/TASK&gt;
 Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt intel_rapl_msr iTCO_vendor_support intel_rapl_common joydev virtio_balloon lpc_ich i2c_i801 i2c_smbus pcspkr ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel ahci libahci ghash_clmulni_intel serio_raw libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod
 CR2: 0000000000000018

Ensuring that 'alist' was never zeroed [1] was not sufficient, we need to
remove from the active list those elements that are no more SP nor DRR.

[1] https://lore.kernel.org/netdev/60d274838bf09777f0371253416e8af71360bc08.1633609148.git.dcaratti@redhat.com/

v3: fix race between ets_qdisc_change() and ets_qdisc_dequeue() delisting
    DRR classes beyond 'nbands' in ets_qdisc_change() with the qdisc lock
    acquired, thanks to Cong Wang.

v2: when a NULL qdisc is found in the DRR active list, try to dequeue skb
    from the next list item.</Note>
    </Notes>
    <CVE>CVE-2021-47557</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ice: fix vsi-&gt;txq_map sizing

The approach of having XDP queue per CPU regardless of user's setting
exposed a hidden bug that could occur in case when Rx queue count differs
from Tx queue count. Currently vsi-&gt;txq_map's size is equal to the
doubled vsi-&gt;alloc_txq, which is not correct due to the fact that XDP
rings were previously based on the Rx queue count. Below splat can be
seen when ethtool -L is used and XDP rings are configured:

[  682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f
[  682.883403] #PF: supervisor read access in kernel mode
[  682.889345] #PF: error_code(0x0000) - not-present page
[  682.895289] PGD 0 P4D 0
[  682.898218] Oops: 0000 [#1] PREEMPT SMP PTI
[  682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G           OE     5.15.0-rc5+ #1
[  682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016
[  682.923380] RIP: 0010:devres_remove+0x44/0x130
[  682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f &lt;4c&gt; 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8
[  682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002
[  682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370
[  682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000
[  682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000
[  682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60
[  682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c
[  682.997535] FS:  00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000
[  683.006910] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0
[  683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  683.038336] Call Trace:
[  683.041167]  devm_kfree+0x33/0x50
[  683.045004]  ice_vsi_free_arrays+0x5e/0xc0 [ice]
[  683.050380]  ice_vsi_rebuild+0x4c8/0x750 [ice]
[  683.055543]  ice_vsi_recfg_qs+0x9a/0x110 [ice]
[  683.060697]  ice_set_channels+0x14f/0x290 [ice]
[  683.065962]  ethnl_set_channels+0x333/0x3f0
[  683.070807]  genl_family_rcv_msg_doit+0xea/0x150
[  683.076152]  genl_rcv_msg+0xde/0x1d0
[  683.080289]  ? channels_prepare_data+0x60/0x60
[  683.085432]  ? genl_get_cmd+0xd0/0xd0
[  683.089667]  netlink_rcv_skb+0x50/0xf0
[  683.094006]  genl_rcv+0x24/0x40
[  683.097638]  netlink_unicast+0x239/0x340
[  683.102177]  netlink_sendmsg+0x22e/0x470
[  683.106717]  sock_sendmsg+0x5e/0x60
[  683.110756]  __sys_sendto+0xee/0x150
[  683.114894]  ? handle_mm_fault+0xd0/0x2a0
[  683.119535]  ? do_user_addr_fault+0x1f3/0x690
[  683.134173]  __x64_sys_sendto+0x25/0x30
[  683.148231]  do_syscall_64+0x3b/0xc0
[  683.161992]  entry_SYSCALL_64_after_hwframe+0x44/0xae

Fix this by taking into account the value that num_possible_cpus()
yields in addition to vsi-&gt;alloc_txq instead of doubling the latter.</Note>
    </Notes>
    <CVE>CVE-2021-47562</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ice: avoid bpf_prog refcount underflow

Ice driver has the routines for managing XDP resources that are shared
between ndo_bpf op and VSI rebuild flow. The latter takes place for
example when user changes queue count on an interface via ethtool's
set_channels().

There is an issue around the bpf_prog refcounting when VSI is being
rebuilt - since ice_prepare_xdp_rings() is called with vsi-&gt;xdp_prog as
an argument that is used later on by ice_vsi_assign_bpf_prog(), same
bpf_prog pointers are swapped with each other. Then it is also
interpreted as an 'old_prog' which in turn causes us to call
bpf_prog_put on it that will decrement its refcount.

Below splat can be interpreted in a way that due to zero refcount of a
bpf_prog it is wiped out from the system while kernel still tries to
refer to it:

[  481.069429] BUG: unable to handle page fault for address: ffffc9000640f038
[  481.077390] #PF: supervisor read access in kernel mode
[  481.083335] #PF: error_code(0x0000) - not-present page
[  481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0
[  481.097141] Oops: 0000 [#1] PREEMPT SMP PTI
[  481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G           OE     5.15.0-rc5+ #1
[  481.110840] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016
[  481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40
[  481.127265] Code: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 &lt;48&gt; 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84
[  481.148991] RSP: 0018:ffffc90007b63868 EFLAGS: 00010286
[  481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000
[  481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000
[  481.171527] RBP: ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0
[  481.179776] R10: 0000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc
[  481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  481.196276] FS:  00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000
[  481.205633] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0
[  481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  481.228771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  481.237029] Call Trace:
[  481.239856]  rtnl_fill_ifinfo+0x768/0x12e0
[  481.244602]  rtnl_dump_ifinfo+0x525/0x650
[  481.249246]  ? __alloc_skb+0xa5/0x280
[  481.253484]  netlink_dump+0x168/0x3c0
[  481.257725]  netlink_recvmsg+0x21e/0x3e0
[  481.262263]  ____sys_recvmsg+0x87/0x170
[  481.266707]  ? __might_fault+0x20/0x30
[  481.271046]  ? _copy_from_user+0x66/0xa0
[  481.275591]  ? iovec_from_user+0xf6/0x1c0
[  481.280226]  ___sys_recvmsg+0x82/0x100
[  481.284566]  ? sock_sendmsg+0x5e/0x60
[  481.288791]  ? __sys_sendto+0xee/0x150
[  481.293129]  __sys_recvmsg+0x56/0xa0
[  481.297267]  do_syscall_64+0x3b/0xc0
[  481.301395]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  481.307238] RIP: 0033:0x7f5466f39617
[  481.311373] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 &lt;48&gt; 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[  481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[  481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617
[  481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 0000000000000003
[  481.398500] RBP: 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50
[  481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: 00007ffedc7f5360
[  481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98
[  481.451520] Modules linked in: ice
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47563</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix kernel panic during drive powercycle test

While looping over shost's sdev list it is possible that one
of the drives is getting removed and its sas_target object is
freed but its sdev object remains intact.

Consequently, a kernel panic can occur while the driver is trying to access
the sas_address field of sas_target object without also checking the
sas_target object for NULL.</Note>
    </Notes>
    <CVE>CVE-2021-47565</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()

The free_rtllib() function frees the "dev" pointer so there is use
after free on the next line.  Re-arrange things to avoid that.</Note>
    </Notes>
    <CVE>CVE-2021-47571</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()

In resp_mode_select() sanity check the block descriptor len to avoid UAF.

BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
Read of size 1 at addr ffff888026670f50 by task scsicmd/15032

CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
 &lt;TASK&gt;
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113</Note>
    </Notes>
    <CVE>CVE-2021-47576</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: mxl111sf: change mutex_init() location

Syzbot reported, that mxl111sf_ctrl_msg() uses uninitialized
mutex. The problem was in wrong mutex_init() location.

Previous mutex_init(&amp;state-&gt;msg_lock) call was in -&gt;init() function, but
dvb_usbv2_init() has this order of calls:

	dvb_usbv2_init()
	  dvb_usbv2_adapter_init()
	    dvb_usbv2_adapter_frontend_init()
	      props-&gt;frontend_attach()

	  props-&gt;init()

Since mxl111sf_* devices call mxl111sf_ctrl_msg() in -&gt;frontend_attach()
internally we need to initialize state-&gt;msg_lock before
frontend_attach(). To achieve it, -&gt;probe() call added to all mxl111sf_*
devices, which will simply initialize mutex.</Note>
    </Notes>
    <CVE>CVE-2021-47583</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

igbvf: fix double free in `igbvf_probe`

In `igbvf_probe`, if register_netdev() fails, the program will go to
label err_hw_init, and then to label err_ioremap. In free_netdev() which
is just below label err_ioremap, there is `list_for_each_entry_safe` and
`netif_napi_del` which aims to delete all entries in `dev-&gt;napi_list`.
The program has added an entry `adapter-&gt;rx_ring-&gt;napi` which is added by
`netif_napi_add` in igbvf_alloc_queues(). However, adapter-&gt;rx_ring has
been freed below label err_hw_init. So this is a UAF.

In terms of how to patch the problem, we can refer to igbvf_remove() and
delete the entry before `adapter-&gt;rx_ring`.

The KASAN logs are as follows:

[   35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450
[   35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366
[   35.128360]
[   35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14
[   35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[   35.131749] Call Trace:
[   35.132199]  dump_stack_lvl+0x59/0x7b
[   35.132865]  print_address_description+0x7c/0x3b0
[   35.133707]  ? free_netdev+0x1fd/0x450
[   35.134378]  __kasan_report+0x160/0x1c0
[   35.135063]  ? free_netdev+0x1fd/0x450
[   35.135738]  kasan_report+0x4b/0x70
[   35.136367]  free_netdev+0x1fd/0x450
[   35.137006]  igbvf_probe+0x121d/0x1a10 [igbvf]
[   35.137808]  ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]
[   35.138751]  local_pci_probe+0x13c/0x1f0
[   35.139461]  pci_device_probe+0x37e/0x6c0
[   35.165526]
[   35.165806] Allocated by task 366:
[   35.166414]  ____kasan_kmalloc+0xc4/0xf0
[   35.167117]  foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]
[   35.168078]  igbvf_probe+0x9c5/0x1a10 [igbvf]
[   35.168866]  local_pci_probe+0x13c/0x1f0
[   35.169565]  pci_device_probe+0x37e/0x6c0
[   35.179713]
[   35.179993] Freed by task 366:
[   35.180539]  kasan_set_track+0x4c/0x80
[   35.181211]  kasan_set_free_info+0x1f/0x40
[   35.181942]  ____kasan_slab_free+0x103/0x140
[   35.182703]  kfree+0xe3/0x250
[   35.183239]  igbvf_probe+0x1173/0x1a10 [igbvf]
[   35.184040]  local_pci_probe+0x13c/0x1f0</Note>
    </Notes>
    <CVE>CVE-2021-47589</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_ets: don't remove idle classes from the round-robin list

Shuang reported that the following script:

 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7
 2) mausezahn ddd0  -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp &amp;
 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

crashes systematically when line 2) is commented:

 list_del corruption, ffff8e028404bd30-&gt;next is LIST_POISON1 (dead000000000100)
 ------------[ cut here ]------------
 kernel BUG at lib/list_debug.c:47!
 invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47
 Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff &lt;0f&gt; 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe
 RSP: 0018:ffffae46807a3888 EFLAGS: 00010246
 RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202
 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff
 RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff
 R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800
 R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400
 FS:  00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0
 Call Trace:
  &lt;TASK&gt;
  ets_qdisc_change+0x58b/0xa70 [sch_ets]
  tc_modify_qdisc+0x323/0x880
  rtnetlink_rcv_msg+0x169/0x4a0
  netlink_rcv_skb+0x50/0x100
  netlink_unicast+0x1a5/0x280
  netlink_sendmsg+0x257/0x4d0
  sock_sendmsg+0x5b/0x60
  ____sys_sendmsg+0x1f2/0x260
  ___sys_sendmsg+0x7c/0xc0
  __sys_sendmsg+0x57/0xa0
  do_syscall_64+0x3a/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7efdc8031338
 Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 &lt;48&gt; 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55
 RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338
 RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003
 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940
 R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001
 R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000
  &lt;/TASK&gt;
 Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets]
 ---[ end trace f35878d1912655c2 ]---
---truncated---</Note>
    </Notes>
    <CVE>CVE-2021-47595</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg

Currently, the hns3_remove function first uninstalls the client instance,
and then uninstalls the acceleration engine device. The netdevice is freed in
the client instance uninstall process, but the acceleration engine device
uninstall process still uses it to trace runtime information. This causes a
use-after-free problem.

So fix it by checking the instance register state to avoid the use after free.</Note>
    </Notes>
    <CVE>CVE-2021-47596</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dm btree remove: fix use after free in rebalance_children()

Move dm_tm_unlock() after dm_tm_dec().</Note>
    </Notes>
    <CVE>CVE-2021-47600</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mac80211: track only QoS data frames for admission control

For admission control, obviously all of that only works for
QoS data frames, otherwise we cannot even access the QoS
field in the header.

Syzbot reported (see below) an uninitialized value here due
to a status of a non-QoS nullfunc packet, which isn't even
long enough to contain the QoS header.

Fix this to only do anything for QoS data packets.</Note>
    </Notes>
    <CVE>CVE-2021-47602</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scpi: Fix string overflow in SCPI genpd driver

Without the bound checks for scpi_pd-&gt;name, it could result in the buffer
overflow when copying the SCPI device name from the corresponding device
tree node as the name string is set at maximum size of 30.

Let us fix it by using devm_kasprintf so that the string buffer is
allocated dynamically.</Note>
    </Notes>
    <CVE>CVE-2021-47609</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mac80211: validate extended element ID is present

Before attempting to parse an extended element, verify that
the extended element ID is present.</Note>
    </Notes>
    <CVE>CVE-2021-47611</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nfc: fix segfault in nfc_genl_dump_devices_done

When kmalloc in nfc_genl_dump_devices() fails then
nfc_genl_dump_devices_done() segfaults as below

KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014
Workqueue: events netlink_sock_destruct_work
RIP: 0010:klist_iter_exit+0x26/0x80
Call Trace:
&lt;TASK&gt;
class_dev_iter_exit+0x15/0x20
nfc_genl_dump_devices_done+0x3b/0x50
genl_lock_done+0x84/0xd0
netlink_sock_destruct+0x8f/0x270
__sk_destruct+0x64/0x3b0
sk_destruct+0xa8/0xd0
__sk_free+0x2e8/0x3d0
sk_free+0x51/0x90
netlink_sock_destruct_work+0x1c/0x20
process_one_work+0x411/0x710
worker_thread+0x6fd/0xa80</Note>
    </Notes>
    <CVE>CVE-2021-47612</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

PCI: pciehp: Fix infinite loop in IRQ handler upon power fault

The Power Fault Detected bit in the Slot Status register differs from
all other hotplug events in that it is sticky:  It can only be cleared
after turning off slot power.  Per PCIe r5.0, sec. 6.7.1.8:

  If a power controller detects a main power fault on the hot-plug slot,
  it must automatically set its internal main power fault latch [...].
  The main power fault latch is cleared when software turns off power to
  the hot-plug slot.

The stickiness used to cause interrupt storms and infinite loops which
were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault
interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable
software notification on empty slots").

Unfortunately in 2020 the infinite loop issue was inadvertently
reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt
race"):  The hardirq handler pciehp_isr() clears the PFD bit until
pciehp's power_fault_detected flag is set.  That happens in the IRQ
thread pciehp_ist(), which never learns of the event because the hardirq
handler is stuck in an infinite loop.  Fix by setting the
power_fault_detected flag already in the hardirq handler.</Note>
    </Notes>
    <CVE>CVE-2021-47617</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ARM: 9170/1: fix panic when kasan and kprobe are enabled

arm32 uses software to simulate the instruction replaced
by kprobe. Some instructions may be simulated by constructing
assembly functions. Therefore, before executing instruction
simulation, it is necessary to construct assembly function
execution environment in C language through binding registers.
After kasan is enabled, the register binding relationship will
be destroyed, resulting in instruction simulation errors and
causing kernel panic.

The kprobe emulate instruction function is distributed in three
files: actions-common.c actions-arm.c actions-thumb.c, so disable
KASAN when compiling these files.

For example, use kprobe insert on cap_capable+20 after kasan
enabled, the cap_capable assembly code is as follows:
&lt;cap_capable&gt;:
e92d47f0	push	{r4, r5, r6, r7, r8, r9, sl, lr}
e1a05000	mov	r5, r0
e280006c	add	r0, r0, #108    ; 0x6c
e1a04001	mov	r4, r1
e1a06002	mov	r6, r2
e59fa090	ldr	sl, [pc, #144]  ;
ebfc7bf8	bl	c03aa4b4 &lt;__asan_load4&gt;
e595706c	ldr	r7, [r5, #108]  ; 0x6c
e2859014	add	r9, r5, #20
......
The emulate_ldr assembly code after enabling kasan is as follows:
c06f1384 &lt;emulate_ldr&gt;:
e92d47f0	push	{r4, r5, r6, r7, r8, r9, sl, lr}
e282803c	add	r8, r2, #60     ; 0x3c
e1a05000	mov	r5, r0
e7e37855	ubfx	r7, r5, #16, #4
e1a00008	mov	r0, r8
e1a09001	mov	r9, r1
e1a04002	mov	r4, r2
ebf35462	bl	c03c6530 &lt;__asan_load4&gt;
e357000f	cmp	r7, #15
e7e36655	ubfx	r6, r5, #12, #4
e205a00f	and	sl, r5, #15
0a000001	beq	c06f13bc &lt;emulate_ldr+0x38&gt;
e0840107	add	r0, r4, r7, lsl #2
ebf3545c	bl	c03c6530 &lt;__asan_load4&gt;
e084010a	add	r0, r4, sl, lsl #2
ebf3545a	bl	c03c6530 &lt;__asan_load4&gt;
e2890010	add	r0, r9, #16
ebf35458	bl	c03c6530 &lt;__asan_load4&gt;
e5990010	ldr	r0, [r9, #16]
e12fff30	blx	r0
e356000f	cm	r6, #15
1a000014	bne	c06f1430 &lt;emulate_ldr+0xac&gt;
e1a06000	mov	r6, r0
e2840040	add	r0, r4, #64     ; 0x40
......

When running in emulate_ldr to simulate the ldr instruction, panic
occurred, and the log is as follows:
Unable to handle kernel NULL pointer dereference at virtual address
00000090
pgd = ecb46400
[00000090] *pgd=2e0fa003, *pmd=00000000
Internal error: Oops: 206 [#1] SMP ARM
PC is at cap_capable+0x14/0xb0
LR is at emulate_ldr+0x50/0xc0
psr: 600d0293 sp : ecd63af8  ip : 00000004  fp : c0a7c30c
r10: 00000000  r9 : c30897f4  r8 : ecd63cd4
r7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98
r3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008
Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 32c5387d  Table: 2d546400  DAC: 55555555
Process bash (pid: 1643, stack limit = 0xecd60190)
(cap_capable) from (kprobe_handler+0x218/0x340)
(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)
(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)
(do_undefinstr) from (__und_svc_finish+0x0/0x30)
(__und_svc_finish) from (cap_capable+0x18/0xb0)
(cap_capable) from (cap_vm_enough_memory+0x38/0x48)
(cap_vm_enough_memory) from
(security_vm_enough_memory_mm+0x48/0x6c)
(security_vm_enough_memory_mm) from
(copy_process.constprop.5+0x16b4/0x25c8)
(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)
(_do_fork) from (SyS_clone+0x1c/0x24)
(SyS_clone) from (__sys_trace_return+0x0/0x10)
Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)</Note>
    </Notes>
    <CVE>CVE-2021-47618</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix queues reservation for XDP

When XDP was configured on a system with large number of CPUs
and X722 NIC there was a call trace with NULL pointer dereference.

i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12
i40e 0000:87:00.0: setup of MAIN VSI failed

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]
Call Trace:
? i40e_reconfig_rss_queues+0x130/0x130 [i40e]
dev_xdp_install+0x61/0xe0
dev_xdp_attach+0x18a/0x4c0
dev_change_xdp_fd+0x1e6/0x220
do_setlink+0x616/0x1030
? ahci_port_stop+0x80/0x80
? ata_qc_issue+0x107/0x1e0
? lock_timer_base+0x61/0x80
? __mod_timer+0x202/0x380
rtnl_setlink+0xe5/0x170
? bpf_lsm_binder_transaction+0x10/0x10
? security_capable+0x36/0x50
rtnetlink_rcv_msg+0x121/0x350
? rtnl_calcit.isra.0+0x100/0x100
netlink_rcv_skb+0x50/0xf0
netlink_unicast+0x1d3/0x2a0
netlink_sendmsg+0x22a/0x440
sock_sendmsg+0x5e/0x60
__sys_sendto+0xf0/0x160
? __sys_getsockname+0x7e/0xc0
? _copy_from_user+0x3c/0x80
? __sys_setsockopt+0xc8/0x1a0
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f83fa7a39e0

This was caused by PF queue pile fragmentation due to
flow director VSI queue being placed right after main VSI.
Because of this main VSI was not able to resize its
queue allocation for XDP resulting in no queues allocated
for main VSI when XDP was turned on.

Fix this by always allocating last queue in PF queue pile
for a flow director VSI.</Note>
    </Notes>
    <CVE>CVE-2021-47619</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: refactor malicious adv data check

Check for out-of-bound read was being performed at the end of while
num_reports loop, and would fill journal with false positives. Added
check to beginning of loop processing so that it doesn't get checked
after ptr has been advanced.</Note>
    </Notes>
    <CVE>CVE-2021-47620</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.</Note>
    </Notes>
    <CVE>CVE-2022-0435</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>9</BaseScore>
        <Vector>AV:N/AC:L/Au:S/C:C/I:C/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1.</Note>
    </Notes>
    <CVE>CVE-2022-0487</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>2.1</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.</Note>
    </Notes>
    <CVE>CVE-2022-1195</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>2.1</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.</Note>
    </Notes>
    <CVE>CVE-2022-1210</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libjbig2-2.1-150000.3.5.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.</Note>
    </Notes>
    <CVE>CVE-2022-1622</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure if a malicious USB HID device were plugged in, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-188677105. References: Upstream kernel</Note>
    </Notes>
    <CVE>CVE-2022-20132</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.9</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:C/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In lock_sock_nested of sock.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-174846563. References: Upstream kernel</Note>
    </Notes>
    <CVE>CVE-2022-20154</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.4</BaseScore>
        <Vector>AV:L/AC:M/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer.</Note>
    </Notes>
    <CVE>CVE-2022-22942</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.</Note>
    </Notes>
    <CVE>CVE-2022-25236</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-3.6.15-150300.10.65.2</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-curses-3.6.15-150300.10.65.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue discovered in function TIFFReadDirectory in libtiff before 4.4.0 allows attackers to cause a denial of service via a crafted TIFF file.</Note>
    </Notes>
    <CVE>CVE-2022-40090</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A double-free flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.</Note>
    </Notes>
    <CVE>CVE-2022-4744</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.</Note>
    </Notes>
    <CVE>CVE-2022-48622</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gdk-pixbuf-query-loaders-2.40.0-150200.3.12.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgdk_pixbuf-2_0-0-2.40.0-150200.3.12.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.</Note>
    </Notes>
    <CVE>CVE-2022-48624</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:less-530-150000.3.9.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

vt: fix memory overlapping when deleting chars in the buffer

A memory overlapping copy occurs when deleting a long line. This memory
overlapping copy can cause data corruption when scr_memcpyw is optimized
to memcpy because memcpy does not ensure its behavior if the destination
buffer overlaps with the source buffer. The line buffer is not always
broken, because the memcpy utilizes the hardware acceleration, whose
result is not deterministic.

Fix this problem by replacing the scr_memcpyw with scr_memmovew.</Note>
    </Notes>
    <CVE>CVE-2022-48627</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth &gt; 0

When walking through an inode extents, the ext4_ext_binsearch_idx() function
assumes that the extent header has been previously validated.  However, there
are no checks that verify that the number of entries (eh-&gt;eh_entries) is
non-zero when depth is &gt; 0.  And this will lead to problems because the
EXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:

[  135.245946] ------------[ cut here ]------------
[  135.247579] kernel BUG at fs/ext4/extents.c:2258!
[  135.249045] invalid opcode: 0000 [#1] PREEMPT SMP
[  135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4
[  135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[  135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0
[  135.256475] Code:
[  135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246
[  135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023
[  135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c
[  135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c
[  135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024
[  135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000
[  135.272394] FS:  00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
[  135.274510] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0
[  135.277952] Call Trace:
[  135.278635]  &lt;TASK&gt;
[  135.279247]  ? preempt_count_add+0x6d/0xa0
[  135.280358]  ? percpu_counter_add_batch+0x55/0xb0
[  135.281612]  ? _raw_read_unlock+0x18/0x30
[  135.282704]  ext4_map_blocks+0x294/0x5a0
[  135.283745]  ? xa_load+0x6f/0xa0
[  135.284562]  ext4_mpage_readpages+0x3d6/0x770
[  135.285646]  read_pages+0x67/0x1d0
[  135.286492]  ? folio_add_lru+0x51/0x80
[  135.287441]  page_cache_ra_unbounded+0x124/0x170
[  135.288510]  filemap_get_pages+0x23d/0x5a0
[  135.289457]  ? path_openat+0xa72/0xdd0
[  135.290332]  filemap_read+0xbf/0x300
[  135.291158]  ? _raw_spin_lock_irqsave+0x17/0x40
[  135.292192]  new_sync_read+0x103/0x170
[  135.293014]  vfs_read+0x15d/0x180
[  135.293745]  ksys_read+0xa1/0xe0
[  135.294461]  do_syscall_64+0x3c/0x80
[  135.295284]  entry_SYSCALL_64_after_hwframe+0x46/0xb0

This patch simply adds an extra check in __ext4_ext_check(), verifying that
eh_entries is not 0 when eh_depth is &gt; 0.</Note>
    </Notes>
    <CVE>CVE-2022-48631</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup

Fix Oops in dasd_alias_get_start_dev() function caused by the pavgroup
pointer being NULL.

The pavgroup pointer is checked on the entrance of the function but
without the lcu-&gt;lock being held. Therefore there is a race window
between dasd_alias_get_start_dev() and _lcu_update() which sets
pavgroup to NULL with the lcu-&gt;lock held.

Fix by checking the pavgroup pointer with lcu-&gt;lock held.</Note>
    </Notes>
    <CVE>CVE-2022-48636</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cgroup: cgroup_get_from_id() must check the looked-up kn is a directory

cgroup has to be one kernfs dir, otherwise kernel panic is caused,
especially when the cgroup id is provided from userspace.</Note>
    </Notes>
    <CVE>CVE-2022-48638</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()

Commit 8f394da36a36 ("scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG")
made the __qlt_24xx_handle_abts() function return early if
tcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it failed to clean
up the allocated memory for the management command.</Note>
    </Notes>
    <CVE>CVE-2022-48650</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ipvlan: Fix out-of-bound bugs caused by unset skb-&gt;mac_header

If an AF_PACKET socket is used to send packets through ipvlan and the
default xmit function of the AF_PACKET socket is changed from
dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option
name of PACKET_QDISC_BYPASS, the skb-&gt;mac_header may not be reset and
remains as the initial value of 65535, this may trigger slab-out-of-bounds
bugs as following:

=================================================================
BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
CPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
Call Trace:
print_address_description.constprop.0+0x1d/0x160
print_report.cold+0x4f/0x112
kasan_report+0xa3/0x130
ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
ipvlan_start_xmit+0x29/0xa0 [ipvlan]
__dev_direct_xmit+0x2e2/0x380
packet_direct_xmit+0x22/0x60
packet_snd+0x7c9/0xc40
sock_sendmsg+0x9a/0xa0
__sys_sendto+0x18a/0x230
__x64_sys_sendto+0x74/0x90
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is:
  1. packet_snd() only resets skb-&gt;mac_header when sock-&gt;type is SOCK_RAW
     and skb-&gt;protocol is not specified as in packet_parse_headers()

  2. packet_direct_xmit() doesn't reset skb-&gt;mac_header as dev_queue_xmit() does

In this case, skb-&gt;mac_header is 65535 when ipvlan_xmit_mode_l2() is
called. So when ipvlan_xmit_mode_l2() gets the mac header with eth_hdr(), which
uses "skb-&gt;head + skb-&gt;mac_header", an out-of-bound access occurs.

This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()
and resets the mac header in multicast to solve this out-of-bound bug.</Note>
    </Notes>
    <CVE>CVE-2022-48651</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()

nf_osf_find() incorrectly returns true on mismatch, this leads to
copying uninitialized memory area in nft_osf which can be used to leak
stale kernel stack data to userspace.</Note>
    </Notes>
    <CVE>CVE-2022-48654</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

of: fdt: fix off-by-one error in unflatten_dt_nodes()

Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
forgot to fix up the depth check in the loop body in unflatten_dt_nodes()
which makes it possible to overflow the nps[] buffer...

Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.</Note>
    </Notes>
    <CVE>CVE-2022-48672</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/smc: Fix possible access to freed memory in link clear

After modifying the QP to the Error state, all RX WR would be completed
with WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not
wait for it to be done, but destroys the QP and frees the link group directly.
So there is a risk of accessing the freed memory in tasklet context.

Here is a crash example:

 BUG: unable to handle page fault for address: ffffffff8f220860
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060
 Oops: 0002 [#1] SMP PTI
 CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S         OE     5.10.0-0607+ #23
 Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018
 RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0
 Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e &lt;48&gt; 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32
 RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086
 RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000
 RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00
 RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b
 R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010
 R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040
 FS:  0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  &lt;IRQ&gt;
  _raw_spin_lock_irqsave+0x30/0x40
  mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]
  smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]
  tasklet_action_common.isra.21+0x66/0x100
  __do_softirq+0xd5/0x29c
  asm_call_irq_on_stack+0x12/0x20
  &lt;/IRQ&gt;
  do_softirq_own_stack+0x37/0x40
  irq_exit_rcu+0x9d/0xa0
  sysvec_call_function_single+0x34/0x80
  asm_sysvec_call_function_single+0x12/0x20</Note>
    </Notes>
    <CVE>CVE-2022-48673</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix UAF when detecting digest errors

We should also bail from the io_work loop when we set rd_enabled to true,
so we don't attempt to read data from the socket when the TCP stream is
already out-of-sync or corrupted.</Note>
    </Notes>
    <CVE>CVE-2022-48686</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs

In brcmstb_pm_probe(), there are two kinds of leak bugs:

(1) we need to add of_node_put() when for_each__matching_node() breaks
(2) we need to add iounmap() for each iomap in fail path</Note>
    </Notes>
    <CVE>CVE-2022-48693</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix use-after-free warning

Fix the following use-after-free warning which is observed during
controller reset:

refcount_t: underflow; use-after-free.
WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0</Note>
    </Notes>
    <CVE>CVE-2022-48695</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()

There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and
the number of its interfaces less than 4; an out-of-bounds read bug occurs
when parsing the interface descriptor for this device.

Fix this by checking the number of interfaces.</Note>
    </Notes>
    <CVE>CVE-2022-48701</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()

The voice allocator sometimes begins allocating from near the end of the
array and then wraps around, however snd_emu10k1_pcm_channel_alloc()
accesses the newly allocated voices as if it never wrapped around.

This results in out of bounds access if the first voice has a high enough
index so that first_voice + requested_voice_count &gt; NUM_G (64).
The more voices are requested, the more likely it is for this to occur.

This was initially discovered using PipeWire, however it can be reproduced
by calling aplay multiple times with 16 channels:
aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero

UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
index 65 is out of range for type 'snd_emu10k1_voice [64]'
CPU: 1 PID: 31977 Comm: aplay Tainted: G        W IOE      6.0.0-rc2-emu10k1+ #7
Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002    07/22/2010
Call Trace:
&lt;TASK&gt;
dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x3f
__ubsan_handle_out_of_bounds.cold+0x44/0x49
snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
? exit_to_user_mode_prepare+0x35/0x170
? do_syscall_64+0x69/0x90
? syscall_exit_to_user_mode+0x26/0x50
? do_syscall_64+0x69/0x90
? exit_to_user_mode_prepare+0x35/0x170
snd_pcm_ioctl+0x27/0x40 [snd_pcm]
__x64_sys_ioctl+0x95/0xd0
do_syscall_64+0x5c/0x90
? do_syscall_64+0x69/0x90
? do_syscall_64+0x69/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd</Note>
    </Notes>
    <CVE>CVE-2022-48702</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: add a force flush to delay work when radeon

Although the radeon card fences and waits for the GPU to finish processing the current batch rings,
there is still a corner case in which the radeon lockup work queue may not be fully flushed,
while the radeon_suspend_kms() function has meanwhile called pci_set_power_state() to
put the device in the D3hot state.
Per PCI spec rev 4.0, section 5.3.1.4.1 (D3hot State):
&gt; Configuration and Message requests are the only TLPs accepted by a Function in
&gt; the D3hot state. All other received Requests must be handled as Unsupported Requests,
&gt; and all received Completions may optionally be handled as Unexpected Completions.
This issue will happen in the following logs:
Unable to handle kernel paging request at virtual address 00008800e0008010
CPU 0 kworker/0:3(131): Oops 0
pc = [&lt;ffffffff811bea5c&gt;]  ra = [&lt;ffffffff81240844&gt;]  ps = 0000 Tainted: G        W
pc is at si_gpu_check_soft_reset+0x3c/0x240
ra is at si_dma_is_lockup+0x34/0xd0
Disabling lock debugging due to kernel taint
Trace:
[&lt;ffffffff81240844&gt;] si_dma_is_lockup+0x34/0xd0
[&lt;ffffffff81119610&gt;] radeon_fence_check_lockup+0xd0/0x290
[&lt;ffffffff80977010&gt;] process_one_work+0x280/0x550
[&lt;ffffffff80977350&gt;] worker_thread+0x70/0x7c0
[&lt;ffffffff80977410&gt;] worker_thread+0x130/0x7c0
[&lt;ffffffff80982040&gt;] kthread+0x200/0x210
[&lt;ffffffff809772e0&gt;] worker_thread+0x0/0x7c0
[&lt;ffffffff80981f8c&gt;] kthread+0x14c/0x210
[&lt;ffffffff80911658&gt;] ret_from_kernel_thread+0x18/0x20
[&lt;ffffffff80981e40&gt;] kthread+0x0/0x210
 Code: ad3e0008  43f0074a  ad7e0018  ad9e0020  8c3001e8  40230101
 &lt;88210000&gt; 4821ed21
So force lockup work queue flush to fix this problem.</Note>
    </Notes>
    <CVE>CVE-2022-48704</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: fix a possible null pointer dereference

In radeon_fp_native_mode(), the return value of drm_mode_duplicate()
is assigned to mode, which will lead to a NULL pointer dereference
on failure of drm_mode_duplicate(). Add a check to avoid npd.

The failure status of drm_cvt_mode() on the other path is checked too.</Note>
    </Notes>
    <CVE>CVE-2022-48710</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe

Running tests with a debug kernel shows that bnx2fc_recv_frame() is
modifying the per_cpu lport stats counters in a non-mpsafe way.  Just boot
a debug kernel and run the bnx2fc driver with the hardware enabled.

[ 1391.699147] BUG: using smp_processor_id() in preemptible [00000000] code: bnx2fc_
[ 1391.699160] caller is bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc]
[ 1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: loaded Tainted: G    B
[ 1391.699180] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013
[ 1391.699183] Call Trace:
[ 1391.699188]  dump_stack_lvl+0x57/0x7d
[ 1391.699198]  check_preemption_disabled+0xc8/0xd0
[ 1391.699205]  bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc]
[ 1391.699215]  ? do_raw_spin_trylock+0xb5/0x180
[ 1391.699221]  ? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc]
[ 1391.699229]  ? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc]
[ 1391.699240]  bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc]
[ 1391.699250]  ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc]
[ 1391.699258]  kthread+0x364/0x420
[ 1391.699263]  ? _raw_spin_unlock_irq+0x24/0x50
[ 1391.699268]  ? set_kthread_struct+0x100/0x100
[ 1391.699273]  ret_from_fork+0x22/0x30

Restore the old get_cpu/put_cpu code with some modifications to reduce the
size of the critical section.</Note>
    </Notes>
    <CVE>CVE-2022-48715</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ASoC: max9759: fix underflow in speaker_gain_control_put()

Check for negative values of "priv-&gt;gain" to prevent an out of bounds
access.  The concern is that these might come from the user via:
  -&gt; snd_ctl_elem_write_user()
    -&gt; snd_ctl_elem_write()
      -&gt; kctl-&gt;put()</Note>
    </Notes>
    <CVE>CVE-2022-48717</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: ieee802154: ca8210: Stop leaking skb's

Upon error the ieee802154_xmit_complete() helper is not called. Only
ieee802154_wake_queue() is called manually. We then leak the skb
structure.

Free the skb structure upon error before returning.</Note>
    </Notes>
    <CVE>CVE-2022-48722</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping()

After commit e3beca48a45b ("irqdomain/treewide: Keep firmware node
unconditionally allocated"), in the tear-down scenario fn is only freed
after failing to allocate ir_domain, though it should also be freed in case
dmar_enable_qi returns an error.

Besides freeing fn, irq_domain and ir_msi_domain need to be removed as well
if intel_setup_irq_remapping fails to enable queued invalidation.

Improve the rewinding path by adding out_free_ir_domain and out_free_fwnode
labels per Baolu's suggestion.
    </Notes>
    <CVE>CVE-2022-48724</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/ucma: Protect mc during concurrent multicast leaves

Partially revert the commit mentioned in the Fixes line to make sure that
allocation and erasing multicast struct are locked.

  BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
  BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
  Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529
  CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
   print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
   __kasan_report mm/kasan/report.c:433 [inline]
   kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
   ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
   ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
   ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614
   ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732
   vfs_write+0x28e/0xae0 fs/read_write.c:588
   ksys_write+0x1ee/0x250 fs/read_write.c:643
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Currently the xarray search can touch a concurrently freeing mc as the
xa_for_each() is not surrounded by any lock. Rather than hold the lock for
a full scan, hold it only for the affected items, which is usually an empty
list.</Note>
    </Notes>
    <CVE>CVE-2022-48726</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix AIP early init panic

An early failure in hfi1_ipoib_setup_rn() can lead to the following panic:

  BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0
  PGD 0 P4D 0
  Oops: 0002 [#1] SMP NOPTI
  Workqueue: events work_for_cpu_fn
  RIP: 0010:try_to_grab_pending+0x2b/0x140
  Call Trace:
   __cancel_work_timer+0x42/0x190
   ? dev_printk_emit+0x4e/0x70
   iowait_cancel_work+0x15/0x30 [hfi1]
   hfi1_ipoib_txreq_deinit+0x5a/0x220 [hfi1]
   ? dev_err+0x6c/0x90
   hfi1_ipoib_netdev_dtor+0x15/0x30 [hfi1]
   hfi1_ipoib_setup_rn+0x10e/0x150 [hfi1]
   rdma_init_netdev+0x5a/0x80 [ib_core]
   ? hfi1_ipoib_free_rdma_netdev+0x20/0x20 [hfi1]
   ipoib_intf_init+0x6c/0x350 [ib_ipoib]
   ipoib_intf_alloc+0x5c/0xc0 [ib_ipoib]
   ipoib_add_one+0xbe/0x300 [ib_ipoib]
   add_client_context+0x12c/0x1a0 [ib_core]
   enable_device_and_get+0xdc/0x1d0 [ib_core]
   ib_register_device+0x572/0x6b0 [ib_core]
   rvt_register_device+0x11b/0x220 [rdmavt]
   hfi1_register_ib_device+0x6b4/0x770 [hfi1]
   do_init_one.isra.20+0x3e3/0x680 [hfi1]
   local_pci_probe+0x41/0x90
   work_for_cpu_fn+0x16/0x20
   process_one_work+0x1a7/0x360
   ? create_worker+0x1a0/0x1a0
   worker_thread+0x1cf/0x390
   ? create_worker+0x1a0/0x1a0
   kthread+0x116/0x130
   ? kthread_flush_work_fn+0x10/0x10
   ret_from_fork+0x1f/0x40

The panic happens in hfi1_ipoib_txreq_deinit() because there is a NULL
deref when hfi1_ipoib_netdev_dtor() is called in this error case.

hfi1_ipoib_txreq_init() and hfi1_ipoib_rxq_init() are self unwinding so
fix by adjusting the error paths accordingly.

Other changes:
- hfi1_ipoib_free_rdma_netdev() is deleted including the free_netdev()
  since the netdev core code deletes calls free_netdev()
- The switch to the accelerated entrances is moved to the success path.</Note>
    </Notes>
    <CVE>CVE-2022-48728</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dma-buf: heaps: Fix potential spectre v1 gadget

It appears like nr could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents
of kernel memory from being leaked to userspace via speculative
execution by using array_index_nospec.

 [sumits: added fixes and cc: stable tags]</Note>
    </Notes>
    <CVE>CVE-2022-48730</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix off by one in BIOS boundary checking

Bounds checking when parsing init scripts embedded in the BIOS rejects
access to the last byte. This causes driver initialization to fail on
Apple eMacs with GeForce 2 MX GPUs, leaving the system with no working
console.

This is probably only seen on OpenFirmware machines like PowerPC Macs
because the BIOS image provided by OF is only the used parts of the ROM,
not power-of-two blocks read from PCI directly, so PCs always have
empty bytes at the end that are never accessed.</Note>
    </Notes>
    <CVE>CVE-2022-48732</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.</Note>
    </Notes>
    <CVE>CVE-2022-48736</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.</Note>
    </Notes>
    <CVE>CVE-2022-48737</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()

We don't currently validate that the values being set are within the range
we advertised to userspace as being valid, do so and reject any values
that are out of range.</Note>
    </Notes>
    <CVE>CVE-2022-48738</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix handling of wrong devices during bond netevent

The current implementation of the bond netevent handler only checks if
the handled netdev is a VF representor, and it is missing a check if
the VF representor is on the same phys device of the bond handling
the netevent.

Fix by adding the missing check and optimizing the check if
the netdev is a VF representor so it will not access uninitialized
private data and crash.

BUG: kernel NULL pointer dereference, address: 000000000000036c
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
Workqueue: eth3bond0 bond_mii_monitor [bonding]
RIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core]
RSP: 0018:ffff88812d69fd60 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000
RDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880
RBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008
R10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10
R13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core]
 mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core]
 mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core]
 raw_notifier_call_chain+0x41/0x60
 call_netdevice_notifiers_info+0x34/0x80
 netdev_lower_state_changed+0x4e/0xa0
 bond_mii_monitor+0x56b/0x640 [bonding]
 process_one_work+0x1b9/0x390
 worker_thread+0x4d/0x3d0
 ? rescuer_thread+0x350/0x350
 kthread+0x124/0x150
 ? set_kthread_struct+0x40/0x40
 ret_from_fork+0x1f/0x30</Note>
    </Notes>
    <CVE>CVE-2022-48746</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

block: Fix wrong offset in bio_truncate()

bio_truncate() clears the buffer outside of the last block of the bdev; however,
the current bio_truncate() is using the wrong page offset, so it can
return uninitialized data.

This happened when both a truncated/corrupted FS and userspace (via
bdev) were trying to read the last of the bdev.</Note>
    </Notes>
    <CVE>CVE-2022-48747</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: bridge: vlan: fix memory leak in __allowed_ingress

When using per-vlan state, if vlan snooping and stats are disabled,
an untagged or priority-tagged ingress frame will go on to check the pvid state.
If the port state is forwarding and the pvid state is not
learning/forwarding, the untagged or priority-tagged frame will be dropped
but the skb memory is not freed.
The skb should be freed when __allowed_ingress returns false.</Note>
    </Notes>
    <CVE>CVE-2022-48748</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc

The function performs a check on the "ctx" input parameter, however, it
is used before the check.

Initialize the "base" variable after the sanity check to avoid a
possible NULL pointer dereference.

Addresses-Coverity-ID: 1493866 ("Null pointer dereference")</Note>
    </Notes>
    <CVE>CVE-2022-48749</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending

Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in the kernel
triggered the warning below:

[  172.851380] ------------[ cut here ]------------
[  172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280
[  172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse
[  172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2
[  172.851451] NIP:  c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180
[  172.851458] REGS: c000000017687860 TRAP: 0700   Not tainted  (5.16.0-rc5-03218-g798527287598)
[  172.851465] MSR:  8000000000029033 &lt;SF,EE,ME,IR,DR,RI,LE&gt;  CR: 48004884  XER: 20040000
[  172.851482] CFAR: c00000000013d5b4 IRQMASK: 1
[  172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004
[  172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000
[  172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68
[  172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000
[  172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0
[  172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003
[  172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600
[  172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8
[  172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280
[  172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280
[  172.851565] Call Trace:
[  172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable)
[  172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60
[  172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660
[  172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0
[  172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140
[  172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40
[  172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380
[  172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268

The warning indicates that MSR_EE was set (interrupts enabled) when
an overflown PMC was detected. This could happen in
power_pmu_disable since it runs under the interrupt soft-disable
condition (local_irq_save) and not with interrupts hard disabled.
Commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear
pending PMI before resetting an overflown PMC") intended to clear
the PMI pending bit in Paca when disabling the PMU. It could happen
that a PMC gets overflown while code is in the power_pmu_disable
callback function. Hence add a check to see if the PMI pending bit
is set in Paca before clearing it via clear_pmi_pending.</Note>
    </Notes>
    <CVE>CVE-2022-48752</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

phylib: fix potential use-after-free

Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added a call
to phy_device_reset(phydev) after the put_device() call in phy_detach().

The comment before the put_device() call says that the phydev might go
away with put_device().

Fix potential use-after-free by calling phy_device_reset() before
put_device().</Note>
    </Notes>
    <CVE>CVE-2022-48754</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable

The function performs a check on the "phy" input parameter, however, it
is used before the check.

Initialize the "dev" variable after the sanity check to avoid a possible
NULL pointer dereference.

Addresses-Coverity-ID: 1493860 ("Null pointer dereference")</Note>
    </Notes>
    <CVE>CVE-2022-48756</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()

The bnx2fc_destroy() functions are removing the interface before calling
destroy_work. This results in multiple WARNings from sysfs_remove_group() as
the controller rport device attributes are removed too early.

Replace the fcoe_port's destroy_work queue. It's not needed.

The problem is easily reproducible with the following steps.

Example:

  $ dmesg -w &amp;
  $ systemctl enable --now fcoe
  $ fipvlan -s -c ens2f1
  $ fcoeadm -d ens2f1.802
  [  583.464488] host2: libfc: Link down on port (7500a1)
  [  583.472651] bnx2fc: 7500a1 - rport not created Yet!!
  [  583.490468] ------------[ cut here ]------------
  [  583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0'
  [  583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80
  [  583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ...
  [  583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1
  [  583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013
  [  584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]
  [  584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80
  [  584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ...
  [  584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282
  [  584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000
  [  584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0
  [  584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00
  [  584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400
  [  584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004
  [  584.355379] FS:  0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000
  [  584.394419] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [  584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0
  [  584.454888] Call Trace:
  [  584.466108]  device_del+0xb2/0x3e0
  [  584.481701]  device_unregister+0x13/0x60
  [  584.501306]  bsg_unregister_queue+0x5b/0x80
  [  584.522029]  bsg_remove_queue+0x1c/0x40
  [  584.541884]  fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc]
  [  584.573823]  process_one_work+0x1e3/0x3b0
  [  584.592396]  worker_thread+0x50/0x3b0
  [  584.609256]  ? rescuer_thread+0x370/0x370
  [  584.628877]  kthread+0x149/0x170
  [  584.643673]  ? set_kthread_struct+0x40/0x40
  [  584.662909]  ret_from_fork+0x22/0x30
  [  584.680002] ---[ end trace 53575ecefa942ece ]---</Note>
    </Notes>
    <CVE>CVE-2022-48758</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev

struct rpmsg_ctrldev contains a struct cdev. The current code frees
the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the
cdev is a managed object, therefore its release is not predictable
and the rpmsg_ctrldev could be freed before the cdev is entirely
released, as in the backtrace below.

[   93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c
[   93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0
[   93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v
[   93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.4.163-lockdep #26
[   93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)
[   93.730055] Workqueue: events kobject_delayed_cleanup
[   93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)
[   93.740216] pc : debug_print_object+0x13c/0x1b0
[   93.744890] lr : debug_print_object+0x13c/0x1b0
[   93.749555] sp : ffffffacf5bc7940
[   93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000
[   93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000
[   93.763916] x25: ffffffd0734f856c x24: dfffffd000000000
[   93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0
[   93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0
[   93.780338] x19: ffffffd075199100 x18: 00000000000276e0
[   93.785814] x17: 0000000000000000 x16: dfffffd000000000
[   93.791291] x15: ffffffffffffffff x14: 6e6968207473696c
[   93.796768] x13: 0000000000000000 x12: ffffffd075e2b000
[   93.802244] x11: 0000000000000001 x10: 0000000000000000
[   93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900
[   93.813200] x7 : 0000000000000000 x6 : 0000000000000000
[   93.818676] x5 : 0000000000000080 x4 : 0000000000000000
[   93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001
[   93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061
[   93.835104] Call trace:
[   93.837644]  debug_print_object+0x13c/0x1b0
[   93.841963]  __debug_check_no_obj_freed+0x25c/0x3c0
[   93.846987]  debug_check_no_obj_freed+0x18/0x20
[   93.851669]  slab_free_freelist_hook+0xbc/0x1e4
[   93.856346]  kfree+0xfc/0x2f4
[   93.859416]  rpmsg_ctrldev_release_device+0x78/0xb8
[   93.864445]  device_release+0x84/0x168
[   93.868310]  kobject_cleanup+0x12c/0x298
[   93.872356]  kobject_delayed_cleanup+0x10/0x18
[   93.876948]  process_one_work+0x578/0x92c
[   93.881086]  worker_thread+0x804/0xcf8
[   93.884963]  kthread+0x2a8/0x314
[   93.888303]  ret_from_fork+0x10/0x18

The cdev_device_add/del() API was created to address this issue (see
commit '233ed09d7fda ("chardev: add helper function to register char
devs with a struct device")'), use it instead of cdev add/del().</Note>
    </Notes>
    <CVE>CVE-2022-48759</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix hang in usb_kill_urb by adding memory barriers

The syzbot fuzzer has identified a bug in which processes hang waiting
for usb_kill_urb() to return.  It turns out the issue is not unlinking
the URB; that works just fine.  Rather, the problem arises when the
wakeup notification that the URB has completed is not received.

The reason is memory-access ordering on SMP systems.  In outline form,
usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on
different CPUs perform the following actions:

CPU 0					CPU 1
----------------------------		---------------------------------
usb_kill_urb():				__usb_hcd_giveback_urb():
  ...					  ...
  atomic_inc(&amp;urb-&gt;reject);		  atomic_dec(&amp;urb-&gt;use_count);
  ...					  ...
  wait_event(usb_kill_urb_queue,
	atomic_read(&amp;urb-&gt;use_count) == 0);
					  if (atomic_read(&amp;urb-&gt;reject))
						wake_up(&amp;usb_kill_urb_queue);

Confining your attention to urb-&gt;reject and urb-&gt;use_count, you can
see that the overall pattern of accesses on CPU 0 is:

	write urb-&gt;reject, then read urb-&gt;use_count;

whereas the overall pattern of accesses on CPU 1 is:

	write urb-&gt;use_count, then read urb-&gt;reject.

This pattern is referred to in memory-model circles as SB (for "Store
Buffering"), and it is well known that without suitable enforcement of
the desired order of accesses -- in the form of memory barriers -- it
is entirely possible for one or both CPUs to execute their reads ahead
of their writes.  The end result will be that sometimes CPU 0 sees the
old un-decremented value of urb-&gt;use_count while CPU 1 sees the old
un-incremented value of urb-&gt;reject.  Consequently CPU 0 ends up on
the wait queue and never gets woken up, leading to the observed hang
in usb_kill_urb().

The same pattern of accesses occurs in usb_poison_urb() and the
failure pathway of usb_hcd_submit_urb().

The problem is fixed by adding suitable memory barriers.  To provide
proper memory-access ordering in the SB pattern, a full barrier is
required on both CPUs.  The atomic_inc() and atomic_dec() accesses
themselves don't provide any memory ordering, but since they are
present, we can use the optimized smp_mb__after_atomic() memory
barrier in the various routines to obtain the desired effect.

This patch adds the necessary memory barriers.</Note>
    </Notes>
    <CVE>CVE-2022-48760</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ceph: properly put ceph_string reference after async create attempt

The reference acquired by try_prep_async_create is currently leaked.
Ensure we put it.</Note>
    </Notes>
    <CVE>CVE-2022-48767</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tracing/histogram: Fix a potential memory leak for kstrdup()

kfree() is missing on an error path to free the memory allocated by
kstrdup():

  p = param = kstrdup(data-&gt;params[i], GFP_KERNEL);

So it is better to free it via kfree(p).</Note>
    </Notes>
    <CVE>CVE-2022-48768</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A deadlock flaw was found in the Linux kernel's BPF subsystem. This flaw allows a local user to potentially crash the system.</Note>
    </Notes>
    <CVE>CVE-2023-0160</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, there are still local variables pointing to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a freed memory region, leading to a denial of service.</Note>
    </Notes>
    <CVE>CVE-2023-1192</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A NULL pointer dereference was found in libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.</Note>
    </Notes>
    <CVE>CVE-2023-1667</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function does not properly deactivate filters in the case of perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure. A local attacker can use this vulnerability to elevate their privileges to root.
We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.</Note>
    </Notes>
    <CVE>CVE-2023-1829</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.</Note>
    </Notes>
    <CVE>CVE-2023-1916</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in an out-of-bounds read, which a local user can use to crash the system or escalate privileges.</Note>
    </Notes>
    <CVE>CVE-2023-2176</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the `pki_verify_data_signature` function in the event of memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc`, which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible`. The value of the variable is not changed between this point and the cryptographic verification. Therefore, any error between them calls `goto error`, returning SSH_OK.</Note>
    </Notes>
    <CVE>CVE-2023-2283</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.</Note>
    </Notes>
    <CVE>CVE-2023-24023</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.</Note>
    </Notes>
    <CVE>CVE-2023-26965</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.</Note>
    </Notes>
    <CVE>CVE-2023-27043</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-3.6.15-150300.10.65.2</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-curses-3.6.15-150300.10.65.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.</Note>
    </Notes>
    <CVE>CVE-2023-2731</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A path traversal vulnerability in the curl &lt;8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.</Note>
    </Notes>
    <CVE>CVE-2023-27534</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:curl-7.66.0-150200.4.72.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libcurl4-7.66.0-150200.4.72.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel.</Note>
    </Notes>
    <CVE>CVE-2023-2860</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.</Note>
    </Notes>
    <CVE>CVE-2023-28746</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xen-libs-4.14.6_16-150300.3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.</Note>
    </Notes>
    <CVE>CVE-2023-3164</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.</Note>
    </Notes>
    <CVE>CVE-2023-35827</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** Not a Security Issue.</Note>
    </Notes>
    <CVE>CVE-2023-38288</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.</Note>
    </Notes>
    <CVE>CVE-2023-38469</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-client3-0.7-150100.3.35.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-common3-0.7-150100.3.35.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.</Note>
    </Notes>
    <CVE>CVE-2023-38470</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-client3-0.7-150100.3.35.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-common3-0.7-150100.3.35.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.</Note>
    </Notes>
    <CVE>CVE-2023-38471</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-client3-0.7-150100.3.35.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-common3-0.7-150100.3.35.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.</Note>
    </Notes>
    <CVE>CVE-2023-38472</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-client3-0.7-150100.3.35.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-common3-0.7-150100.3.35.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.</Note>
    </Notes>
    <CVE>CVE-2023-38473</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-client3-0.7-150100.3.35.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libavahi-common3-0.7-150100.3.35.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.</Note>
    </Notes>
    <CVE>CVE-2023-39804</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:tar-1.34-150000.3.34.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.</Note>
    </Notes>
    <CVE>CVE-2023-40745</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.

We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.</Note>
    </Notes>
    <CVE>CVE-2023-4244</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.</Note>
    </Notes>
    <CVE>CVE-2023-42465</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:sudo-1.9.5p2-150300.3.33.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers.
This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.</Note>
    </Notes>
    <CVE>CVE-2023-4408</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:bind-utils-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libbind9-1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libdns1605-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libirs1601-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisc1606-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccc1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccfg1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libns1604-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-bind-9.16.6-150300.22.47.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.</Note>
    </Notes>
    <CVE>CVE-2023-45288</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:containerd-1.7.17-150000.114.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.</Note>
    </Notes>
    <CVE>CVE-2023-45918</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libncurses6-6.1-150000.5.24.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ncurses-utils-6.1-150000.5.24.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:terminfo-6.1-150000.5.24.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:terminfo-base-6.1-150000.5.24.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.</Note>
    </Notes>
    <CVE>CVE-2023-46343</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Transmit requests in Xen's virtual network protocol can consist of
multiple parts.  While not really useful, except for the initial part
any of them may be of zero length, i.e. carry no data at all.  Besides a
certain initial portion of the to be transferred data, these parts are
directly translated into what Linux calls SKB fragments.  Such converted
request parts can, when for a particular SKB they are all of length
zero, lead to a de-reference of NULL in core networking code.
</Note>
    </Notes>
    <CVE>CVE-2023-46838</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">PCI devices can make use of a functionality called phantom functions,
that when enabled allows the device to generate requests using the IDs
of functions that are otherwise unpopulated.  This allows a device to
extend the number of outstanding requests.

Such phantom functions need an IOMMU context setup, but failure to
setup the context is not fatal when the device is assigned.  Not
failing device assignment when such failure happens can lead to the
primary device being assigned to a guest, while some of the phantom
functions are assigned to a different domain.
</Note>
    </Notes>
    <CVE>CVE-2023-46839</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xen-libs-4.14.6_16-150300.3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Recent x86 CPUs offer functionality named Control-flow Enforcement
Technology (CET).  A sub-feature of this are Shadow Stacks (CET-SS).
CET-SS is a hardware feature designed to protect against Return Oriented
Programming attacks. When enabled, traditional stacks holding both data
and return addresses are accompanied by so called "shadow stacks",
holding little more than return addresses.  Shadow stacks aren't
writable by normal instructions, and upon function returns their
contents are used to check for possible manipulation of a return address
coming from the traditional stack.

In particular certain memory accesses need intercepting by Xen.  In
various cases the necessary emulation involves kind of replaying of
the instruction.  Such replaying typically involves filling and then
invoking of a stub.  Such a replayed instruction may raise an
exception, which is expected and dealt with accordingly.

Unfortunately the interaction of both of the above wasn't right:
Recovery involves removal of a call frame from the (traditional) stack.
The counterpart of this operation for the shadow stack was missing.
</Note>
    </Notes>
    <CVE>CVE-2023-46841</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xen-libs-4.14.6_16-150300.3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and
other modes.  This in particular means that they may set registers used
to pass 32-bit-mode hypercall arguments to values outside of the range
32-bit code would be able to set them to.

When processing of hypercalls takes a considerable amount of time,
the hypervisor may choose to invoke a hypercall continuation.  Doing so
involves putting (perhaps updated) hypercall arguments in respective
registers.  For guests not running in 64-bit mode this further involves
a certain amount of translation of the values.

Unfortunately internal sanity checking of these translated values
assumes high halves of registers to always be clear when invoking a
hypercall.  When this is found not to be the case, it triggers a
consistency check in the hypervisor and causes a crash.
</Note>
    </Notes>
    <CVE>CVE-2023-46842</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xen-libs-4.14.6_16-150300.3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this "could be exploited in a real world scenario." This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.</Note>
    </Notes>
    <CVE>CVE-2023-47233</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Use After Free in GitHub repository vim/vim prior to 9.0.1857.</Note>
    </Notes>
    <CVE>CVE-2023-4750</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.</Note>
    </Notes>
    <CVE>CVE-2023-48231</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.</Note>
    </Notes>
    <CVE>CVE-2023-48232</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.</Note>
    </Notes>
    <CVE>CVE-2023-48233</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.</Note>
    </Notes>
    <CVE>CVE-2023-48234</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.</Note>
    </Notes>
    <CVE>CVE-2023-48235</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger than MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.</Note>
    </Notes>
    <CVE>CVE-2023-48236</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.</Note>
    </Notes>
    <CVE>CVE-2023-48237</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes freeing of memory which may then later be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work reliably only for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.</Note>
    </Notes>
    <CVE>CVE-2023-48706</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.</Note>
    </Notes>
    <CVE>CVE-2023-48795</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh2-1-1.11.0-150200.9.2.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-8.4p1-150300.3.37.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-clients-8.4p1-150300.3.37.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-common-8.4p1-150300.3.37.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-server-8.4p1-150300.3.37.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux kernel security team.</Note>
    </Notes>
    <CVE>CVE-2023-4881</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.</Note>
    </Notes>
    <CVE>CVE-2023-49083</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-cryptography-3.3.2-150200.22.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.

When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().

We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.

</Note>
    </Notes>
    <CVE>CVE-2023-4921</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.</Note>
    </Notes>
    <CVE>CVE-2023-50387</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:bind-utils-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libbind9-1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libdns1605-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libirs1601-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisc1606-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccc1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccfg1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libns1604-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-bind-9.16.6-150300.22.47.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().</Note>
    </Notes>
    <CVE>CVE-2023-50495</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libncurses6-6.1-150000.5.24.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ncurses-utils-6.1-150000.5.24.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:terminfo-6.1-150000.5.24.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:terminfo-base-6.1-150000.5.24.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.</Note>
    </Notes>
    <CVE>CVE-2023-50868</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:bind-utils-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libbind9-1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libdns1605-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libirs1601-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisc1606-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccc1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccfg1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libns1604-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-bind-9.16.6-150300.22.47.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.</Note>
    </Notes>
    <CVE>CVE-2023-51042</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.</Note>
    </Notes>
    <CVE>CVE-2023-51043</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.</Note>
    </Notes>
    <CVE>CVE-2023-51385</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-8.4p1-150300.3.37.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-clients-8.4p1-150300.3.37.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-common-8.4p1-150300.3.37.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssh-server-8.4p1-150300.3.37.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">bt_sock_recvmsg in net/bluetooth/af_bluetooth.c in the Linux kernel through 6.6.8 has a use-after-free because of a bt_sock_ioctl race condition.</Note>
    </Notes>
    <CVE>CVE-2023-51779</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.</Note>
    </Notes>
    <CVE>CVE-2023-51780</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.</Note>
    </Notes>
    <CVE>CVE-2023-51782</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.</Note>
    </Notes>
    <CVE>CVE-2023-52323</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-pycryptodome-3.9.0-150200.9.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket.</Note>
    </Notes>
    <CVE>CVE-2023-52340</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.</Note>
    </Notes>
    <CVE>CVE-2023-52356</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libtiff5-4.0.9-150000.45.44.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.</Note>
    </Notes>
    <CVE>CVE-2023-52425</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-3.6.15-150300.10.65.2</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-curses-3.6.15-150300.10.65.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.</Note>
    </Notes>
    <CVE>CVE-2023-52429</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction

New elements in this transaction might expire before such transaction
ends. Skip sync GC for such elements otherwise commit path might walk
over an already released object. Once transaction is finished, async GC
will collect such expired element.</Note>
    </Notes>
    <CVE>CVE-2023-52433</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

uio: Fix use-after-free in uio_open

core-1				core-2
-------------------------------------------------------
uio_unregister_device		uio_open
				idev = idr_find()
device_unregister(&amp;idev-&gt;dev)
put_device(&amp;idev-&gt;dev)
uio_device_release
				get_device(&amp;idev-&gt;dev)
kfree(idev)
uio_free_minor(minor)
				uio_release
				put_device(&amp;idev-&gt;dev)
				kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev-&gt;dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 does uio_release and put_device, the idev will be double
   freed.

To address this issue, we can get idev atomic &amp; inc idev reference with
minor_lock.</Note>
    </Notes>
    <CVE>CVE-2023-52439</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid crash when parsed profile name is empty

When processing a packed profile in unpack_profile() described like

 "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"

a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then
passed to aa_splitn_fqname().

aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace.
Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later
aa_alloc_profile() crashes as the new profile name is NULL now.

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
 &lt;TASK&gt;
 ? strlen+0x1e/0xa0
 aa_policy_init+0x1bb/0x230
 aa_alloc_profile+0xb1/0x480
 unpack_profile+0x3bc/0x4960
 aa_unpack+0x309/0x15e0
 aa_replace_profiles+0x213/0x33c0
 policy_update+0x261/0x370
 profile_replace+0x20e/0x2a0
 vfs_write+0x2af/0xe00
 ksys_write+0x126/0x250
 do_syscall_64+0x46/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
 &lt;/TASK&gt;
---[ end trace 0000000000000000 ]---
RIP: 0010:strlen+0x1e/0xa0

It seems such behaviour of aa_splitn_fqname() is expected and checked in
other places where it is called (e.g. aa_remove_profiles). Well, there
is an explicit comment "a ns name without a following profile is allowed"
inside.

AFAICS, nothing can prevent unpacked "name" to be in form like
":samba-dcerpcd" - it is passed from userspace.

Deny the whole profile set replacement in such case and inform user with
EPROTO and an explaining message.

Found by Linux Verification Center (linuxtesting.org).</Note>
    </Notes>
    <CVE>CVE-2023-52443</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: pvrusb2: fix use after free on context disconnection

Upon module load, a kthread is created targeting the
pvr2_context_thread_func function, which may call pvr2_context_destroy
and thus call kfree() on the context object. However, that might happen
before the usb hub_event handler is able to notify the driver. This
patch adds a sanity check before the invalid read reported by syzbot,
within the context disconnection call stack.</Note>
    </Notes>
    <CVE>CVE-2023-52445</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

Syzkaller has reported a NULL pointer dereference when accessing
rgd-&gt;rd_rgl in gfs2_rgrp_dump().  This can happen when creating
rgd-&gt;rd_gl fails in read_rindex_entry().  Add a NULL pointer check in
gfs2_rgrp_dump() to prevent that.</Note>
    </Notes>
    <CVE>CVE-2023-52448</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
triggers NULL pointer dereference when trying to access
'gluebi-&gt;desc' in gluebi_read().

ubi_gluebi_init
  ubi_register_volume_notifier
    ubi_enumerate_volumes
      ubi_notify_all
        gluebi_notify    nb-&gt;notifier_call()
          gluebi_create
            mtd_device_register
              mtd_device_parse_register
                add_mtd_device
                  blktrans_notify_add   not-&gt;add()
                    ftl_add_mtd         tr-&gt;add_mtd()
                      scan_header
                        mtd_read
                          mtd_read_oob
                            mtd_read_oob_std
                              gluebi_read   mtd-&gt;read()
                                gluebi-&gt;desc - NULL

Detailed reproduction information available at the Link [1],

In the normal case, obtain gluebi-&gt;desc in the gluebi_get_device(),
and access gluebi-&gt;desc in the gluebi_read(). However,
gluebi_get_device() is not executed in advance in the
ftl_add_mtd() process, which leads to NULL pointer dereference.

The solution for the gluebi module is to run jffs2 on the UBI
volume without considering working with ftl or mtdblock [2].
Therefore, this problem can be avoided by preventing gluebi from
creating the mtdblock device after creating mtd partition of the
type MTD_UBIVOLUME.</Note>
    </Notes>
    <CVE>CVE-2023-52449</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/memhp: Fix access beyond end of drmem array

dlpar_memory_remove_by_index() may access beyond the bounds of the
drmem lmb array when the LMB lookup fails to match an entry with the
given DRC index. When the search fails, the cursor is left pointing to
&amp;drmem_info-&gt;lmbs[drmem_info-&gt;n_lmbs], which is one element past the
last valid entry in the array. The debug message at the end of the
function then dereferences this pointer:

        pr_debug("Failed to hot-remove memory at %llx\n",
                 lmb-&gt;base_addr);

This was found by inspection and confirmed with KASAN:

  pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658
  Read of size 8 at addr c000000364e97fd0 by task bash/949

  dump_stack_lvl+0xa4/0xfc (unreliable)
  print_report+0x214/0x63c
  kasan_report+0x140/0x2e0
  __asan_load8+0xa8/0xe0
  dlpar_memory+0x298/0x1658
  handle_dlpar_errorlog+0x130/0x1d0
  dlpar_store+0x18c/0x3e0
  kobj_attr_store+0x68/0xa0
  sysfs_kf_write+0xc4/0x110
  kernfs_fop_write_iter+0x26c/0x390
  vfs_write+0x2d4/0x4e0
  ksys_write+0xac/0x1a0
  system_call_exception+0x268/0x530
  system_call_vectored_common+0x15c/0x2ec

  Allocated by task 1:
   kasan_save_stack+0x48/0x80
   kasan_set_track+0x34/0x50
   kasan_save_alloc_info+0x34/0x50
   __kasan_kmalloc+0xd0/0x120
   __kmalloc+0x8c/0x320
   kmalloc_array.constprop.0+0x48/0x5c
   drmem_init+0x2a0/0x41c
   do_one_initcall+0xe0/0x5c0
   kernel_init_freeable+0x4ec/0x5a0
   kernel_init+0x30/0x1e0
   ret_from_kernel_user_thread+0x14/0x1c

  The buggy address belongs to the object at c000000364e80000
   which belongs to the cache kmalloc-128k of size 131072
  The buggy address is located 0 bytes to the right of
   allocated 98256-byte region [c000000364e80000, c000000364e97fd0)

  ==================================================================
  pseries-hotplug-mem: Failed to hot-remove memory at 0

Log failed lookups with a separate message and dereference the
cursor only when it points to a valid entry.</Note>
    </Notes>
    <CVE>CVE-2023-52451</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

efivarfs: force RO when remounting if SetVariable is not supported

If SetVariable at runtime is not supported by the firmware we never assign
a callback for that function. At the same time mount the efivarfs as
RO so no one can call that.  However, we never check the permission flags
when someone remounts the filesystem as RW. As a result this leads to a
crash looking like this:

$ mount -o remount,rw /sys/firmware/efi/efivars
$ efi-updatevar -f PK.auth PK

[  303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  303.280482] Mem abort info:
[  303.280854]   ESR = 0x0000000086000004
[  303.281338]   EC = 0x21: IABT (current EL), IL = 32 bits
[  303.282016]   SET = 0, FnV = 0
[  303.282414]   EA = 0, S1PTW = 0
[  303.282821]   FSC = 0x04: level 0 translation fault
[  303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000
[  303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[  303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
[  303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6
[  303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1
[  303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023
[  303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  303.292123] pc : 0x0
[  303.292443] lr : efivar_set_variable_locked+0x74/0xec
[  303.293156] sp : ffff800008673c10
[  303.303341] Call trace:
[  303.303679]  0x0
[  303.303938]  efivar_entry_set_get_size+0x98/0x16c
[  303.304585]  efivarfs_file_write+0xd0/0x1a4
[  303.305148]  vfs_write+0xc4/0x2e4
[  303.305601]  ksys_write+0x70/0x104
[  303.306073]  __arm64_sys_write+0x1c/0x28
[  303.306622]  invoke_syscall+0x48/0x114
[  303.307156]  el0_svc_common.constprop.0+0x44/0xec
[  303.307803]  do_el0_svc+0x38/0x98
[  303.308268]  el0_svc+0x2c/0x84
[  303.308702]  el0t_64_sync_handler+0xf4/0x120
[  303.309293]  el0t_64_sync+0x190/0x194
[  303.309794] Code: ???????? ???????? ???????? ???????? (????????)
[  303.310612] ---[ end trace 0000000000000000 ]---

Fix this by adding a .reconfigure() function to the fs operations which
we can use to check the requested flags and deny anything that's not RO
if the firmware doesn't implement SetVariable at runtime.</Note>
    </Notes>
    <CVE>CVE-2023-52463</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drivers/amd/pm: fix a use-after-free in kv_parse_power_table

When ps allocated by kzalloc equals NULL, kv_parse_power_table
frees adev-&gt;pm.dpm.ps that was allocated before. However, after the control
flow goes through the following call chains:

kv_parse_power_table
  |-&gt; kv_dpm_init
        |-&gt; kv_dpm_sw_init
	      |-&gt; kv_dpm_fini

The adev-&gt;pm.dpm.ps is used in the for loop of kv_dpm_fini after its
first free in kv_parse_power_table and causes a use-after-free bug.</Note>
    </Notes>
    <CVE>CVE-2023-52469</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()

check the alloc_workqueue return value in radeon_crtc_init()
to avoid null-ptr-deref.</Note>
    </Notes>
    <CVE>CVE-2023-52470</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests

hfi1 user SDMA request processing has two bugs that can cause data
corruption for user SDMA requests that have multiple payload iovecs
where an iovec other than the tail iovec does not run up to the page
boundary for the buffer pointed to by that iovec.

Here are the specific bugs:
1. user_sdma_txadd() does not use struct user_sdma_iovec-&gt;iov.iov_len.
   Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec
   to the packet, even if some of those bytes are past
   iovec-&gt;iov.iov_len and are thus not intended to be in the packet.
2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the
   next iovec in user_sdma_request-&gt;iovs when the current iovec
   is not PAGE_SIZE and does not contain enough data to complete the
   packet. The transmitted packet will contain the wrong data from the
   iovec pages.

This has not been an issue with SDMA packets from hfi1 Verbs or PSM2
because they only produce iovecs that end short of PAGE_SIZE as the tail
iovec of an SDMA request.

Fixing these bugs exposes other bugs with the SDMA pin cache
(struct mmu_rb_handler) that get in the way of supporting user SDMA requests
with multiple payload iovecs whose buffers do not end at PAGE_SIZE. So
this commit fixes those issues as well.

Here are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec
payload user SDMA requests can hit:
1. Overlapping memory ranges in mmu_rb_handler will result in duplicate
   pinnings.
2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node),
   the mmu_rb code (1) removes the existing entry under a lock, (2)
   releases that lock, pins the new pages, (3) then reacquires the lock
   to insert the extended mmu_rb_node.

   If someone else comes in and inserts an overlapping entry between (2)
   and (3), insert in (3) will fail.

   The failure path code in this case unpins _all_ pages in either the
   original mmu_rb_node or the new mmu_rb_node that was inserted between
   (2) and (3).
3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node-&gt;refcount is
   incremented outside of mmu_rb_handler-&gt;lock. As a result, mmu_rb_node
   could be evicted by another thread that gets mmu_rb_handler-&gt;lock and
   checks mmu_rb_node-&gt;refcount before mmu_rb_node-&gt;refcount is
   incremented.
4. Related to #2 above, SDMA request submission failure path does not
   check mmu_rb_node-&gt;refcount before freeing mmu_rb_node object.

   If there are other SDMA requests in progress whose iovecs have
   pointers to the now-freed mmu_rb_node(s), those pointers to the
   now-freed mmu_rb nodes will be dereferenced when those SDMA requests
   complete.</Note>
    </Notes>
    <CVE>CVE-2023-52474</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

Input: powermate - fix use-after-free in powermate_config_complete

syzbot has found a use-after-free bug [1] in the powermate driver. This
happens when the device is disconnected, which leads to a memory free from
the powermate_device struct.  When an asynchronous control message
completes after the kfree and its callback is invoked, the lock does not
exist anymore and hence the bug.

Use usb_kill_urb() on pm-&gt;config to cancel any in-progress requests upon
device disconnection.

[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e</Note>
    </Notes>
    <CVE>CVE-2023-52475</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

perf/x86/lbr: Filter vsyscall addresses

We found that a panic can occur when a vsyscall is made while LBR sampling
is active. If the vsyscall is interrupted (NMI) for perf sampling, this
call sequence can occur (most recent at top):

    __insn_get_emulate_prefix()
    insn_get_emulate_prefix()
    insn_get_prefixes()
    insn_get_opcode()
    decode_branch_type()
    get_branch_type()
    intel_pmu_lbr_filter()
    intel_pmu_handle_irq()
    perf_event_nmi_handler()

Within __insn_get_emulate_prefix() at frame 0, a macro is called:

    peek_nbyte_next(insn_byte_t, insn, i)

Within this macro, this dereference occurs:

    (insn)-&gt;next_byte

Inspecting registers at this point, the value of the next_byte field is the
address of the vsyscall made, for example the location of the vsyscall
version of gettimeofday() at 0xffffffffff600000. The access to an address
in the vsyscall region will trigger an oops due to an unhandled page fault.

To fix the bug, filtering for vsyscalls can be done when
determining the branch type. This patch will return
a "none" branch if a kernel address is found to lie in the
vsyscall region.</Note>
    </Notes>
    <CVE>CVE-2023-52476</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: hub: Guard against accesses to uninitialized BOS descriptors

Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h
access fields inside udev-&gt;bos without checking if it was allocated and
initialized. If usb_get_bos_descriptor() fails for whatever
reason, udev-&gt;bos will be NULL and those accesses will result in a
crash:

BUG: kernel NULL pointer dereference, address: 0000000000000018
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 &lt;HASH:1f9e 1&gt;
Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021
Workqueue: usb_hub_wq hub_event
RIP: 0010:hub_port_reset+0x193/0x788
Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 &lt;48&gt; 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9
RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310
RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840
RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0
Call Trace:
hub_event+0x73f/0x156e
? hub_activate+0x5b7/0x68f
process_one_work+0x1a2/0x487
worker_thread+0x11a/0x288
kthread+0x13a/0x152
? process_one_work+0x487/0x487
? kthread_associate_blkcg+0x70/0x70
ret_from_fork+0x1f/0x30

Fall back to a default behavior if the BOS descriptor isn't accessible
and skip all the functionalities that depend on it: LPM support checks,
Super Speed capability checks, U1/U2 states setup.</Note>
    </Notes>
    <CVE>CVE-2023-52477</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect

hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)
races when it races with itself.

hidpp_connect_event() primarily runs from a workqueue but it also runs
on probe() and if a "device-connected" packet is received by the hw
when the thread running hidpp_connect_event() from probe() is waiting on
the hw, then a second thread running hidpp_connect_event() will be
started from the workqueue.

This opens the following races (note the below code is simplified):

1. Retrieving + printing the protocol (harmless race):

	if (!hidpp-&gt;protocol_major) {
		hidpp_root_get_protocol_version()
		hidpp-&gt;protocol_major = response.rap.params[0];
	}

We can actually see this race hit in the dmesg in the abrt output
attached to rhbz#2227968:

[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.
[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.

Testing with extra logging added has shown that after this the 2 threads
take turns grabbing the hw access mutex (send_mutex) so they ping-pong
through all the other TOCTOU cases managing to hit all of them:

2. Updating the name to the HIDPP name (harmless race):

	if (hidpp-&gt;name == hdev-&gt;name) {
		...
		hidpp-&gt;name = new_name;
	}

3. Initializing the power_supply class for the battery (problematic!):

hidpp_initialize_battery()
{
        if (hidpp-&gt;battery.ps)
                return 0;

	probe_battery(); /* Blocks, threads take turns executing this */

	hidpp-&gt;battery.desc.properties =
		devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);

	hidpp-&gt;battery.ps =
		devm_power_supply_register(&amp;hidpp-&gt;hid_dev-&gt;dev,
					   &amp;hidpp-&gt;battery.desc, cfg);
}

4. Creating delayed input_device (potentially problematic):

	if (hidpp-&gt;delayed_input)
		return;

	hidpp-&gt;delayed_input = hidpp_allocate_input(hdev);

The really big problem here is 3. Hitting the race leads to the following
sequence:

	hidpp-&gt;battery.desc.properties =
		devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);

	hidpp-&gt;battery.ps =
		devm_power_supply_register(&amp;hidpp-&gt;hid_dev-&gt;dev,
					   &amp;hidpp-&gt;battery.desc, cfg);

	...

	hidpp-&gt;battery.desc.properties =
		devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);

	hidpp-&gt;battery.ps =
		devm_power_supply_register(&amp;hidpp-&gt;hid_dev-&gt;dev,
					   &amp;hidpp-&gt;battery.desc, cfg);

So now we have registered 2 power supplies for the same battery,
which looks a bit weird from userspace's pov but this is not even
the really big problem.

Notice how:

1. This is all devm-managed
2. The hidpp-&gt;battery.desc struct is shared between the 2 power supplies
3. hidpp-&gt;battery.desc.properties points to the result from the second
   devm_kmemdup()

This causes a use after free scenario on USB disconnect of the receiver:
1. The last registered power supply class device gets unregistered
2. The memory from the last devm_kmemdup() call gets freed,
   hidpp-&gt;battery.desc.properties now points to freed memory
3. The first registered power supply class device gets unregistered,
   this involves sending a remove uevent to userspace which invokes
   power_supply_uevent() to fill the uevent data
4. power_supply_uevent() uses hidpp-&gt;battery.desc.properties which
   now points to freed memory leading to backtraces like this one:

Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08
...
Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event
Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0
...
Sep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30
Sep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0
Sep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0
Sep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0
Sep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680
Sep 22 20:01:35 eric kernel:  
---truncated---</Note>
    </Notes>
    <CVE>CVE-2023-52478</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

x86/srso: Add SRSO mitigation for Hygon processors

Add mitigation for the speculative return stack overflow vulnerability
which exists on Hygon processors too.</Note>
    </Notes>
    <CVE>CVE-2023-52482</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dmaengine: fix NULL pointer in channel unregistration function

__dma_async_device_channel_register() can fail. In case of failure,
chan-&gt;local is freed (with free_percpu()), and chan-&gt;local is nullified.
When dma_async_device_unregister() is called (because of managed API or
intentionally by DMA controller driver), channels are unconditionally
unregistered, leading to this NULL pointer:
[    1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
[...]
[    1.484499] Call trace:
[    1.486930]  device_del+0x40/0x394
[    1.490314]  device_unregister+0x20/0x7c
[    1.494220]  __dma_async_device_channel_unregister+0x68/0xc0

Look at dma_async_device_register() function error path, channel device
unregistration is done only if chan-&gt;local is not NULL.

Then add the same condition at the beginning of
__dma_async_device_channel_unregister() function, to avoid NULL pointer
issue whatever the API used to reach this function.</Note>
    </Notes>
    <CVE>CVE-2023-52492</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command

Tags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed
when we receive the response.</Note>
    </Notes>
    <CVE>CVE-2023-52500</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()

Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.

Getting a reference on the socket found in a lookup while
holding a lock should happen before releasing the lock.

nfc_llcp_sock_get_sn() has a similar problem.

Finally nfc_llcp_recv_snl() needs to make sure the socket
found by nfc_llcp_sock_from_sn() does not disappear.</Note>
    </Notes>
    <CVE>CVE-2023-52502</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()

The nvme_fc_fcp_op structure describing an AEN operation is initialized with a
null request structure pointer. An FC LLDD may make a call to
nvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation.

Add validation of the request structure pointer before dereference.</Note>
    </Notes>
    <CVE>CVE-2023-52508</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix potential key use-after-free

When ieee80211_key_link() is called by ieee80211_gtk_rekey_add()
but returns 0 due to KRACK protection (identical key reinstall),
ieee80211_gtk_rekey_add() will still return a pointer into the
key, in a potential use-after-free. This normally doesn't happen
since it's only called by iwlwifi in case of WoWLAN rekey offload
which has its own KRACK protection, but still better to fix, do
that by returning an error code and converting that to success on
the cfg80211 boundary only, leaving the error for bad callers of
ieee80211_gtk_rekey_add().</Note>
    </Notes>
    <CVE>CVE-2023-52530</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: Fix a memory corruption issue

A few lines above, space is kzalloc()'ed for:
	sizeof(struct iwl_nvm_data) +
	sizeof(struct ieee80211_channel) +
	sizeof(struct ieee80211_rate)

'mvm-&gt;nvm_data' is a 'struct iwl_nvm_data', so it is fine.

At the end of this structure, there is the 'channels' flex array.
Each element is of type 'struct ieee80211_channel'.
So only 1 element is allocated in this array.

When doing:
  mvm-&gt;nvm_data-&gt;bands[0].channels = mvm-&gt;nvm_data-&gt;channels;
We point at the first element of the 'channels' flex array.
So this is fine.

However, when doing:
  mvm-&gt;nvm_data-&gt;bands[0].bitrates =
			(void *)((u8 *)mvm-&gt;nvm_data-&gt;channels + 1);
because of the "(u8 *)" cast, we add only 1 to the address of the beginning
of the flex array.

It is likely that we want to point at the 'struct ieee80211_rate' allocated
just after.

Remove the spurious casting so that the pointer arithmetic works as
expected.</Note>
    </Notes>
    <CVE>CVE-2023-52531</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: mana: Fix TX CQE error handling

For an unknown TX CQE error type (probably from a newer hardware),
still free the SKB, update the queue tail, etc., otherwise the
accounting will be wrong.

Also, TX errors can be triggered by injecting corrupted packets, so
replace the WARN_ONCE with ratelimited error logging.</Note>
    </Notes>
    <CVE>CVE-2023-52532</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

btrfs: remove BUG() after failure to insert delayed dir index item

Instead of calling BUG() when we fail to insert a delayed dir index item
into the delayed node's tree, we can just release all the resources we
have allocated/acquired before and return the error to the caller. This is
fine because all existing call chains undo anything they have done before
calling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending
snapshots in the transaction commit path).

So remove the BUG() call and do proper error handling.

This relates to a syzbot report linked below, but does not fix it because
it only prevents hitting a BUG(), it does not fix the issue where somehow
we attempt to use twice the same index number for different index items.</Note>
    </Notes>
    <CVE>CVE-2023-52569</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

team: fix null-ptr-deref when team device type is changed

Get a null-ptr-deref bug as follows with reproducer [1].

BUG: kernel NULL pointer dereference, address: 0000000000000228
...
RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
...
Call Trace:
 &lt;TASK&gt;
 ? __die+0x24/0x70
 ? page_fault_oops+0x82/0x150
 ? exc_page_fault+0x69/0x150
 ? asm_exc_page_fault+0x26/0x30
 ? vlan_dev_hard_header+0x35/0x140 [8021q]
 ? vlan_dev_hard_header+0x8e/0x140 [8021q]
 neigh_connected_output+0xb2/0x100
 ip6_finish_output2+0x1cb/0x520
 ? nf_hook_slow+0x43/0xc0
 ? ip6_mtu+0x46/0x80
 ip6_finish_output+0x2a/0xb0
 mld_sendpack+0x18f/0x250
 mld_ifc_work+0x39/0x160
 process_one_work+0x1e6/0x3f0
 worker_thread+0x4d/0x2f0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe5/0x120
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x34/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30

[1]
$ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
$ ip link add name t-dummy type dummy
$ ip link add link t-dummy name t-dummy.100 type vlan id 100
$ ip link add name t-nlmon type nlmon
$ ip link set t-nlmon master team0
$ ip link set t-nlmon nomaster
$ ip link set t-dummy up
$ ip link set team0 up
$ ip link set t-dummy.100 down
$ ip link set t-dummy.100 master team0

When enslaving a vlan device to a team device and the team device type is changed
from non-ether to ether, header_ops of team device is changed to
vlan_header_ops. That is incorrect and will trigger null-ptr-deref
for vlan-&gt;real_dev in vlan_dev_hard_header() because team device is not
a vlan device.

Cache eth_header_ops in team_setup(), then assign cached header_ops to
header_ops of team net device when its type is changed from non-ether
to ether to fix the bug.</Note>
    </Notes>
    <CVE>CVE-2023-52574</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.</Note>
    </Notes>
    <CVE>CVE-2023-52575</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix memleak when more than 255 elements expired

When more than 255 elements expired we're supposed to switch to a new gc
container structure.

This never happens: u8 type will wrap before reaching the boundary
and nft_trans_gc_space() always returns true.

This means we recycle the initial gc container structure and
lose track of the elements that came before.

While at it, don't deref 'gc' after we've passed it to call_rcu.</Note>
    </Notes>
    <CVE>CVE-2023-52581</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ceph: fix deadlock or deadcode of misusing dget()

The lock order is incorrect between dentry and its parent, we should
always make sure that the parent gets the lock first.

But since this deadcode is never used and the parent dir will always
be set from the callers, let's just remove it.</Note>
    </Notes>
    <CVE>CVE-2023-52583</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

reiserfs: Avoid touching renamed directory if parent does not change

The VFS will not be locking moved directory if its parent does not
change. Change reiserfs rename code to avoid touching renamed directory
if its parent does not change as without locking that can corrupt the
filesystem.</Note>
    </Notes>
    <CVE>CVE-2023-52591</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KVM: s390: fix setting of fpc register

kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control
(fpc) register of a guest cpu. The new value is tested for validity by
temporarily loading it into the fpc register.

This may lead to corruption of the fpc register of the host process:
if an interrupt happens while the value is temporarily loaded into the fpc
register, and within interrupt context floating point or vector registers
are used, the current fp/vx registers are saved with save_fpu_regs()
assuming they belong to user space and will be loaded into fp/vx registers
when returning to user space.

test_fp_ctl() restores the original user space / host process fpc register
value, however it will be discarded, when returning to user space.

In result the host process will incorrectly continue to run with the value
that was supposed to be used for a guest cpu.

Fix this by simply removing the test. There is another test right before
the SIE context is entered which will handle invalid values.

This results in a change of behaviour: invalid values will now be accepted
instead of that the ioctl fails with -EINVAL. This seems to be acceptable,
given that this interface is most likely not used anymore, and this is in
addition the same behaviour implemented with the memory mapped interface
(replace invalid values with zero) - see sync_regs() in kvm-s390.c.</Note>
    </Notes>
    <CVE>CVE-2023-52597</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.</Note>
    </Notes>
    <CVE>CVE-2023-52605</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/mm: Fix null-pointer dereference in pgtable_cache_add

kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure. Ensure the allocation was successful
by checking the pointer validity.</Note>
    </Notes>
    <CVE>CVE-2023-52607</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: aqc111: check packet for fixup for true limit

If a device sends a packet that is in between 0
and sizeof(u64) the value passed to skb_trim()
as length will wrap around ending up as some very
large value.

The driver will then proceed to parse the header
located at that position, which will either oops or
process some random value.

The fix is to check against sizeof(u64) rather than
0, which the driver currently does. The issue exists
since the introduction of the driver.</Note>
    </Notes>
    <CVE>CVE-2023-52655</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/powernv: Add a null pointer check in opal_event_init()

kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure.</Note>
    </Notes>
    <CVE>CVE-2023-52686</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

Skip SMB sessions that are being torn down
(e.g. @ses-&gt;ses_status == SES_EXITING) in cifs_debug_data_proc_show()
to avoid use-after-free in @ses.

This fixes the following GPF when reading from /proc/fs/cifs/DebugData
while mounting and umounting

  [ 816.251274] general protection fault, probably for non-canonical
  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
  ...
  [  816.260138] Call Trace:
  [  816.260329]  &lt;TASK&gt;
  [  816.260499]  ? die_addr+0x36/0x90
  [  816.260762]  ? exc_general_protection+0x1b3/0x410
  [  816.261126]  ? asm_exc_general_protection+0x26/0x30
  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]
  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]
  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
  [  816.262689]  ? seq_read_iter+0x379/0x470
  [  816.262995]  seq_read_iter+0x118/0x470
  [  816.263291]  proc_reg_read_iter+0x53/0x90
  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f
  [  816.263945]  vfs_read+0x201/0x350
  [  816.264211]  ksys_read+0x75/0x100
  [  816.264472]  do_syscall_64+0x3f/0x90
  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
  [  816.265135] RIP: 0033:0x7fd5e669d381</Note>
    </Notes>
    <CVE>CVE-2023-52752</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

The put_device() calls rmi_release_function() which frees "fn" so the
dereference on the next line "fn-&gt;num_of_irqs" is a use after free.
Move the put_device() to the end to fix this.</Note>
    </Notes>
    <CVE>CVE-2023-52840</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: llcc: Handle a second device without data corruption

Usually there is only one llcc device. But if there were a second, even
a failed probe call would modify the global drv_data pointer. So check
if drv_data is valid before overwriting it.</Note>
    </Notes>
    <CVE>CVE-2023-52871</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc

Any unprivileged user can attach N_GSM0710 ldisc, but it requires
CAP_NET_ADMIN to create a GSM network anyway.

Require initial namespace CAP_NET_ADMIN to do that.</Note>
    </Notes>
    <CVE>CVE-2023-52880</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tcp: do not accept ACK of bytes we never sent

This patch is based on a detailed report and ideas from Yepeng Pan
and Christian Rossow.

ACK seq validation is currently following RFC 5961 5.2 guidelines:

   The ACK value is considered acceptable only if
   it is in the range of ((SND.UNA - MAX.SND.WND) &lt;= SEG.ACK &lt;=
   SND.NXT).  All incoming segments whose ACK value doesn't satisfy the
   above condition MUST be discarded and an ACK sent back.  It needs to
   be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a
   duplicate (SEG.ACK &lt; SND.UNA), it can be ignored.  If the ACK
   acknowledges something not yet sent (SEG.ACK &gt; SND.NXT) then send an
   ACK, drop the segment, and return".  The "ignored" above implies that
   the processing of the incoming data segment continues, which means
   the ACK value is treated as acceptable.  This mitigation makes the
   ACK check more stringent since any ACK &lt; SND.UNA wouldn't be
   accepted, instead only ACKs that are in the range ((SND.UNA -
   MAX.SND.WND) &lt;= SEG.ACK &lt;= SND.NXT) get through.

This can be refined for new (and possibly spoofed) flows,
by not accepting ACK for bytes that were never sent.

This greatly improves TCP security at a little cost.

I added a Fixes: tag to make sure this patch will reach stable trees,
even if the 'blamed' patch was adhering to the RFC.

tp-&gt;bytes_acked was added in linux-4.2

Following packetdrill test (courtesy of Yepeng Pan) shows
the issue at hand:

0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1024) = 0

// ---------------- Handshake ------------------- //

// when window scale is set to 14 the window size can be extended to
// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet
// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)
// ,though this ack number acknowledges some data never
// sent by the server.

+0 &lt; S 0:0(0) win 65535 &lt;mss 1400,nop,wscale 14&gt;
+0 &gt; S. 0:0(0) ack 1 &lt;...&gt;
+0 &lt; . 1:1(0) ack 1 win 65535
+0 accept(3, ..., ...) = 4

// For the established connection, we send an ACK packet,
// the ack packet uses ack number 1 - 1073725300 + 2^32,
// where 2^32 is used to wrap around.
// Note: we used 1073725300 instead of 1073725440 to avoid possible
// edge cases.
// 1 - 1073725300 + 2^32 = 3221241997

// Oops, old kernels happily accept this packet.
+0 &lt; . 1:1001(1000) ack 3221241997 win 65535

// After the kernel fix the following will be replaced by a challenge ACK,
// and prior malicious frame would be dropped.
+0 &gt; . 1:1(0) ack 1001</Note>
    </Notes>
    <CVE>CVE-2023-52881</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox &lt; 124, Firefox ESR &lt; 115.9, and Thunderbird &lt; 115.9.</Note>
    </Notes>
    <CVE>CVE-2023-5388</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libfreebl3-3.101.2-150000.3.120.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libsoftokn3-3.101.2-150000.3.120.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:mozilla-nss-3.101.2-150000.3.120.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:mozilla-nss-certs-3.101.2-150000.3.120.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:mozilla-nss-tools-3.101.2-150000.3.120.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when:

  - `nxdomain-redirect &lt;domain&gt;;` is configured, and
  - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.
This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.</Note>
    </Notes>
    <CVE>CVE-2023-5517</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:bind-utils-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libbind9-1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libdns1605-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libirs1601-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisc1606-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccc1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccfg1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libns1604-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-bind-9.16.6-150300.22.47.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in which the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding.</Note>
    </Notes>
    <CVE>CVE-2023-5981</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gnutls-3.6.7-150200.14.31.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgnutls30-3.6.7-150200.14.31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.</Note>
    </Notes>
    <CVE>CVE-2023-6004</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family). While creating a new netfilter table, the lack of a safeguard against invalid nf_tables family (pf) values within the `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access.</Note>
    </Notes>
    <CVE>CVE-2023-6040</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).</Note>
    </Notes>
    <CVE>CVE-2023-6121</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.</Note>
    </Notes>
    <CVE>CVE-2023-6270</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packets when using NVMe over TCP, leading to a NULL pointer dereference in the NVMe driver and causing a kernel panic and a denial of service.</Note>
    </Notes>
    <CVE>CVE-2023-6356</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded.
This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.</Note>
    </Notes>
    <CVE>CVE-2023-6516</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:bind-utils-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libbind9-1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libdns1605-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libirs1601-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisc1606-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccc1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccfg1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libns1604-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-bind-9.16.6-150300.22.47.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free flaw was found in the Linux kernel due to a race condition: the unix garbage collector's deletion of an SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.</Note>
    </Notes>
    <CVE>CVE-2023-6531</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packets when using NVMe over TCP, leading to a NULL pointer dereference in the NVMe driver and causing a kernel panic and a denial of service.</Note>
    </Notes>
    <CVE>CVE-2023-6535</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packets when using NVMe over TCP, leading to a NULL pointer dereference in the NVMe driver and causing a kernel panic and a denial of service.</Note>
    </Notes>
    <CVE>CVE-2023-6536</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.
</Note>
    </Notes>
    <CVE>CVE-2023-6597</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-3.6.15-150300.10.65.2</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-curses-3.6.15-150300.10.65.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.</Note>
    </Notes>
    <CVE>CVE-2023-6606</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.</Note>
    </Notes>
    <CVE>CVE-2023-6610</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The function nft_pipapo_walk did not skip inactive elements during set walk, which could lead to double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.

We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.

</Note>
    </Notes>
    <CVE>CVE-2023-6817</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A NULL pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.</Note>
    </Notes>
    <CVE>CVE-2023-6915</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in libssh, which implements an abstraction layer for message digest (MD) operations provided by the different supported crypto backends. The return values from these were not properly checked, which could cause failures in low-memory situations, NULL dereferences, crashes, or usage of uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.</Note>
    </Notes>
    <CVE>CVE-2023-6918</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libssh4-0.9.8-150200.13.6.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.

A perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group().

We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.

</Note>
    </Notes>
    <CVE>CVE-2023-6931</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.

A race condition can be exploited to cause a timer to be mistakenly registered on an RCU read-locked object which is freed by another thread.

We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.

</Note>
    </Notes>
    <CVE>CVE-2023-6932</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.</Note>
    </Notes>
    <CVE>CVE-2023-7042</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.</Note>
    </Notes>
    <CVE>CVE-2023-7192</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.</Note>
    </Notes>
    <CVE>CVE-2023-7207</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cpio-2.12-150000.3.12.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.</Note>
    </Notes>
    <CVE>CVE-2024-0340</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A defect was discovered in the Python "ssl" module where there is a memory
race condition with the ssl.SSLContext methods "cert_store_stats()" and
"get_ca_certs()". The race condition can be triggered if the methods are
called at the same time as certificates are loaded into the SSLContext,
such as during the TLS handshake with a certificate directory configured.
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.</Note>
    </Notes>
    <CVE>CVE-2024-0397</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-3.6.15-150300.10.65.2</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-curses-3.6.15-150300.10.65.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive.

</Note>
    </Notes>
    <CVE>CVE-2024-0450</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-3.6.15-150300.10.65.2</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-curses-3.6.15-150300.10.65.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.</Note>
    </Notes>
    <CVE>CVE-2024-0553</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gnutls-3.6.7-150200.14.31.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgnutls30-3.6.7-150200.14.31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service.</Note>
    </Notes>
    <CVE>CVE-2024-0565</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.</Note>
    </Notes>
    <CVE>CVE-2024-0607</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel's SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.</Note>
    </Notes>
    <CVE>CVE-2024-0639</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2024-0727</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssl-1_1-1.1.1d-150200.11.91.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.</Note>
    </Notes>
    <CVE>CVE-2024-0775</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.</Note>
    </Notes>
    <CVE>CVE-2024-0841</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.

We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

</Note>
    </Notes>
    <CVE>CVE-2024-1086</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.</Note>
    </Notes>
    <CVE>CVE-2024-1151</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name.
This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.</Note>
    </Notes>
    <CVE>CVE-2024-1737</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:bind-utils-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libbind9-1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libdns1605-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libirs1601-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisc1606-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccc1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccfg1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libns1604-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-bind-9.16.6-150300.22.47.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests.
This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.</Note>
    </Notes>
    <CVE>CVE-2024-1975</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:bind-utils-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libbind9-1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libdns1605-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libirs1601-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisc1606-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccc1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libisccfg1600-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libns1604-9.16.6-150300.22.47.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-bind-9.16.6-150300.22.47.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.</Note>
    </Notes>
    <CVE>CVE-2024-21626</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:runc-1.1.13-150000.67.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.</Note>
    </Notes>
    <CVE>CVE-2024-2193</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xen-libs-4.14.6_16-150300.3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems.</Note>
    </Notes>
    <CVE>CVE-2024-2201</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xen-libs-4.14.6_16-150300.3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">NULL Pointer Dereference vulnerability in the Linux kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.

This issue affects Linux kernel: v2.6.12-rc2.

</Note>
    </Notes>
    <CVE>CVE-2024-22099</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.</Note>
    </Notes>
    <CVE>CVE-2024-22667</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-9.1.0330-150000.5.63.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:vim-data-common-9.1.0330-150000.5.63.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Integer Overflow or Wraparound vulnerability in the Linux kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.</Note>
    </Notes>
    <CVE>CVE-2024-23307</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding using a BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
</Note>
    </Notes>
    <CVE>CVE-2024-23651</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:docker-25.0.6_ce-150000.203.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.</Note>
    </Notes>
    <CVE>CVE-2024-23652</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:docker-25.0.6_ce-150000.203.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if the special `security.insecure` entitlement is both enabled by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5. Avoid using BuildKit frontends from untrusted sources.
</Note>
    </Notes>
    <CVE>CVE-2024-23653</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:docker-25.0.6_ce-150000.203.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.</Note>
    </Notes>
    <CVE>CVE-2024-23849</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel-&gt;data_size check. This is related to ctl_ioctl.</Note>
    </Notes>
    <CVE>CVE-2024-23851</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.</Note>
    </Notes>
    <CVE>CVE-2024-2398</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:curl-7.66.0-150200.4.72.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libcurl4-7.66.0-150200.4.72.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.</Note>
    </Notes>
    <CVE>CVE-2024-2494</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libvirt-client-7.1.0-150300.6.41.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libvirt-libs-7.1.0-150300.6.41.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.</Note>
    </Notes>
    <CVE>CVE-2024-25062</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxml2-2-2.9.7-150000.3.70.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxml2-tools-2.9.7-150000.3.70.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: Some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to trigger
unbounded memory growth that would lead to a Denial of Service

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is
being used (but not if early_data support is also configured and the default
anti-replay protection is in use). In this case, under certain conditions, the
session cache can get into an incorrect state and it will fail to flush properly
as it fills. The session cache will continue to grow in an unbounded manner. A
malicious client could deliberately create the scenario for this failure to
force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS
clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL
1.0.2 is also not affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2024-2511</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssl-1_1-1.1.1d-150200.11.91.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack's media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDoS 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.</Note>
    </Notes>
    <CVE>CVE-2024-25126</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ruby2.5-rubygem-rack-2.0.8-150000.3.21.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.</Note>
    </Notes>
    <CVE>CVE-2024-25629</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libcares2-1.19.1-150000.3.26.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.</Note>
    </Notes>
    <CVE>CVE-2024-26141</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ruby2.5-rubygem-rack-2.0.8-150000.3.21.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.</Note>
    </Notes>
    <CVE>CVE-2024-26146</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ruby2.5-rubygem-rack-2.0.8-150000.3.21.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.</Note>
    </Notes>
    <CVE>CVE-2024-26458</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-1.19.2-150300.19.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-client-1.19.2-150300.19.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.</Note>
    </Notes>
    <CVE>CVE-2024-26461</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-1.19.2-150300.19.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-client-1.19.2-150300.19.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_rbtree: skip end interval element from gc

rbtree lazy gc on insert might collect an end interval element that has
been just added in this transaction, skip end interval elements that
are not yet active.</Note>
    </Notes>
    <CVE>CVE-2024-26581</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tls: fix race between tx work scheduling and socket close

Similarly to previous commit, the submitting thread (recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete().
Reorder scheduling the work before calling complete().
This seems more logical in the first place, as it's
the inverse order of what the submitting thread will do.</Note>
    </Notes>
    <CVE>CVE-2024-26585</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix stack corruption

When tc filters are first added to a net device, the corresponding local
port gets bound to an ACL group in the device. The group contains a list
of ACLs. In turn, each ACL points to a different TCAM region where the
filters are stored. During forwarding, the ACLs are sequentially
evaluated until a match is found.

One reason to place filters in different regions is when they are added
with decreasing priorities and in an alternating order so that two
consecutive filters can never fit in the same region because of their
key usage.

In Spectrum-2 and newer ASICs the firmware started to report that the
maximum number of ACLs in a group is more than 16, but the layout of the
register that configures ACL groups (PAGT) was not updated to account
for that. It is therefore possible to hit stack corruption [1] in the
rare case where more than 16 ACLs in a group are required.

Fix by limiting the maximum ACL group size to the minimum between what
the firmware reports and the maximum ACLs that fit in the PAGT register.

Add a test case to make sure the machine does not crash when this
condition is hit.

[1]
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120
[...]
 dump_stack_lvl+0x36/0x50
 panic+0x305/0x330
 __stack_chk_fail+0x15/0x20
 mlxsw_sp_acl_tcam_group_update+0x116/0x120
 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110
 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20
 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0
 mlxsw_sp_acl_rule_add+0x47/0x240
 mlxsw_sp_flower_replace+0x1a9/0x1d0
 tc_setup_cb_add+0xdc/0x1c0
 fl_hw_replace_filter+0x146/0x1f0
 fl_change+0xc17/0x1360
 tc_new_tfilter+0x472/0xb90
 rtnetlink_rcv_msg+0x313/0x3b0
 netlink_rcv_skb+0x58/0x100
 netlink_unicast+0x244/0x390
 netlink_sendmsg+0x1e4/0x440
 ____sys_sendmsg+0x164/0x260
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0x7a/0xc0
 do_syscall_64+0x40/0xe0
 entry_SYSCALL_64_after_hwframe+0x63/0x6b</Note>
    </Notes>
    <CVE>CVE-2024-26586</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
for validation. However, variable offset ptr alu is not prohibited
for this ptr kind. So the variable offset is not checked.

The following prog is accepted:

  func#0 @0
  0: R1=ctx() R10=fp0
  0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()
  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()
  2: (b7) r8 = 1024                     ; R8_w=1024
  3: (37) r8 /= 1                       ; R8_w=scalar()
  4: (57) r8 &amp;= 1024                    ; R8_w=scalar(smin=smin32=0,
  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
  5: (0f) r7 += r8
  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &amp;= 1024
  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off
  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
  var_off=(0x0; 0x400))
  6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()
  7: (95) exit

This prog loads flow_keys to r7, and adds the variable offset r8
to r7, and finally causes out-of-bounds access:

  BUG: unable to handle page fault for address: ffffc90014c80038
  [...]
  Call Trace:
   &lt;TASK&gt;
   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
   __bpf_prog_run include/linux/filter.h:651 [inline]
   bpf_prog_run include/linux/filter.h:658 [inline]
   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
   __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fix this by rejecting ptr alu with variable offset on flow_keys.
Applying the patch rejects the program with "R7 pointer arithmetic
on flow_keys prohibited".</Note>
    </Notes>
    <CVE>CVE-2024-26589</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i2c: i801: Fix block process call transactions

According to the Intel datasheets, software must reset the block
buffer index twice for block process call transactions: once before
writing the outgoing data to the buffer, and once again before
reading the incoming data from the buffer.

The driver is currently missing the second reset, causing the wrong
portion of the block buffer to be read.</Note>
    </Notes>
    <CVE>CVE-2024-26593</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path

When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after
failing to attach the region to an ACL group, we hit a NULL pointer
dereference upon 'region-&gt;group-&gt;tcam' [1].

Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().

[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0
[...]
Call Trace:
 mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20
 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0
 mlxsw_sp_acl_rule_add+0x47/0x240
 mlxsw_sp_flower_replace+0x1a9/0x1d0
 tc_setup_cb_add+0xdc/0x1c0
 fl_hw_replace_filter+0x146/0x1f0
 fl_change+0xc17/0x1360
 tc_new_tfilter+0x472/0xb90
 rtnetlink_rcv_msg+0x313/0x3b0
 netlink_rcv_skb+0x58/0x100
 netlink_unicast+0x244/0x390
 netlink_sendmsg+0x1e4/0x440
 ____sys_sendmsg+0x164/0x260
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0x7a/0xc0
 do_syscall_64+0x40/0xe0
 entry_SYSCALL_64_after_hwframe+0x63/0x6b</Note>
    </Notes>
    <CVE>CVE-2024-26595</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP

If the external phy working together with phy-omap-usb2 does not implement
send_srp(), we may still attempt to call it. This can happen on an idle
Ethernet gadget triggering a wakeup for example:

configfs-gadget.g1 gadget.0: ECM Suspend
configfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup
...
Unable to handle kernel NULL pointer dereference at virtual address
00000000 when execute
...
PC is at 0x0
LR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]
...
musb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]
usb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]
eth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c
dev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4
sch_direct_xmit from __dev_queue_xmit+0x334/0xd88
__dev_queue_xmit from arp_solicit+0xf0/0x268
arp_solicit from neigh_probe+0x54/0x7c
neigh_probe from __neigh_event_send+0x22c/0x47c
__neigh_event_send from neigh_resolve_output+0x14c/0x1c0
neigh_resolve_output from ip_finish_output2+0x1c8/0x628
ip_finish_output2 from ip_send_skb+0x40/0xd8
ip_send_skb from udp_send_skb+0x124/0x340
udp_send_skb from udp_sendmsg+0x780/0x984
udp_sendmsg from __sys_sendto+0xd8/0x158
__sys_sendto from ret_fast_syscall+0x0/0x58

Let's fix the issue by checking for send_srp() and set_vbus() before
calling them. For USB peripheral only cases these both could be NULL.</Note>
    </Notes>
    <CVE>CVE-2024-26600</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

sched/membarrier: reduce the ability to hammer on sys_membarrier

On some systems, sys_membarrier can be very expensive, causing overall
slowdowns for everything.  So put a lock on the path in order to
serialize the accesses to prevent the ability for this to be called at
too high of a frequency and saturate the machine.</Note>
    </Notes>
    <CVE>CVE-2024-26602</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: sii902x: Fix probing race issue

A null pointer dereference crash has been observed rarely on TI
platforms using sii9022 bridge:

[   53.271356]  sii902x_get_edid+0x34/0x70 [sii902x]
[   53.276066]  sii902x_bridge_get_edid+0x14/0x20 [sii902x]
[   53.281381]  drm_bridge_get_edid+0x20/0x34 [drm]
[   53.286305]  drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]
[   53.292955]  drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]
[   53.300510]  drm_client_modeset_probe+0x1f0/0xbd4 [drm]
[   53.305958]  __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]
[   53.313611]  drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]
[   53.320039]  drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]
[   53.326401]  drm_client_register+0x5c/0xa0 [drm]
[   53.331216]  drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]
[   53.336881]  tidss_probe+0x128/0x264 [tidss]
[   53.341174]  platform_probe+0x68/0xc4
[   53.344841]  really_probe+0x188/0x3c4
[   53.348501]  __driver_probe_device+0x7c/0x16c
[   53.352854]  driver_probe_device+0x3c/0x10c
[   53.357033]  __device_attach_driver+0xbc/0x158
[   53.361472]  bus_for_each_drv+0x88/0xe8
[   53.365303]  __device_attach+0xa0/0x1b4
[   53.369135]  device_initial_probe+0x14/0x20
[   53.373314]  bus_probe_device+0xb0/0xb4
[   53.377145]  deferred_probe_work_func+0xcc/0x124
[   53.381757]  process_one_work+0x1f0/0x518
[   53.385770]  worker_thread+0x1e8/0x3dc
[   53.389519]  kthread+0x11c/0x120
[   53.392750]  ret_from_fork+0x10/0x20

The issue here is as follows:

- tidss probes, but is deferred as sii902x is still missing.
- sii902x starts probing and enters sii902x_init().
- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from
  DRM's perspective.
- sii902x calls sii902x_audio_codec_init() and
  platform_device_register_data()
- The registration of the audio platform device causes probing of the
  deferred devices.
- tidss probes, which eventually causes sii902x_bridge_get_edid() to be
  called.
- sii902x_bridge_get_edid() tries to use the i2c to read the edid.
  However, the sii902x driver has not set up the i2c part yet, leading
  to the crash.

Fix this by moving the drm_bridge_add() to the end of the
sii902x_init(), which is also at the very end of sii902x_probe().</Note>
    </Notes>
    <CVE>CVE-2024-26607</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: fix a memory corruption

iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that
if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in
bytes, we'll write past the buffer.</Note>
    </Notes>
    <CVE>CVE-2024-26610</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tcp: make sure init the accept_queue's spinlocks once

When I run syz's reproduction C program locally, it causes the following
issue:
pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!
WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)
Call Trace:
&lt;IRQ&gt;
  _raw_spin_unlock (kernel/locking/spinlock.c:186)
  inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)
  inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)
  tcp_check_req (net/ipv4/tcp_minisocks.c:868)
  tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)
  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
  ip_local_deliver_finish (net/ipv4/ip_input.c:234)
  __netif_receive_skb_one_core (net/core/dev.c:5529)
  process_backlog (./include/linux/rcupdate.h:779)
  __napi_poll (net/core/dev.c:6533)
  net_rx_action (net/core/dev.c:6604)
  __do_softirq (./arch/x86/include/asm/jump_label.h:27)
  do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)
&lt;/IRQ&gt;
&lt;TASK&gt;
  __local_bh_enable_ip (kernel/softirq.c:381)
  __dev_queue_xmit (net/core/dev.c:4374)
  ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)
  __ip_queue_xmit (net/ipv4/ip_output.c:535)
  __tcp_transmit_skb (net/ipv4/tcp_output.c:1462)
  tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)
  tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)
  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)
  __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)
  release_sock (net/core/sock.c:3536)
  inet_wait_for_connect (net/ipv4/af_inet.c:609)
  __inet_stream_connect (net/ipv4/af_inet.c:702)
  inet_stream_connect (net/ipv4/af_inet.c:748)
  __sys_connect (./include/linux/file.h:45 net/socket.c:2064)
  __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)
  do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)
  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
&lt;/TASK&gt;

The issue triggering process is analyzed as follows:
Thread A                                       Thread B
tcp_v4_rcv	//receive ack TCP packet       inet_shutdown
  tcp_check_req                                  tcp_disconnect //disconnect sock
  ...                                              tcp_set_state(sk, TCP_CLOSE)
    inet_csk_complete_hashdance                ...
      inet_csk_reqsk_queue_add         
---truncated---</Note>
    </Notes>
    <CVE>CVE-2024-26614</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tomoyo: fix UAF write bug in tomoyo_write_control()

Since tomoyo_write_control() updates head-&gt;write_buf when write()
of long lines is requested, we need to fetch head-&gt;write_buf after
head-&gt;io_sem is held.  Otherwise, concurrent write() requests can
cause use-after-free-write and double-free problems.</Note>
    </Notes>
    <CVE>CVE-2024-26622</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: disallow anonymous set with timeout flag

Anonymous sets are never used with timeout from userspace, reject this.
Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.</Note>
    </Notes>
    <CVE>CVE-2024-26642</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout

While the rhashtable set gc runs asynchronously, a race allows it to
collect elements from anonymous sets with timeouts while it is being
released from the commit path.

Mingi Cho originally reported this issue in a different path in 6.1.x
with a pipapo set with low timeouts which is not possible upstream since
7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set
element timeout").

Fix this by setting on the dead flag for anonymous sets to skip async gc
in this case.

According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on
transaction abort"), Florian plans to accelerate abort path by releasing
objects via workqueue, therefore, this sets on the dead flag for abort
path too.</Note>
    </Notes>
    <CVE>CVE-2024-26643</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ceph: prevent use-after-free in encode_cap_msg()

In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
caught by KASAN at this line - 'ceph_buffer_get(arg-&gt;xattr_buf);'. This
implies before the refcount could be incremented here, it was freed.

In same file, in "handle_cap_grant()" refcount is decremented by this
line - 'ceph_buffer_put(ci-&gt;i_xattrs.blob);'. It appears that a race
occurred and resource was freed by the latter line before the former
line could increment it.

encode_cap_msg() is called by __send_cap() and __send_cap() is called by
ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
arg-&gt;xattr_buf is assigned to ci-&gt;i_xattrs.blob. This is the spot where
the refcount must be increased to prevent "use after free" error.</Note>
    </Notes>
    <CVE>CVE-2024-26689</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ext4: fix double-free of blocks due to wrong extents moved_len

In ext4_move_extents(), moved_len is only updated when all moves are
successfully executed, and only discards orig_inode and donor_inode
preallocations when moved_len is not zero. When the loop fails to exit
after successfully moving some extents, moved_len is not updated and
remains at 0, so it does not discard the preallocations.

If the moved extents overlap with the preallocated extents, the
overlapped extents are freed twice in ext4_mb_release_inode_pa() and
ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4:
Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is
incremented twice. Hence when trim is executed, a zero-division bug is
triggered in mb_update_avg_fragment_size() because bb_free is not zero
and bb_fragments is zero.

Therefore, update moved_len after each extent move to avoid the issue.</Note>
    </Notes>
    <CVE>CVE-2024-26704</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

arp: Prevent overflow in arp_req_get().

syzkaller reported an overflown write in arp_req_get(). [0]

When ioctl(SIOCGARP) is issued, arp_req_get() looks up a neighbour
entry and copies neigh-&gt;ha to struct arpreq.arp_ha.sa_data.

The arp_ha here is struct sockaddr, not struct sockaddr_storage, so
the sa_data buffer is just 14 bytes.

In the splat below, 2 bytes are overflown to the next int field,
arp_flags.  We initialise the field just after the memcpy(), so it's
not a problem.

However, when dev-&gt;addr_len is greater than 22 (e.g. MAX_ADDR_LEN),
arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)
in arp_ioctl() before calling arp_req_get().

To avoid the overflow, let's limit the max length of memcpy().

Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible
array in struct sockaddr") just silenced syzkaller.

[0]:
memcpy: detected field-spanning write (size 16) of single field "r-&gt;arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Modules linked in:
CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Call Trace:
 &lt;TASK&gt;
 arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
 sock_do_ioctl+0xdf/0x260 net/socket.c:1204
 sock_ioctl+0x3ef/0x650 net/socket.c:1321
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x64/0xce
 &lt;/TASK&gt;</Note>
    </Notes>
    <CVE>CVE-2024-26733</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mirred: don't override retval if we already lost the skb

If we're redirecting the skb, and haven't called tcf_mirred_forward(),
yet, we need to tell the core to drop the skb by setting the retcode
to SHOT. If we have called tcf_mirred_forward(), however, the skb
is out of our hands and returning SHOT will lead to UaF.

Move the retval override to the error path which actually needs it.</Note>
    </Notes>
    <CVE>CVE-2024-26739</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/srpt: Support specifying the srpt_service_guid parameter

Make loading ib_srpt with this parameter set work. The current behavior is
that setting that parameter while loading the ib_srpt kernel module
triggers the following kernel crash:

BUG: kernel NULL pointer dereference, address: 0000000000000000
Call Trace:
 &lt;TASK&gt;
 parse_one+0x18c/0x1d0
 parse_args+0xe1/0x230
 load_module+0x8de/0xa60
 init_module_from_file+0x8b/0xd0
 idempotent_init_module+0x181/0x240
 __x64_sys_finit_module+0x5a/0xb0
 do_syscall_64+0x5f/0xe0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76</Note>
    </Notes>
    <CVE>CVE-2024-26744</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

x86, relocs: Ignore relocations in .notes section

When building with CONFIG_XEN_PV=y, .text symbols are emitted into
the .notes section so that Xen can find the "startup_xen" entry point.
This information is used prior to booting the kernel, so relocations
are not useful. In fact, performing relocations against the .notes
section means that the KASLR base is exposed since /sys/kernel/notes
is world-readable.

To avoid leaking the KASLR base without breaking unprivileged tools that
are expecting to read /sys/kernel/notes, skip performing relocations in
the .notes section. The values readable in .notes are then identical to
those found in System.map.</Note>
    </Notes>
    <CVE>CVE-2024-26816</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

smb: client: set correct id, uid and cruid for multiuser automounts

When uid, gid and cruid are not specified, we need to dynamically
set them into the filesystem context used for automounting otherwise
they'll end up reusing the values from the parent mount.</Note>
    </Notes>
    <CVE>CVE-2024-26822</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cifs: fix underflow in parse_server_interfaces()

In this loop, we step through the buffer and after each item we check
if the size_left is greater than the minimum size we need.  However,
the problem is that "bytes_left" is type ssize_t while sizeof() is type
size_t.  That means that because of type promotion, the comparison is
done as an unsigned and if we have negative bytes left the loop
continues instead of ending.</Note>
    </Notes>
    <CVE>CVE-2024-26828</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix memory leak in cachefiles_add_cache()

The following memory leak was reported after unbinding /dev/cachefiles:

==================================================================
unreferenced object 0xffff9b674176e3c0 (size 192):
  comm "cachefilesd2", pid 680, jiffies 4294881224
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc ea38a44b):
    [&lt;ffffffff8eb8a1a5&gt;] kmem_cache_alloc+0x2d5/0x370
    [&lt;ffffffff8e917f86&gt;] prepare_creds+0x26/0x2e0
    [&lt;ffffffffc002eeef&gt;] cachefiles_determine_cache_security+0x1f/0x120
    [&lt;ffffffffc00243ec&gt;] cachefiles_add_cache+0x13c/0x3a0
    [&lt;ffffffffc0025216&gt;] cachefiles_daemon_write+0x146/0x1c0
    [&lt;ffffffff8ebc4a3b&gt;] vfs_write+0xcb/0x520
    [&lt;ffffffff8ebc5069&gt;] ksys_write+0x69/0xf0
    [&lt;ffffffff8f6d4662&gt;] do_syscall_64+0x72/0x140
    [&lt;ffffffff8f8000aa&gt;] entry_SYSCALL_64_after_hwframe+0x6e/0x76
==================================================================

Put the reference count of cache_cred in cachefiles_daemon_unbind() to
fix the problem. And also put cache_cred in cachefiles_add_cache() error
branch to avoid memory leaks.</Note>
    </Notes>
    <CVE>CVE-2024-26840</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

syzbot found another use-after-free in ip6_route_mpath_notify() [1]

Commit f7225172f25a ("net/ipv6: prevent use after free in
ip6_route_mpath_notify") was not able to fix the root cause.

We need to defer the fib6_info_release() calls after
ip6_route_mpath_notify(), in the cleanup phase.

[1]
BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0
Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037

CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 &lt;TASK&gt;
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
  print_address_description mm/kasan/report.c:377 [inline]
  print_report+0x167/0x540 mm/kasan/report.c:488
  kasan_report+0x142/0x180 mm/kasan/report.c:601
 rt6_fill_node+0x1460/0x1ac0
  inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184
  ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]
  ip6_route_multipath_add net/ipv6/route.c:5404 [inline]
  inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517
  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x221/0x270 net/socket.c:745
  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
  ___sys_sendmsg net/socket.c:2638 [inline]
  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
 &lt;/TASK&gt;

Allocated by task 23037:
  kasan_save_stack mm/kasan/common.c:47 [inline]
  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
  poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389
  kasan_kmalloc include/linux/kasan.h:211 [inline]
  __do_kmalloc_node mm/slub.c:3981 [inline]
  __kmalloc+0x22e/0x490 mm/slub.c:3994
  kmalloc include/linux/slab.h:594 [inline]
  kzalloc include/linux/slab.h:711 [inline]
  fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155
  ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758
  ip6_route_multipath_add net/ipv6/route.c:5298 [inline]
  inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517
  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x221/0x270 net/socket.c:745
  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
  ___sys_sendmsg net/socket.c:2638 [inline]
  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Freed by task 16:
  kasan_save_stack mm/kasan/common.c:47 [inline]
  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
  kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640
  poison_slab_object+0xa6/0xe0 m
---truncated---</Note>
    </Notes>
    <CVE>CVE-2024-26852</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

packet: annotate data-races around ignore_outgoing

ignore_outgoing is read locklessly from dev_queue_xmit_nit()
and packet_getsockopt()

Add appropriate READ_ONCE()/WRITE_ONCE() annotations.

syzbot reported:

BUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt

write to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0:
 packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003
 do_sock_setsockopt net/socket.c:2311 [inline]
 __sys_setsockopt+0x1d8/0x250 net/socket.c:2334
 __do_sys_setsockopt net/socket.c:2343 [inline]
 __se_sys_setsockopt net/socket.c:2340 [inline]
 __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

read to 0xffff888107804542 of 1 bytes by task 27 on cpu 1:
 dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248
 xmit_one net/core/dev.c:3527 [inline]
 dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547
 __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108
 batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335
 worker_thread+0x526/0x730 kernel/workqueue.c:3416
 kthread+0x1d1/0x210 kernel/kthread.c:388
 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

value changed: 0x00 -&gt; 0x01

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G        W          6.8.0-syzkaller-08073-g480e035fc4c7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet</Note>
    </Notes>
    <CVE>CVE-2024-26862</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

When trying to use copy_from_kernel_nofault() to read vsyscall page
through a bpf program, the following oops was reported:

  BUG: unable to handle page fault for address: ffffffffff600000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
  Oops: 0000 [#1] PREEMPT SMP PTI
  CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
  RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
  ......
  Call Trace:
   &lt;TASK&gt;
   ? copy_from_kernel_nofault+0x6f/0x110
   bpf_probe_read_kernel+0x1d/0x50
   bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
   trace_call_bpf+0xc5/0x1c0
   perf_call_bpf_enter.isra.0+0x69/0xb0
   perf_syscall_enter+0x13e/0x200
   syscall_trace_enter+0x188/0x1c0
   do_syscall_64+0xb5/0xe0
   entry_SYSCALL_64_after_hwframe+0x6e/0x76
   &lt;/TASK&gt;
  ......
  ---[ end trace 0000000000000000 ]---

The oops is triggered when:

1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall
page and invokes copy_from_kernel_nofault() which in turn calls
__get_user_asm().

2) Because the vsyscall page address is not readable from kernel space,
a page fault exception is triggered accordingly.

3) handle_page_fault() considers the vsyscall page address as a user
space address instead of a kernel space address. This results in the
fix-up setup by bpf not being applied and a page_fault_oops() is invoked
due to SMAP.

Considering handle_page_fault() has already considered the vsyscall page
address as a userspace address, fix the problem by disallowing vsyscall
page read for copy_from_kernel_nofault().</Note>
    </Notes>
    <CVE>CVE-2024-26906</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

inet: inet_defrag: prevent sk release while still in use

ip_local_out() and other functions can pass skb-&gt;sk as function argument.

If the skb is a fragment and reassembly happens before such function call
returns, the sk must not be released.

This affects skb fragments reassembled via netfilter or similar
modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.

Eric Dumazet made an initial analysis of this bug.  Quoting Eric:
  Calling ip_defrag() in output path is also implying skb_orphan(),
  which is buggy because output path relies on sk not disappearing.

  A relevant old patch about the issue was :
  8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()")

  [..]

  net/ipv4/ip_output.c depends on skb-&gt;sk being set, and probably to an
  inet socket, not an arbitrary one.

  If we orphan the packet in ipvlan, then downstream things like FQ
  packet scheduler will not work properly.

  We need to change ip_defrag() to only use skb_orphan() when really
  needed, ie whenever frag_list is going to be used.

Eric suggested to stash sk in fragment queue and made an initial patch.
However there is a problem with this:

If skb is refragmented again right after, ip_do_fragment() will copy
head-&gt;sk to the new fragments, and sets up destructor to sock_wfree.
IOW, we have no choice but to fix up sk_wmem accounting to reflect the
fully reassembled skb, else wmem will underflow.

This change moves the orphan down into the core, to last possible moment.
As ip_defrag_offset is aliased with sk_buff-&gt;sk member, we must move the
offset into the FRAG_CB, else skb-&gt;sk gets clobbered.

This allows to delay the orphaning long enough to learn if the skb has
to be queued or if the skb is completing the reasm queue.

In the former case, things work as before, skb is orphaned.  This is
safe because skb gets queued/stolen and won't continue past reasm engine.

In the latter case, we will steal the skb-&gt;sk reference, reattach it to
the head skb, and fix up wmem accounting when inet_frag inflates truesize.</Note>
    </Notes>
    <CVE>CVE-2024-26921</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix garbage collector racing against connect()

Garbage collector does not take into account the risk of embryo getting
enqueued during the garbage collection. If such embryo has a peer that
carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
different set of children, leading to an incorrectly elevated inflight
count, and then a dangling pointer within the gc_inflight_list.

sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr)	sendmsg(S, [V]); close(V)	__unix_gc()
----------------	-------------------------	-----------

NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
			// V count=1 inflight=0

 			NS = unix_peer(S)
 			skb2 = sock_alloc()
			skb_queue_tail(NS, skb2[V])

			// V became in-flight
			// V count=2 inflight=1

			close(V)

			// V count=1 inflight=1
			// GC candidate condition met

						for u in gc_inflight_list:
						  if (total_refs == inflight_refs)
						    add u to gc_candidates

						// gc_candidates={L, V}

						for u in gc_candidates:
						  scan_children(u, dec_inflight)

						// embryo (skb1) was not
						// reachable from L yet, so V's
						// inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
						for u in gc_candidates:
						  if (u.inflight)
						    scan_children(u, inc_inflight_move_tail)

						// V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This
makes GC wait until the end of any ongoing connect() to that socket. After
flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
this point, unix_inflight() can not happen because unix_gc_lock is already
taken. Inflight graph remains unaffected.</Note>
    </Notes>
    <CVE>CVE-2024-26923</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path

The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.

nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.</Note>
    </Notes>
    <CVE>CVE-2024-26925</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.</Note>
    </Notes>
    <CVE>CVE-2024-26929</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix double free of the ha-&gt;vp_map pointer

Coverity scan reported potential risk of double free of the pointer
ha-&gt;vp_map.  ha-&gt;vp_map was freed in qla2x00_mem_alloc(), and again freed
in function qla2x00_mem_free(ha).

Assign NULL to vp_map and kfree takes care of NULL.</Note>
    </Notes>
    <CVE>CVE-2024-26930</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: edia: dvbdev: fix a use-after-free

In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed
in several error-handling paths. However, *pdvbdev is not set to NULL
after dvbdev's deallocation, causing use-after-frees in many places,
for example, in the following call chain:

budget_register
  |-&gt; dvb_dmxdev_init
        |-&gt; dvb_register_device
  |-&gt; dvb_dmxdev_release
        |-&gt; dvb_unregister_device
              |-&gt; dvb_remove_device
                    |-&gt; dvb_device_put
                          |-&gt; kref_put

When calling dvb_unregister_device, dmxdev-&gt;dvbdev (i.e. *pdvbdev in
dvb_register_device) could point to memory that had been freed in
dvb_register_device. Thereafter, this pointer is transferred to
kref_put, triggering a use-after-free.</Note>
    </Notes>
    <CVE>CVE-2024-27043</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

When the sco connection is established and the sco socket is then
released, timeout_work will be scheduled to judge whether
the sco disconnection has timed out. The sock will be deallocated
later, but it is dereferenced again in sco_sock_timeout. As a
result, use-after-free bugs will happen. The root cause is
shown below:

    Cleanup Thread               |      Worker Thread
sco_sock_release                 |
  sco_sock_close                 |
    __sco_sock_close             |
      sco_sock_set_timer         |
        schedule_delayed_work    |
  sco_sock_kill                  |    (wait a time)
    sock_put(sk) //FREE          |  sco_sock_timeout
                                 |    sock_hold(sk) //USE

The KASAN report triggered by POC is shown below:

[   95.890016] ==================================================================
[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
...
[   95.890755] Workqueue: events sco_sock_timeout
[   95.890755] Call Trace:
[   95.890755]  &lt;TASK&gt;
[   95.890755]  dump_stack_lvl+0x45/0x110
[   95.890755]  print_address_description+0x78/0x390
[   95.890755]  print_report+0x11b/0x250
[   95.890755]  ? __virt_addr_valid+0xbe/0xf0
[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0
[   95.890755]  kasan_report+0x139/0x170
[   95.890755]  ? update_load_avg+0xe5/0x9f0
[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0
[   95.890755]  kasan_check_range+0x2c3/0x2e0
[   95.890755]  sco_sock_timeout+0x5e/0x1c0
[   95.890755]  process_one_work+0x561/0xc50
[   95.890755]  worker_thread+0xab2/0x13c0
[   95.890755]  ? pr_cont_work+0x490/0x490
[   95.890755]  kthread+0x279/0x300
[   95.890755]  ? pr_cont_work+0x490/0x490
[   95.890755]  ? kthread_blkcg+0xa0/0xa0
[   95.890755]  ret_from_fork+0x34/0x60
[   95.890755]  ? kthread_blkcg+0xa0/0xa0
[   95.890755]  ret_from_fork_asm+0x11/0x20
[   95.890755]  &lt;/TASK&gt;
[   95.890755]
[   95.890755] Allocated by task 506:
[   95.890755]  kasan_save_track+0x3f/0x70
[   95.890755]  __kasan_kmalloc+0x86/0x90
[   95.890755]  __kmalloc+0x17f/0x360
[   95.890755]  sk_prot_alloc+0xe1/0x1a0
[   95.890755]  sk_alloc+0x31/0x4e0
[   95.890755]  bt_sock_alloc+0x2b/0x2a0
[   95.890755]  sco_sock_create+0xad/0x320
[   95.890755]  bt_sock_create+0x145/0x320
[   95.890755]  __sock_create+0x2e1/0x650
[   95.890755]  __sys_socket+0xd0/0x280
[   95.890755]  __x64_sys_socket+0x75/0x80
[   95.890755]  do_syscall_64+0xc4/0x1b0
[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
[   95.890755]
[   95.890755] Freed by task 506:
[   95.890755]  kasan_save_track+0x3f/0x70
[   95.890755]  kasan_save_free_info+0x40/0x50
[   95.890755]  poison_slab_object+0x118/0x180
[   95.890755]  __kasan_slab_free+0x12/0x30
[   95.890755]  kfree+0xb2/0x240
[   95.890755]  __sk_destruct+0x317/0x410
[   95.890755]  sco_sock_release+0x232/0x280
[   95.890755]  sock_close+0xb2/0x210
[   95.890755]  __fput+0x37f/0x770
[   95.890755]  task_work_run+0x1ae/0x210
[   95.890755]  get_signal+0xe17/0xf70
[   95.890755]  arch_do_signal_or_restart+0x3f/0x520
[   95.890755]  syscall_exit_to_user_mode+0x55/0x120
[   95.890755]  do_syscall_64+0xd1/0x1b0
[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
[   95.890755]
[   95.890755] The buggy address belongs to the object at ffff88800c388000
[   95.890755]  which belongs to the cache kmalloc-1k of size 1024
[   95.890755] The buggy address is located 128 bytes inside of
[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)
[   95.890755]
[   95.890755] The buggy address belongs to the physical page:
[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   95.890755] ano
---truncated---</Note>
    </Notes>
    <CVE>CVE-2024-27398</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

efi/capsule-loader: fix incorrect allocation size

gcc-14 notices that the allocation with sizeof(void) on 32-bit architectures
is not enough for a 64-bit phys_addr_t:

drivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':
drivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]
  295 |         cap_info-&gt;phys = kzalloc(sizeof(void *), GFP_KERNEL);
      |                        ^

Use the correct type instead here.</Note>
    </Notes>
    <CVE>CVE-2024-27413</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.</Note>
    </Notes>
    <CVE>CVE-2024-28085</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libblkid1-2.36.2-150300.4.44.12</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libfdisk1-2.36.2-150300.4.44.12</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libmount1-2.36.2-150300.4.44.12</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libsmartcols1-2.36.2-150300.4.44.12</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libuuid1-2.36.2-150300.4.44.12</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:util-linux-2.36.2-150300.4.44.12</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:util-linux-systemd-2.36.2-150300.4.44.11</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:uuidd-2.36.2-150300.4.44.11</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync.  This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.</Note>
    </Notes>
    <CVE>CVE-2024-28182</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libnghttp2-14-1.40.0-150200.17.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
</Note>
    </Notes>
    <CVE>CVE-2024-2961</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-32bit-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-i18ndata-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-base-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:nscd-2.31-150300.83.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Because of a logical error in XSA-407 (Branch Type Confusion), the
mitigation is not applied properly when it is intended to be used.
XSA-434 (Speculative Return Stack Overflow) uses the same
infrastructure, so is equally impacted.

For more details, see:
  https://xenbits.xen.org/xsa/advisory-407.html
  https://xenbits.xen.org/xsa/advisory-434.html
</Note>
    </Notes>
    <CVE>CVE-2024-31142</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xen-libs-4.14.6_16-150300.3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An optional feature of PCI MSI called "Multiple Message" allows a
device to use multiple consecutive interrupt vectors.  Unlike for MSI-X,
the setting up of these consecutive vectors needs to happen all in one
go.  In this handling an error path could be taken in different
situations, with or without a particular lock held.  This error path
wrongly releases the lock even when it is not currently held.
</Note>
    </Notes>
    <CVE>CVE-2024-31143</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:xen-libs-4.14.6_16-150300.3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.</Note>
    </Notes>
    <CVE>CVE-2024-32487</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:less-530-150000.3.9.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">nscd: Stack-based buffer overflow in netgroup cache

If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted
by client requests then a subsequent client request for netgroup data
may result in a stack-based buffer overflow.  This flaw was introduced
in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.
</Note>
    </Notes>
    <CVE>CVE-2024-33599</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-32bit-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-i18ndata-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-base-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:nscd-2.31-150300.83.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found
netgroup response to the cache, the client request can result in a null
pointer dereference.  This flaw was introduced in glibc 2.15 when the
cache was added to nscd.

This vulnerability is only present in the nscd binary.

</Note>
    </Notes>
    <CVE>CVE-2024-33600</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-32bit-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-i18ndata-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-base-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:nscd-2.31-150300.83.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">nscd: netgroup cache may terminate daemon on memory allocation failure

The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or
xrealloc and these functions may terminate the process due to a memory
allocation failure resulting in a denial of service to the clients.  The
flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

</Note>
    </Notes>
    <CVE>CVE-2024-33601</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-32bit-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-i18ndata-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-base-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:nscd-2.31-150300.83.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">nscd: netgroup cache assumes NSS callback uses in-buffer strings

The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory
when the NSS callback does not store all strings in the provided buffer.
The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

</Note>
    </Notes>
    <CVE>CVE-2024-33602</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-32bit-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-i18ndata-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glibc-locale-base-2.31-150300.83.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:nscd-2.31-150300.83.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.</Note>
    </Notes>
    <CVE>CVE-2024-34397</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:glib2-tools-2.62.6-150200.3.18.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgio-2_0-0-2.62.6-150200.3.18.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libglib-2_0-0-2.62.6-150200.3.18.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgmodule-2_0-0-2.62.6-150200.3.18.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgobject-2_0-0-2.62.6-150200.3.18.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libgthread-2_0-0-2.62.6-150200.3.18.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.</Note>
    </Notes>
    <CVE>CVE-2024-34459</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxml2-2-2.9.7-150000.3.70.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libxml2-tools-2.9.7-150000.3.70.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.</Note>
    </Notes>
    <CVE>CVE-2024-35195</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-requests-2.25.1-150300.3.12.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue.
</Note>
    </Notes>
    <CVE>CVE-2024-35235</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cups-config-2.2.7-150000.3.62.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libcups2-2.2.7-150000.3.62.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes

When moving a station out of a VLAN and deleting the VLAN afterwards, the
fast_rx entry still holds a pointer to the VLAN's netdev, which can cause
use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx
after the VLAN change.</Note>
    </Notes>
    <CVE>CVE-2024-35789</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()

Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.</Note>
    </Notes>
    <CVE>CVE-2024-35861</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in smb2_is_network_name_deleted()

Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.</Note>
    </Notes>
    <CVE>CVE-2024-35862</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in smb2_is_valid_lease_break()

Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.</Note>
    </Notes>
    <CVE>CVE-2024-35864</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/client: Fully protect modes[] with dev-&gt;mode_config.mutex

The modes[] array contains pointers to modes on the connectors'
mode lists, which are protected by dev-&gt;mode_config.mutex.
Thus we need to extend modes[] the same protection or by the
time we use it the elements may already be pointing to
freed/reused memory.</Note>
    </Notes>
    <CVE>CVE-2024-35950</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.</Note>
    </Notes>
    <CVE>CVE-2024-3651</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-idna-2.6-150000.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

FFS based applications can utilize the aio_cancel() callback to dequeue
pending USB requests submitted to the UDC.  There is a scenario where the
FFS application issues an AIO cancel call, while the UDC is handling a
soft disconnect.  For a DWC3 based implementation, the callstack looks
like the following:

    DWC3 Gadget                               FFS Application
dwc3_gadget_soft_disconnect()              ...
  --&gt; dwc3_stop_active_transfers()
    --&gt; dwc3_gadget_giveback(-ESHUTDOWN)
      --&gt; ffs_epfile_async_io_complete()   ffs_aio_cancel()
        --&gt; usb_ep_free_request()            --&gt; usb_ep_dequeue()

There is currently no locking implemented between the AIO completion
handler and AIO cancel, so the issue occurs if the completion routine is
running in parallel to an AIO cancel call coming from the FFS application.
As the completion call frees the USB request (io_data-&gt;req) the FFS
application is also referencing it for the usb_ep_dequeue() call.  This can
lead to accessing a stale/hanging pointer.

commit b566d38857fc ("usb: gadget: f_fs: use io_data-&gt;status consistently")
relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
However, in order to properly implement locking to mitigate this issue, the
spinlock can't be added to ffs_epfile_async_io_complete(), as
usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
function driver's completion handler in the same context.  Hence, leading
into a deadlock.

Fix this issue by moving the usb_ep_free_request() back to
ffs_user_copy_worker(), and ensuring that it explicitly sets io_data-&gt;req
to NULL after freeing it within the ffs-&gt;eps_lock.  This resolves the race
condition above, as the ffs_aio_cancel() routine will not continue
attempting to dequeue a request that has already been freed, or the
ffs_user_copy_work() not freeing the USB request until the AIO cancel is
done referencing it.

This fix depends on
  commit b566d38857fc ("usb: gadget: f_fs: use io_data-&gt;status
  consistently")</Note>
    </Notes>
    <CVE>CVE-2024-36894</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().

Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()
with nice analysis.

Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for
timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's
sk_refcnt after putting it into ehash and releasing the bucket lock.

Thus, there is a small race window where other threads could try to
reuse the port during connect() and call sock_hold() in tcp_twsk_unique()
for the TIME-WAIT socket with zero refcnt.

If that happens, the refcnt taken by tcp_twsk_unique() is overwritten
and sock_put() will cause underflow, triggering a real use-after-free
somewhere else.

To avoid the use-after-free, we need to use refcount_inc_not_zero() in
tcp_twsk_unique() and give up on reusing the port if it returns false.

[0]:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110
CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1
Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
Call Trace:
 &lt;TASK&gt;
 ? refcount_warn_saturate+0xe5/0x110
 ? __warn+0x81/0x130
 ? refcount_warn_saturate+0xe5/0x110
 ? report_bug+0x171/0x1a0
 ? refcount_warn_saturate+0xe5/0x110
 ? handle_bug+0x3c/0x80
 ? exc_invalid_op+0x17/0x70
 ? asm_exc_invalid_op+0x1a/0x20
 ? refcount_warn_saturate+0xe5/0x110
 tcp_twsk_unique+0x186/0x190
 __inet_check_established+0x176/0x2d0
 __inet_hash_connect+0x74/0x7d0
 ? __pfx___inet_check_established+0x10/0x10
 tcp_v4_connect+0x278/0x530
 __inet_stream_connect+0x10f/0x3d0
 inet_stream_connect+0x3a/0x60
 __sys_connect+0xa8/0xd0
 __x64_sys_connect+0x18/0x20
 do_syscall_64+0x83/0x170
 entry_SYSCALL_64_after_hwframe+0x78/0x80
 &lt;/TASK&gt;</Note>
    </Notes>
    <CVE>CVE-2024-36904</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

pinctrl: core: delete incorrect free in pinctrl_enable()

The "pctldev" struct is allocated in devm_pinctrl_register_and_init().
It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),
so freeing it in pinctrl_enable() will lead to a double free.

The devm_pinctrl_dev_release() function frees the pindescs and destroys
the mutex as well.</Note>
    </Notes>
    <CVE>CVE-2024-36940</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

fs/9p: only translate RWX permissions for plain 9P2000

Garbage in plain 9P2000's perm bits is allowed through, which causes it
to be able to set (among others) the suid bit. This was presumably not
the intent since the unix extended bits are handled explicitly and
conditionally on .u.</Note>
    </Notes>
    <CVE>CVE-2024-36964</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.</Note>
    </Notes>
    <CVE>CVE-2024-37370</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-1.19.2-150300.19.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-client-1.19.2-150300.19.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.</Note>
    </Notes>
    <CVE>CVE-2024-37371</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-1.19.2-150300.19.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:krb5-client-1.19.2-150300.19.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this by accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.</Note>
    </Notes>
    <CVE>CVE-2024-37891</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-urllib3-1.25.10-150300.4.12.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.</Note>
    </Notes>
    <CVE>CVE-2024-38428</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:wget-1.20.3-150000.3.20.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

of: module: add buffer overflow check in of_modalias()

In of_modalias(), if the buffer happens to be too small even for the 1st
snprintf() call, the len parameter will become negative and str parameter
(if not NULL initially) will point beyond the buffer's end. Add the buffer
overflow check after the 1st snprintf() call and fix such check after the
strlen() call (accounting for the terminating NUL char).</Note>
    </Notes>
    <CVE>CVE-2024-38541</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix UAF for cq async event

The refcount of CQ is not protected by locks. When CQ asynchronous
events and CQ destruction are concurrent, CQ may have been released,
which will cause UAF.

Use the xa_lock() to protect the CQ refcount.</Note>
    </Notes>
    <CVE>CVE-2024-38545</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: qedf: Ensure the copied buf is NUL terminated

Currently, we allocate a count-sized kernel buffer and copy count from
userspace to that buffer. Later, we use kstrtouint on this buffer but we
don't ensure that the string is terminated inside the buffer, this can
lead to OOB read when using kstrtouint. Fix this issue by using
memdup_user_nul instead of memdup_user.</Note>
    </Notes>
    <CVE>CVE-2024-38559</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: bfa: Ensure the copied buf is NUL terminated

Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
userspace to that buffer. Later, we use sscanf on this buffer but we don't
ensure that the string is terminated inside the buffer, this can lead to
OOB read when using sscanf. Fix this issue by using memdup_user_nul instead
of memdup_user.</Note>
    </Notes>
    <CVE>CVE-2024-38560</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:cluster-md-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:dlm-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:gfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:kernel-default-5.3.18-150300.59.167.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:ocfs2-kmp-default-5.3.18-150300.59.167.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The "ipaddress" module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as "globally reachable" or "private". This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn't be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.</Note>
    </Notes>
    <CVE>CVE-2024-4032</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-3.6.15-150300.10.65.2</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:python3-curses-3.6.15-150300.10.65.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.

Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.

docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.</Note>
    </Notes>
    <CVE>CVE-2024-41110</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:docker-25.0.6_ce-150000.203.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>critical</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause
memory to be accessed that was previously freed in some situations

Impact summary: A use after free can have a range of potential consequences such
as the corruption of valid data, crashes or execution of arbitrary code.
However, only applications that directly call the SSL_free_buffers function are
affected by this issue. Applications that do not call this function are not
vulnerable. Our investigations indicate that this function is rarely used by
applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used
when processing an incoming record from the network. The call is only expected
to succeed if the buffer is not currently in use. However, two scenarios have
been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the
network and processed by OpenSSL, but the full record body has not yet arrived.
In this case calling SSL_free_buffers will succeed even though a record has only
been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has
been received and processed by OpenSSL but the application has only read part of
this data. Again a call to SSL_free_buffers will succeed even though the buffer
is still in use.

While these scenarios could occur accidentally during normal operation a
malicious attacker could attempt to engineer a situation where this occurs.
We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2024-4741</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp3-sap-v20240808-x86-64:openssl-1_1-1.1.1d-150200.11.91.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
</cvrfdoc>
